Can your existing DevSecOps and application security keep pace with modern development methods? Learn how next-generation software requires a new approach to app sec.

Download the ebook →


What is DevSecOps?

Security has traditionally come at the end of the development lifecycle, adding cost and time when code is inevitably sent back to the developer for fixes. It is time to shift left by embracing security earlier within the DevOps lifecycle.

Cost savings of DevSecOps

DevSecOps tools automate security workflows to create an adaptable process for your development and security teams, improving collaboration and breaking down silos. By embedding security into the SDLC, you can consistently secure fast- moving and iterative processes - improving efficiency without sacrificing quality.

DevSecOps weaves security practices into every stage of software development right through deployment with the use of tools and methods to protect and monitor live applications. New attack surfaces such as containers and orchestrators must be monitored and protected alongside the application itself.

What is application security?

Application security has been defined by TechTarget as the use of software, hardware, and procedural methods to protect applications from external threats. Modern approaches include shifting left to find and fix vulnerabilities earlier, while also shifting right to protect your applications and their infrastructure-as-code in production. Securing the Software Development Life Cycle (SDLC) itself is often a requirement as well.

This approach of building security into your development and operational processes effectively turns your DevOps methodology into a DevSecOps methodology. An end-to-end DevOps platform can best enable this approach.

DevSecOps fundamentals

If you’ve read the book that was the genesis for the DevOps movement, The Phoenix Project, you understand the importance of automation, consistency, metrics, and collaboration. For DevSecOps, you are essentially applying these techniques to outfit the software factory while embedding security capabilities along the way rather than in a separate, siloed process. Dev or security can find vulnerabilities, but a developer is usually required to remove such flaws. It makes sense to empower them to find and fix vulnerabilities while they are still working on the code. Scanning alone isn’t enough. It’s about getting the results to the right people, at the right time, with the right context for quick action.

Fundamental requirements include automation and collaboration, along with policy guardrails and visibility.


In our 2020 DevSecOps Survey. we found a majority of developers aren’t running SAST, DAST or other security scans regularly, and automation also lags. A majority of security pros reported their DevOps teams are “shifting left,” but test automation continues to be a huge challenge.


A single source of truth that reports vulnerabilities and remediation provides much-needed transparency to both development and security team. It can streamline cycles, eliminate friction, and remove unnecessary translation across tools.

Policy guardrails

Every enterprise has a different appetite for risk. Your security policies will reflect what is right for you while the regulatory requirements to which you must adhere will also influence the policies you must apply. Hand-in-hand with automation, guardrails can ensure consistent application of your security and compliance policies.


An end-to-end DevSecOps platform can give auditors a clear view into who changed what, where, when, and why from beginning to end of the software lifecyle. Leveraging a single-source-of-truth can also ensure earlier visibility into application risks.

Getting started

Ready to see how GitLab can help you get started with DevSecOps?

Our DevSecOps Solution. page has all of the details, along with a Free Trial offer for our Ultimate tier of capabilities.

Assess your DevSecOps maturity

We have developed a simple assessment that uses twenty questions to help you determine where you excel and areas for improvement. A helpful guide suggests steps to get you started.

Assess yourself →.

Benefits of DevSecOps


Developers can remediate vulnerabilities while they’re coding, which teaches secure code writing and reduces back and forth during security reviews.


Encouraging a security mindset across your app dev team aligns goals with security and encourages employees to work with others outside their functional silo.


DevSecOps saves time, money, and employee resources over every launch and iteration - all valuable assets to IT and security teams suffering from skills and budget shortages.

Manage your toolchain before it manages you

Visible, secure, and effective toolchains are difficult to come by due to the increasing number of tools teams use, and it’s placing strain on everyone involved. This study dives into the challenges, potential solutions, and key recommendations to manage this evolving complexity.


Here is a list of resources on DevSecOps that we find to be particularly helpful. We would love to get your recommendations on books, blogs, videos, podcasts and other resources that offer valuable insight into best practices.

Please share your favorites with us by tweeting us @GitLab!

Suggested Content

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Open in Web IDE View source