
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Jan 30, 2019 — Application Security expert

Part 1: App Security Should Be an Integral Part of Your DevSecOps Process — Not an Afterthought

Application Security

What are the key considerations and components of DevSecOps?

The intention of DevSecOps is to build the mindset that everyone is responsible for security — and that security needs to be built into your process, rather than as a perimeter around apps and data.

Traditionally, within the Software Development Life Cycle (“SDLC”), security was handled by a separate team that reviewed the product only in the final stage of development. This waterfall approach was not a problem when development cycles lasted months or years. However, with the rise of agile, Continuous Integration (“CI”) and Continuous Deployment (“CD”) models, a single late-stage security gate is no longer feasible.

DevSecOps involves creating a flexible collaboration between release engineers and security teams in order to build security into the DevOps process. The goal is to avoid the bottleneck that older security models impose on the CI/CD pipeline. Achieving it requires increased communication and shared responsibility between development, IT and security teams, so that security testing and remediation happen in every iteration as the code is written, rather than shortly before release.

The two primary benefits of DevSecOps are:

  1. Better ROI of existing security infrastructure
  2. Improved operational efficiencies across security and the rest of IT

The six important components of a DevSecOps approach are:

  1. Code Analysis: Deliver code in small chunks, so vulnerabilities can be identified quickly
  2. Change Management: Increase speed and efficiency by allowing anyone to submit changes, then determine whether each change is good or bad
  3. Compliance Monitoring: Be ready for an audit at any time
  4. Threat Investigation: Identify potential emerging threats with each code update and be able to respond quickly
  5. Vulnerability Assessment: Identify new vulnerabilities with code analysis, then analyze how quickly they are responded to and patched
  6. Security Training: Train software and IT engineers with guidelines for set routines

By integrating security into the agile development process, organizations will be able to address security threats more effectively, in real time. Making security a shared responsibility between development, IT and security teams should help change the perception that security is a burden and slows down the agile process — in addition to sensitizing the entire team to the need for speed and agility to deliver new solutions to market.

To learn more about how to start implementing a DevSecOps process into your organization, read our blog next week.
