DevSecOps
The practice of integrating security tools and responsibilities throughout the software development lifecycle.
Also known as
- Development Security Operations
- Shift-Left Security
DevSecOps extends the DevOps model by embedding security practices and tooling at every stage of the software development lifecycle (SDLC), rather than applying security as a gate at the end.
The phrase “shift left” refers to moving security earlier in the development pipeline — catching vulnerabilities when they are cheapest to fix (in code review or CI) rather than in production.
Key practices
| Stage | Security activity |
|---|---|
| Plan | Threat modelling, security requirements |
| Code | IDE security plugins, pre-commit hooks, SAST |
| Build | Dependency scanning (SCA), container image scanning |
| Test | DAST, integration security tests, fuzzing |
| Deploy | IaC scanning (Terraform, Helm), policy as code |
| Operate | Runtime protection (SIEM, WAF, EDR), vulnerability management |
DevSecOps pipeline (GitLab CI example)

```yaml
# Security stages run on every pipeline before the deploy stage is reached.
stages: [sast, dependency-scan, container-scan, dast, deploy]

sast:
  stage: sast
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:latest
  script:
    - /analyzer run   # entrypoint exposed by GitLab's analyzer images

dependency_scanning:
  stage: dependency-scan
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:latest
  script:
    - /analyzer run
```
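The analyzer jobs above produce findings; what turns them into a "shift-left" gate is a policy step that decides whether the pipeline may continue. The script below is an added example written for this entry (not GitLab's or any analyzer's own code): it reads a scanner report, blocks on findings at or above a configured severity, and honours a time-boxed allowlist so that accepted risks are recorded with an expiry rather than silenced forever. The report shape is a constructed, simplified approximation of a scanner's JSON output, and the policy format is an assumption.

```python
"""Policy-as-code gate for a CI security stage.

Added example for this glossary entry (not GitLab's or any analyzer's own
code).  It reads a vulnerability report, applies a severity threshold plus a
time-boxed allowlist of accepted findings, and returns the exit status a CI
job should use.  The report shape is a constructed, simplified approximation
of a scanner's JSON output; the policy format is an assumption.
"""
import json
import sys
from datetime import date

# Higher rank = more severe.  Unlisted labels fall back to "Unknown".
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report, standing in for what a SAST/SCA job would write.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "severity": "Critical", "name": "SQL injection",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "b2", "severity": "High", "name": "Hard-coded credential",
         "location": {"file": "config/settings.py", "start_line": 7}},
        {"id": "c3", "severity": "Low", "name": "Weak random source",
         "location": {"file": "app/token.py", "start_line": 12}},
    ],
})

# Constructed policy: block on High and above; one finding is accepted until a
# stated date with a recorded justification (the ticket id is a placeholder).
SAMPLE_POLICY = {
    "fail_on": "High",
    "allowlist": [
        {"id": "b2", "expires": "2031-06-30",
         "reason": "secret is being moved to the vault, tracked in TICKET-PLACEHOLDER"},
    ],
}


def active_allowlist(policy, today_iso):
    """Return the ids of allowlist entries that have not expired on today_iso."""
    today = date.fromisoformat(today_iso)
    return {entry["id"] for entry in policy.get("allowlist", [])
            if date.fromisoformat(entry["expires"]) >= today}


def evaluate(report_json, policy, today_iso):
    """Split findings at or above the threshold into (blocking, accepted) lists."""
    threshold = SEVERITY_RANK[policy["fail_on"]]
    allowed = active_allowlist(policy, today_iso)
    blocking, accepted = [], []
    for finding in json.loads(report_json).get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(finding.get("severity"), SEVERITY_RANK["Unknown"])
        if rank < threshold:
            continue  # below the policy threshold: reported elsewhere, not gated on
        (accepted if finding["id"] in allowed else blocking).append(finding)
    return blocking, accepted


def gate(report_json, policy, today_iso=None):
    """Print a summary and return the exit status (0 pass, 1 block)."""
    today_iso = today_iso or date.today().isoformat()
    blocking, accepted = evaluate(report_json, policy, today_iso)
    for label, findings in (("accepted", accepted), ("BLOCKING", blocking)):
        for finding in findings:
            loc = finding["location"]
            print(f"{label:9} {finding['severity']:8} {finding['name']} "
                  f"({loc['file']}:{loc['start_line']})")
    if blocking:
        print(f"gate failed: {len(blocking)} finding(s) at or above {policy['fail_on']}")
        return 1
    print("gate passed")
    return 0


if __name__ == "__main__":
    # CI usage: python gate.py <report.json> <policy.json>; with no arguments
    # the script runs against the constructed samples above.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            report = fh.read()
        with open(sys.argv[2]) as fh:
            policy = json.load(fh)
    else:
        report, policy = SAMPLE_REPORT, SAMPLE_POLICY
    sys.exit(gate(report, policy))
```

Running it against the samples blocks on the Critical SQL injection, accepts the allowlisted credential finding until its expiry date, and ignores the Low finding because it sits below the threshold; once the allowlist entry expires, the credential finding becomes blocking again, which is the point of time-boxing exceptions instead of suppressing them.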