As DevOps adoption continues to grow, organisations are increasingly evaluating how to secure development pipelines by integrating security principles and practices. We know first hand at SMEx Digital how challenging and complex a task this is. When you’re new security, the initial learning curve can seem steep. Which approach do you use? DevSecOps, DevOpsSec or SecDevOps? This article breaks down these terms to get you started on your DevOps security journey.
At the core of these three approaches is the need to better integrate three functions;
- Development (Dev) – Application development practice, aiming to deliver working software as quickly as possible.
- Operations (Ops) – Operational support and maintenance practice in charge of ‘keeping the lights on’ for the line of business applications and infrastructure.
- Security (Sec) – Cybersecurity practice in charge of application, infrastructure, endpoint and data security.
DevSecOps: Development, Security, Operations.
DevSecOps focuses on Development, then Security, and finally Operations. While this approach helps to secure DevOps pipelines, it still doesn’t solve the current issue with security principles and practice. Security is often still de-prioritised over getting functional software into production.
DevOpsSec: Development, Operations, Security.
With DevOpsSec, Security is handled on a ‘catch and patch’ approach. Software is released to Production as early as possible, and bugs are patched as soon as the are identified. This approach is extremely risky, often resulting in software not being fully tested. It is also difficult to keep up with patching bugs.
SecDevOps: Security, Development, Operations.
SecDevOps, takes a Security first approach. Security principles and practices are included in the Continuous Integration and Continuous Deployment pipeline. A security first approach takes security requirements into account before development begins. Security teams are involved throughout the application lifecycle.
While these terms are used interchangeably, the outputs of the approaches vary quite significantly. Each prioritizes security at a different point in the development lifecycle. At SMEx, we’re in favour of the SecDevOps approach, ensuring security requirements are are baked into the product from day one. This minimizes security risks and vulnerabilities, to optimise the DevOps pipeline.