DevOps vs DevSecOps

Technical
Written By Craig Hurt
 
 

Just as you get to grips with one IT term another appears, bringing confusion and uncertainty. And so it is with DevSecOps, the new buzzword on the block. 

Making matters worse is its similarity to ‘DevOps’. The words sound similar, but there are distinct differences in DevOps and DevSecOps. This is what you need to know. 

Similar methodologies, totally different goals 

DevOps is intended to better align development and operations teams to streamline software development. Ultimately, the goal is to enable continuous deployment for faster software updates. Security issues are identified and dealt with after development.  

DevSecOps is primarily concerned with building security into every stage of the development cycle. Yes, it borrows many concepts from DevOps – including continuous integration (CI) and continuous deployment (CD) - but the ultimate goal (more secure software) is completely different. That’s not to say DevSecOps is not ‘interested’ in increasing development efficiency, but it remains a second order priority. 

Both DevOps and DevSecOps use automation to increase productivity. In the case of DevOps, automation is applied to code testing, monitoring and high level quality assurance activities. For DevSecOps, automation is typically applied in the context of infrastructure as code (IaC). Under this model, new infrastructure and deployments are performed with code according to pre-configured security protocols. This ensures that security is applied to every code update, helping to reduce the overall risk profile of new software. 

Why DevSecOps? 

DevOps provides a much needed incentive to break through departmental barriers to improve development outcomes. However, it works best in the context of on-premise deployments. In reality, DevOps is insufficiently granular to deal with the complexities of modern hybrid cloud and multi cloud environments. 

DevSecOps brings the security team into the equation, making every software release a tri-party project. Yes, there are more stakeholders involved, but IaC and smart automation remove political concerns from each deployment. It may be the case that development cycles increase slightly – but any losses are quickly regained when developers are not diverting time and attention to security bug fixes. Or dealing with the fall-out following a breach. 

DevSecOps deals with security issues when they happen during the development phase, helping to further narrow the window of risk. This is critical when dealing with applications hosted in the public cloud where vulnerabilities are (theoretically) easier to detect and exploit. 

DevOps vs DevSecOps – is it really an ‘either/or’ choice? 

It is possible to operate a DevOps strategy in the cloud – if your business is willing to take a retroactive approach to code security. However, given that you are almost certainly already using automated cloud provisioning of some form, it makes sense to refine and improve those measures to include application security.  

As well as helping to prevent the introduction of vulnerabilities to your cloud infrastructure, these improvements have the potential to solve other issues – such as uncontrolled cloud spend. By templating deployments, you can also help to clamp down on the misconfigurations which lead to excessive resource consumption and cost. 

So yes, it is possible to continue without DevSecOps – but why would you want to? 

To learn more about DevSecOps and how it applies specifically to your cloud-based future, get in touch today.

Craig Hurt

Cloud and DevOps Lead

Previous

We are named one of the UK’s Best Workplaces™ in 2023! 
Next

Yaks volunteering day at Hampstead Heath