What Is Devsecops


Why I’ve decided to start shouting into the void.

After six years' experience in DevSecOps, the smoke of naivety has finally dissipated, and I have discovered that nobody has a damn clue what they are doing.

Powered by some well-intentioned egotism, I'm going to attempt to bring some normality to the world of DevSecOps.

We aren’t all Google employees, experts in the world of SRE & Cloud. We aren’t Netflix engineers trying to solve the hardest worldwide scalability issue humanity has ever faced. You don’t need to be a rockstar developer to find value in this blog.

This is a DevSecOps blog for regular people.

What is DevSecOps?

Ah, DevSecOps, the fancy buzzword that makes tech recruiters' mouths water! The sketchy amalgamation of Development, Security, and Operations, which somehow manages to frustrate all three groups at once.

The bastard child of a cultural ethos and a job title, DevSecOps has grown into a hydra. To some, it's a working practice; to others it is a synonym for Sysadmin. To those who have been around the block a few times, it means one thing:

Generalism.

In all honesty, having worked in a few industries over the course of my career, there is no standard way to describe DevSecOps. Which makes first dates beautifully difficult, as you vaguely attempt to explain what you do to the poor sod sat opposite you over a coffee in the dodgy part of town because it had free parking.

Perhaps, I should start at the beginning.

What is DevOps?

To understand DevSecOps, you need to appreciate that it stems from its co-suffering parent ‘DevOps’. DevOps started as an attempt to encourage blameless, agile cooperation between Developers and Operations engineers.

However, Developers and Operations are sworn enemies, so this hasn’t worked. Instead it has resulted in DevOps being a job title instead of a culture, a synonym for ‘Sysadmins who code’. Some places do DevOps properly, but sadly they are in the minority.

So what should DevOps be, and how can we turn it into DevSecOps?

DevOps should be a cross-functional unit consisting of a mixture of Ops and Dev specialists, working towards a common goal, following the Spotify guild model…

Security slots into this nicely.

To summarise, DevSecOps is a cohesive initiative to bring a security layer to the DevOps process. Heed my warnings, newbie: you will not get far in the modern world of security-driven DevOps without soft skills, and you will find your journey worryingly short if you don't have patience (and/or healthy coping mechanisms like punch-dancing out your rage in a wooded glen).

Welcome to Unblocking Security, a DevSecOps blog for regular jaded people.