Getting Your Security Program to Shift Left: Operationalizing Security Controls via DevSecOps

DevSecOps is a hot topic. It’s touted as a utopia where automation saves time and money while cutting risk and reducing dependencies. In reality, without effective oversight, DevSecOps leaves orphaned technologies, unmaintained repositories and application artifacts, and ruined credibility in its wake.

The value of DevSecOps lies in shifting your security program to the left in your schedule—in other words, shifting it earlier into the software development lifecycle and testing against it all the time. 

Tony UcedaVélez, founder and CEO of VerSprite, outlines this well in his presentation, available on demand below.

The Goals of DevSecOps

The high-level goals of a DevSecOps program are:

  • Reduce security control gaps.
  • Lessen the time spent on manual configurations.
  • Improve incident recovery efforts.
  • Increase security assurance across environments.
  • Build security requirements into products and platforms.
  • Eliminate vulnerabilities in the deployment pipeline itself.
  • Put governance into operation.

Two of the most important aspects of DevSecOps are assurance and compliance.

Assurance ultimately dictates the reputation of any product you sell. To manage it properly, build it into your code base, infrastructure, and even the actors in your pipeline.

Including governance in the DevSecOps process is key from a compliance point of view. By doing so, you can demonstrate compliance on an ongoing basis across all environments.

Governance currently sits outside of DevOps and catches issues too late. Instead, determine your security requirements before development starts. To do so, work with your compliance team to understand the controls they need and account for them early in the process.

Planning the Shift

The goals of shifting security left are:

  • Ensure that all environments—not just production—receive security configuration.
  • Reduce security and privacy discrepancies across environments.
  • Operationalize security efforts through code and the CI/CD process.

Shifting left means not waiting until deployment time to worry about (Read more...)
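One way to operationalize the goals above as code in a CI pipeline is a policy-as-code gate that checks every environment against one security baseline and reports drift between environments. This is an added example, not code from the post or from VerSprite or Sonatype; the control names and the sample environment configurations are constructed assumptions.

```python
"""Policy-as-code gate: check every environment's security configuration
against one baseline and flag drift between environments, so the check
runs in CI rather than at deployment time. Constructed example; the
control names and environment dicts are assumptions, not from the post."""

# Baseline controls: name -> (predicate over the config value, description)
BASELINE = {
    "tls_min_version": (lambda v: float(v) >= 1.2, "TLS 1.2 or newer"),
    "debug_mode": (lambda v: v is False, "debug disabled"),
    "mfa_required": (lambda v: v is True, "MFA enforced on admin access"),
    "log_retention_days": (lambda v: int(v) >= 90, "logs retained >= 90 days"),
}

# Constructed sample configs; in practice load these from the repo (IaC, Helm values, etc.)
ENVIRONMENTS = {
    "dev":     {"tls_min_version": "1.0", "debug_mode": True,  "mfa_required": False, "log_retention_days": 7},
    "staging": {"tls_min_version": "1.2", "debug_mode": False, "mfa_required": True,  "log_retention_days": 90},
    "prod":    {"tls_min_version": "1.2", "debug_mode": False, "mfa_required": True,  "log_retention_days": 365},
}

def check_environment(name, config):
    """Return the baseline controls this environment fails (a missing control counts as failing)."""
    gaps = []
    for control, (ok, description) in BASELINE.items():
        if control not in config or not ok(config[control]):
            gaps.append(f"{name}: {control} ({description})")
    return gaps

def find_drift(environments, reference="prod"):
    """Return, per environment, the baseline controls whose value differs from the reference environment."""
    ref = environments[reference]
    drift = {}
    for name, config in environments.items():
        if name == reference:
            continue
        differing = sorted(k for k in BASELINE if config.get(k) != ref.get(k))
        if differing:
            drift[name] = differing
    return drift

def gate(environments):
    """CI gate: (passed, gaps). Passes only when every environment satisfies the baseline."""
    gaps = [g for name, cfg in environments.items() for g in check_environment(name, cfg)]
    return len(gaps) == 0, gaps

if __name__ == "__main__":
    passed, gaps = gate(ENVIRONMENTS)
    for g in gaps:
        print("GAP", g)
    for env, controls in find_drift(ENVIRONMENTS).items():
        print("DRIFT", env, controls)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Drift is reported separately from baseline failures because a stricter setting in production (longer log retention here) is not a gap, but it is a discrepancy worth reviewing.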

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Daniel Longest. Read the original post at: