What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
Answer
DevSecOps means security is engineered into the full software delivery lifecycle instead of being treated as a final approval gate. The difference is ownership and timing: developers, platform, security, and operations all share controls that run continuously in code, CI/CD, cloud, and production.
Technical explanation
Traditional security gating often creates late rework because vulnerabilities are found after implementation or right before release.
DevSecOps moves guardrails into developer workflows: secure templates, SAST, SCA, image scanning, IaC scanning, secrets checks, admission policy, and runtime detection.
The goal is not to bypass security; it is to make secure behavior the default while keeping high-risk exceptions visible and approved.
Hands-on example
In a Jenkins or GitHub Actions pipeline, run unit tests, SAST, dependency scanning, container image scanning, IaC policy checks, and artifact signing before deployment. Low-risk findings create tickets, critical exploitable findings fail the build, and policy-as-code blocks noncompliant Kubernetes manifests at admission time.
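The gating rule above ("low-risk findings create tickets, critical exploitable findings fail the build, high-risk exceptions stay visible and approved") as a small pipeline step. This is an added example, not code from the page; the finding schema, the exception-list format and the placeholder CVE ids are constructed, not any scanner's real output.

```python
"""CI gate: fail on critical or known-exploited findings, ticket the rest,
and honour only approved exceptions that have not expired."""
from datetime import date

# Constructed scanner output in a vendor-neutral shape; CVE ids are placeholders.
FINDINGS = [
    {"id": "CVE-0000-0001", "severity": "CRITICAL", "known_exploited": True,
     "component": "libexample:1.2.3"},
    {"id": "CVE-0000-0002", "severity": "HIGH", "known_exploited": False,
     "component": "jsonlib:4.0.0"},
    {"id": "CVE-0000-0003", "severity": "LOW", "known_exploited": False,
     "component": "zlib:1.0"},
    {"id": "CVE-0000-0004", "severity": "CRITICAL", "known_exploited": False,
     "component": "legacy-parser:0.9"},
    {"id": "CVE-0000-0005", "severity": "CRITICAL", "known_exploited": False,
     "component": "old-tls:2.1"},
]

# Approved, time-boxed exceptions (assumed format): finding id -> expiry date.
EXCEPTIONS = {
    "CVE-0000-0004": date(2099, 1, 1),   # still valid, stays visible in the report
    "CVE-0000-0005": date(2020, 1, 1),   # expired: the finding blocks again
}

BLOCKING_SEVERITIES = {"CRITICAL"}


def is_blocking(finding):
    """Critical or known-exploited findings fail the build; the rest get tickets."""
    return finding["known_exploited"] or finding["severity"] in BLOCKING_SEVERITIES


def triage(finding, exceptions, today):
    """Classify one finding as 'fail', 'exception' or 'ticket'."""
    if not is_blocking(finding):
        return "ticket"
    expiry = exceptions.get(finding["id"])
    if expiry is not None and expiry >= today:
        return "exception"      # approved and not yet expired
    return "fail"               # no exception, or an expired one


def gate(findings, exceptions, today=None):
    """Group finding ids by decision and say whether deployment is blocked."""
    today = today or date.today()
    result = {"fail": [], "exception": [], "ticket": []}
    for f in findings:
        result[triage(f, exceptions, today)].append(f["id"])
    result["blocked"] = bool(result["fail"])
    return result


if __name__ == "__main__":
    import sys
    verdict = gate(FINDINGS, EXCEPTIONS)
    for bucket in ("fail", "exception", "ticket"):
        print(f"{bucket:9}: {', '.join(verdict[bucket]) or '-'}")
    sys.exit(1 if verdict["blocked"] else 0)   # non-zero exit fails the CI job
```

The script's exit status is what the pipeline acts on; the printed buckets are the audit trail that keeps approved exceptions visible alongside the hard failures.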