Table of content
DevSecOps is the term used when security becomes a shared responsibility in a DevOps context. The practice of streamlining development and operations is known as DevOps, and when security is inserted into this process we talk about DevSecOps. Therefore, in DevSecOps, a third group is actively contributing to the development process: the security team. Security engineers collaborate with developers to automate security checks and provide defaults and templates to make it as easy as possible for them to write secure code and configurations from the start.
Because security is a governance process, the governed (developers) and the governors (security and compliance analysts) frequently have an adversarial relationship in security. Culture and teamwork are therefore essential to foster a DevSecOps mindset and increase staff collaboration and understanding. You can read more on DevSecOps here and more on its best practices and tools here.
The added value of DevSecOps compared to DevOps is that security is baked in the software development lifecycle. In other words, the supply chain is secured: all the components entering the final artifact(s), including the environment it was built on, are monitored, verified, signed, and hardened (third-party dependencies, frameworks, repositories, and services, as well as build and delivery pipelines). You can read more on software supply chains and the importance of securing them here.