Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

We’re working on a new version of

We’re adding tools to help GSA deliver a digital-first public experience. You can track our progress in our open-source repository.

Understanding the Differences Between Agile & DevSecOps - from a Business Perspective

In GSA IT, we examine how Agile and DevSecOps address different aspects of the delivery process. In terms of software development, Agile improves the process of delivery; encouraging changes in the functions and practices of the Business and Development teams to better produce the project / product envisioned by the end-user, or customer. DevSecOps improves the lead time and frequency of delivery outcomes through enhanced engineering practices; promoting a more cohesive collaboration between Development, Security, and Operations teams as they work towards continuous integration and delivery.

Understanding the Differences

Both Agile and DevSecOps can be implemented to promote change and collaboration within their respective domains, resulting in a cultural shift in the practices of the individuals implementing them. In an ideal environment, an organization would employ both Agile and DevSecOps practices, however, it is important to note that DevSecOps can be implemented in any environment - Agile or otherwise.

Remember, Agile is a mindset; its encompassed values promote a cultural shift in the organization and its departmental functions, project management practices, and product development. Likewise, DevOps also requires a cultural shift.

DevSecOps cycle

It focuses primarily on the frequency of delivery, pushing past departmental lines and calling for collaboration between Development and Operations for more effective planning, design, and release of projects / products. Further, by incorporating Security into the coding process (i.e. DevSecOps), loopholes and weaknesses are exposed early on so that remediation actions can be implemented.

DevOps Continuous Workflow

As with Agile frameworks, DevSecOps incorporates lean, synergistic practices, like Continuous Integration and Continuous Delivery, that encourage and support frequent code check-in, version control, sensible test automation, continuous low-risk releases and feedback, often through a number of electronic tools. Within a DevSecOps environment, the Business can benefit from such practices by saving dollars and resources through improved operations, reduced re-work, increased quality through automated testing and monitoring, and projects / products delivered early and often with less cycle time to the customer or end-user.

Supporting a DevSecOps Culture

Regardless of their differing focal points in the cycle of delivery, both Agile and DevSecOps share similar goals of eliminating silos, promoting collaboration and teamwork, and providing better, faster delivery. Though DevSecOps is driven by the “engineering” functions of Development, Security, and Operations, Business support can enhance the DevSecOps process.

Business support begins with understanding how work flows throughout the organizational level. As The Phoenix Project states, there are four types of work - “business projects, internal projects, operational changes, and unplanned work.” As an organization builds their understanding of their work, they can better manage coordination and uncover the restraints that impact their efforts.

At the Team level, that coordination ensures Operations and Security team members are engaged with Development from the very beginning of an effort; an engagement championed by the Business role leading the project / product. The organizational knowledge of potential restraints or impacts to an effort strengthens the team’s ability to:

Moreover, by incorporating Agile practices, the Business can better ensure prioritized work is fed into DevSecOps continuous release cycles. They can better plan for and reflect Development team member’s engagement in coordinated efforts on the team’s working boards, further ensuring visibility and transparency of the entire delivery cycle.

Good Reads

These are good references for understanding Agile & DevSecOps: / Office of the CTO

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?