AppSec and DevSecOps are commonly used buzzwords in the cybersecurity field. I often find them being mistaken for each other and used in the wrong context, which is why I would like to clarify and introduce you to both of these terms and what they really entail, as well as break some myths.
Myth #1: “Dude, we hired a DevSecOps and that makes us secure!”
This might seem unrealistic at first glance, but it is one of the most common phrases I hear, and it always triggers me. First of all, you have not hired DevSecOps into your organization; you have hired a DevSecOps Engineer. DevSecOps is a philosophy, whereas a DevSecOps Engineer is a profession. You are not hiring a philosophy to work for you, you are hiring a person who is familiar with this philosophy and who will help you understand and incorporate this concept into your workflow in order to improve your security posture.
DevSecOps is a culture and methodology. It puts an emphasis on the seamless integration between the three disciplines of development, security, and operations, which can only be achieved through collaborative processes and increased automation. DevSecOps aims to incorporate security measures into every stage of the SDLC, from planning and design to development, testing, and deployment. It also empowers development and operations teams to take ownership of security.
Myth #2: “You don’t have to know coding to do AppSec!”
While DevSecOps implements security through a change of philosophy, Application Security (AppSec for short) improves security by doing various activities, such as vulnerability scanning, penetration testing, code reviews, and threat modeling. In order to do most of these, you should be familiar with some programming languages, frameworks, and other engineering best practices.
Myth #3: “AppSec and DevSecOps are basically the same!”
Even though both approaches are essential for building secure software and protecting against potential threats, they are not the same. AppSec is focused on securing applications through specialized security practices and tools, while DevSecOps is focused on integrating security into software development as a whole. They are frequently used in combination, but they rely on different techniques. I have listed some of them in the table below.
| AppSec | DevSecOps |
|---|---|
| Secure coding practices | Threat modeling |
| Vulnerability scanning | Security plugins and pre-commit hooks |
| Penetration testing | CI/CD |
| Security code review | IaC |
| AuthN/AuthZ + access control | Security monitoring and logging |
| Encryption | Collaboration and communication |
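To make the "security plugins and pre-commit hooks" row concrete, here is a minimal git pre-commit hook that blocks a commit when the staged lines contain an obvious hard-coded secret. This is an added example, not code from the original post; the regexes, the helper names (`scan_text`, `scan_staged`) and the sample lines are constructed for illustration, and in practice you would wire a maintained scanner into the hook rather than hand-rolled patterns.

```shell
#!/bin/sh
# Constructed example: a pre-commit hook that refuses commits containing likely secrets.
# Install by copying to .git/hooks/pre-commit and making it executable.

# High-confidence patterns (constructed for illustration, not an exhaustive list).
PRIVATE_KEY='-----BEGIN [A-Z ]*PRIVATE KEY-----'
AWS_KEY='AKIA[0-9A-Z]{16}'
PASSWORD_ASSIGN="[Pp]ass(word|wd)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# scan_text: reads text on stdin, prints each matching line with its line number,
# returns 1 when at least one pattern matches and 0 when the input is clean.
scan_text() {
    hits=$(grep -E -n -e "$PRIVATE_KEY" -e "$AWS_KEY" -e "$PASSWORD_ASSIGN")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# scan_staged: feeds only the *added* lines of the staged diff to scan_text,
# so secrets already in history (or being removed) do not trigger the hook.
scan_staged() {
    git diff --cached --unified=0 --no-color \
        | grep -E '^\+[^+]' \
        | sed 's/^+//' \
        | scan_text
}

# When git runs this file as the hook, block the commit on any hit.
# (The check on $0 keeps the hook body from running when the functions are sourced.)
if [ "${0##*/}" = "pre-commit" ]; then
    if ! scan_staged; then
        echo "pre-commit: possible secret in staged changes; commit blocked" >&2
        exit 1
    fi
fi
```

The hook is deliberately narrow: it only looks at newly added lines, so it runs in milliseconds and never fails a commit for material that is already in the repository. That trade-off is what makes developers keep the hook enabled, which is the DevSecOps point of the row.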
TL;DR: The goal of AppSec is to identify and mitigate security risks in applications to protect against potential threats. The goal of DevSecOps is to integrate security practices into every aspect of software development.
If you have read so far, you might want to follow me here on Hashnode. Feel free to connect with me over at LinkedIn or Mastodon.