Vol. 1 · Ed. 2026
CyberGlossary
Entry № 345

DevSecOps

Reviewed by: Cybersecurity entrepreneur & security researcher

What is DevSecOps?

DevSecOps: A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.


DevSecOps extends DevOps by treating security as a shared responsibility across development, security and operations rather than a downstream gate. It automates security controls inside CI/CD pipelines — SAST, SCA, secret scanning, container scanning, IaC analysis, DAST and policy-as-code — so issues are surfaced where developers already work. It pairs automation with cultural change: security champions, blameless retrospectives, security KPIs in dashboards and self-service tooling. Done well, DevSecOps shortens mean-time-to-remediate, reduces escape rates of vulnerabilities to production and lowers compliance friction, while keeping deployment frequency high.

Examples

  1. Running Trivy, Semgrep and Gitleaks on every pull request in a GitHub Actions pipeline.

  2. Enforcing OPA/Conftest policy-as-code on Terraform plans before they can be applied.
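The first example as a concrete pipeline: an added GitHub Actions workflow (not taken from the glossary or from any of the named projects) that runs Semgrep, Trivy and Gitleaks on every pull request and fails the check when findings exceed the configured threshold. Action tags, the `semgrep/semgrep` image and the severity threshold are assumptions; pin third-party actions to a commit SHA in real use.

```yaml
name: pr-security-scan
on:
  pull_request:

permissions:
  contents: read            # least privilege: the scanners only need to read the tree

jobs:
  sast-semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # assumed image; Semgrep's published container
    steps:
      - uses: actions/checkout@v4
      # --error makes semgrep exit non-zero when it has findings,
      # which turns the job red and blocks the merge on the PR
      - run: semgrep scan --config auto --error

  sca-and-iac-trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0   # assumed tag
        with:
          scan-type: fs                  # lockfiles (SCA) and IaC files in the checkout
          scan-ref: .
          scanners: vuln,misconfig
          severity: CRITICAL,HIGH        # threshold is a policy choice, assumed here
          ignore-unfixed: true           # do not block on issues that have no fix yet
          exit-code: "1"                 # fail the job when findings at/above threshold exist

  secrets-gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                 # full history so a secret committed then removed
                                         # in an earlier PR commit is still caught
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Mark the three jobs as required status checks on the protected branch; without that, a red scan is informational only and does not actually gate the merge.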

Frequently asked questions

What is DevSecOps?

A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed. It belongs to the Application Security category of cybersecurity.

What does DevSecOps mean?

A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.

How is DevSecOps put into practice?

DevSecOps combines technical controls (automated scanning and policy checks inside the CI/CD pipeline) with operational practices (shared responsibility, security champions, measurable security KPIs), as detailed in the full definition above.

What are other names for DevSecOps?

Common alternative names include: SecDevOps, Rugged DevOps.
