DevSecOps is an approach to IT security based on the principles of DevOps. The exact formulation is still emerging, but we think it’s useful to capture emerging practices for achieving security while building applications and APIs without disrupting high-speed software pipelines.

DevSecOps Is Full Stack: DevSecOps spans the entire IT stack and includes network, host, container, server, cloud, mobile, and application security. Increasingly, all of these layers are turning into software, which makes application security a critical focus for DevSecOps.

DevSecOps Is Full SLC: DevSecOps also spans the full software lifecycle, including development and operations. In development, the focus is on identifying and preventing vulnerabilities, while in operations, monitoring and defending applications are the goals.


Can you apply DevSecOps practices and tools to non-DevOps projects? Absolutely. The ideas in this document are applicable to almost any software project. If your goal is to produce highly secure software in the most cost-effective way possible, then DevSecOps is the path forward.

Gartner has named DevSecOps one of their fastest-growing areas of interest and predicts that DevSecOps will be embedded into 80 percent of rapid development teams by 2021. Organizations practicing DevSecOps have shown impressive results. These early adopters are 2.6x more likely to have security testing keep up with frequent application updates and show a 2x reduction in time to fix vulnerabilities.

Understanding the different types of security work and their value to your organization is critical to successful DevSecOps initiatives. Until you truly understand the work, it’s going to be difficult to deliver it effectively. You can learn more about this topic and DevOps in general by reading books like The Phoenix Project and The DevOps Handbook.