DevSecOps vs. DevOps: What’s the Difference?

DevSecOps builds on DevOps with security testing and compliance checks, without reducing agility or speed.

DevSecOps is where DevOps in highly regulated industries is going

DevSecOps explicitly calls out the addition of security in DevOps initiatives by emphasizing the importance of security throughout the software development cycle. This is desirable in highly regulated industries that are under pressure to mitigate risk as they seek the value of DevOps. DevSecOps brings security teams into the DevOps collaborative mindset, shifts security left to check developer workflows and shifts security right to bring in continuous security monitoring and remediation.

Integrating security early on means less back and forth after code has progressed to testing, security and compliance. This translates into faster development and delivery, happier developers, safer software and more satisfied users.

The DevSecOps Maturity Model for Secure Software Development

Use this five-dimension framework to secure software development and enable plotting a path toward secure by design.


Making sense of DevOps and DevSecOps

DevSecOps (as well as GitOps and DataOps) evolved from DevOps — a term first coined in 2009.

What is DevOps?

DevOps culminated from efforts to solve the disconnect and dysfunction built into the software development process. Although they had the same ultimate goal, software developers and IT operations traditionally worked separately, under different leaders and toward different objectives and priorities. Without avenues for collaboration, developers’ and ops professionals’ differences grew into roadblocks that negatively affected time to market and customer satisfaction.

DevOps is defined as a business-driven approach for delivering customer value using agile methods, collaboration and automation. It makes software development more holistic by breaking down traditional silos, encouraging communication and moving away from the rigidity of the waterfall methodology. Done right, it allows organizations to release a greater volume of software more quickly (or continuously) while maintaining a high level of quality. Customer satisfaction and value are the primary measures of DevOps success.

What is DevSecOps?

DevSecOps builds on DevOps by adding security and compliance explicitly into the mix. In an environment of escalating risk, it makes good business sense to eliminate security breaches and vulnerabilities wherever and as early as possible. Whereas traditional application security testing is done late in the software development cycle, the DevSecOps approach builds in security during development. Runtime protection is an essential part of a DevOps strategy. 

DevSecOps views application security as part of a continuous improvement process that spans development and operations. However, the objective is not to eliminate every vulnerability during development, but rather to speed up development without compromising security and compliance.

What DevOps and DevSecOps have in common

Aside from having development and operations in common, DevOps and DevSecOps both rely on an agile, collaborative approach that emphasizes automation. In an ideal software development scenario, all software would be developed with security in mind. As security is in everyone’s interest, developers ideally consider it whether working with a DevOps or DevSecOps approach. With DevOps, collaboration is implicit; with DevSecOps, collaboration is explicit.

Both ways of working foster alignment versus division, communication versus assumptions, problem solving versus blame, and continuous improvement.

How DevOps and DevSecOps differ

DevSecOps explicitly integrates security into DevOps with the express purpose of removing the bottlenecks between developers and security teams. Security team collaboration, testing tools and processes such as threat modelling are available earlier in the development process, ideally while developers are still designing the code. Regardless of the term used — DevOps or DevSecOps — development and operations teams need to collaborate with the security group, and the controls that enable security must be built in throughout the whole delivery value stream. In the end, what matters is the focus on the customer and on optimizing value, cost and risk within the required time frames, not the label used. Pick the term that resonates most with your organization and move ahead from there.

DevSecOps and DevOps FAQs

What is DevSecOps?

DevSecOps is the integration and automation of security and compliance testing into agile IT and DevOps development pipelines. DevSecOps aims to do this as seamlessly and transparently as possible, without reducing developers’ agility or speed or requiring them to leave their development toolchain.

What type of role can a company hire to incorporate DevOps or DevSecOps?

DevOps is not a team or role, nor is it an objective or a goal. Instead, it is a way of working to address business needs and deliver customer value. Simply put, DevOps is about focusing on customer value and then getting various groups to work together to deliver it.
