DevSecOps Made Simple: 6 Strategies
June 11, 2024

Josh Buker
Cloud Security Alliance

Long gone are the days when security is merely an afterthought in the DevOps process. Instead, recognizing that vulnerabilities can be inadvertently introduced during development, the issue of security has moved front and center, becoming an integral part of the development lifecycle rather than something to be bolted on at the end.

To help organizations navigate the myriad issues and challenges that arise when embedding security into the DevOps process and provide a path to success, the Cloud Security Alliance (CSA), together with Software Assurance Forum for Excellence in Code (SAFECode), drafted a series of white papers based on six critical pillars described in CSA's Reflexive Security Framework(link is external). Each paper tackles a different aspect of implementation and empowers readers with actionable security resources and guidance.

Overview: Six Pillars of DevSecOps(link is external) provides an overview of DevSecOps — what it is and why it's important — and defines the six focus areas that are considered to be critical in its implementation and integration into an organization. Together, these pillars provide a holistic framework, blending traditionally siloed operations — development, infrastructure operations, and information security — into a cohesive group that facilitates creation of secure software. This is a go-to document for anyone looking to get buy-in from stakeholders.

Pillar 1: Collective Responsibility

Pillar 1: Collective Responsibility(link is external) describes the common practices shared by organizations that have taken a program-level approach to security culture development. Broken into three key areas: 1) executive support and engagement, 2) program design and implementation, 3) program sustainment and measurement, the paper suggests how to best garner (and keep) executive support and engagement while building an inclusive cultural program based on cumulative experience. The paper also touches upon how to leverage security champions to create deep engagement and using metrics to sustain, build, and help evolve the program. (Those looking for a deeper understanding should consider the DevSecOps: Collective Responsibility self-paced course(link is external).)

Pillar 2: Collaboration and Integration

Pillar 2: Collaboration and Integration(link is external) addresses the importance of integrating DevSecOps into organizational processes and stresses the key role that fostering a sense of collaboration plays in its successful implementation. Notably, the paper also dives into the convergence between DevSecOps and various technology areas, providing an overview of how DevSecOps can be leveraged for Zero Trust and MLSecOps, and AIOps. Among the topics covered:

■ Overarching principles for successful collaboration in DevSecOps

■ Role-based security training programs, including details on implementing a continuous, role-based security training program at an organization

■ How various organizational roles can and should join forces in an end-to-end DevSecOps delivery pipeline

■ Role-based communication requirements to integrating a new acquisition into an organization's existing DevSecOps processes

■ Crafting a winning DevSecOps culture

Pillar 3: Pragmatic Implementation

Pillar 3: Pragmatic Implementation(link is external) outlines the practices, processes, and technologies that organizations should consider when building out any DevSecOps program and how to implement DevSecOps pragmatically. The paper offers such key take-aways as:

■ Different role profiles to consider during DevSecOps adoption

■ Common mistakes in designing a DevSecOps team structure

■ Impact of culture on velocity and performance

■ Characteristics of an optimized and productive culture

■ Which technologies and processes underpin the pragmatic implementation of DevSecOps

■ Considerations for various activities across all stages of the DevSecOps process, including threat modeling, developer training, security unit testing, penetration testing, GitOps, secrets and key management, and chaos engineering

Pillar 4: Bridging Compliance and Development

Pillar 4: Bridging Compliance and Development(link is external) is broken into three parts offering 1) an approach to compartmentalization and assessment with an eye to minimizing operating impact, 2) best practices on how compliance can be designed and implemented into applications, and 3) a look at the different security tooling practices that can provide assurance to compliance requirements. This paper provides actionable, measurable guidance to DevSecOps teams on translating security and compliance requirements into the development cycle thereby ensuring that the gap between compliance and development is addressed.

Pillar 5: Automation

Pillar 5: Automation(link is external) provides a holistic framework for facilitating security automation within DevSecOps. It offers a series of best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing. Specifically, the document provides insight into:

■ Triggers and checkpoints that should occur in the delivery pipeline

■ Shifting security left while accelerating right

■ Prioritizing and balancing resources along with deliverability

■ Risk factors throughout the delivery pipeline and how automation can mitigate them

■ Automation best practices beyond DevSecOps

Pillar 6: Measure, Monitor, Report, and Action

Pillar 6: Measure, Monitor, Report, and Action(link is external) emphasizes the importance of continuous measurement and observability in DevSecOps and offers a detailed exploration of making security data observable, applying these principles to various team performance levels, and improving security observability through effective reporting. Among the paper's key recommendations are the adoption and use of specific principles for enhancing reporting to drive continuous improvement in security. Topics of exploration include:

■ Data observability, specifically turning security data and metrics into observable data

■ Scenario-based review and how security observability can be applied to high- and low-performing teams

■ Improvement through reporting and where companies should start on their security-observability reporting journey

DevSecOps is still relatively new, and I'd encourage anyone interested in shaping its future to join CSA's DevSecOps working group(link is external). It's open to anyone — no prior experience is required — and you can participate as much (or as little) as you like. I hope to see you there.

Josh Buker is a Research Analyst for the Cloud Security Alliance
Share this

Industry News

May 13, 2025

Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.

May 13, 2025

Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.

May 13, 2025

Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.

May 13, 2025

Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.

May 13, 2025

Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.

May 12, 2025

LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium(link is external), the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.

May 12, 2025

Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.

May 12, 2025

Zencoder announced the launch of Zen Agents, delivering two innovations that transform AI-assisted development: a platform enabling teams to create and share custom agents organization-wide, and an open-source marketplace for community-contributed agents.

May 08, 2025

AWS announced the preview of the Amazon Q Developer integration in GitHub.

May 08, 2025

The OpenSearch Software Foundation, the vendor-neutral home for the OpenSearch Project, announced the general availability of OpenSearch 3.0.

May 08, 2025

Jozu raised $4 million in seed funding.

May 07, 2025

Wix.com announced the launch of the Wix Model Context Protocol (MCP) Server.

May 07, 2025

Pulumi announced Pulumi IDP, a new internal developer platform that accelerates cloud infrastructure delivery for organizations at any scale.

May 07, 2025

Qt Group announced plans for significant expansion of the Qt platform and ecosystem.

May 07, 2025

Testsigma introduced autonomous testing capabilities to its automation suite — powered by AI coworkers that collaborate with QA teams to simplify testing, speed up releases, and elevate software quality.