What is DevSecOps (or DevOpsSec, SecDevOps, or rugged DevOps)?

Updated 9/25/20

Answer

DevSecOps is the integration of security practices with DevOps.  DevOps may be a culture of automation (as Stackify says), a blend of disciplines (development and operations), or a key word in a job title (e.g., DevOps Engineer or DevOps Architect).  DevSecOps seeks to rapidly integrate security measures into development and operations and avoid security specialists working in separate and relatively isolated teams.  By having security-minded professionals in the same team, the benefits of automation can help security, and security can protect rapidly-growing server environments with Agile development.

To learn more about DevSecOps, see the following five links:

  • The DevSecOps Manifesto is here.
  • An independent definition of DevSecOps is here.
  • SANS produced a whitepaper on DevSecOps.
  • Sonatype has a PowerPoint presentation here.
  • ZDNet has an article defining DevSecOps.
  • CA Technologies used to have an article defining DevSecOps here: https://automic.com/blog/just-what-devsecops-ara

In 2012 Gartner called what we now think of as DevSecOps "DevOpsSec" (https://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/).  This term persists, and there are actually two more synonymous terms in use: SecDevOps and rugged DevOps.  To learn about the term Rugged DevOps (as it is sometimes capitalized), see this link.  A leading security website, CSOonline.com, describes three of the terms (DevOpsSec, DevSecOps, and SecDevOps, but not the rugged DevOps term).  A book published in 2016 clarifies that there are four different terms for the infusion of security practices into DevOps: "Whether you call it SecDevOps, DevSecOps, DevOpsSec, or Rugged DevOps..." (page 5 of DevOpsSec by Jim Bird, O'Reilly Press 2016).  Another credible source confirms that there are four terms that mean the same thing (Sqreen.io).  Consider the following findings (as of 11/22/17):

  • A search for "devsecops" on Indeed.com found 192 jobs and on Dice.com found 31 jobs. 
  • A search for "secdevops" on Indeed.com found 38 jobs and on Dice.com found 3 jobs.
  • A search for "devopssec" on Indeed.com found 11 jobs and on Dice.com found 1 job.

Consider the updated findings (as of 9/25/20):

  • A search for "devsecops" on Indeed.com found 4,797 jobs and on Dice.com found 95 jobs. 
  • A search for "secdevops" on Indeed.com found 234 jobs and on Dice.com found 6 jobs.
  • A search for "devopssec" on Indeed.com found 16 jobs and on Dice.com found 0 jobs.

Clearly varieties of the terms exist, and there has been a tremendous growth of this concept in the past few years. The term "rugged devops" is not discernibly searchable like the other three terms.  Which of the four options should be used for the infusion of security practices into DevOps?  Here is an excerpt from a third source, a relevant TechBeacon article, acknowledging all four terms:  "People call it DevSecOps, SecDevOps, DevOpsSec, and even rugged DevOps. How can we have so many different terms to describe the exact same thing?  This gives us a hint as to the disconnect that exists within security in DevOps. It’s still the wild west [sic]. There is no standard that defines security for DevOps, and the chances of a standard ever developing is small because different organizations are doing things their own way, and can’t even agree on a standard name. And while there is a standard for the secure development lifecycle (ISO/IEC 27034-1), few organizations are ever validated against it . [sic]"

To clarify, DevOpsSec, SecDevOps, DevSecOps, and rugged DevOps are each the same thing: they are the integration of security practices with DevOps.

Arguably DevOps necessarily incorporates security with quality assurance (or QA), development, and operations; DevSecOps or synonyms such as SecDevOps, DevOpsSec, or rugged DevOps, could all be considered redundant to the term DevOps.  One difference that is undeniable in three of these terms is the three letters Sec which explicitly reminds people about security.

Gene Kim, who is a DevOps celebrity (if such a thing exists in September 2020), started to make a name for himself when he co-founded a security software company called Tripwire.  Tripwire's main product is a host-based intrusion detection system that is focused on finding changes in files themselves.  (Host-based intrusion detection systems, HIDSes, look for intrusions on a server, by monitoring files and processes.  They do not monitor a TCP/IP network like Snort or other network-based intrusion detection systems.)  Tripwire's system can also be called security information and event management, or SIEM.

This host-based intrusion detection system approach to security concerns itself with minute changes in files.  This scrutiny of files is characteristic of code versioning systems (such as Subversion or Git) used in CI/CD pipelines.  These pipelines are a significant part of what DevOps is -- integrating development with operations.  DevOps engineers can design CI/CD pipelines to have processes triggered on the act of a new file being uploaded or committed to a repository.  A typical CI/CD pipeline will initiate a build upon the event of an existing file being modified. 

In the mid 1990s when the Tripwire security product came out, no one could have known the role configuration management tools (such as Puppet, Chef, Ansible, and SaltStack) would play in changing files across large numbers of enterprise servers.  Similarly at this time no one could have known the importance of future tools such as Git, Jenkins, or the DevOps movement itself.  Gene Kim became an expert at file changes and automating an event (such as logging or notification) with his security software business.  By the time DevOps became a common word, he was incredibly well-prepared for the I.T. industry to begin a transformation toward focusing on automating processes upon a file being changed.  No one would disagree that Gene Kim is one of the most well-known figures in the DevOps realm today and will be one of the biggest names in the history of the DevOps movement.  His rise to fame came from expertise with a SIEM product.  This story of Gene Kim corroborates the idea that security is necessarily infused in regular DevOps culture (with no "sec" in the word).

The opinion that DevOps necessarily includes traditional practices of development, operations, QA, and security, is substantiated by the following list (when taking the first one into account with the other individual items):

  • Devops.com shows how QA, development and operations are part of DevOps.  Consider those three areas comprising DevOps with the four links below.
  • Wired.com explains how DevOps integrates security.
  • SANS has a whitepaper that explains how DevOps helps security work.  Specifically pages 5, 10, and 11 of this paper corroborate the view that DevOps inherently incorporates DevSecOps.
  • Ron Wilson who has authored an article on DevOps.com maintains that DevOps includes security in this link.
  • OWASP sponsored a discussion from Helen Bravo that was entitled "DevOps & Security: It's Happening. Right Now."  The slides were published in 2014; you can see them by going to this link.

If you want to read more on the topic of DevSecOps, see one of the following books:

  • DevSecOps All-Inclusive Self-Assessment
  • DevOpsSec by Jim Bird, O'Reilly Press 2016
  • Hands-On Security in DevOps
  • Securing DevOps: Security in the Cloud
