After years of lip service, DevSecOps looks poised for prime time.

The somewhat elusive concept aims to imbue security into the DevOps process, which means organizations can find and fix flaws earlier in the development lifecycle, before an application enters production — and long before a breach occurs because of a missed software vulnerability.

DevSecOps technologies and processes also mean that the security team, by automating security tools and integrating those into the development lifecycle, can keep pace with the DevOps teams.

But while security vendors have been talking about DevSecOps for years, and most organizations would probably say that they embrace the concept, neither paints an accurate picture of real-world workflows.

“DevSecOps as a discipline has been slow to mature,” Gartner analyst Mark Horvath said. “It’s been slow to get up to speed, in part because the DevOps process was never really meant to be a large software development process.”

DevOps was supposed to be a way to make quick changes to an existing piece of software, he added. “But we’ve taken it out of context, and made it bigger, and we’ve added security to make it DevSecOps.”

Horvath likes to ask his audience at conferences: How many of you are doing DevOps? He said 90% of the hands go up. Next he asks: How many are doing Agile or Waterfall and telling your manager you’re doing DevOps?

“Three-quarters of the hands go back up,” Horvath said. “DevSecOps is popular in part because nobody really knew what it meant. And no one wants to be seen as not doing it because that would mean you don’t have any security.”

DevSecOps Reaches ‘Slope of Enlightenment’

However, the confusion around and implementation of DevSecOps processes is changing, he added. In fact, Gartner’s latest Hype Cycle for Application Security puts DevSecOps on the “Slope of Enlightenment” — and it’s headed toward the “Plateau of Productivity.”

A few things have conspired to make DevSecOps a reality, Horvath said. First, security became a board-level topic, and boards of directors have started asking tough questions about their company’s security posture.

Additionally, DevSecOps tools have become more developer friendly, Horvath said. “The vendors in the space have come up to meet the developers where they are, offering enormous amounts of assistance,” he explained. “Instead of telling the developers, ‘You have to go figure all this stuff out for your own,’ they make sure that the developers don’t have to leave their native environment in order to use it.”

And finally, it’s cheaper to fix vulnerabilities in code at the beginning of the application-development process rather than waiting to fix security flaws in production.

“At the end of the day, you can say that you believe in security all you want. But you believe in saving money a little bit more,” Horvath said. “Being able to show we’re saving 10 times as much money fixing stuff in the development phase than on the attack surface — that’s a great investment. That’s how we argue the ROI: We’re lowering the amount of risk.”

Security Becomes More Developer Focused

While most security vendors offer some type of tooling to shift security left in the development process, Snyk is one of the providers that has embraced DevSecOps since its start. It bills itself as a “developer security platform,” and that approach has paid off for the cybersecurity unicorn. Snyk’s valuation recently hit $8.5 billion, which means it more than tripled its valuation from the beginning of the year.

“This new investment, together with the rapid adoption of our platform and growing customer base, validates our developer security vision,” Snyk CEO Peter McKay said at the time.

In another key indicator that DevSecOps has gone mainstream, several security vendors have either bought or built infrastructure-as-code (IaC) security tools over the last year. Palo Alto Networks acquired BridgeCrew to add IaC security to Prisma Cloud, and it rolled out those new capabilities during last month’s Ignite event.

Also in November, cloud-security unicorn Lacework acquired Soluble to help its customers integrate security earlier in the software delivery process by remediating IaC flaws. Soluble’s technology conducts static analysis of code, and it also inspects risk, impact, cost, and potential policy violations in IaC via popular development tools including Terraform, CloudFormation, and Kubernetes.

“To truly remediate or fix those misconfigurations, you have to remediate them at the source where they began, where they got introduced, and that is typically through infrastructure as code,” Lacework VP of Product Adam Leftik said.

This is why Lacework and others in the space are integrating these capabilities into their platforms, he added. “We need to be able to correlate the things that are misconfigured and exposed at runtime, and then help fix them at the build and development time,” Leftik said.

“And the more robust and mature your security and development programs get, then you prevent those things from ever getting out of production, which ultimately reduces the risk,” he continued. “That is what we’re really driving for our customers: to help them reduce the risk and help them build stuff faster.”
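To make the IaC static-analysis approach described above concrete, here is an added example (not Soluble’s, Lacework’s or any vendor’s code) of a minimal policy check over a constructed CloudFormation template. Each finding is keyed to the resource and property where the misconfiguration was introduced, which is what lets it be fixed at the source rather than at runtime.

```python
import json

# Constructed CloudFormation template (JSON) with two misconfigurations;
# not from the article or from any vendor's test suite.
TEMPLATE = json.dumps({"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
        ]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "Private"}},
}})

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}

def check_security_group(name, props):
    """Flag ingress rules reachable from any address. The finding names the
    resource and rule index so the fix lands on the exact source line."""
    findings = []
    for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in WORLD:
            findings.append(f"{name}.SecurityGroupIngress[{i}]: ports "
                            f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}")
    return findings

def check_bucket(name, props):
    """Flag buckets whose canned ACL grants access beyond the account."""
    acl = props.get("AccessControl", "Private")
    return [f"{name}.AccessControl: public ACL {acl}"] if acl in PUBLIC_ACLS else []

# Policy table: one check per resource type; extend with more types as needed.
CHECKS = {"AWS::EC2::SecurityGroup": check_security_group,
          "AWS::S3::Bucket": check_bucket}

def scan_template(text):
    """Return one finding per policy violation; an empty list means the
    template may be merged/applied (a CI step would exit non-zero otherwise)."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings
```

Run as a pre-merge step, the same check that produces a runtime alert (a world-open port, a public bucket) is caught in the pull request that introduced it.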

Will DevSecOps Reach ‘Plateau of Productivity’ in 2022?

Security vendors aren’t the only ones talking about DevSecOps, however. Security snaked its way into this year’s KubeCon event, where secure development practices became a hot topic of discussion.

Gartner’s Horvath said he expects these trends to continue into 2022 and beyond as more security vendors add developer-focused tools to their portfolios, and a growing number of organizations feel comfortable adopting DevSecOps processes and technologies.

“And that’s exciting because that means the world is getting a little bit safer,” Horvath said. “These technologies that exist are starting to get adopted and have been moved into a position where people can really start to use them in a smart way.”