The DevSecOps use case is applicable for customers who are trying to “shift left” to find security vulnerabilities earlier within their DevOps methodology but have not been able to achieve expected results.
Application Security is hard when security is separated from your DevOps flow. Security has traditionally been the final hurdle in the development life cycle. Iterative development workflows can make security a release bottleneck. Customers don’t have enough security people to test all of their code, and hiring more security analysts won’t automatically reduce the friction between app sec and engineering teams. Only testing major releases, or limiting tests to certain apps, leaves weak spots hackers can exploit. They need a way to balance risk and business agility. Instead of waiting for security at the end of the development process, they want to include it within their DevOps workflow. Often this is referred to as DevSecOps.
DevSecOps integrates security controls and best practices in the DevOps workflow. DevSecOps automates security and compliance workflows to create an adaptable process for your development and security teams.
Balancing business velocity with security is possible. With GitLab, DevSecOps architecture is built into the CI/CD process. Every merge request is scanned through its pipeline for security issues and vulnerabilities in the code and its dependencies using automated tests. This enables some magic to happen.
Every piece of code is tested upon commit for security threats, without incremental cost. The developer can remediate now, while they are still working in that code, or create an issue with one click. The dashboard for the security pro is a roll-up of vulnerabilities remaining that the developer did not resolve on their own. Vulnerabilities can be efficiently captured as a by-product of software development. A single tool also reduces cost over the approach to buy, integrate and maintain point solutions throughout the DevOps pipeline.
✅ Check out the market viewpoint on the DevSecOps use case for a more in-depth explanation.