DevSecOps extends DevOps: everyone in the software development life cycle is responsible
for security, bringing operations and development together with security functions. DevSecOps
embeds security in every part of the development and operations processes. It is about automating
core security tasks by embedding security controls and processes early in the DevOps workflow,
rather than bolting them on at the end. For example, this applies when migrating to
microservices, building out a CI/CD pipeline, automating compliance, or simply testing cloud
infrastructure. It is about getting security back into the lifecycle, or, as it has been described, 'shifting security left'.
Integrating security into DevOps to deliver DevSecOps requires new mindsets, processes, and tools.
Starting with continual risk assessment, security and risk management leaders need to adhere to
the collaborative, agile nature of DevOps, so that security is seamless and transparent in the development
process: as silent, encompassing, and seamless as possible.
How a business can approach built-in security, from the beginning and continually:
1. Establish a security and data privacy strategy: a security program spanning people, process and products, with risk assessment and policies.
2. Integrate data protection, secure coding and testing practices within the engineering
lifecycle.
3. Leverage automation to integrate security into the DevOps and CI/CD pipeline, from code scanners through to continuous security configuration management and remediation, in development, testing, staging and production environments.
4. Finally, stay abreast of practices, regulations and auditing, and remain certified, in true intent and spirit.
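Step 3 is where "shifting left" becomes concrete: a scanner's findings are evaluated inside the pipeline, and the build fails before anything reaches staging or production. The following is an added illustration, not code from the original text or from any particular DevSecOps product. It implements a minimal policy gate over a scanner report. The report shape (`{"findings": [...]}`), the rule ids, file paths and exception records are all constructed assumptions; a real pipeline would feed it the output of its own SAST or dependency scanner.

```python
"""Minimal CI/CD security gate (constructed example).

Reads a scanner report, applies a severity policy with documented,
time-limited exceptions, and returns a non-zero exit code so the CI job
fails early. Report format, rule ids and paths are assumptions."""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Ordered severities; anything at or above the gate threshold must be fixed
# or covered by a valid exception before the stage may proceed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str


@dataclass(frozen=True)
class PolicyException:
    rule_id: str
    location: str        # "*" matches any location
    expires: str         # ISO date: exceptions are re-justified, never permanent
    justification: str


def parse_findings(report_json: str) -> list[Finding]:
    """Parse a report of the assumed shape {"findings": [{rule_id, severity, location}]}."""
    data = json.loads(report_json)
    return [Finding(f["rule_id"], str(f["severity"]).lower(), f["location"])
            for f in data["findings"]]


def is_excepted(finding: Finding, exceptions: list[PolicyException], today: date) -> bool:
    """An exception applies only if rule and location match and it has not expired."""
    for e in exceptions:
        if (e.rule_id == finding.rule_id
                and e.location in ("*", finding.location)
                and date.fromisoformat(e.expires) >= today):
            return True
    return False


def evaluate_gate(findings, exceptions, fail_at="high", today=None) -> dict:
    """Sort findings into blocking / excepted / informational and decide pass or fail."""
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, excepted, informational = [], [], []
    for f in findings:
        # Unknown severities fail closed: treat them as critical.
        rank = SEVERITY_RANK.get(f.severity, SEVERITY_RANK["critical"])
        if rank < threshold:
            informational.append(f)
        elif is_excepted(f, exceptions, today):
            excepted.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "excepted": excepted, "informational": informational}


def gate_exit_code(result: dict) -> int:
    """A non-zero exit code is what actually stops the pipeline stage."""
    return 0 if result["passed"] else 1


# Constructed sample report standing in for a real scanner's output.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "hardcoded-secret", "severity": "HIGH", "location": "src/config.py:12"},
    {"rule_id": "sql-string-concat", "severity": "critical", "location": "src/db.py:40"},
    {"rule_id": "weak-hash", "severity": "medium", "location": "src/auth.py:8"},
    {"rule_id": "vulnerable-dependency", "severity": "high", "location": "requirements.txt"},
]})

# Constructed exceptions: one still valid on the sample date, one already expired.
SAMPLE_EXCEPTIONS = [
    PolicyException("vulnerable-dependency", "requirements.txt", "2024-12-31",
                    "Upstream fix scheduled; compensating control in place"),
    PolicyException("sql-string-concat", "*", "2024-01-01",
                    "Legacy query; exception lapsed, finding must now be fixed"),
]


def main(report_json: str = SAMPLE_REPORT, today: str = "2024-06-01") -> int:
    result = evaluate_gate(parse_findings(report_json), SAMPLE_EXCEPTIONS, today=today)
    for bucket in ("blocking", "excepted", "informational"):
        for f in result[bucket]:
            print(f"{bucket:13} {f.severity:8} {f.rule_id} @ {f.location}")
    print("GATE", "PASSED" if result["passed"] else "FAILED")
    return gate_exit_code(result)


if __name__ == "__main__":
    sys.exit(main())
```

The exception records carry an expiry and a justification so that a risk accepted in development is revisited rather than silently inherited by production; when the exception lapses the same finding starts blocking again, which keeps the gate aligned with step 4's requirement to remain compliant "in true intent and spirit" rather than only on paper.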