DEV Community

Tanya Janca
Tanya Janca

Posted on • Edited on

Security is Everybody's Job - Part 4 - What is DevSecOps?

The previous article in this series is here.

In this post we will explore The 3 Ways of DevOps. But first, a definition.

DevSecOps is Application Security, adjusted for a DevOps environment.

-Imran A Mohammed

DevSecOps is the security activities that application security professionals perform, in order to ensure the systems created by DevOps practices are secure. It's the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!

Photo by Marvin Meyer on Unsplash
Photo by Marvin Meyer on Unsplash

Refresher on The Three Ways:
Emphasize the efficiency of the entire system, not just your part.
Fast feedback loops.
Continuous learning, risk taking and experimentation (failing fast)

Let’s dig in, shall we?

  1. Emphasize the efficiency of the entire system, not just one part.

This means that Security CANNOT slow down or stop the entire pipeline (break the build/block a release), unless it's a true emergency. This means Security learning to sprint, just like Ops and Dev are doing. It means focusing on improving ALL value streams, and sharing how securing the final product offers value to all the other steams. It means fitting security activities into the Dev and Ops processes, and making sure we are fast.

  1. Fast feedback loops.

Fast feedback loops = "Pushing Left" (in application security)

Pushing or shifting "left" means starting security earlier in the System Development Life Cycle (SDLC). We want security activities to happen sooner in order to provide feedback earlier, which means this goal is 100% inline with that we want. The goal of security activities must be to shorten and amplify feedback loops so security flaws (design/architecture issues) and bugs (code/implementation issues) are fixed as early as possible, when it's faster, cheaper and easier to do a better job.

  1. Continuous learning, risk taking and experimentation For most security teams this means serious culture change; my favourite thing. InfoSec really needs some culture change. In fact, all of IT does (including Dev and Ops) if we want to make security everybody's job.

Part of The Third Way:

  • Allocating time for the improvement of daily work
  • Creating rituals that reward the team for taking risks: celebrate successes
  • Introducing faults into the system to increase resilience: red team exercises

We are going to delve deep into each of the three ways over the next several articles, exploring several ways that we can weave security through the DevOps processes to ensure we are creating more secure software, without breaking the flow.


For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

Top comments (0)