Applying DevOps principles to security and compliance

Concerns about security and compliance can make companies reluctant to adopt a full DevOps mindset and ship software often and quickly. In the past, they had fewer releases, each of which was handed off for a security or pen test before being deployed to production. This gave them confidence that they were not shipping software that contained security vulnerabilities.

This practice of fewer releases and having a big final security test before the final release conflicts with a DevOps mindset, and this is where some companies struggle. They are looking for ways to ensure that they are shipping business value to their users but are not willing to compromise on security to do so. The question is whether this is a fair trade-off. Wouldn't it be possible to have both speed and security? Might it not actually be the case that releasing faster and more often, in combination with rigorous automation, can help to increase the level of security in software development? To answer this question, it is good to first explore how security is often practiced in non-DevOps environments and how this needs to be changed when adopting DevOps.
