DEV Community

Cover image for (EN) What is DevSecOps?
Deniz Bektaş
Deniz Bektaş

Posted on

(EN) What is DevSecOps?

DevSecOps enables fast and secure application development by incorporating the security layer into every step of the software development lifecycle. It was formed by combining the concepts of Development, Security, Operations.

DevSecOps represents the software company's approach to security. In DevOps processes, security was added at the end of the entire software development cycle, tested by a separate quality assurance team.

This process was not a problem when software updates were released 1-2 times a year. However, the concepts of agile software development and DevOps, which aimed to reduce the software development process to a few days, later made it impossible to deal with security separately.

This is where the concept of DevSecOps emerged. A security step has been added after each step of DevOps and agile software development steps. Thus, when the application is finished and published, instead of sticking it on the finished application like a patch later, it handles security at every step of production and operation, where security problems arise.

In addition, in the concept of DevSecOps, application security has become the joint responsibility of the development, security and IT operations teams rather than the responsibility of a single person or group. DevSecOps is the advancement of secure software in parallel with software development without slowing down the software development cycle.

Benefits of the DevSecOps Concept

The benefits of DevSecOps are quite simple. It eliminates the security problems that may be experienced during the software development and operation process. Teams/companies that want to include security in their DevOps processes can provide this process with the concept of DevSecOps.

Let's take a look at a typical DevSecOps development model:

  • A software developer creates code inside the version control system.
  • The changes made depend on the version control system. Another developer takes this code from the version control system and analyzes the code to identify the parts of the code that may cause security errors and fixes the relevant security errors.
  • The relevant code snippet is registered in the version control system with a different version number. These processes continue until all code snippets of the application are finished and ready to run.
  • Then, the application is deployed using an infrastructure tool (virtual server, cloud, docker, etc.) and the security configurations are applied to the relevant system.
  • Afterwards, the relevant application is subjected to a series of tests such as UI, integration, API and security tests, and the errors found during this test (if any) are fixed by the relevant units.
  • If the application passes the above tests, it is taken to the live environment.
  • This new application is constantly monitored to detect active security threats to the system.

Why Need DevSecOps?

While DevOps practices excel in speed, functionality, and scale, they often lack security and compliance. Therefore, with the concept of DevSecOps, security should be included in software development, testing and operations.

It is imperative for any application development organization to ensure that responsibility for security is equally distributed among software development and operations teams. When security practices and DevOps concepts are integrated, security is more easily achieved in product development and operation.

Discussion (0)