Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

DevSecOps: Why you should care and how to get started

January 27, 2022
Katrina Novakovic Chris Jenkins
Related topics:
Automation and managementCI/CDDevOpsDevSecOpsSecure Coding
Related products:
Red Hat OpenShift

Share:

    The increasing popularity of DevOps software development methodologies has led to shorter and more agile life cycles, in which software is released and deployed in minutes or hours rather than the days, weeks, or even months required under traditional practices. However, many development teams still experience delays in getting releases into production due to the security considerations that are traditionally brought to bear at the end of the life cycle. To address this, organizations are more and more frequently adopting a DevSecOps approach.

    What is DevSecOps?

    DevSecOps includes security in DevOps practices by embedding (or left-shifting) security into applications early and continuously through a rapid, iterative, and automated software development life cycle (SDLC). The main goal is to produce more secure code more quickly. DevSecOps doesn't aim to turn developers into security experts, but rather educate them in best practices that promote more secure development processes.

    In practical terms, DevSecOps:

    • Promotes secure coding standards and provides automated and repeatable testing.
    • Uses static and dynamic code analysis to quickly find and remediate weaknesses and vulnerabilities in code.
    • Applies secure configurations to provide a secure and compliant development environment.
    • Continuously monitors the production environment for security threats and provides visible governance metrics for both security teams and developers.

    Why should developers care about DevSecOps?

    Organizations that foster a DevSecOps culture can become more agile and respond more quickly to change and innovation, while still meeting regulatory and organizational security goals. Development teams can roll out applications more quickly—without sacrificing security, while still meeting compliance standards. Automated compliance processes can lower costs, and historical data can be made visible and tracked to analyze trends and quickly identify potential vulnerabilities and exposures.

    DevSecOps can decrease the potential risk for your organization and your customers by implementing a few simple strategies:

    • Writing secure code and sharing best practice guides across development teams. This creates a more collaborative environment where everyone is responsible for security risk.
    • Identifying and fixing vulnerabilities earlier in the life cycle. Typical security testing takes place near the end of the development cycle, such as during user acceptance testing or in staging or pre-production environments. Developers end up patching or rewriting code at this late stage when security flaws are discovered. That's counterproductive and increases time to production.
    • Implementing an integrated development environment (IDE) security plugin. This can help developers check for security flaws while coding. There are many options, with two examples being the OWASP SAST plugin and the Snyk IDE Plugin. Using the same IDE across development teams will also lower onboarding time and increase collaboration.

    How can you get started with DevSecOps?

    A shift to a DevSecOps philosophy will not happen overnight and will require buy-in at all levels of your organization. Planning and resources are required to begin the journey. A good place to start would be to identify developers who are already aware of the concepts; they can then become ambassadors to help enable other teams.

    If your development teams want to implement DevSecOps for their projects successfully, the following suggestions can help overcome common challenges and get them started.

    Mindset and culture change

    Consider what a DevSecOps collaborative culture looks like for your development teams. How willing are team members to share the responsibility for security throughout the DevOps value chain? What is your security debt—in other words, how many vulnerabilities have made it into production because developers have chosen not to fix them?

    You'll want to identify security priorities, responsibilities, and communication paths for team members throughout the development life cycle. DevSecOps isn't just about providing tools; you'll also want to change people's perception of security and create more security-aware cross-functional teams. This fosters a culture where security is built in by default rather than bolted on at the end of a project.

    Learning and training

    Consider the additional security-related skills that developers and other team members need to acquire so that they can independently resolve security-related bugs. Formal in-house and external training can raise awareness and allow more experienced developers to mentor others within your organization. These mentors could then run short "Lunch and Learn" sessions with other developers to promote usage and understanding of DevSecOps practices within other development teams.

    The following Red Hat courses and training can assist you:

    • Red Hat DevOps Pipelines and Processes: CI/CD with Jenkins
    • Red Hat Certified Specialist in Security: Linux
    • Various articles in the Red Hat Developer training program

    Integrate security into CI/CD pipelines

    A good way to start with DevSecOps is to create an initial team to evangelize its benefits. Start small so as not to be overwhelmed; for instance, the team could start with a small project that will enable them to hone their skills and create "ways of working" frameworks for other teams. The team should include members from the development, security, and infrastructure groups, as you'll need input from all these areas to plan the move to DevSecOps. Look at implementing a few essential security checks into the SDLC as a proof of concept, but remember to keep it simple at the beginning.

    Tools such as Jenkins, CircleCI, and Bamboo will help automate the parts of software development related to building, testing, and deployment, and should include security checks in the process. If you already have continuous integration/continuous delivery (CI/CD) tools and processes, it should be quite straightforward to add security checks into the mix.

    Examples of security checks include:

    • Enforcing secure coding and defensive coding standards.
    • Looking for source code vulnerabilities.
    • Scanning external libraries.
    • Using a trusted software supply chain.
    • Image vulnerability scanning (consider using a product such as Red Hat Advanced Cluster Security for Kubernetes).
    • Identifying compromised credentials (e.g., passwords, secrets, certificates, API keys, and so on).
    • Static application system testing (SAST), which analyzes development source code for security vulnerabilities and quality issues such as SQL injections or cross-site scripting.
    • Dynamic application security testing (DAST), which analyzes running applications for execution vulnerabilities. This includes black box testing techniques such as fuzz testing.
    • Active and passive penetration testing.

    The results of these tests should be fed into the CI/CD tool, along with the decisions made on the next steps. It's critical to provide feedback to developers at this stage so that security is not seen as a blocker to deployment.

    From here, you'll be able to create common, sharable automated pipelines that include security checks into your application development processes. This approach will ensure that security and consistency are built into your applications from the very beginning. Security doesn't stop after deployment; continuous monitoring and alerting are required during the complete life cycle of an application.

    How can DevSecOps help with regulatory compliance?

    If your application manages payments, handles sensitive customer or patient data, or operates in a regulated market, then there are industry and regulatory standards that you need to meet and monitor. Some organizations may also require that you complete proof-of-compliance or authorization-to-operate documents before you can deploy applications into production environments.

    Compliance goes beyond pure code and can also require additional artifacts, including:

    • Up-to-date documentation that describes data flow, mitigation against accidental data egress, and access controls. Documentation can also include instructions on the secure use of the application.

    Tip: Following coding naming conventions and structured programming conventions will provide nearly self-documenting code, which can minimize the effort required to support and maintain that code.

    • Proposed patching processes for the application, with SLAs relevant to the associated risk categories.

    Tip: Using the most up-to-date Universal Base Images provides a higher level of assurance when it comes to vulnerabilities and patching.

    • Update and release controls to demonstrate and confirm security checks before deployment.

    Tip: Using a GitOps process can implement change control efficiently and effectively, with metrics that show where an application is in the SDLC.

    • Documentation on the complete supply chain, including a software bill of materials that shows what components and vulnerabilities are in the software and associated third-party libraries.

    Tip: Check out the Generating software bill of materials video produced by the Linux Foundation.

    Weaving automated security compliance audits and controls into your SDLC will reduce the time developers will need to meet compliance requirements, allowing them to concentrate on developing software while adhering to all security policies.

    DevSecOps: Security + agility

    DevSecOps is all about automating and integrating security within all phases of the software development life cycle to produce more secure code more quickly and easily. Getting started requires that you change your mindset and organizational culture to collaborate and share responsibility for producing secure and compliant code, using tools and processes to implement security checks into CI/CD pipelines, and implementing automated security compliance audits and controls to comply with regulations. There is much more to DevSecOps, and you can explore it further as you build upon the foundation of these initial recommendations.

    Here are a few resources to continue your DevSecOps journey:

    • Modernize your life cycle and reduce risk with DevSecOps
    • How to deploy a comprehensive DevSecOps solution
    • Modernize and secure your application life cycles with DevSecOps

    You can also explore tutorials, videos, and more on Red Hat Developer's DevSecOps and automation topic pages.

    Last updated: August 26, 2022

    Related Posts

    • How DevSecOps brings security into the development process

    • Four reasons developers should use Ansible

    • A developer's guide to CI/CD and GitOps with Jenkins Pipelines

    • How to apply machine learning to GitOps

    • The present and future of CI/CD with GitOps on Red Hat OpenShift

    • 3 steps toward improving container security

    Recent Posts

    • Cloud bursting with confidential containers on OpenShift

    • Reach native speed with MacOS llama.cpp container inference

    • A deep dive into Apache Kafka's KRaft protocol

    • Staying ahead of artificial intelligence threats

    • Strengthen privacy and security with encrypted DNS in RHEL

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue