Can you have DevSecOps without DevOps?

Michael

I would like to understand whether it is possible to implement DevSecOps practices without first adopting DevOps principles. Since DevSecOps focuses on integrating security into every stage of the software development lifecycle, how important is the foundation of DevOps practices such as continuous integration, continuous delivery (CI/CD), automation, and collaboration between development and operations teams? What role do security tools—such as SAST, DAST, container security scanners, secrets management systems, and cloud security platforms—play in embedding security within DevOps pipelines? Additionally, how do organizations balance the need for strong security controls while maintaining the speed and agility that DevOps aims to achieve in modern software delivery?

Daniel

DevSecOps builds on the principles of DevOps by integrating security practices into every stage of the software development lifecycle, making security a shared responsibility across development, operations, and security teams. While some security practices can be implemented independently, DevSecOps is most effective when a strong DevOps foundation—such as automation, continuous integration and delivery (CI/CD), and close collaboration between teams—is already in place. These DevOps practices allow security checks to be embedded directly into development pipelines without slowing down the release process. Organizations often use tools such as SonarQube for SAST, OWASP ZAP for DAST, Trivy for container security, and HashiCorp Vault for protecting sensitive credentials, along with cloud security solutions from Amazon Web Services, Microsoft Azure, and Google Cloud. By automating security testing, vulnerability scanning, and compliance checks within DevOps pipelines, organizations can maintain strong security standards while still achieving the speed, agility, and continuous delivery that modern software development requires.

mister766

DevSecOps typically performs well when there is already an established foundation of automation, CI/CD, and collaboration within the DevOps environment, since DevSecOps relies on DevOps to work correctly. Although you can implement security processes by themselves, if your current DevOps processes are inefficient, security processes will typically be inefficient, slow, and manual; they will not be part of the delivery pipeline.

Security tools play an important role in this process by enabling teams to perform checks early in the development process. Security tools such as SAST, DAST, container scanning, secrets management, and cloud security tools help teams to identify vulnerabilities and misconfigurations and to protect credentials before deploying their applications to production. Therefore, the ultimate goal of these tools is to incorporate security into the workflow instead of adding security as an afterthought.

To strike a balance between security risk and speed of delivery, organizations automate as much as possible with a focus on continuous checks rather than extensive manual approvals and authorizations. By using an automated approach for testing and validating the security of their applications, organizations can continue to leverage the DevOps fast delivery model while ensuring that they have improved security throughout their entire software development process.