In 2021, Gitlab surveyed 4,300 DevOps pros to understand how DevOps teams handle their operations and how security fits in. Interestingly, 72% of the security pros affirmed that “strong” or “good” security is integral to their DevOps practice.
Only 6.3% of the respondents felt that the security effort had been pushed aside or completely side-lined in the DevOps flow. Surely, this is a welcome change from the times when a gulf of separation existed between security and development. That’s because security in the DevOps model is paramount to ensuring the stability, resilience, and continuity of the app or service.
According to Emergen Research, the Development, Security, and Operations (DevSecOps) market is expected to reach $23.42 billion by 2028, up from $2.55 billion in 2020.
Indeed, the growth of DevOpsSec across industries, irrespective of the domain or size of the organization, makes it a phenomenon that needs to be understood clearly. And that’s where the confusion sets in.
DevOpsSec, SecDevOps, DevSecOps. These three terms are often misused and mistaken for each other. Little thought is given to these seemingly synonymous terms, which hinders a proper understanding of what each of them actually means.
Are They Really Synonymous?
Google Trends data shows DevSecOps to be the clear frontrunner. Yet, SecDevOps and DevOpsSec, as far as Google’s concerned, are neck and neck. While the principle of secure DevOps is self-explanatory, the three terms fundamentally point at different approaches to the same problem.
As the name suggests, DevOpsSec considers security right at the end of the DevOps cycle. That means security is not a part of the continuous integration (CI) or continuous delivery (CD) pipeline. There’s a post-development and post-deployment security check, which effectively bolts InfoSec onto Dev and Ops from the outside.
DevSecOps extends the DevOps principle, where security and development are regularly combined. In a DevSecOps model, the security testing and assessment are done right within the DevOps pipeline, thus making it a seamless process.
A step further, SecDevOps is the most advanced version of DevOps, where security and development are no longer siloed from each other. Rather than integrating security processes into the DevOps cycle, SecDevOps makes security a continuous effort integral to the entire DevOps practice. So, everyone proceeds with a fine-tuned security-first posture right off the bat.
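To make the difference between the first two models concrete, here is an added example, not taken from the article or from GitLab’s own pipeline templates, of one pipeline written first in the DevOpsSec style and then in the DevSecOps style. GitLab CI syntax is used because the article cites GitLab’s survey. The stage and job names, the scanner scripts (run-sast.sh, run-dependency-audit.sh, run-scanner.sh) and the target URL are illustrative assumptions; only the keywords (stages, script, needs, rules, allow_failure) and the CI_* variables are real GitLab CI features.

```yaml
# Added example, not the article's or GitLab's own code.
# Each YAML document below is a separate .gitlab-ci.yml; they are shown
# together so the placement of the security jobs can be compared.

# --- Variant 1: DevOpsSec. Security is the last stage, after deploy. ---
stages:
  - build
  - test
  - deploy
  - security        # runs after production is already updated

build:
  stage: build
  script:
    - make build    # assumed build entry point

unit_tests:
  stage: test
  script:
    - make test

deploy_production:
  stage: deploy
  script:
    - ./deploy.sh production   # assumed deploy script

post_deploy_scan:
  stage: security
  script:
    # Assumed wrapper around a dynamic scanner; URL is a placeholder.
    - ./run-scanner.sh --target https://app.example.invalid
  allow_failure: true          # a finding only produces a report; nothing is stopped

---
# --- Variant 2: DevSecOps. Security runs inside the pipeline, before deploy. ---
stages:
  - build
  - security        # shifted left: failing checks block the release
  - test
  - deploy

build:
  stage: build
  script:
    - make build

dependency_scan:
  stage: security
  script:
    # Assumed wrapper around a software-composition-analysis tool run on the lockfile.
    - ./run-dependency-audit.sh --fail-on high
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

sast:
  stage: security
  script:
    # Assumed wrapper around a static analyser; non-zero exit on high findings.
    - ./run-sast.sh --fail-on high
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

unit_tests:
  stage: test
  script:
    - make test

deploy_production:
  stage: deploy
  # The deploy job is only created once every gate it depends on has passed.
  needs: [unit_tests, dependency_scan, sast]
  script:
    - ./deploy.sh production
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The two variants use the same scanners; what changes is the ordering and the absence of allow_failure on the security jobs. In the first, a high-severity finding is logged after the release has happened, which is the "afterthought" the article describes. In the second, the same finding fails the merge-request pipeline, and deploy_production is never scheduled because of its needs list.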
What To Adopt?
The decision to adopt any of the above-mentioned security-related DevOps methodologies is essentially based on an organization’s appetite for risk. And when that’s the case, several questions arise.
- Where does the security lie in the process, and how does it add value?
- Does the process place security and compliance at the core of development and deployment?
- What aspect of security needs to be ensured when integrating security with DevOps?
- Is the security practice insulated from other DevOps processes, and is it consistent across all deliverables?
- How does integrating a new layer of security in the pipeline benefit IT operations?
In order to understand and arrive at a suitable decision, it’s worth taking the time to assess the organization’s current security posture. But more importantly, it’s critical to understand how it can be improved upon.
On that note, let’s understand how the three methodologies fare in the above-mentioned context.
DevOpsSec – Not Recommended
Perhaps the weakest of the lot when it comes to security practice, DevOpsSec falls short on several fronts.
Security gets incorporated into the pipeline late in the cycle, which makes its value proposition questionable. That’s because the earlier a security measure is implemented within the DevOps process, the more chance it has to make a difference.
In essence, security is treated as an afterthought or, worse, a distraction from day-to-day activities. And so, it causes friction further down the line, hindering the production of an optimum quality app or service.
Besides, the cost of incorporating security at the end of the pipeline can be huge, because by then the system is far more complex.
DevSecOps – Quite Flexible
The most popular of the three, DevSecOps, is better suited to secure a continuously innovative and evolving DevOps practice.
A DevSecOps model shifts quality assurance and security left in the development life cycle. It sets a strong foundation for incremental security measures to follow, which helps cut down on unnecessary costs and time. By doing so, only the critical components of the application are deployed to production.
But there’s a catch. DevSecOps still puts the developer first, and developers often aren’t equipped with the comprehensive set of security competencies that application security requires. It’s a steep learning curve that calls for continuous training and mentoring.
However, DevSecOps is flexible enough to adapt to different organizations and industries, as this approach covers multiple aspects of the entire DevOps process. And the aforementioned Gitlab survey serves as a testament to that.
For instance, 27.61% of the developers surveyed confirmed that they’re part “of the cross-functional team focused on security.” Another 25.89% said that they’re “more compliance-focused.” Only 19.99% said that their roles do not change or evolve with the security posture.
SecDevOps – The Best
The most robust security practice out of the three, SecDevOps finds its roots in engineering a culture where security is a core discipline.
SecDevOps almost resembles DevSecOps in all aspects, including its top-down, strategic approach. However, security in this context is treated like any other discipline that’s an integral part of the entire development process. So, there’s no hierarchical differentiation between the priority lent to developers, security pros, and other stakeholders.
The “security-first” mindset is embedded in the idea of producing self-contained, well-secured apps. Considering that an average app grows to many thousands of lines of code, the onus is on security engineers to be extra vigilant and to assess threats rigorously. The result is a highly secure and seamlessly manageable app.
Is SecDevOps the Straightforward Choice?
Not really! On a practical note, SecDevOps is undoubtedly the most capable model or approach to handling complex security scenarios across the DevOps pipeline.
The problem with SecDevOps is the necessity to have security-based decisions codified in a clear and explicit manner, literally everywhere. That means every professional involved in the process must be a security expert.
Consider this: some roles lean towards the business side of things, while others focus on technical capabilities. In that case, the security initiative is likely to run into rough waters because it’s over-engineered and unnecessarily intricate.
But many organizations aren’t looking to eliminate risk across every touchpoint; they want to manage it instead. So, it’s critical to channel the available resources accordingly. And it’s here that DevSecOps is expected to have the upper hand.
The Bottom Line
The debate should actually be between DevSecOps and SecDevOps. SecDevOps is the best of both worlds, with a security mindset seeping through every level or aspect of the DevOps process.
The fact that developers (the most critical part of any organization) are involved closely in the entire process makes it all the more valuable. Nevertheless, DevSecOps is the most pertinent approach when it comes to security practice, especially in organizations that emphasize agility over rigid processes.
There’s no straightforward winner, of course. It depends on how you perceive the need to balance security, innovation, and agility. The right choice will be the one that allows production to flourish without compromising on quality.