DevSecOps vs DevOps

DevOps

DevOps (a clipped compound of “development” and “operations”) is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity. Below is a classical DevOps Venn diagram.

DevOps Venn diagram

DevOps Venn diagram


DevOps, however, as an integral part of IT is not limited to be only used as a part of the software development process. While it emerged as a way to technology companies to be nimble and lean, experienced DevOps architects use the DevOps culture to better align technology with “people” and “operations” disciplines.

Components of DevOps approach:

  1. Better communication
    Get development and operation teams working together early.
  2. Automate infrastructure and solutions deployment
    Define Infrastructure as Code and automate software build, release and deployment processes.
  3. Use microservices and build portable solutions
    Microservices and technologies such as Cloud-Native and/or Serverless computing improve the agility of the development process.
  4. Test and monitor
    Embed automated testing for all solutions before deploying software, and automate monitoring of infrastructure and applications.

DevSecOps

DevSecOps is a practice of incorporating security at the beginning of an application lifecycle, as a part of DevOps, thus minimizing vulnerabilities by aligning security with IT and business objectives. Embedding security into the development process rather than adding as a “layer on top” allows DevOps and security professionals to harness the power of agile methodologies together as a team. The goal of DevSecOps is to bridge traditional gaps between IT and security while ensuring expedited delivery of secure solutions.
DevSecOps diagram

Below are six important components of a DevSecOps approach:

  1. Code analysis
    Embed automatic software vulnerabilities detection tools such as Snyk into your DevOps pipelines.
  2. Change management
    Increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
  3. Compliance monitoring
    Automate compliance and be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.).
  4. Threat investigation
    Identify potential emerging threats with each code update and be able to respond quickly.
  5. Vulnerability assessment
    Identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
  6. Security training
    Train software and IT engineers with guidelines for set routines.

Conclusion

Just like DevOps, DevSecOps is a full-stack discipline, encompassing all aspects of the technology stack and product lifecycle. DevSecOps and DevOps are both not all or nothing and could be introduced gradually, at any IT project.

Introducing DevOps/DevSecOps as early as possible in the solution’s lifecycle is usually more beneficial than adding it as an afterthought.

For example, we recommend the following DevOps approach:
Once the software architecture is defined, the DevOps engineer works with the software architect to map-out components of the solutions then defines infrastructure as code, builds the initial automated CI/CD pipelines, including security/license -usage-auditing, while also providing all software developers with a stable development environment, before programmers even begin. Since we, like many other companies building secure DevOps for customers, do DevOps/DevSecOps for many clients, a Diophant engineer would usually come with a library of template solutions for common environments and fine-tune configurations in a matter of hours or a few days. If you are only starting with DevOps, see whether it makes sense to engage an outside expert to give your organization a jump-start.

When DevOps is introduced late, engineers often need to start by remediating problems such as slow and/or unreliable publishing/release process, gaps in automated monitoring, lack of strategy to deal with various forms of failure etc. However, introducing DevOps as a remediation will usually not resolve the problem immediately, and might actually cause additional short-pressure by creating a backlog of issues for the development team, to align themselves with operations.

More from our blog

See all posts