The term DevSecOps has often been confused with securing DevOps, with security operations, or with using a secure development lifecycle in agile development. When you build security into DevOps and even into agile development, when do practices such as threat modeling, static application security testing, and dynamic application security testing occur? This session explains how sound architecture and implementation is key to providing DevSecOps capability with AWS. A core concept is that cybersecurity requirements are foundational and cannot be placed on a backlog indefinitely while development and operations are actively worked on.