The 3 Shades of SecDevOps

The 3 shades of SecDevOps

We live and work in a time of Peak Ops. DevOps. DevSecOps. GitOps. And SecDevOps, to name a few. It can be confusing to discern the reality through the marketing spin. However, SecDevOps is one new form of Ops that’s worth keeping in mind as you face new and emerging security and compliance challenges as your organization pulls out of the pandemic.

Here’s what I call the three shades of SecDevOps definitions:

SecDevOps: The Ops Definition

SecDevOps — also called rugged DevOps — places security first in the development process. SecDevOps and DevSecOps differ in the order of security considerations during the software development life cycle (SDLC). It’s a nascent school of thought which goes as far as comparing SecDevOps vs. DevOps.

SecDevOps requires a thorough understanding of how the application works to identify how it can be vulnerable. Such an understanding gives you a clearer idea of how you can protect your application from security threats. Threat modeling during the SDLC is an industry best practice for gaining such an understanding.

There are two distinct parts in SecDevOps:

Security as Code

Security as Code (SaC) is when you build security into the tools and practices in your DevOps pipeline. Static application security testing (SAST) and dynamic application security testing (DAST) solutions automatically scan applications coming through the pipeline. SaC places priority on automation over manual processes. Manual processes do remain in place for security-critical components of the application. Implementing SaC is an essential element of DevOps toolchains and workflows.

Infrastructure as Code

Infrastructure as Code (IaC) refers to a set of DevOps tools for setting up and updating infrastructure components to ensure a hardened and controlled deployment environment. The same code development rules are used to manage operations infrastructure instead of manual changes or one-off scripts that often take place these days. With IaC, mitigating a system problem takes deploying a configuration-controlled server versus the old way of patching and updating servers already in production.

SecDevOps uses continuous and automated security testing starting before the application goes into production. It implements issue tracking to ensure the early identification of any defects. It also leverages automation and testing to provide effective security tests throughout the software development lifecycle.

SecDevOps: The DevSecOps Synonym 

Then again, some organizations use the term SecDevOps synonymously with DevSecOps. There’s nothing wrong here. For example, a government agency focusing on security may use the term to mean DevSecOps. It’s semantics because they want to emphasize the importance of security in their software development.

SecDevOps: The Marketing Spin Definition

The Ops market is full of competition. It’s natural for marketers to want to spin the definition of SecDevOps so that it best suits the products and solutions that their company is selling to prospective customers. The best way to digest a marketing spin definition is to define what SecDevOps means for your organization. Don’t let salespeople define SecDevOps for you.

Final thoughts

Regardless of your school of thought about the three shades of SecDevOps, it’s about the people, culture, processes, and technology. A positive outcome of our current age of Peak Ops is that we all have a lot to learn from other schools of Ops thought, so soak in the SecDevOps definition and see what you can learn from it to apply to your organization’s DevSecOps practices.