What's DevSecOps and How is it Different From DevOps?

Bob Reselman (Guest Author)
July 11, 2018
"As with quality, you cannot inspect security into a system."

For most companies, software is a commodity, a cost of doing business like any other piece of equipment. Some companies need a fleet of delivery trucks to do business. Others need a software-driven inventory procurement system. Both cost money, a lot of money. Funny as it may sound, no executive gets up in the morning eager to buy either. If they could avoid the expense, they would. But they can't.

Those of us who make tools tend to sentimentalize their value. Both truck designers and software engineers can become mesmerized by their work. After all, there is an innate, almost obsessive fascination that goes with making things. Most engineers really do love what they're doing. But for those on the receiving end of the engineering, all that matters in the end is that the tool works according to expectation.

The good news is that the history of truck manufacturing is one of reliability in terms of cost and features. Sadly, for the art and science of software development, 'twas but a dream. The history of software development is that of companies writing big checks for software systems and getting poor results. Delays and cost overruns were common. And when the software eventually did show up, there were usually defects that required a number of workarounds. Spending money on software development was more of a roll of the dice than a planned expense.

Something had to be done. Hence, DevOps.

DevOps: The Remedy for a World of Testing Pain

Software development prior to DevOps used the waterfall methodology. For many, waterfall is a world of pain. Each step in the waterfall approach to the software development life cycle (SDLC) gets performed in a strict sequence, by an isolated group. Coders do the programming. Testers do the testing. Release management gets the code out to the end user. Once released, Customer Service deals with the complaints.

Each group is surrounded by a very high organizational wall. On each side of the wall is a manager who is remarkably adept at tossing completed work over to the next group in the waterfall sequence. Also, the manager is usually good at throwing defective work back. However, the ability to accept and effectively fix rejected work varies from manager to manager. Dropping the ball on the toss back is not unusual.

History has shown us that the waterfall process created an environment in which each group in the SDLC became a tribe with its own language, customs and rituals. Some groups might be friendly to one another. Others might be belligerent. Sadly, belligerence tended to be more common than friendliness.

Programmers considered QA annoying. QA, whose job was to find fault in the code, perceived programmers to be people whose sense of self is defined by one's power to bend the given programming language toward some entertaining end with little regard for the needs of the customer or company. Release management is made up of folks who end up spending more than a few weekends away from family and friends, trying to get a mishmash of code artifacts to work in production. Thus, they're hostile to just about everybody. Or so it seems.

"DevOps is to combine all those associated with creating software into a unified, cross-functional group ... [and] let automation do the rote work and have humans focus on creating better products, better testing and better release processes."


The limited information sharing and continuous infighting that is commonplace between groups under waterfall kept driving up costs and failure rates to unbearable, and more significantly, unprofitable levels. Fortunately, Corporate America had a kumbaya moment. Someone had the idea of making a process that promoted unity over fragmentation, and episodic releases of acceptable, working code over a grand release of perfect software. Thus, Agile was born, and on its coattails came CI/CD and DevOps.

DevOps is, as the name implies, the unification of Development and Operations. The fundamental premise of DevOps is to combine all those associated with creating software into a unified, cross-functional group while also injecting automation into as much of the process as possible. The idea is to let automation do the rote work and have humans focus on creating better products, better testing and better release processes.

The results have been remarkable. Due to DevOps, deployments are becoming more granular. Automation is doing more of the work of coding, testing and release. Teams are becoming more cross-functional. Given recent history, it's not unreasonable to expect DevOps to continue to allow companies to make better software at lower cost.


It's a good dream that lasted for a while ... until the breaches at Target, Experian and Cambridge Analytica came along.

What Could Possibly Go Wrong?

Christmas 2013 was not a good year for Target. At the peak of the Holiday Season hackers broke into its systems and stole the credit card and user information of 40 million customers. To give you a sense of scale, this is the equivalent of everybody in the states of Pennsylvania, Ohio, Illinois and Iowa having their pockets picked. To say it was a major security breach is an understatement.

Then, in September 2015, hackers broke into Experian's infrastructure and stole information on about 15 million users who had applied for service from T-Mobile. The perpetrators got birth dates as well as passport, driver's license, and social security numbers; all the information a would-be impersonator needs to live a life of luxury for a long time on a remote, yet warm and wired beach somewhere on the Aegean Sea.

You'd think that Experian would have learned, given a related attack it suffered back in 2012 that resulted in the theft of information about 200 million users. But it didn't. However, Experian wasn't the only victim of cyber-robbery. In September 2014 hackers got their hands on private data about 76 million households stored in the datacenters of the premier Wall Street financial institution: JPMorgan Chase.

Clearly, when it came to security, the DevOps magic was not working. It seemed as if any kid with a laptop could break into any system, anywhere. Something was dreadfully wrong and a lot of people were getting hurt.

Why? Mostly because up until recently security was never really part of the DevOps way of life. Granted, nobody trivialized security or tried to cut back on the resources it needed to do its work. Security has always been considered essential. The trouble was that security was never really given a first-class seat at the DevOps table. To put it bluntly, security tended to be more about birth control than family planning: give Johnny and Suzy enough information and technology to make sure they don't do anything stupid, but let the bigger picture work itself out... hopefully.

Which brings us to Cambridge Analytica.

The story of Cambridge Analytica is fairly well known at this point. A data analysis company used existing technology to extract, analyze and repurpose data in a questionably legal way, with far-reaching outcomes. Yet Cambridge Analytica perpetrated no unauthorized intrusion into systems. If anything, Cambridge Analytica violated the Terms of Use of the supporting platform, in this case, Facebook. While no illegal intrusion took place, security was still the problem. No bad tech was used. It's just that tech was used badly.

So what does it have to do with DevSecOps?

The Value of DevSecOps

As mentioned above, DevSecOps is about giving security personnel a rightful seat at the DevOps table. DevSecOps is not only about making standard security processes part of the SDLC; it's also about instilling basic security principles and sensibilities among all members of the development team, from product designers to release managers to Customer Service representatives.

Going back to the Cambridge Analytica example, the issue was more about policy violations than any breach of a security perimeter. Facebook never authorized Cambridge Analytica to share the user data it gathered with others.

Could Facebook have created a technology that would detect such a policy violation? Who knows? But the idea of implementing a security framework that automatically ensures proper policy compliance would have had a whole lot better chance of seeing the light of day had a security expert been an ongoing member of the product's DevOps team.

What are the Principles of DevSecOps?

The principles of DevSecOps, published in the DevSecOps manifesto by DevSecOps.org, are as follows:

  • Leaning in over Always Saying "No"
  • Data & Security Science over Fear, Uncertainty and Doubt
  • Open Contribution & Collaboration over Security-Only Requirements
  • Consumable Security Services with APIs over Mandated Security Controls & Paperwork
  • Business Driven Security Scores over Rubber Stamp Security
  • Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
  • 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
  • Shared Threat Intelligence over Keeping Info to Ourselves
  • Compliance Operations over Clipboards & Checklists

There's a quote by the noted quality control expert, Harold F. Dodge, that goes like this: "You cannot inspect quality into a product."

The same is true for security. For too long security has been about inspection. Inspection is useful for exposing the security hazards of the moment and so addressing those immediate threats. But inspection does not necessarily make the overall environment more secure. Like quality, security needs to be built into a product from the beginning, not inspected in after the fact.

Building security into a product at the start, under the standard practices and sensibilities of DevOps, is the essential premise of DevSecOps. DevSecOps is the welcoming acceptance of security personnel, engineering, techniques and sensibilities as an essential part of the continuous software development lifecycle as practiced within the discipline of DevOps overall. DevSecOps is about giving security a first-class seat at the DevOps table.

Is it really that different from DevOps overall? Dunno. We could argue over its nature until the cows come home. But regardless of definition, DevSecOps is an important addition to the DevOps landscape and we're lucky it showed up when it did.
