Every year software becomes more complex, making it difficult to prevent security issues from impacting operations.
That is why most engineering departments solve this problem by moving from DevSecOps to SecDevOps, where security is integrated into every step of the development process from start to finish.
We decided to ask our SecOps engineer what is the difference between the two approaches, what are their pros and cons?
How should SecDevOps and DevSecOps be perceived?
“DevSecOps is primarily concerned with integrating security processes into DevOps cycles while maintaining efficiency, while SecDevOps prioritizes security as much as the actual steps of integrating security into the DevOps process itself.
In essence, SecDevOps means making every decision from a security-first mindset. SecDevOps doesn’t integrate security so much as cultivate a security ethos within every team member to ensure that security becomes a shared responsibility across the entire application lifecycle.”
What's wrong with security becoming a shared responsibility?
“SecDevOps believes all DevOps professionals should be security practitioners, which is a much different focus. To illustrate the difference, think of removing your shoes at an airport checkpoint.
That process is designed for security, not speed. A SecDevOps solution might be to invest in developing better detection methodologies or requiring additional scanning or pat downs, while a DevSecOps solution would likely involve better planning and processing of passengers.
The point is to illustrate security-based decisions versus business-based decisions that encompass security concerns. The hazard there is that, if not careful, SecDevOps can incorporate a significant amount of security theater. In the real-world checkpoint analogy, how many actual explosive devices have been found? That is not to suggest we should stop monitoring for those threats, but it does illustrate how SecDevOps can easily focus on the wrong thing, namely raw vulnerability counts without the proper context to understand their significance...”
In other words, does SecDevOps require developers to become security experts?
“Developers simply aren’t out-of-the-box security experts. That is not to say they lack the capability — security, like programming, is a discipline that requires its own dedication. Application security involves much more than just secure coding…Also it requires developers willing to embrace that change and learn the skills necessary to make it work…
For that reason, enterprises will find on a very human level that DevSecOps causes less churn than SecDevOps. We can pretend otherwise, but the psychology of the ‘Sec’ placement matters.”
What about DevSecOps?
“DevSecOps harnesses the power of the cloud and cloud native platforms to automate infrastructure and platform provisioning as much as possible while also meeting both business and security objectives…
DevSecOps means delivering secure software inside of processes resilient enough to recover from inevitable vulnerabilities and attacks. It doesn’t mean that a critical security vulnerability won’t impact a delivery date — that’s not the purpose — but it does help ensure that a vulnerability in a non-critical location, such as one that resides in a non-internet facing application protected by a network firewall, won’t be treated the same as one that could lead to financial ruin.”
What does security mean for you?
“Security is important enough to be treated as an equal player and integrated with DevOps processes, but that doesn’t mean that security is more important than business objectives. For organizations who protect information that could lead to the loss of life, security will outweigh business goals and objectives. But for most, DevSecOps will more than adequately address their security, delivery and business requirements…
At the end of the day, application security isn’t about eliminating risks, but managing them in a manner that both protects data and delivery schedules.”
Summary
“Enterprises ultimately find that by moving to DevSecOps and including security at each step of the process, their applications become more stable, require less patching and can be released on a faster cycle. DevSecOps is a business enabler, not an insurance policy. While SecDevOps might claim to offer more protection, the costs of that protection are significant. Obviously, there are reasons for each approach. But when choosing between SecDevOps and DevSecOps approaches, make your decision carefully.”