Understand DevSecOps

While adopting cloud computing is on the rise to support business productivity, a lack of security infrastructure can inadvertently compromise data.

The 2018 Microsoft Security Intelligence Report finds that:

  • Data isn't encrypted both at rest and in transit by:
    • 7% of software as a service (SaaS) storage apps.
    • 86% of SaaS collaboration apps.
  • HTTP header session protection is supported by only:
    • 4% of SaaS storage apps.
    • 3% of SaaS collaboration apps.

Secure DevOps (or DevSecOps)

DevOps is about working faster. Security is about emphasizing thoroughness. Security concerns are typically addressed at the end of the cycle, which can create unplanned work right at the end of the pipeline. Secure DevOps integrates DevOps with security into a set of practices designed to meet the goals of both DevOps and security effectively.

Diagram: a Venn diagram with one DevOps circle and one Security circle overlapping. The overlap is labeled Secure DevOps.

A Secure DevOps pipeline allows development teams to work fast without breaking their project by introducing unwanted security vulnerabilities.

Note

Secure DevOps is also sometimes referred to as DevSecOps. You might encounter both terms, but each refers to the same concept.

Security in the context of Secure DevOps

Historically, security typically operated on a slower cycle and involved traditional security methodologies, such as:

  • Access control.
  • Environment hardening.
  • Perimeter protection.

Secure DevOps includes these traditional security methodologies and more. With Secure DevOps, security is about securing the pipeline.

Secure DevOps involves determining where to add protection to the elements that plug into your build and release pipelines.

Secure DevOps can show you how and where you can add security to your automation practices, production environments, and other pipeline elements while benefiting from the speed of DevOps.

Secure DevOps addresses broader questions, such as:

  • Is my pipeline consuming third-party components, and are they secure?
  • Are there known vulnerabilities within any of the third-party software we use?
  • How quickly can I detect vulnerabilities (also called time to detect)?
  • How quickly can I remediate identified vulnerabilities (also known as time to remediate)?

Security practices for detecting potential security anomalies must be as robust and fast as the other parts of your DevOps pipeline, which also include infrastructure automation and code development.
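As an added example (not code from this module), the following Python pipeline gate answers the questions listed above over constructed data: it checks whether the build consumes third-party components with known vulnerabilities, fails the build if so, and computes time to detect and time to remediate from timestamps. The package names, advisory ids and timestamps are constructed placeholders, not real advisories.

```python
"""Added example: a minimal Secure DevOps pipeline gate over a dependency
manifest and an advisory feed. All names, ids and timestamps are constructed."""
from datetime import datetime, timedelta

# Constructed dependency manifest, as a build step would emit it.
MANIFEST = {"webfw": "2.3.1", "jsonlib": "1.0.4", "tlsutil": "0.9.0"}

# Constructed advisory feed: (package, first vulnerable, first fixed, advisory id).
ADVISORIES = [
    ("jsonlib", "1.0.0", "1.0.5", "ADV-EXAMPLE-001"),
    ("tlsutil", "0.8.0", "0.9.0", "ADV-EXAMPLE-002"),  # pinned version is already fixed
    ("webfw", "2.0.0", "2.3.2", "ADV-EXAMPLE-003"),
]


def parse_version(text):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_components(manifest, advisories):
    """Return (package, advisory id) pairs whose affected range covers a pinned version."""
    hits = []
    for package, first_bad, first_fixed, adv_id in advisories:
        if package not in manifest:
            continue
        version = parse_version(manifest[package])
        # Affected range is [first vulnerable, first fixed).
        if parse_version(first_bad) <= version < parse_version(first_fixed):
            hits.append((package, adv_id))
    return hits


def gate_passes(manifest, advisories):
    """The build is blocked when any consumed component has a known vulnerability."""
    return not vulnerable_components(manifest, advisories)


def detection_metrics(published, detected, remediated):
    """Time to detect and time to remediate, in hours, from ISO-8601 timestamps."""
    pub, det, rem = (datetime.fromisoformat(t) for t in (published, detected, remediated))
    time_to_detect = (det - pub) / timedelta(hours=1)
    time_to_remediate = (rem - det) / timedelta(hours=1)
    return time_to_detect, time_to_remediate


if __name__ == "__main__":
    for package, adv_id in vulnerable_components(MANIFEST, ADVISORIES):
        print(f"BLOCKED: {package} {MANIFEST[package]} is affected by {adv_id}")
    print("gate passes:", gate_passes(MANIFEST, ADVISORIES))
```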