SecDevOps & DevSecOps - Is there a difference?
In a world of rapid software development and adoption, security can be either a difficult or an easy task, depending on the approach taken. It is difficult if one keeps approaching security the way one always has. It can be easy if there is a fundamental rethink of the security control options available in this new ‘agile’ world. In the context of DevOps and security, SecDevOps and DevSecOps are two concepts we are consistently asked to advise on. Although the terms look alike, they describe fundamentally different, and equally important, things. This article distinguishes the two and explains why the distinction is useful, since the terms tend to be used interchangeably.
Consider a scenario where an organisation is on a DevOps and agile ways-of-working adoption journey. Security is a concern, and we are asked to advise on how to embed security into the DevOps style of operation. This is SecDevOps: security is built into the delivery pipeline under a “secure by design” discipline, using techniques such as automated security review of code and automated application security testing as part of the pipeline.
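To make "automated security review of code" concrete, here is an added example of the smallest useful pipeline gate: a POSIX shell script that scans a source tree for hard-coded credentials and returns a non-zero exit status so the CI job fails before the change can merge. This is illustrative code written for this article, not a tool or script from the original text; the regex patterns are a rough heuristic (assumption: a real secret scanner would use a far larger rule set), and the sample project it builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal "automated security review of code" gate of the kind
# a SecDevOps pipeline runs on every commit. Not from the original article.
# Patterns and the sample project are constructed for illustration.
set -u

# Heuristic regexes for hard-coded credentials (assumption: rough, not a
# replacement for a real secret scanner). Case-sensitive on purpose so that
# reading DB_PASSWORD from the environment is not flagged.
SECRET_PATTERNS=$(cat <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*["'][^"']{8,}
EOF
)

# scan_tree DIR: print "file:line:text" for every finding, skipping .git/.
# Exit status 0 = clean, 1 = findings, so `scan_tree . || exit 1` gates a CI job.
scan_tree() {
    dir=$1
    out=$(mktemp)
    find "$dir" -type f ! -path '*/.git/*' -print | while IFS= read -r f; do
        printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pat; do
            # -H always prints the file name; "|| true" keeps a no-match from
            # aborting the loop when the caller runs under set -e.
            grep -HEn -- "$pat" "$f" 2>/dev/null || true
        done
    done | sort -u > "$out"
    cat "$out"
    n=$(wc -l < "$out" | tr -d ' ')
    rm -f "$out"
    [ "$n" -eq 0 ]
}

# count_hits DIR: number of distinct flagged lines.
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# make_sample DIR: constructed sample project with one clean file, one file
# that leaks credentials, and a .git/ entry that the gate must ignore.
make_sample() {
    dir=$1
    mkdir -p "$dir/app" "$dir/.git"
    cat > "$dir/app/config.py" <<'EOF'
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # read from the environment at runtime
EOF
    cat > "$dir/app/legacy.py" <<'EOF'
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "hunter2hunter2"
EOF
    printf 'password = "notscannedgitdir"\n' > "$dir/.git/junk"
}

# Demo: run the gate against the constructed tree the way a CI job would.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    if scan_tree "$tmp"; then
        echo "gate: PASS"
    else
        echo "gate: FAIL - hard-coded credentials found, blocking merge"
    fi
    rm -rf "$tmp"
fi
```

Run it with `sh gate.sh --demo` to see the two findings in `app/legacy.py` reported while the `.git/` entry and the environment-sourced password in `app/config.py` are left alone. The design point is the exit status: the scan is only a "control" once the pipeline treats a non-zero return as a failed stage, which is what turns a review activity into an automated gate.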
Now consider a scenario where the security operations team itself wants to adopt a DevOps style of delivering security services. This is DevSecOps: conceptualising, developing and deploying security programmes as a series of minimum viable products. Its advantages include greater speed and agility for security teams, rapid response to change and earlier identification of vulnerabilities.