DevOps vs. SecDevOps vs. SecOps: Why It Matters
Google Trends shows that interest in DevSecOps has spiked over the last two years. The high-level definition of DevSecOps is easy enough to understand: it's integrating security into DevOps. At the high level, it's an agile approach to IT security. Diving deeper gets a little tricky, though.
For starters, there is a lot of ambiguity surrounding the definition of DevOps. You know it's terrible when Wikipedia isn't clear about DevOps. As DevOps is the most popular of the "xOps" terms, this can lead to a fuzzy understanding of what SecOps and DevSecOps are. It gets even more confusing when you consider "SecOps," which is sometimes used to refer to DevOps-related security.
Here, we'll explore the debate surrounding DevOps, provide our take, and explain SecOps and DevSecOps in more detail.
How Do We Define DevOps?
Despite our best efforts, we probably won't get everyone to agree on a definition. The debate has been going on for a while. On the one hand, plenty of people will tell you DevOps is not a job or role.
On the other hand, DevOps Engineer was the most highly recruited job on LinkedIn from April 2017 to April 2018. A quick web search will also show you that there is no shortage of demand for DevOps "jobs" as well.
Similarly, you may read that DevOps isn't a tool or technology. You may also notice plenty of "DevOps" tools and technologies being promoted online.
We understand the argument of those who say DevOps is a culture. The principles that drive DevOps culture focus on delivering applications fast while improving quality. DevOps is about people, teams, and communication. Specifically, DevOps is an agile approach to software development that emphasizes cooperation and communication between development and operations teams.
When you drill down into the term's origins, they seem the most "right." But the reality is DevOps has become an adjective, too. Maybe it shouldn't have, but it did. DevOps is now commonly used to describe tools and jobs that fit a given criteria. Given that, we prefer a pragmatic definition that encompasses most of the ways the term is used. AWS does a good job of providing such a definition, but we'd parse it down to just the first part:
"DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity."
DevOps is a culture at its core, but the term is generally used to mean much more than just philosophies. If someone asks about a DevOps tool, you'll likely think of products like Jenkins, Puppet, and Docker. When you hear "DevOps Engineer," it's common to think of a role that requires *nix administration, automation, and scripting skills.
While some may cringe at the thought of this (defining DevOps in this way), if you're new to DevOps, understanding that there is some debate and knowing how the term is used is important. As you dive further into DevOps, you can develop your own more nuanced definition.
To summarize, DevOps is used as a noun or an adjective. As a noun, it's the culture and philosophy of the underlying ideas. As an adjective, it can modify terms like "engineer" or "tool" to imply a specific thing.
Understanding SecOps
So, we have a (hopefully agreeable) definition of DevOps. Before we move on to DevSecOps, let's review SecOps. The term is used less frequently than DevOps, but it does imply some specific things about how IT security gets done. In a nutshell, "SecOps" implies an agile shared responsibility approach to security that focuses on collaboration between security and IT operations (e.g., sysadmins). SecOps breaks down silos and ideally improves both security and performance.
Like DevOps, the term SecOps is ambiguous. Some articles (e.g., this TripWire piece) seem to imply SecOps is a discrete thing, different from DevSecOps. Other bits of info you may find online seem to indicate that SecOps and DevSecOps are the same.
For example, compare Sumo Logic's DevSecOps definition:"DevSecOps is the philosophy of integrating security practices within the DevOps process."
To the answers to this StackExchange question. To quote one:
"…I would define SecOps as a first step toward a DevOps org, aiming at getting a multi-skill team around security/network/operating systems engineers where they are separate teams in an existing department."
They seem to be referring to more or less the same thing.
However, there is a bit of a difference if you keep digging. Development isn't necessarily involved in SecOps. IT operations and security alone could theoretically adopt SecOps.
SecOps can be important when considering the alternative: a siloed approach to security. If you work in IT, you know security often slows things down. This is effectively a necessary evil. You can't risk critical data being compromised or infrastructure being brought down. However, you don't want to hamstring processes for trivial or irrelevant issues.
SecOps encourages collaboration between IT operations units like sysadmin and IT security teams. Outcomes are improved with both teams working toward a common goal of delivering service that meets security and operational standards.
It's also worth noting that the term SecOps comes up in the Cisco Certification process. The CCNA Cyber Ops 210-255 exam is the SECOPS exam. It certifies knowledge and skills related to being a Security Analyst in a Security Operations Center.
Looking for help studying for the Cisco CCNA Cyber Ops 210-255 SECOPS exam? Check out Keith Barker's training.
DevSecOps: Integrating SecOps and DevOps
With SecOps and DevOps understood, defining DevSecOps becomes easy. Simply put: DevSecOps is the integration of SecOps and DevOps. This means that the high-velocity, collaborative, and holistic philosophy that made DevOps popular is extended to include security.
Instead of security simply scanning and flagging vulnerabilities after code is delivered, they are part of the process. Development, IT operations, and security are cross-functional and work toward a common goal.
If you think about it, this is really a natural evolution of the DevOps philosophy, which focuses on collaboration. Integrating all stakeholders into the development pipeline improves the final product.
In practice, this means including security in the process from the beginning. It also often means adopting security as code and automating vulnerability scans. For more on security as code, check out this Simple Programmer article by Justin Boyer.
Final Thoughts
DevOps, SecOps, and DevSecOps are terms used to describe different things depending on who you ask. Some will argue that the term DevOps is enough. Others will call out the importance of SecOps and DevSecOps. As an IT pro looking to sort through the differences, there are a few quick rules of thumb you can rely on. The most obvious are baked-in to the names:
DevOps. Development (Dev) and operations (Ops) teams working collaboratively.
SecOps. IT security (Sec) and operations (Ops) teams working collaboratively.
DevSecOps. Development (Dev), security (Sec), and operations (Ops) teams are working collaboratively.
The more important takeaway is these different Ops terms' collaborative and agile nature. They all focus on breaking down silos and working with agility. Feedback loops are shortened, responsibility is shared, and processes are automated. The collaborative and agile ideals are the important takeaways. Knowing the labels helps you explain them better.
delivered to your inbox.
By submitting this form you agree to receive marketing emails from CBT Nuggets and that you have read, understood and are able to consent to our privacy policy.