What is DevSecOps?

As the name suggests, DevSecOps brings a third key party, Security, into the DevOps process and adds a fifth key pillar: Continuous Security. This means that security becomes an integral part of every phase of software development. Instead of Security Engineers stepping in only after development of a feature is complete, security is present in every stage of the SDLC and covers every layer, from the application itself to the infrastructure (containers, servers, network, etc.) and the technology stack.


What does it mean to me?

As with DevOps, developers in DevSecOps teams take on responsibility for the security of their code by applying practices such as secure coding and security testing in their daily work. The practice of integrating security tools into the DevOps process is known as Security as Code (SaC). The purpose of SaC is to add automated security checks, tests, and scans to the development flow without causing any negative impact or delay. Thus, security becomes constant and effortless: something that is always present rather than an afterthought.


DevSecOps practices effectively remove the well-known QA and Security bottleneck problem in two ways:

  1. It reduces the chances of serious bugs and security vulnerabilities being found (and needing to be fixed) at the last minute, immediately before release. At traditional Waterfall and Agile organizations, teams often find QA and Security becoming blockers to their release as they uncover major issues at the last minute, but under DevSecOps the chances of this occurring are greatly reduced because problems are usually found and fixed earlier.
  2. Developers no longer have to sit around waiting for QA and Security to do their thing! Since developers are the ones who know their code best, it is more efficient for them to write tests as they are coding (or even before coding, a well-known practice known as Test-Driven Development) rather than handing off the work to QA afterwards. As for security, it is simply more efficient to build security into the software from the beginning than to retrofit it into insecure software later, since that typically involves intrusive changes such as changes to the architecture or the feature logic itself.

Another defining characteristic of DevSecOps teams is heavy reliance on automation. QA and security tests are run frequently, as often as on every code commit, to ensure consistency of software quality and security. This allows DevSecOps teams to release much more quickly than teams in Waterfall or Agile organizations that don't make use of automation.
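To make the Security as Code idea from the previous sections concrete, here is an added example (written for this article, not code from the author or any particular project) of the kind of small automated gate that runs on every commit, as a pre-commit hook or a CI job. It applies a handful of pattern rules to source files and returns a non-zero exit code when it finds something, so the pipeline fails while the code is still fresh in the developer's mind rather than at release time. The rule patterns, file names and file contents are constructed for illustration; a real team would pair a gate like this with dedicated scanners rather than rely on a few regexes.

```python
"""Minimal 'Security as Code' gate: an automated check meant to run on every
commit (pre-commit hook or CI job). Constructed example for illustration;
rules and sample files are not taken from any real project."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Each rule: a name, a compiled regex, and a short remediation hint.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']"""),
     "load credentials from a secret store or the environment at runtime"),
    ("aws-access-key-id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "rotate the key and remove it from source"),
    ("tls-verification-disabled",
     re.compile(r"verify\s*=\s*False"),
     "keep certificate verification on; pin a CA bundle if needed"),
    ("dynamic-code-eval",
     re.compile(r"\beval\s*\("),
     "replace eval() with explicit parsing or dispatch"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    hint: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, hint in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, hint))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (keeps the check runnable offline)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str, suffixes=(".py", ".yml", ".yaml", ".env", ".json")) -> list[Finding]:
    """Scan real files under a directory; this is the entry point for a CI step."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


def gate(findings: list[Finding]) -> int:
    """Print findings in file:line form and return the process exit code.
    Non-zero fails the commit hook or pipeline stage."""
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.hint}")
    return 1 if findings else 0


# Constructed sample inputs: one file with two problems, one clean file.
SAMPLE_FILES = {
    "app/config.py": (
        "import requests\n"
        "API_KEY = 'sk_test_constructed_example_value'\n"   # hardcoded-secret
        "resp = requests.get(URL, verify=False)\n"           # tls-verification-disabled
    ),
    "app/clean.py": (
        "import os\n"
        "API_KEY = os.environ['API_KEY']\n"                  # secret read at runtime: OK
    ),
}

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise run against the sample files.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_files(SAMPLE_FILES)
    sys.exit(gate(results))
```

Run as `python gate.py .` from a CI job or a pre-commit hook; the exit code is what makes it a gate rather than a report. Keeping the rules in code, under version control next to the application, is the point of Security as Code: the check is reviewed, versioned and run exactly like any other test.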
