Full Text

DevSecOps definition

DevSecOps is a culture shift in the software industry that aims to bake security into the rapid-release cycles that are typical of modern application development and deployment, also known as the DevOps movement. Embracing this shift-left mentality requires organizations to bridge the gap that usually exists between development and security teams to the point where many of the security processes are automated and handled by the development team itself.

[ Keep up with 8 hot cyber security trends (and 4 going cold). Give your career a boost with top security certifications: Who they're for, what they cost, and which you need. | Sign up for CSO newsletters. ]How does DevSecOps differ from traditional software development?

Traditionally, major software developers used to release new versions of their applications every few months or even years. This provided enough time for the code to go through quality assurance and security testing, processes that were performed by separate specialized teams, whether internal or externally contracted.

However, the past ten years have seen the rise of the public clouds, containers and the microservice model where monolithic applications are broken down into smaller parts that run independently. This breakdown has also had a direct impact on the way software is developed, leading to rolling releases and agile development practices where new features and code are continuously pushed into production at a rapid pace. Many of these processes have been automated with the use of new technologies and tools, allowing companies to innovate faster and stay ahead of the competition.

The advance of cloud, containers and microservices also led to the emergence of what the industry calls the DevOps culture, where developers can now provision and scale the infrastructure they need without waiting for a separate infrastructure team to do it for them. All major cloud providers now offer APIs and configuration tools that allow treating infrastructure configuration as code using deployment templates.

While the DevOps culture brought a lot of innovation to software development, security was often not able to keep up with the new speed at which code was being produced and released. DevSecOps is the attempt to correct that and fully integrate security testing into the continuous integration (CI) and continuous delivery (CD) pipelines, but also build...