DevOps vs. SecDevOps vs. SecOps: Why It Matters
Google Trends shows that interest in the term DevSecOps has spiked over the last two years. The high-level definition of DevSecOps is easy enough to understand: it's the integration of security to DevOps. At the high level, it's an agile approach to IT security. Diving deeper gets a little tricky though.
For starters, there is a lot of ambiguity surrounding the definition of DevOps. You know it's bad when Wikipedia isn't clear on what DevOps is. As DevOps is the most popular of the "xOps" terms, this can lead to a fuzzy understanding of what SecOps and DevSecOps actually are. It gets even more confusing when you consider "SecOps" is sometimes used to refer to DevOps related-security.
Here, we'll explore the debate surrounding DevOps, provide our take, and explain SecOps and DevSecOps in more detail.
How Do We Define DevOps?
Despite our best efforts, we probably won't get everyone to agree on a definition. The debate has been going on for a while. On the one hand, there are plenty of people that will tell you DevOps is not a job or role.
On the other hand, DevOps Engineer was the most highly recruited job on LinkedIn from April 2017 to April 2018. A quick web search will also show you that there is no shortage of demand for DevOps "jobs" as well.
Similarly, you may read that DevOps isn't a tool or technology. You may also notice that there are plenty of "DevOps" tools and technologies being promoted online.
We understand the argument of those who say DevOps is a culture. The principles that drive DevOps culture focus on delivering applications fast while improving quality. DevOps is about people, teams, and communication. Specifically, DevOps is an agile approach to software development that emphasizes cooperation and communication between development and operations teams.
When you drill down into the origins of the term, they seem to be the most "right." But the reality is DevOps has become an adjective too. Maybe it shouldn't have, but it did. DevOps is now commonly used to describe tools and jobs that fit a given criteria. Given that, we prefer a pragmatic definition that encompasses most of the ways the term is used. AWS does a good job of providing such a definition, but we'd parse it down to just the first part:
"DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity."
DevOps is a culture at its core, but the term is generally used to mean much more than just philosophies. If someone asks about a DevOps tool, you'll likely think of products like Jenkins, Puppet, and Docker. When you hear "DevOps Engineer," it's common to think of a role that requires *nix administration, automation, and scripting skills.
While some may cringe at the thought of this (defining DevOps in this way), if you're new to DevOps, understanding that there is some debate and knowing how the term is used is important. As you dive further into DevOps, you can develop your own, more nuanced definition.
To summarize, DevOps is used as a noun or an adjective. As a noun, it's the culture and philosophy of the underlying ideas. As an adjective, it can modify terms like "engineer" or "tool" to imply a specific thing.
So, we have a (hopefully agreeable) definition of DevOps. Before we move on to DevSecOps, let's review SecOps. The term is used less frequently than DevOps, but does imply some specific things about how IT security gets done. In a nutshell, the word "SecOps" implies an agile shared responsibility approach to security that focuses on collaboration between security and IT operations (e.g. sysadmins). SecOps breaks down silos and ideally improves both security and performance.
Like with DevOps, there is ambiguity surrounding the term SecOps. Some articles, (e.g. this TripWire piece) seem to imply SecOps is a discrete thing, different from DevSecOps. Other bits of info you may find online seem to imply SecOps and DevSecOps are the same thing.
For example, compare Sumo Logic's DevSecOps definition:"DevSecOps is the philosophy of integrating security practices within the DevOps process."
To the answers in this StackExchange question. To quote one:
"…I would define SecOps as a first step toward a DevOps org, aiming at getting a multi-skill team around security/network/operating systems engineers where they are separate teams in an existing department."
They seem to be referring to more or less the same thing.
However, there is a bit of a difference if you keep digging. Development isn't necessarily involved in SecOps. IT operations and security alone could theoretically adopt SecOps.
SecOps can be important when you consider the alternative: a siloed approach to security. If you work in IT, you know security often slows things down. This is effectively a necessary evil. You can't risk critical data being compromised or infrastructure being brought down. However, you don't want to hamstring processes for trivial or irrelevant issues. SecOps encourages collaboration between IT operations units like sysadmin teams and IT security teams. With both teams working toward a common goal of delivering service that meets security and operational standards, outcomes are improved.
It's also worth noting that the term SecOps comes up in the Cisco Certification process. The CCNA Cyber Ops 210-255 exam is the SECOPS exam. It certifies knowledge and skills related to being a Security Analyst in a Security Operations Center.
Looking for help studying for the Cisco CCNA Cyber Ops 210-255 SECOPS exam? Check out Keith Barker's training.
DevSecOps: Integrating SecOps and DevOps
With SecOps and DevOps understood, defining DevSecOps becomes easy. Simply put: DevSecOps is the integration of SecOps and DevOps. This means that the high-velocity, collaborative, and holistic philosophy that made DevOps popular is extended to include security.
As opposed to security simply scanning and flagging vulnerabilities after code is delivered, they are part of the process. Development, IT operations, and security are cross-functional and work toward a common goal.
If you think about it, this is really a natural evolution of the DevOps philosophy that focuses on collaboration. Integrating all stakeholders into the development pipeline makes the final product better.
In practice, this means including security in the process from the beginning. It also often means adopting security as code and automating things like vulnerability scans. For more on security as code, check out this Simple Programmer article by Justin Boyer.
DevOps, SecOps, and DevSecOps are terms used to describe different things depending on who you ask. Some will argue that the term DevOps is enough. Others will call out the importance of SecOps and DevSecOps. As an IT pro looking to sort through the differences, there are a few quick rules of thumb you can rely on. The most obvious are baked-in to the names:
DevOps. Development (Dev) and operations (Ops) teams working collaboratively.
SecOps. IT security (Sec) and operations (Ops) teams working collaboratively.
DevSecOps. Development (Dev), security (Sec), and operations (Ops) teams working collaboratively.
The more important takeaway is the collaborative and agile nature of these different Ops terms. They all focus on breaking down silos and working with agility. Feedback loops are shortened, responsibility is shared, and processes are automated. The collaborative and agile ideals are the important takeaways. Knowing the labels simply helps you explain them better.