Gadi Bashvitz

Author

Published Date: December 14, 2020

Estimated Read Time: 4 minutes

Putting the Sec in DevSecOps

Table of Contents

  1. So, why is putting the Sec in DevSecOps so important today?
  2. How do you add the Sec to DevSecOps?

Last week I had the pleasure of presenting at the Pittsburgh Cybersecurity day in partnership with ISACA. It was exciting to see more than 250 cybersecurity and application security professionals interested in discussing and learning how security can be enabled in a world rapidly adopting DevOps practices.

So, why is putting the Sec in DevSecOps so important today?

According to Gartner research, 2020 is the inflection point where more than 50% of organizations will adopt DevOps practices. This adoption is expected to continue at a rate of 20% year over year for the next 5 years. This accelerated DevOps adoption is justified as it offers many advantages including:

  • Faster release times
  • Higher software quality
  • Reduced failure rates
  • Cost savings

However, with all these advantages there are also some disadvantages. First among these is the risk of releasing vulnerable applications and the concern of being hacked. To understand this better, let’s look at an example:

Before DevOps

– 4-6 month release cycles
– Critical security issues wait a minimum of 4 months for a patch, but this is not a concern, since nothing ships faster than that anyway
– Endless manual PT (penetration testing) cycles
– The upside? Security is in sync with development speed

With DevOps

– A new build every 2-3 minutes
– The best PT team in the world can't complete an end-to-end test in less than a day
– 24 hours / 2 minutes = 720 builds a day, with merges to master multiple times per day

The result is vulnerabilities reaching production, because issues are only remediated months after the release that introduced them has shipped!

Now that we understand the problem, where should we focus?

According to the latest Forrester Wave, >70% of security incidents occur at the web layer. With the accelerated adoption of APIs and the less mature threat models for Web Applications and APIs, these risks are continually increasing.

How do you Add the Sec to DevSecOps?

Now that we understand the importance of adding application security into your DevOps environment (adding Sec to DevSecOps), what do you need to do to achieve this?

There are a number of aspects to consider:

  • People: Putting the correct organization in place
  • Process: Establishing the right processes
  • Technology: Implementing solutions that enable you to achieve this

In order to effectively implement DevSecOps, an organization needs to share the responsibility (and joy) of security with the development and QA organizations. Given the increased velocity of development and the ratio of developers to security professionals in most organizations (up to 100:1 in many cases), it is impossible to achieve this goal without sharing ownership of security. You can read more about this in our recent post about security champions and how to create them.

Once the team is in place, you need to make sure you have the right processes to facilitate effective DevSecOps. These processes should cover:

  • Defining the procedures that make security testing timely and effective
  • Making sure you have the right coverage
  • Identifying vulnerabilities early
  • Remediating vulnerabilities when they are identified
  • Validating the fixes that were implemented
  • Feeding results back into the process for continuous improvement

To learn more about this, you can follow our blog post about it here: https://brightsec.com/blog/devsecops-tooling-best-practices/

Last but certainly not least, you need to implement the correct technology that will enable the organization to effectively implement DevSecOps. These solutions need to be built from the ground up to enable developers and QA professionals to adopt them and must include these key features:

  • Seamless integration into the SDLC
  • Scans that complete at the speed of DevOps while still effectively identifying vulnerabilities
  • Interfaces tailored to each type of user, so that developers and QA can adopt the solution within their standard workflows rather than change them
  • Automated elimination of false positives, so developers are not delayed (and annoyed) by hours spent sifting through them
  • Clear and effective remediation guidelines
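The process items above (identify early, remediate, validate, feed back) and the tooling items (integrate into the SDLC, do not drown developers in false positives) meet in the pipeline gate: the step that decides whether a build may proceed. The following is an added example, not Bright's own code or report format; it assumes a generic JSON findings report (fields `id`, `severity`, `title`, `location`) and a repo-side baseline of triaged findings with an expiry date, and the sample report and baseline are constructed here for illustration.

```python
"""Example CI security gate: fail a build on new findings at or above a severity
threshold, while honouring a baseline of already-triaged findings.

Added example (not Bright's tooling). The report format is an assumption:
{"findings": [{"id", "severity", "title", "location"}, ...]}.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output for this example (not real scan results).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "f-101", "severity": "high", "title": "SQL injection", "location": "GET /api/users?id="},
        {"id": "f-102", "severity": "medium", "title": "Missing CSP header", "location": "GET /"},
        {"id": "f-103", "severity": "critical", "title": "Reflected XSS", "location": "POST /api/comments"},
        {"id": "f-104", "severity": "low", "title": "Verbose Server header", "location": "GET /"},
    ]
})

# Constructed baseline of findings a human already triaged (accepted risk or a
# confirmed false positive). In a real pipeline this lives in the repository
# next to the code, so the decision is reviewed like any other change and
# expires instead of silencing the finding forever.
SAMPLE_BASELINE = {
    "SQL injection@GET /api/users?id=": {
        "reason": "confirmed false positive: query is parameterised",
        "expires": "2021-03-01",
    },
}


def fingerprint(finding):
    # Scanner-assigned ids typically change from run to run, so the baseline is
    # keyed on what stays stable: the issue type plus where it was found.
    return f"{finding['title']}@{finding['location']}"


def load_findings(report_text):
    """Parse the report and reject unknown severities instead of silently
    treating them as harmless."""
    findings = []
    for f in json.loads(report_text).get("findings", []):
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {f.get('id')}")
        findings.append({**f, "severity": sev})
    return findings


def evaluate(findings, baseline, threshold="high", today=None):
    """Split findings into blocking / suppressed (baselined and unexpired) /
    informational (below threshold)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    result = {"blocking": [], "suppressed": [], "informational": []}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < min_rank:
            result["informational"].append(f)
            continue
        entry = baseline.get(fingerprint(f))
        # An expired baseline entry no longer suppresses: the finding is blocking
        # again until someone re-validates the fix or the risk acceptance.
        if entry and date.fromisoformat(entry["expires"]) > today:
            result["suppressed"].append(f)
            continue
        result["blocking"].append(f)
    return result


def gate(report_text, baseline, threshold="high", today=None):
    """Return the process exit code for the CI step: 1 blocks the merge."""
    result = evaluate(load_findings(report_text), baseline, threshold, today)
    for f in result["blocking"]:
        print(f"BLOCK {f['severity']:<8} {f['title']} at {f['location']}")
    for f in result["suppressed"]:
        until = baseline[fingerprint(f)]["expires"]
        print(f"SKIP  {f['severity']:<8} {f['title']} (baselined until {until})")
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    # In CI: python gate.py < report.json; here the constructed sample is used.
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_BASELINE, today="2020-12-14"))
```

Two design points matter for the "speed of DevOps" goal: the gate only blocks on findings a human has not already triaged, so a confirmed false positive does not stop every subsequent build, and every suppression expires, so a fix that was never actually validated resurfaces instead of being forgotten.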

Solutions like Bright are specifically built to enable organizations to add the Sec into DevSecOps.

When implemented correctly, organizations can achieve amazing results.

To learn more about effectively implementing DevSecOps, please reach out to Bright and speak with our experts.
