Is it DevSecOps or SecDevOps?

There's no doubt that DevOps and security are top-of-mind for software organizations, and integrating security into DevOps has introduced the terms SecDevOps and DevSecOps. Although the two terms are used interchangeably, the order of the words is important. Why? Because in most cases, security is still being "tacked on" at the end of the deployment process. In this post I'll discuss how delivering secure software is easier to achieve when security is an integral part of development from the start of the software development process, rather than a gate at the end of the delivery pipeline.

What Security Looks Like in DevSecOps

Despite the increased focus on security, it's challenging for software teams to build security into a process and pipeline. The pressure to complete projects on time and within budgets often overrules other considerations. As a result, we tend to see security added as the last gating step for a release candidate, as illustrated below: