AppSec and DevSecOps – what’s the difference?

AppSec and DevSecOps are commonly used buzzwords in the cybersecurity field. I often find them being mistaken for each other and used in the wrong context, which is why I would like to clarify and introduce you to both of these terms and what they really entail, as well as break some myths.

Myth #1: “Dude, we hired a DevSecOps and that makes us secure!”

This might seem unrealistic at first glance, but it is one of the most common phrases I usually hear, and it always triggers me. First of all, you have not hired DevSecOps into your organization, you have hired a DevSecOps Engineer. DevSecOps is a philosophy, whereas DevSecOps Engineer is a profession. You are not hiring a philosophy to work for you, you are hiring a person who is familiar with this philosophy and who will help you understand and incorporate this concept into your workflow in order to improve your security posture.

DevSecOps is a culture and methodology. It puts an emphasis on the seamless integration between the three disciplines of development, security, and operations, which can only be achieved by collaborative processes and increased automation. DevSecOps aims to incorporate security measures into every stage of the SDLC, from planning and design to development, testing, and deployment. It also empowers developers and operation teams to take ownership of security.

Myth #2: “You don’t have to know coding to do AppSec!”

While DevSecOps implements security through a change of philosophy, Application Security (AppSec for short) improves security by doing various activities, such as vulnerability scanning, penetration testing, code reviews, and threat modeling. In order to do most of these, you should be familiar with some programming languages, frameworks, and other engineering best practices.

Myth #3: “AppSec and DevSecOps are basically the same!”

Even though both approaches are essential for building secure software and protecting against potential threats, they are not the same. AppSec is focused on securing applications through specialized security practices and tools, while DevSecOps is focused on integrating security into software development as a whole. They are frequently used in combination, but they use different techniques. I have listed some of them in this table.

Secure coding practicesThreat modeling
Vulnerability scanningSecurity plugins and pre-commit hooks
Penetration testingCI/CD
Security code reviewIaC
Auth/Autz + Access controlSecurity monitoring and logging
EncryptionCollaboration and communication

TL; DR: The goal of AppSec is to identify and mitigate security risks in applications to protect against potential threats. The goal of DevSecOps is to integrate security practices into every aspect of software development.

If you have read so far, you might want to follow me here on Hashnode. Feel free to connect with me over at LinkedIn or Mastodon.