Published in DevOps Dudes

Security is Everybody’s Job — Part 4 — What is DevSecOps?

The previous article in this series is here.

In this post we will explore The 3 Ways of DevOps. But first, a definition.

DevSecOps is Application Security, adjusted for a DevOps environment.

- Imran A Mohammed

DevSecOps consists of the security activities that application security professionals perform in order to ensure that the systems created by DevOps practices are secure. It’s the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!

Photo by Marvin Meyer on Unsplash

Refresher on The Three Ways:

  1. Emphasize the efficiency of the entire system, not just your part.
  2. Fast feedback loops.
  3. Continuous learning, risk taking and experimentation (failing fast).

Let’s dig in, shall we?

1. Emphasize the efficiency of the entire system, not just one part.

This means that Security CANNOT slow down or stop the entire pipeline (break the build/block a release), unless it’s a true emergency. It means Security learning to sprint, just like Ops and Dev are doing. It means focusing on improving ALL value streams, and sharing how securing the final product offers value to all the other streams. It means fitting security activities into the Dev and Ops processes, and making sure we are fast.

2. Fast feedback loops.

Fast feedback loops = “Pushing Left” (in application security)

Pushing or shifting “left” means starting security earlier in the System Development Life Cycle (SDLC). We want security activities to happen sooner in order to provide feedback earlier, which means this goal is 100% in line with what we want. The goal of security activities must be to shorten and amplify feedback loops so that security flaws (design/architecture issues) and bugs (code/implementation issues) are fixed as early as possible, when it’s faster, cheaper and easier to do a better job.
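The first two ways above translate into a concrete engineering question: how does a CI job give developers fast, specific security feedback without breaking the build for anything short of a true emergency? The script below is an added example, not code from the original post or from any particular scanner. It assumes a hypothetical finding format (rule id, severity, file, line, and an "exploitable" flag from the scanner) and a policy that blocks only on critical findings reported as exploitable, warns on other high-severity findings, and reports the rest as information; the rule names and file paths in the sample data are constructed for illustration.

```python
"""Build-gate policy: fast security feedback in CI without blocking the
pipeline unless a finding is a true emergency.

Added example (not from the original post). The finding format, the
severity names and the policy thresholds are assumptions made for
illustration; map them onto whatever scanner your pipeline actually runs.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    rule: str            # scanner rule id (hypothetical values below)
    severity: Severity
    path: str
    line: int
    # True when the scanner reports the issue as reachable/exploitable in
    # this build (e.g. a vulnerable dependency on a network-facing path).
    exploitable: bool = False


@dataclass
class Decision:
    outcome: str                        # "pass", "warn" or "block"
    block_reasons: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    info: list = field(default_factory=list)


def is_emergency(f: Finding) -> bool:
    """The one case where the build may be stopped: a critical finding
    that the scanner says is exploitable as shipped."""
    return f.severity == Severity.CRITICAL and f.exploitable


def format_feedback(f: Finding) -> str:
    """One line a developer can act on immediately: location, severity, rule."""
    return f"{f.path}:{f.line} [{f.severity.name}] {f.rule}"


def evaluate(findings: list) -> Decision:
    """Apply the gate policy:
       - emergencies block the build
       - HIGH/CRITICAL non-emergencies warn (ticketed, build continues)
       - everything else is informational feedback only"""
    d = Decision(outcome="pass")
    for f in findings:
        msg = format_feedback(f)
        if is_emergency(f):
            d.block_reasons.append(msg)
        elif f.severity >= Severity.HIGH:
            d.warnings.append(msg)
        else:
            d.info.append(msg)
    if d.block_reasons:
        d.outcome = "block"
    elif d.warnings:
        d.outcome = "warn"
    return d


def exit_code(d: Decision) -> int:
    """CI exit status: only a block fails the job; warn still passes."""
    return 1 if d.outcome == "block" else 0


# Constructed sample findings standing in for real scanner output.
SAMPLE_FINDINGS = [
    Finding("sql-injection", Severity.CRITICAL, "api/users.py", 42, exploitable=True),
    Finding("hardcoded-secret", Severity.HIGH, "config/settings.py", 7),
    Finding("weak-hash-md5", Severity.MEDIUM, "util/checksum.py", 19),
    Finding("vulnerable-dependency", Severity.CRITICAL, "requirements.txt", 3,
            exploitable=False),  # critical but not reachable: warn, don't block
]

if __name__ == "__main__":
    decision = evaluate(SAMPLE_FINDINGS)
    for line in decision.block_reasons:
        print("BLOCK", line)
    for line in decision.warnings:
        print("WARN ", line)
    for line in decision.info:
        print("INFO ", line)
    print("outcome:", decision.outcome)
    raise SystemExit(exit_code(decision))
```

The design choice worth noticing is that severity alone never blocks: the critical-but-unreachable dependency finding is surfaced as a warning the team must track, while the build keeps flowing. Every finding still reaches the developer with a file and line number on the same run, which is the "shorten and amplify the feedback loop" part; only the exploitable critical finding is treated as the emergency that justifies stopping the pipeline.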

3. Continuous learning, risk taking and experimentation

For most security teams this means serious culture change, which is my favourite thing. InfoSec really needs some culture change. In fact, all of IT does (including Dev and Ops) if we want to make security everybody’s job.

Part of The Third Way:

• Allocating time for the improvement of daily work

• Creating rituals that reward the team for taking risks: celebrate successes

• Introducing faults into the system to increase resilience: red team exercises

We are going to delve deep into each of the three ways over the next several articles, exploring several ways that we can weave security through the DevOps processes to ensure we are creating more secure software, without breaking the flow.

If you are itching for more, but can’t wait until the next post, watch this video by Tanya Janca. She will explain this and much more in her talk Security Learns To Sprint.

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!
