Mar 03 2022

DevOps vs DevSecOps


Development + Operations vs Development + Security + Operations

I have already covered the basics of DevOps. Let's now see what DevSecOps is and what the difference between DevOps and DevSecOps is.

In layman's terms, it is just security added to DevOps. But it means a lot in today's dynamic world, where most companies have either already moved or started moving to the cloud.

Let’s do some fun:

Do we need Security? Obviously! → DevSecOps
Do we need order in configuration? Sure! → DevSecConfOps
And do we need to automate? Ideally yes. → DevSecConfAutoOps
Resilient? This is so important! → DevSecConfAutoResOps
Backups! We forgot about backups! → DevSecConfAutoResBackOps
Monitoring 🙂 → DevSecConfAutoResBackMonOps
Should I stop here? No → DevSecConfAutoResBackMonNoOps

So it is not restricted to DevSecOps; you can extend it as per your requirements.

DevOps is a culture which promotes collaboration between the Development and Operations teams to deploy code to production faster in an automated and repeatable way.

DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.

So in short, DevSecOps says security is everyone's responsibility, which in turn makes it continuous security.

What is common?

Collaborative Culture

A collaborative culture between multiple teams is common to both.

DevOps = Collaboration between IT development team and IT operations team

DevSecOps = Collaboration between IT development team, IT operations team and IT security team

Automation

Both DevOps and DevSecOps use lots of tools and techniques to automate tedious tasks.

Monitoring

Actively monitoring application data and performance to drive improvements is a key activity in both DevOps and DevSecOps.

What is the difference?

Typical application release steps in DevOps+Sec

  • Idea for new feature/improvements
  • Requirements
    • Gathering
    • Brainstorming
  • Development/implementation
    • Deploy to dev env
    • Dev testing
  • Testing
    • Deploy to test env
    • Testing (Automated+Manual)
  • Build and package (executables)
  • UAT/Staging
    • Deploy to UAT env
    • UAT testing
  • Prod deployment
    • Smoke/Sanity testing
  • IT operations and monitoring
  • Security testing and monitoring

In DevSecOps, security shifts to the left:

  • Idea for new feature/improvements
  • Requirements
    • Gathering
    • Brainstorming
  • Development/implementation
    • Pre-commit hooks to check code
    • Deploy to dev env
    • Dev testing
  • Testing
    • Deploy to test env
    • Testing (Automated+Manual)
    • Automated security testing
    • Software Composition Analysis (SCA) (Fortify, Qualys, etc.)
    • Static code analysis or Static App Security Testing (SAST) or White-box testing
    • Dynamic code analysis or Dynamic App Security Testing (DAST) or Black-box testing
  • Build and package (executables)
    • Package security check/scan before push to the artifact registry
  • UAT/Staging
    • Deploy to UAT
    • Automated UAT testing
    • Automated security testing
    • Runtime Application Self-Protection (RASP)
      • Open end-point security monitoring
      • File integrity monitoring (FIM)
      • Vulnerability monitoring
      • Anomaly detection
      • Security check in Infrastructure (continuous)
      • Running executables/containers scanning (continuous)
    • Encryption of data at-rest and in-transit
    • Secret management
  • Prod deployment
    • Deploy to Prod
    • Smoke/Sanity testing
    • Runtime Application Self-Protection (RASP)
      • Open end-point security monitoring
      • File integrity monitoring (FIM)
      • Vulnerability monitoring
      • Anomaly detection
      • Security check in Infrastructure (continuous)
      • Running executables/containers scanning (continuous)
    • Encryption of data at-rest and in-transit
    • Secret management
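The "pre-commit hooks to check code" and "secret management" steps above, as an added example that is not part of the original post: a POSIX sh pre-commit hook that scans the staged version of each changed file for likely hard-coded credentials and refuses the commit if any are found. The secret patterns and the `nosecret` allow-list marker are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal pre-commit hook that
# blocks a commit when staged content looks like it contains a secret.
# Install as .git/hooks/pre-commit and make it executable.

# find_secrets LABEL: reads content on stdin, prints suspicious lines to
# stderr and returns 1 if any are found, 0 otherwise.
# Patterns are illustrative (constructed for this example), not exhaustive:
# an AWS access key id shape, a PEM private-key header, and "name = value"
# assignments for typical credential-like names with a value of 8+ chars.
# Lines carrying the marker "nosecret" are allow-listed (reviewed false
# positives such as password = "${DB_PASSWORD}" read from the environment).
find_secrets() {
    matches=$(grep -n -E \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
        -e '([Pp]assword|[Pp]asswd|[Ss]ecret|[Aa]pi_?[Kk]ey|[Tt]oken)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}' \
        | grep -v -F 'nosecret' || true)
    if [ -z "$matches" ]; then
        return 0
    fi
    printf '%s: possible hard-coded secret (add "nosecret" if reviewed):\n%s\n' \
        "$1" "$matches" >&2
    return 1
}

# scan_staged: checks the staged blob of every added/copied/modified file
# (git show :path), not the working tree, so unstaged edits cannot hide a
# secret that is actually about to be committed. Returns 1 on any finding.
scan_staged() {
    git diff --cached --name-only --diff-filter=ACM | {
        status=0
        while IFS= read -r f; do
            git show ":$f" | find_secrets "$f" || status=1
        done
        exit "$status"
    }
}

# Only act as a hook when git invokes this file as .../pre-commit; when the
# file is sourced or run under another name, only the functions are defined.
case "$0" in
    *pre-commit) scan_staged || exit 1 ;;
esac
```

A finding prints the file, line number and offending line, so the developer can move the value into a secret store and re-stage.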

In short, we get the following advantages using DevSecOps:

  • Integrate security via Tools in each stage
  • Security as Code to automate as much as possible
  • Faster secured release cycles
  • Prevent security issues in Prod (fixing security issues in Prod is much more expensive)
  • Secure application from the inside out
  • Threat modeling and security testing during the entire application development and release lifecycle