DevOps Vs DevSecOps


What is DevOps?

The term DevOps (Development + Operations) has risen in popularity quite fast in the IT industry since around 2008. The idea behind its culture is to enable software developers to deploy new features and fixes seamlessly and quickly. This is achieved by laying down a set of automated processes called pipelines, each running independently to perform a specific task; taken together they usually mirror the software development cycle.

The common set of pipelines includes (usually in the following order):

  1. A pipeline to do testing
  2. A pipeline to package/build the software
  3. A pipeline to deploy the built software to the infrastructure

With all of these in place, software engineers no longer have to worry about performing these repetitive tasks manually. Once they push fixes and/or new features to their respective repository, the automated pipelines handle the rest. Aside from this, operations teams can also expect that only quality code gets out to the end-users, thanks to the automated testing.

Monolithic vs Microservices Architecture

Over the years software applications have evolved immensely. Back then, we built software as a single massive structure that handled all the business logic required in order to function. For the most part, this worked, since most software applications were used by individuals or by businesses internally, with a small and manageable number of users. Fast forward to the present: most of these software applications are now available in the cloud, straight to your browser, with the potential to reach millions or even billions of users. With this, stability, scalability and performance became a challenge.

Microservices is a software architecture whose idea is to split a very large single software application into several miniaturized components, all working and communicating together. This solves a lot of the challenges encountered with the monolithic approach. For example, if a single component goes offline, it doesn’t take down the entire application. And if some part of the application is experiencing heavy traffic, you can easily scale up that single component alone without increasing your overall cost any further.

Software in Containers

Software nowadays is served in containers. All of the dependencies required for it to run are packed into a single entity that can be passed around and easily replicated for stability and scalability. Containerization allowed the microservices architecture to gain traction in the majority of new and old software businesses. However, this came with two caveats: complexity and security. As you decouple your application and increase the number of components, the number of entry points for a potential security breach grows with it. A software security breach of any kind is devastating, especially for fintech companies, which has made security a top priority for software businesses as well.

DevSecOps to the rescue

As software development moves towards the microservices architecture, it has become apparent that security needs to be given an equal amount of importance and attention.

This is where DevSecOps (Development + Security + Operations) comes in. The word “Sec” in the name refers to security. It is also important to note that the word sits between “Dev” and “Ops”. This means that it is a collaboration between development, security specialists and operations. It adds a layer with an emphasis on security and ensures that, before any software is handed over to operations, it goes through an extensive implementation of the best and most up-to-date security practices, in order to ensure the quality and serviceability of the software.

However, this comes with downsides as well. Software security is, in essence, neither a simple task nor a single all-in-one implementation. There are a lot of areas to take care of when we are talking about security. Here are just some of the common ones that need to be covered in most modern software applications:

  • Applied security on the actual software application
  • Containers
  • Bare Metal and Cloud platform
  • Container orchestration like Kubernetes or Docker Swarm

The primary goal is to introduce and integrate all the best security measures without compromising on the speed of software delivery. This can be achieved by having another layer of automated pipeline specifically tasked with system hardening and continuous security checks. This is not to say that DevOps doesn’t provide any form of security at all; it may be present, but it is not the focus, whereas in DevSecOps security is of the utmost importance.
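The following GitLab CI configuration is an added illustration, not part of the original post: it keeps the three DevOps pipelines from above (test, build, deploy) and inserts the extra security layer the text describes as separate automated stages that gate the build and the deploy. The tool choices, the registry name in IMAGE and the deploy.sh script are assumptions; substitute your own.

```yaml
# Added example (not from the original post): DevOps stages plus the
# DevSecOps security layer. IMAGE and deploy.sh are placeholders.
stages:
  - test
  - security        # added: checks source before anything is packaged
  - build
  - image-security  # added: scans the packaged artifact itself
  - deploy

variables:
  IMAGE: "registry.example.com/app:$CI_COMMIT_SHORT_SHA"  # placeholder

unit-tests:
  stage: test
  image: node:20
  script:
    - npm ci
    - npm test

# Shift-left gates: a leaked secret or a known-vulnerable dependency
# fails the pipeline here, so it never reaches the build stage.
secret-scan:
  stage: security
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect --source . --exit-code 1

dependency-audit:
  stage: security
  image: node:20
  script:
    - npm audit --audit-level=high

build-image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# Scan the container, not only the source: base-image CVEs are invisible
# to source-level checks. HIGH/CRITICAL findings block the deploy stage.
container-scan:
  stage: image-security
  image: aquasec/trivy:latest
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"

deploy:
  stage: deploy
  script:
    - ./deploy.sh "$IMAGE"  # placeholder for the deployment step
```

Because every stage runs automatically on each push, the security checks add no manual work for developers, which is the balance between delivery speed and security that the text describes.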

Now that we’ve understood the meaning of DevOps and DevSecOps, we can then summarize the differences between the two.

                | Continuous Integration | Continuous Delivery | Security
DevOps          | Yes                    | Yes                 | Yes, also to some extent but not the primary focus
DevSecOps       | Yes                    | Yes                 | Yes, with an extensive emphasis

Conclusion

Whether DevOps or DevSecOps, security in any software business is crucial. Aside from providing quality software for your users, it is also important to protect your software and your users from potentially devastating cyber-attacks. Given how fast-paced the IT industry is, it is possible that a new set of software cultures will spring up, or maybe we’ll see the two merge into one. At the end of the day, the goal in mind is to provide the best software for businesses and end-users alike.