# Bridging the DevOps and Security Divide with DevSecOps

By [Vinay Venkataraghavan](https://www.paloaltonetworks.com/blog/author/vinay-venkataraghavan/?ts=markdown "Posts by Vinay Venkataraghavan"), May 11, 2020

To keep up with the demands of working in the cloud -- and do so securely -- we need to incorporate security practices into the application development and deployment pipelines. The term "DevSecOps" describes this process.

Unfortunately, the transformation to DevSecOps can lead to friction between Security and DevOps teams. The good news is that it doesn't have to be this way. Enterprises can adopt practices that reduce conflict and help make the journey to DevSecOps successful.
Purpose-built security tools can also empower DevOps teams to make this transition.

Importantly, the information and conclusions presented here are based on conversations I have had with DevOps, Security and DevSecOps leaders from the finance, retail and media industries. Those experiences have given me insight into the concerns these teams tend to have, as well as information and ideas about how they can be addressed.

## **Emergence of DevSecOps**

Innovative products and services catering to end-user needs and preferences require applications to be deployed with great agility, frequency and scale. Consequently, development teams leverage cloud and container platforms in conjunction with a DevOps practice to meet business objectives.

Security teams, tasked with protecting customer data and apps, have a hard task under normal circumstances. The adoption of highly elastic and scalable infrastructure -- frequently deploying resources from hundreds to a thousand times a day -- puts a tremendous burden on security teams that are ultimately unable to meet these requirements.

DevSecOps, when done right, has the ability to inject security in a cloud native manner to provide vulnerability management, help with compliance, and offer misconfiguration and runtime protections. However, security and DevOps teams have often been at odds with each other in their efforts to achieve their respective objectives.

Both DevOps and Security teams can obtain a better understanding of the reasons that contribute to prior failed attempts at DevSecOps. Implementing certain steps can also enable a successful transition.

## **Marching Toward Different Goals**

The term "culture" is often used to describe people, process and tools that enable organizations to accomplish business objectives. However, it has been hard for many organizations to embrace and acknowledge the cultural barrier that exists between security and DevOps teams.
It is important to understand these differences before discussing their consequences. Some major differences are:

| **DevOps Culture** | **Security Culture** |
|-------------------------------------------|----------------------------------------------------|
| Security inhibits innovation and agility. | Does not trust DevOps to get security right. |
| Security is hard to adopt. | Needs to ensure compliance and protection. |
| Security is not a DevOps function. | Do as I say in order to sanction your application. |

This mismatch precipitates undesirable outcomes for the enterprise as a whole:

* Apps with critical vulnerabilities are deployed into production.
* No visibility into the compliance posture (apps, cloud and container platform).
* Applications fully exposed to the internet.
* No record of highly ephemeral workloads.
* Inability to correlate app behavior -- sanctioned or unsanctioned.

## **Toward a Common Goal**

There is no silver bullet or switch that can be flipped to adopt a DevSecOps practice. The [transformation to DevSecOps](https://www.paloaltonetworks.com/blog/2020/03/cloud-break-silos-devsecops/) is a process of continuous improvement, not an end in itself. Improved communication, collaboration and, most importantly, empowerment can help bridge the cultural divide.

#### Communication | Process

Good communication helps to put in place a process that enables security teams to clearly articulate the desired outcomes, such as full visibility into vulnerabilities, compliance failures and misconfigurations prior to applications being deployed into production. Conversely, it will help DevOps teams to recognize that it's far "cheaper" (in terms of breach and reputation) and more efficient to address these issues in the CI/CD pipeline than in a running production environment. Establishing consensus and enabling a continuous process of improvement dramatically reduces the attack surface.
#### Collaboration | People

Better collaboration among people allows both teams to partner to converge on a strategy to minimize the attack surface. For example, security teams desire that cloud misconfigurations and critical vulnerabilities be detected and addressed when a pull request (PR) is made. DevOps teams are willing to sign up for this requirement, as it is much easier to address these issues while a feature is being developed, aided by instant feedback (with data provided as a pre-check failure in the PR), as opposed to being bolted on after deployment (far more complex to accomplish).

#### Empowerment | Tools

Empowerment through tools ensures that security teams provide DevOps teams with the right tools to take ownership of the security posture of their applications. Providing security tools for DevOps dramatically increases the willingness and ability of DevOps teams to inject security into their pipelines. For example, security needs to provide tools to:

* Scan infrastructure misconfigurations when a PR is made.
* Scan container images when the image is built or after it is checked into a registry.
* Decentralize security, by enabling DevOps teams to specify, consume and tweak security policies for their respective teams and pipelines.

Taking these steps is a recipe for success in the transformation to DevSecOps, wherein:

* Security teams **trust** DevOps teams to take ownership of security.
* Security **empowers** DevOps with the right tools to adopt DevSecOps.
* Culture change happens **organically**.
* Security **partners** with DevOps to adopt DevSecOps.
* Security adopts a **trust, but verify** posture.
* A **process of continuous improvement** strengthens the security posture.

To learn more about bridging the divide between security and DevOps teams, you can watch our [Cloud Native Live virtual summit on-demand](https://www.crowdcast.io/e/containerolympics).