DevSecOps FAQ: Get up to speed

Dec 8, 2021 · 3 min read
Valerie Silverthorne

If it feels like DevSecOps is just one more flavor of DevOps, we get it. After all, DevOps could be known as DevSecBizTestMonitorOps, but that’s not easy to say or remember. DevSecOps actually plays a unique role in the world of software development. Here’s what you need to know.

Why is DevSecOps important?

All of the well-publicized security breaches have shown us one thing: Security can no longer be an afterthought in software development. It used to be that security was a separate department and function with a top-down approach and little actual understanding of how software was developed. Code was handed to security late in the process, and then the sec team had to chase busy devs down for fixes. TL;DR: Let’s just say that didn’t ever work well.

Today, DevSecOps aims squarely at the idea that security has to be baked into the process from the beginning. The need for security to “shift left,” i.e., move from production to development, is at the heart of what DevSecOps is.

The data is clear: The earlier a developer finds a flaw, the faster the fix, so DevSecOps puts security scans (and their results) in a dev’s workflow, minimizing the barriers to resolution and greatly decreasing context-switching.

And this isn’t just something that’s a nice-to-have – it’s actually happening. In our 2021 Global DevSecOps Survey, we found DevSecOps teams are running more SAST, DAST, container and dependency scans than ever before. And, thanks to DevSecOps, a full 72% of security pros rated their organizations’ security efforts as either “strong” or “good.”

The difference between DevSecOps and DevOps

DevSecOps is DevOps, and honestly the two terms are, can, and should be used interchangeably. That said, GitLab defines DevOps as “…people working together to conceive, build and deliver secure software at top speed” and, as you can see, that definition already includes security. DevSecOps, on the other hand, “weaves security practices into every stage of software development right through deployment with the use of tools and methods to protect and monitor live applications.”

Some think the term “DevSecOps” puts undue emphasis on security, but we heartily disagree. You can’t emphasize security enough!

Why is DevSecOps important to business?

The number one benefit of DevOps is code quality, according to our survey, and, clearly, that’s businesses’ priority as well; bad code costs money literally (time to fix) and figuratively (brand reputation).

So, if it’s time to convince management to invest in DevSecOps, it’s important to continue to emphasize how devastating a security breach can be.

Also, it’s vital to connect the dots on exactly how a DevSecOps team can help prevent the worst-case scenarios. From automated software testing to a security champions program, DevSecOps is one of the most efficient ways to help prevent hacks.

The future of DevSecOps

The future of DevSecOps can be summed up in one simple word: more. More testing, more automation, more integration, more shift left, more comprehensive scans… just more of everything that brings security into the development process earlier in the game.

There are signs that “more” is already happening, based on our 2021 survey results. Nearly 28% of security respondents report they are now part of a cross-functional team and a growing percentage are more focused on compliance. And more than 70% of security pros report their teams shifted left in 2021, up from 65% in 2020. In other words, security is increasingly on the team.

And don’t forget about the promise of artificial intelligence and machine learning. As AI/ML use expands in DevOps teams, DevSecOps will no doubt benefit.

Ready to learn DevSecOps?

If you’re ready to dive into DevSecOps, we have a 20 question quiz so you can test your readiness level and learn more.
