Shift left, secure first: what you need to know about DevSecOps

As digital security experts at ActWise, we are a CyberArk preferred partner meaning we also work with DevSecOps experts. DevSecOps, that is: Development, Security and Operations. It’s an approach to bridge the gap between those 3 services, which is not an easy thing to do. You might have heard about DevOps before, but what do you know about DevSecOps? In this article we will take you through the pros and cons.

Mind the gap

DevOps is a combination of software development (dev) and operations (ops). It’s focused on uniting people, processes and technologies. The coordination and collaboration between formerly siloed roles like development, IT, engineering and security is central in this approach. 

However, DevOps is also focused on the quick delivery of high quality software, but what about security?

“Security should never be a blockage, security should be everyone’s concern. It should be part of your company culture, of your mindset. It’s not something that can be overlooked.”
– Jochen Kerremans, DevSecOps expert –

Cyber security is a hot topic all around the world and should never be neglected. That’s exactly where DevSecOps comes into play. DevSecOps also focuses on Security. It’s the integration of security practices into every phase of the software development lifecycle, even in those early stages of strategic development and architecture.

 

At Actwise, we for example use CyberArk Conjur as DevSecOps tools. Conjur is a tool to manage credentials on the DevSecOps level and is focused on robotic credentials. The tool is used to centralize all the credentials spread over the different DevOps-tools. It’s not only part of the DevSecOps but also part of Privileged Access Management on the side of robotic credentials (when applications log in). Conjur is a very efficient tool and has some concrete benefits that we’ll show later in this article.

To the left, to the left

There’s a big security evolution going on today. What we already saw in America, is now finding its way to Europa. There’s a ‘shift left testing’ evolution happening, meaning security teams will be more and more involved from the very beginning of the development cycle. Security teams are often isolated on their own islands but with the shift left evolution, you’ll find them more and more involved in different steps of the cycle like strategic level thinking.


It’s the practice of moving “testing, quality and performance evaluation” early in the development process, even before any code is written. It helps teams to anticipate changes that could potentially arise during the development process, that could eventually affect performance or other delivery processes.

Prioritizing security, cutting costs

Last but not least, let’s talk benefits..

1. security overall

First of all, security overall. Generally improving security and preventing security vulnerabilities from surfacing later in software so that they are addressed from the very beginning.

For example, an application has gone into production and afterwards, some vulnerabilities come to the surface. That less likely to happen with DevSecOps because vulnerabilities will be addressed from the very beginning.

2. risk & breach REDUCTION

That first benefit will automatically lead to the second: an overall reduction of security risks and data breaches. All possible vulnerabilities have been looked at since the very beginning and should have been solved before any next steps, like production, are taken.

After implementing the CyberArk Conjur tool, it will stay up and running for new projects too. You’ll be able to implement other credentials from new projects into your existing ones.

3. cost reduction

Last but not least, because security is involved from the ground up, there’s a cost reduction in the long run. Often you’ll find that if there are any vulnerabilities in your software, it takes more time and money to fix them and to release those fixes. In this case, you’ll find and fix the vulnerability in the beginning and this will save you time and money.

Overall, DevSecOps is a must!

Overall, DevSecOps is a must! By embedding security into every aspect of the development lifecycle, you can minimize risks and reduce potential threats. With implementing security in the beginning of the cycle, you’ll also save time and money and you know what they say, time is money! Not convinced yet? Reach out to our expert Jochen for further insights!

More insights