# DevSecOps and Value Stream Management

By [Vince Power](https://www.paloaltonetworks.com/blog/author/vince-power/?ts=markdown "Posts by Vince Power"), Feb 14, 2022

Everything done within an organization should provide value to customers and other stakeholders.
**Value Stream Management (VSM)** is a business practice that helps identify areas for improvement in a process to make operations more efficient and [drive business value](https://www.paloaltonetworks.com/blog/2022/01/cloud-security-survey-better-security-drives-better-business-outcomes/). In VSM, you need to know the value of the output and the value that each step in the process flow adds during the creation of the asset.

A core tenet of lean management is that teams optimize value streams for what and how they do things. This commonsense approach is why VSM is valuable, especially in our modern digital economy. It has been adopted by more and more organizations since it was born out of Toyota's manufacturing and business practices way back in the 1930s.

Of course, you may be thinking, "that makes sense, but what does this have to do with **DevSecOps**?"

Agile, Scrum, SAFe, and most other post-waterfall development methodologies involve developing software delivery flow and removing obstacles to deliver value faster and to increase productivity. [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops) focuses on figuring out how to integrate this into an organization's culture and tooling so that the organization can achieve those streamlined flows. DevSecOps is the latest iteration, and it highlights security as a core value-add within DevOps practices. All the tooling involved in DevSecOps has one thing in common: it provides some level of automation that removes manual bottlenecks in the application build and deployment lifecycle.

## **Learn and Document Existing Processes**

On any journey that involves utilizing DevOps as a part of software development, you need to use a lot of existing technology and processes. While a true fresh start can happen, that approach rarely works in the long term because services become so complex that migrating and rearchitecting them is a better use of time and money than rewriting from scratch.
To start down this path, you need to learn the existing processes and technologies used by both software development teams and security teams. This lets you identify where to integrate principles like [shift-left](https://www.paloaltonetworks.com/cyberpedia/shift-left-security) into a [software development lifecycle (SDLC)](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle) to show off the value and efficiencies [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops) best practices can provide, like faster remediation of vulnerabilities.

As you learn existing processes and all the steps for taking a requirement from inception to production, it's important to document the current state and why you performed each step. Some methodologies (like Agile) appear "anti-documentation," but that's not the case; rather, they focus on value and eliminating overhead.

As you build out a new pipeline to support existing applications, you want to make sure that every step has value. You also want to make sure that you don't lose the existing value that you are providing, so it's important to document things "as-is" as well. You don't need to write a master's thesis that documents every little detail or who decided what, but you do need to capture the major steps. Some of the information to capture includes:

* Is the application built manually or with automation?
* What test coverage and [code container-based scanning](https://www.paloaltonetworks.com/prisma/cloud/cloud-code-security) is there?
* Which stages of the continuous integration/continuous delivery (CI/CD) pipeline include them?
* Are the security checks automated or manual?
* Is [infrastructure as code (IaC)](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) in place to build the environments?
* Is there a software manifest of all included components?
* Are dependencies automatically imported using Maven or something similar?
* Are there [internal registries and repositories](https://www.paloaltonetworks.com/blog/prisma-cloud/cloud-container-image-trust-groups/) with approved versions?

## **Adapt and Optimize**

Now that you know the existing state, it's time to [introduce tooling and processes built with DevSecOps practices](https://www.paloaltonetworks.com/blog/prisma-cloud/prisma-bridgecrew-infrastructure-security/) that will automate the process from code to delivery as part of your VSM. Some easy wins that will show value to stakeholders include the following:

* Automating the application build saves your developers time, increasing productivity.
* [Adding application security testing to scan code for critical vulnerabilities (CVEs)](https://www.paloaltonetworks.com/blog/prisma-cloud/open-source-license-detection-expanded-git-repo-scanning/) and best practices using that automated build stage will enable you to catch issues immediately and address them before any time has been spent building environments and testing the application.
* Having a central repository with approved versions of dependencies and automated dependency management frees developers from having to remember where to find the latest versions and which versions need an upgrade.
* Using [infrastructure as code](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) to build your environment, including your cloud and [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) stack, allows you to scan the environment in many ways to ensure that it complies with regulations and requirements. This will help keep organizations out of legal and contractual trouble with customers.

## **Conclusion**

Combining Value Stream Management with the implementation and expansion of DevSecOps practices is becoming the best-of-breed approach to optimize every stage of development and security end-to-end.
By having everything in a single pipeline with optimized value streams and checks and controls for vulnerabilities and misconfigurations, you eliminate time-consuming manual reviews at later stages of the development process flow. These manual steps add costs and become bottlenecks that cause unpredictable delays as projects make their way to becoming products.

Documenting every step of the process and the value that it adds to the final service increases transparency, security, and the trust that stakeholders and customers will have in the final product. Ultimately, this process improves business metrics and customer value.

**Learn what works for other cloud native security experts:** [**The State of Cloud Native Security Report**](https://www.paloaltonetworks.com/state-of-cloud-native-security)