Broadening the concept of devops, devsecops is an emerging organizational and cultural framework encompassing the orchestration of development, IT operations and security teams. In practice, its enabling technologies—continuous integration (CI) and continuous deployment (CD)—have transformed software development to make it agile, more reliable and more collaborative and incremental. Acceleration and precision have enabled state-of-the-art software enterprises to operate in ways not unlike the industrial factories of the past. And, like past industrial revolutions and manufacturing-based economies, the app economy depends on superior quality, secure products and high degrees of customer satisfaction in order to survive and thrive. As a result, the responsibility for ensuring the stability and resiliency of applications—from the production stage right through to consumer use—is pulled forward in the cycle to include developers.

This “shifting left” means that security testing can be deeply incorporated into app coding earlier, which heavily increases the likelihood that secure code will be produced in the first place, without costly late-stage fixes further down the road. However, this paradigm shift has a bunch of implications for security professionals and developers alike. It’s time to rethink responsibilities, break down silos and revamp the engagement model between the actors in a devsecops cosmos.

An iterative process no longer makes sense

In the pre-digital era, security testing for apps was solely the domain of the security folks, making the process complex, costly and lengthy. Testing was typically performed at the last minute, right before the code was released for production—or worse, after the app was deployed to the world. Because of ambitious planning and tough deadlines, some releases even went live without any fixes at all—sometimes with disastrous consequences.
On one hand, detecting and fixing security-related issues late in the development process was a major cost burden. On the other hand, when things went south post-release, the less-expensive rush to market proved to be a false economy.

But longstanding development paradigms are shifting, and security testing has transitioned from its usual late-in-the-game stage to become deeply embedded right from day one. Many organizations today use application security frameworks that require certain tests at various stages of development. This is an effective approach to application security that can substantially mitigate risk and, ultimately, result in much better outcomes. However, the number of applications is growing exponentially and the development cycles are accelerating at breakneck pace. Consequently, some organizations are having a hard time keeping up with the demand for thorough, consistent and timely testing. The security folks never seem to have enough resources and capabilities to scale this undertaking.

Stronger collaboration needed

Not only is the security professional’s role changing in this new paradigm; cultural changes will also need to be taken into account. In terms of culture, devsecops arguably represents a bigger change for security than for dev or ops teams. Like it or not, security professionals must embrace this cultural shift and change their mindset, or get left in the dust. As the old-school silos crumble and previous demarcation lines blur, security is now a joint task and everyone’s responsibility. In turn, professionals in the field will have to alter their deep-rooted privacy mentality and start to share their reporting and platforms more openly with others across the organization, even those with whom they may once have been reluctant to share.

Nevertheless, that sharing needs to happen, and in all directions.
For instance, it’s no longer feasible to make extensive security demands of development teams without any knowledge of their own constraints and priorities. Security and development need to seek much closer alignment and collaboration, which means understanding each other’s pain points in a far more granular way. The days of simply handing developers a long list of security-related code defects, heading to the water cooler, and checking a box on a departmental to-do list are over.

From control-based to context-based security

Context-based information security is becoming more important than ever as IT consumerization and cloud and mobile computing erase network perimeters that used to be rigidly controlled. Due to the erosion of what was once a well-defined security perimeter, traditional “control-based” security solutions such as hardware firewalls must evolve to become “context-based” solutions driven by factors such as “Does the application process/store sensitive data?” and “Is this a private, internal application or a public-facing one?”

“This is another area where the culture of devsecops can be a big help,” says Mike D. Kail, Co-Founder and CTO of Cybric. “Once again, security people must collaborate with application developers to fully understand the aforementioned context, and then automate security approaches and continuously measure improvements in overall resiliency.”

Summary

Make no mistake: devsecops is poised to disrupt and transform the future of the app economy. As this framework unfolds, it will also change how people do their jobs, and even what their core responsibilities are. The security-related tasks in the development process are evolving radically—and it’s a one-way trip. There’s no going back. But it’s also something positive and perhaps long overdue.
It’s a unique opportunity to take application security to a whole new level and free up the security experts to spend time on more value-creating activities such as advising and coaching when it comes to safeguarding digital business models. The key is to understand what’s driving the shift and its implications for the security team—and to be prepared to not only survive it, but thrive as a result.