DevOps vs DevSecOps
INTRODUCTION
“DevOps is anything, any tool or concept, used to remove any bottlenecks on the way of releasing and delivering changes to the end user fast and with minimum bugs”
This applies whether it’s application or infrastructure changes ☝️ So naturally, if security is a bottleneck, it becomes a DevOps issue: a show stopper that we have to eliminate. So DevOps naturally should include security, but as I often say:
“Reality and theory, or how it’s supposed to be, are 2 different scenarios.” 🤷🏻♀️
So in practice, it so happened that DevOps left out security. It focused on development and fast release cycle, but security teams and external pen tests stayed outside the DevOps cycle.
Security as Afterthought in DevOps
Now, when we implement DevOps processes in our organization, we end up with a streamlined and efficient process for application development and release, which happens at a fast pace.
So we are releasing fast, or trying to release fast, but all those attempts get blocked by manual, slow security checks right before the release.
These security checks are usually done by security engineers, a compliance team or even external pen testers.
And this may take weeks or months ⏳
So we are just aggravating the security bottleneck with DevOps.
This is Why DevSecOps is so important
So as a reminder, to highlight the importance of security in DevOps, DevSecOps emerged.
Also, as we saw, security spans the entire software development lifecycle (SDLC), all parts and layers. And as you also know, DevOps affects the entire software development lifecycle too.
So DevSecOps is taking that overarching security and integrating it in all DevOps steps from start to finish, from automated tests to the build and deploy steps.
So DevSecOps is really: DevOps that doesn’t forget about security.
So the responsibility for fixing security issues and for secure implementation still lies with the individual teams, who have the expertise in those specific areas, but DevSecOps creates an overarching CI/CD process and automated processes that measure what’s called the "security posture".
Basically, this gives us visibility into how secure our systems are.
That's what is meant by "DevSecOps" 💡
Now how does DevSecOps do this? How does it integrate security into the DevOps workflows, like a complete CI/CD pipeline? 🤔
One core part is integrating automated security checks into the CI/CD pipeline.
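A sketch of such per-stage checks, added here as an illustration and not taken from the original post: each pipeline stage has its own severity limit, the gate stops at the first stage that exceeds it, and a severity count serves as a simple posture snapshot. The stage names, policy thresholds and findings format are assumptions constructed for this example.

```python
"""Constructed example: per-stage security gates in a CI/CD pipeline."""
from collections import Counter

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: the highest severity each stage tolerates, in pipeline order.
POLICY = {"commit": "medium", "build": "high", "deploy": "medium"}

# Constructed findings, in a made-up normalised format (not a real tool's output).
FINDINGS = [
    {"stage": "commit", "check": "secret-scan", "severity": "critical", "id": "hardcoded-token"},
    {"stage": "commit", "check": "sast", "severity": "medium", "id": "weak-hash"},
    {"stage": "build", "check": "dependency-scan", "severity": "high", "id": "outdated-lib"},
    {"stage": "deploy", "check": "iac-scan", "severity": "low", "id": "missing-tag"},
]


def posture(findings):
    """Count findings per severity: a simple 'security posture' snapshot."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts[sev] for sev in SEVERITY}


def run_gate(findings, policy=POLICY):
    """Check stages in pipeline order and stop at the first one that blocks."""
    for f in findings:
        # Fail closed: a finding the policy cannot classify is an error, not a pass.
        if f["stage"] not in policy or f["severity"] not in SEVERITY:
            raise ValueError(f"unclassifiable finding: {f['id']}")
    for stage, limit in policy.items():
        blockers = [f["id"] for f in findings
                    if f["stage"] == stage
                    and SEVERITY[f["severity"]] > SEVERITY[limit]]
        if blockers:
            return {"passed": False, "failed_stage": stage, "blockers": blockers}
    return {"passed": True, "failed_stage": None, "blockers": []}


if __name__ == "__main__":
    result = run_gate(FINDINGS)
    print("posture:", posture(FINDINGS))
    print("gate:", result)
    # A non-zero exit code is what makes the CI job fail at this stage.
    raise SystemExit(0 if result["passed"] else 1)
```

With the constructed findings, the gate fails at the commit stage on the hard-coded token, so the developer gets feedback long before a pre-release review would have run.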
DevSecOps as part of DevOps
So instead of DevSecOps vs DevOps, we have now learned that DevSecOps is really the same as DevOps in theory. 💡 It just emphasizes and re-introduces the integration of security in the whole DevOps workflow in practice.
So overall, this makes the process fast again by
✅ reducing the feedback cycle on any security issues, by
✅ infusing the security checks throughout the pipeline,
instead of having it as a big task right before the release.
🤓 Learn DevOps before DevSecOps
And that's why if you want to learn DevSecOps, you need to first learn the DevOps principles and technologies:
You need to learn the core of DevOps, which is building fully automated CI/CD pipelines
You need to learn technologies, like Docker, K8s, Jenkins etc.
You need to be able to configure infrastructure on cloud platforms etc.
And as the most important skillset of a DevOps engineer, you need to be able to automate all DevOps tasks, using tools, like:
Terraform for automated infrastructure provisioning or
Ansible for automated server configuration
Python for various DevOps automation tasks.
These DevOps skills are increasingly in demand in the IT world, but are also among the most complex to learn.
Just like DevOps, DevSecOps is a concept affecting the entire software development lifecycle. That's why you need to learn the basic level of DevOps first and then move on to the next level of adding and infusing security in that complete lifecycle.