# How to Think About DevSecOps for a Secure Future

By [Glenn Wilson](https://www.paloaltonetworks.com/blog/author/glenn-wilson/?ts=markdown "Posts by Glenn Wilson") | Feb 16, 2023 | 5 minutes

Tags: [DevSecOps](https://www.paloaltonetworks.com/blog/category/devsecops/?ts=markdown), [CI/CD Security](https://www.paloaltonetworks.com/blog/tag/ci-cd-security/?ts=markdown), [DevOps](https://www.paloaltonetworks.com/blog/tag/devops/?ts=markdown), [IaC](https://www.paloaltonetworks.com/blog/tag/iac/?ts=markdown), [Software Composition Analysis](https://www.paloaltonetworks.com/blog/tag/software-composition-analysis/?ts=markdown)

Despite the technological advances of recent years (or perhaps because of them), the number of threats on the internet continues to rise.
In fact, a [2022 survey from ThoughtLab](https://thoughtlabgroup.com/cyber-solutions-riskier-world/) found that the number of breaches suffered by organizations rose by 20% between 2020 and 2021. This increase in attacks has caused widespread concern in the security industry. GitHub found that [43% of security professionals feel "somewhat" or "very" unprepared](https://about.gitlab.com/developer-survey/) for the future -- and that's a serious issue.

As a security consultant and founder of [Dynaminet](https://dynaminet.com/), I have more than 20 years of experience in the fields of [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops) and, more recently, DevSecOps. I've watched the rise in cyberattacks with concern, and I believe we must reverse this disturbing trend. From my vantage, the best solution is the wholesale adoption of [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops) practices and policies that continue to embed security increasingly earlier into the development pipeline.

I've spent a lot of time contemplating how to help organizations embrace DevSecOps principles, which is how I eventually came to write the book, [*DevSecOps: A leader's guide to producing secure software without compromising flow, feedback and continuous improvement*](https://www.amazon.com/DevSecOps-producing-compromising-continuous-improvement-ebook/dp/B08QRRNX6K). To understand why and how to implement DevSecOps, we first need to understand what DevSecOps is and how it differs from DevOps.

## DevOps or DevSecOps?

Traditionally, developers write the code for applications and software, as well as patches, fixes, and updates. Once created, they pass their code off to the operations team for testing and eventual deployment. If the code contains errors or other problems, the operations team sends it back to the Dev team to be fixed. The resulting back-and-forth can slow down even simple projects, causing some internal tension in the process.
To resolve this ongoing tug-of-war, the process known as DevOps was born. DevOps *integrates* the development and operations teams from design through deployment, allowing problems to be caught and resolved earlier in the software pipeline and automating much of the testing needed for deployment. DevOps is a game-changer because it removes the headache associated with siloed teams and reduces the time it takes to bring software to market.

Sounds great, right? It is, but with one caveat: security. The DevOps system often overlooks (or bypasses) crucial security checks that would prevent breaches down the road. In fact, [research from Delinea](https://www.prnewswire.com/news-releases/thycoticcentrify-report-57-of-organizations-suffered-security-incidents-related-to-exposed-secrets-in-devops-301425193.html) (formerly ThycoticCentrify) found that 57% of organizations surveyed were the victim of at least one security incident due to exposed secrets in DevOps.

[DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops) seeks to solve the security issues created by DevOps. As the name implies, it integrates security into the DevOps environment, ensuring security is a core tenet of the software development process instead of an afterthought or siloed check.

## The 3 Layers of DevSecOps

Properly implementing DevSecOps isn't as simple as dropping a security expert into the development or operations team. DevSecOps requires buy-in from stakeholders throughout an organization, as it contains multiple layers that need to be understood to function properly.

#### Layer 1: DevSecOps Education

Proper security education is foundational to implementing DevSecOps.
Organizations need to ensure that those involved with software development and the [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security) are consistently learning how to do security, whether it's through structured courses, self-paced learning, or even experimenting to find ways to keep software and applications secure. Continuous education is even more important when we consider that the world of application security is evolving. It's vital to stay up to date to keep code (and organizations) safe from attack.

#### Layer 2: Secure by Design

Having secure infrastructure and secure code at every stage of the development process is crucial to the success of DevSecOps. After all, what's the point of working to make sure engineers and developers know how to keep things secure if they aren't *implementing* security throughout the development lifecycle? It can be difficult to ensure that everything under development is designed and coded securely from the ground up, but with the average total [cost of a data breach at $4.24M](https://www.dataendure.com/wp-content/uploads/2021_Cost_of_a_Data_Breach_-2.pdf), it's best not to rush to deployment.

#### Layer 3: Security Automation

Once a solid education foundation is complemented with securely designed code, organizations need a way to make sure their DevSecOps efforts are maintained. Security automation tests software, application, and infrastructure security to verify that DevSecOps practices are effective. Automated tests like [SCA scanning](https://www.paloaltonetworks.com/cyberpedia/what-is-sca) and [IaC scanning](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) can efficiently identify critical vulnerabilities before deployment -- a necessity in the fast-paced world of modern software development.
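As an added illustration of the two automated tests named above (not code from the original post or its author), here is a minimal Python pipeline gate: an SCA check of pinned Python dependencies against a constructed advisory table, and an IaC check over a simplified, constructed Terraform-plan-like JSON document. The advisory entries, the plan JSON shape and the sample inputs are all assumptions made for this example.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    check: str      # "sca" or "iac"
    resource: str   # pinned dependency or IaC resource address
    severity: str
    message: str

# Constructed advisory table: package -> (first fixed version, severity). Illustrative only;
# a real SCA tool pulls this from an advisory database.
ADVISORIES = {"requests": ((2, 31, 0), "high"), "pyyaml": ((5, 4, 0), "critical")}

def parse_version(text):
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def sca_scan(requirements_text):
    """Flag pinned requirements.txt entries older than the first fixed version."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # blank or unpinned lines are not checked by this simple scan
        name, version = (p.strip() for p in line.split("==", 1))
        advisory = ADVISORIES.get(name.lower())
        if advisory and parse_version(version) < advisory[0]:
            fixed = ".".join(map(str, advisory[0]))
            findings.append(Finding("sca", f"{name}=={version}", advisory[1],
                                    f"known vulnerable, upgrade to >= {fixed}"))
    return findings

def iac_scan(plan_json):
    """Apply two policy checks to a simplified (constructed) Terraform-plan-like JSON."""
    findings = []
    for res in json.loads(plan_json).get("resources", []):
        addr, values = res["address"], res.get("values", {})
        if res["type"] == "aws_s3_bucket" and values.get("acl", "private").startswith("public"):
            findings.append(Finding("iac", addr, "high", "bucket ACL grants public access"))
        if (res["type"] == "aws_security_group_rule" and values.get("from_port") == 22
                and "0.0.0.0/0" in values.get("cidr_blocks", [])):
            findings.append(Finding("iac", addr, "critical", "SSH open to the internet"))
    return findings

def gate(requirements_text, plan_json, block_on=("critical", "high")):
    """Run both scans and return (passed, findings); blocking severities fail the pipeline."""
    findings = sca_scan(requirements_text) + iac_scan(plan_json)
    return not any(f.severity in block_on for f in findings), findings

# Constructed sample inputs standing in for a repository's requirements.txt and plan output.
SAMPLE_REQUIREMENTS = "# constructed\nrequests==2.25.1\npyyaml==6.0\n"
SAMPLE_PLAN = json.dumps({"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "values": {"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}}]})

if __name__ == "__main__":
    passed, found = gate(SAMPLE_REQUIREMENTS, SAMPLE_PLAN)
    print("PASS" if passed else "FAIL: fix findings before deployment", *found, sep="\n")
```

Wired into a CI job, a non-zero exit on `passed == False` is what turns these checks into the deployment gate the Layer 3 paragraph describes.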
## Securing the Future

[DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops) practices are rapidly being adopted, but the number of serious breaches continues to rise as well. If we want to ensure a secure internet future, we must make security a priority from the start. The current mindset around software development favors speed: faster design, faster coding, and faster to market. But we need sustainable long-term solutions to keep the internet safe. We need to take a step back and focus on implementing effective DevSecOps practices.

To learn more about DevSecOps, be sure to watch my full conversation with Steve Giguere on Season 2 of DevSecTalks, where I discuss the foundational elements of DevSecOps and how to implement effective practices at an organizational level. For a closer look at my recommendations for establishing a security-first culture within your DevOps teams, you can also check out my book, [*DevSecOps: A leader's guide to producing secure software without compromising flow, feedback and continuous improvement*](https://www.amazon.com/DevSecOps-producing-compromising-continuous-improvement-ebook/dp/B08QRRNX6K).

Did you enjoy this episode of DevSecTalks? Tune in to our other sessions to hear from more industry experts who are building the future of cloud security.