The systematic un-siloing of the development, security, and operations aspects of software and software delivery organizations so that people and systems covering all of these aspects can work more effectively together.
What is it?
DevOps was intended to bring an organization’s development and operations teams together, to build better IT systems for the enterprise. DevSecOps adds the security teams into that mix, to make enterprise security a first-class concern for all software development.
It has been common for an organization to keep these three aspects of software development separate, with their own teams, processes, and tooling. DevSecOps refers to an organization deliberately combining them so that one set of practices and one delivery pipeline serve development, security, and operations together, rather than security being a separate stage bolted on at the end.
In practice this means security testing runs as part of the development team's normal workflow, in the same build pipeline as functional tests, and the developers who introduced a finding fix it as it appears rather than handing it to a separate team. That in turn means ensuring development teams have the security skills to understand and act on those findings.
What’s in for you?
Making security part of everyone's job reduces business risk. With DevSecOps, teams are not siloed, so they can communicate their aims and objectives directly, which reduces bottlenecks and gives clear accountability and shared expertise.
It increases the emphasis on automating builds and quality assurance testing, and it allows vulnerabilities in code to be identified early, while the change is still cheap to fix, which reduces the number that reach production and are exposed to attackers.
What are the trade-offs?
Like many agile working practices, this changes how people work: it introduces more collaboration and less buck-passing, which is a cultural shift for some. Automated security checks also need maintenance; if they are noisy or block builds on false positives, developers learn to ignore or bypass them, so the checks have to be tuned and the findings kept actionable.
How is it being used?
Many organizations are moving closer to a DevSecOps approach. This usually goes hand in hand with what is known as shifting security left, which means bringing vulnerability checking and scenario testing earlier in the delivery cycle, ideally to the point where a developer commits a change.
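The following is an added example, not code from the original page, showing what "security testing done by the development team as they proceed" and "shifting left" look like mechanically: a small gate that a pre-commit hook or CI job runs over the files in a change, failing the build if the change pins a dependency with a known advisory or adds a hard-coded credential. The advisory list, package names and advisory labels are constructed for illustration (a real pipeline would query an advisory database), and the sample change is constructed as well; the credential patterns are the well-known shapes of an AWS access key ID, a PEM private key header, and a quoted password literal.

```python
"""Minimal shift-left security gate (added example; not from the original page).

Run it over the files touched by a change. Exit status 0 means the change may
proceed; 1 means findings must be fixed by the developer before merge.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed advisory feed for illustration only: package -> (first fixed
# version, advisory label). Package names and labels are fictitious.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "examplelib": ("1.4.2", "EXAMPLE-ADV-001 (constructed)"),
    "demohttp": ("2.0.0", "EXAMPLE-ADV-002 (constructed)"),
}

# Deliberately narrow credential patterns to keep false positives low; noisy
# gates get bypassed, which defeats the point of shifting left.
SECRET_PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password literal", re.compile(r"(?i)password\s*=\s*['\"][^'\"]{4,}['\"]")),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Assumes plain numeric dotted versions."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines of a pinned requirements file.

    Unpinned lines are rejected: a floating version cannot be checked against
    an advisory, so the gate fails closed rather than silently skipping it.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def vulnerable_dependencies(pins: Dict[str, str]) -> List[str]:
    """Report every pinned package whose version is below the first fixed one."""
    findings = []
    for name, version in pins.items():
        advisory = ADVISORIES.get(name)
        if advisory and parse_version(version) < parse_version(advisory[0]):
            findings.append(
                f"{name}=={version} is affected by {advisory[1]}; upgrade to >={advisory[0]}"
            )
    return findings


def hardcoded_secrets(path: str, text: str) -> List[str]:
    """Report each line of a source file that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(f"{path}:{lineno}: possible {label}")
    return findings


def run_gate(files: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Run every check over the changed files; return (passed, findings)."""
    findings: List[str] = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            findings += vulnerable_dependencies(parse_requirements(text))
        else:
            findings += hardcoded_secrets(path, text)
    return (not findings, findings)


# Constructed sample change: one outdated pin and two credentials in config.
SAMPLE_CHANGE = {
    "requirements.txt": "examplelib==1.3.0   # constructed\ndemohttp==2.1.0\n",
    "app/config.py": 'DB_PASSWORD = "hunter2-prod"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
}

if __name__ == "__main__":
    passed, results = run_gate(SAMPLE_CHANGE)
    for item in results:
        print("FAIL:", item)
    print("gate passed" if passed else "gate failed")
    sys.exit(0 if passed else 1)  # non-zero status is what blocks the CI job
```

The exit status is the integration point: a pre-commit hook or CI step that runs this script blocks the merge on non-zero status, so the developer who made the change sees the finding immediately, which is the feedback loop the paragraphs above describe. Failing closed on unpinned requirements is a deliberate choice; skipping what cannot be checked would quietly weaken the gate.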