Why so many terms? What should we call what we are doing in our company? SecDevOps? DevSecOps? SecOps? DevOps? This is a recurring discussion, and there are some interesting "philosophical" debates about it out on the internet.
Reasoning behind terms
I’m not a big fan of marketing terms. I believe some terms have been created just to say: ‘hey, look how cool we are’. We should have a strong reason to invent a new term, and in this case I think DevOps is more than justified. Some years ago we started to hear about containers, Docker, Kubernetes, etc., and we moved from a waterfall world with separate development and operations teams to one where developers take part in most of the operations tasks. We started to hear:
You build it, you run it
And then Security came along…
In recent years, cybersecurity has become a priority in every company. Most operations teams were already taking care of security, at different levels, but not so much on the development side. Developers have always been focused on business delivery, project deadlines and functional requirements, and they assumed that security was taken care of on the operations side. Nowadays it’s not that easy, and other great quotes came along:
Security is everyone’s responsibility
Shift security left
Are you Peter, Paul or Mary?
Peter: Hey, we should call it DevSecOps. Security should sit in the middle of DevOps. We say “you build it, you run it”; now it should be “you build it, you secure it”.
Paul: I think it would be better to call it SecDevOps. Security should always come first, and, as they say, we have to shift security left.
Mary: Why don’t we just leave it as DevOps? Security should be intrinsic to both development and operations, and we don’t need a new term to reinforce the idea that security should be everywhere… “Security by design”, “Security is everyone’s responsibility”.
So why do we need to introduce new terms after DevOps? Why should “Sec” be part of the term? Every DevOps transformation program is composed of People, Processes and Technology, and security is a very important part of each of them. So I think it’s fine to just say DevOps, but adding “Sec” is also a way for the company to strengthen the role of security in the project.
- People: DevOps requires a deep cultural transformation. It is not a minor change; it requires time, effort and full support from senior management.
- Processes: every phase of the Software Development Lifecycle (SDLC) is affected. Some processes have to be rewritten from scratch, and security has to be present in every meeting, from the planning phase onward.
- Technology: this is the fun part for techies like me. Many tools and a lot of automation are integrated into the SDLC, with the objective of helping developers write secure code and of integrating the operations tooling: containers, orchestrators, scanning tools, testing tools, monitoring tools, SAST (static application security testing), DAST (dynamic application security testing), IAST (interactive application security testing), SCA (software composition analysis), RASP (runtime application self-protection), etc. Everything has a reason to be there.