DevSecOps vs SecDevOps 2.0
I ruffled some feathers with this one. I said the following:
Security for DevOps > SecDevOps
Development for SecOps > DevSecOps
Apparently, I stepped on Shannon Lietz’s toes (sorry). Some of the responses I got include:
Howard Holton’s (technically my boss if I wasn’t a contractor)
Tom Le’s surprising defense of Gartner terminology
Anton Chuvakin’s attempt to ameliorate the hurtful comment with a smiley face
But really, most comments I got are challenging “insertion” vs “prepending”. You insert Sec in DevOps, so you get DevSecOps. You don’t prepend Sec to DevOps to get SecDevOps (even though it sounds like Secure DevOps, which is the point).
Most people already know and agree with inserting Security in DevOps. However, my point with this is to highlight a Dev approach to SecOps, which people don’t talk about.
SecDevOps
If we look at Development for Security Operations, we refer to:
➡️ Writing detections using code via Python, Sigma, YAML, PySigma, etc
➡️ Writing automation scripts and third-party integrations using code
➡️ Codifying the SIEM deployment and putting it in a code repository
➡️ Interacting with the tools via APIs, CLIs, SDKs, config files
So you can use repositories and version control systems to store and manage scripts for alert engines, playbooks, connectors, or whatever, using infrastructure as code and managing everything in a CI/CD fashion.
DevSecOps features are predominantly available in SIEMs like CrowdStrike, Hunters, Panther, Datadog, Microsoft Sentinel and others.
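What “detections as code” looks like in practice, as an added example that is not from the original post: a Sigma-shaped rule kept in a repo next to the sample events it must and must not fire on, so a CI job can fail the commit when someone breaks the logic. The rule, the `approved_deploy.exe` allowlist entry and the sample events are all constructed for illustration; a real repo would store the rule as YAML and validate it with pySigma rather than with this minimal evaluator.

```python
"""Detection-as-code: a Sigma-shaped rule plus the regression check a CI job would run."""
# Constructed rule mirroring a Sigma YAML rule, written as a dict so this runs with the standard
# library only (in a repo it would be rule.yml, validated/converted by pySigma). The allowlisted
# parent process name is a made-up placeholder.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        "filter": {"ParentImage|endswith": "\\approved_deploy.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

def _field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' line; list values are OR'ed, comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for want in expected if isinstance(expected, list) else [expected]:
        want = str(want).lower()
        if (modifier == "contains" and want in actual) or \
           (modifier == "endswith" and actual.endswith(want)) or \
           (modifier == "" and actual == want):
            return True
    return False

def _block_matches(event, block):
    """Field lines inside a selection/filter block are AND'ed."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def evaluate(rule, event):
    """Evaluate the common 'selection and not filter' condition shape against one event."""
    det = rule["detection"]  # richer condition grammar is out of scope for this example
    selected = _block_matches(event, det["selection"])
    filtered = "filter" in det and _block_matches(event, det["filter"])
    return bool(selected and not filtered)

# Constructed sample events (not real telemetry): the fixtures CI replays on every commit.
TRUE_POSITIVE = {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "CommandLine": "powershell.exe -NoP -enc QQBCAEMA",
                 "ParentImage": "C:\\Windows\\explorer.exe"}
BENIGN = {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "CommandLine": "powershell.exe -EncodedCommand QQBCAEMA",
          "ParentImage": "C:\\Tools\\approved_deploy.exe"}

def ci_regression_tests():
    """Fail the pipeline if the rule stops firing on known-bad or flags the allowlisted parent."""
    return evaluate(RULE, TRUE_POSITIVE) and not evaluate(RULE, BENIGN)
```

Wiring `ci_regression_tests()` into the pipeline is what turns a rule file into a reviewable, versioned artifact instead of a setting someone clicked in a console.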
DevSecOps
And for SEO purposes, I will also re-define what DevSecOps means, which boils down to shifting security left:
⬅️ SAST, DAST and IAST
⬅️ Automating security testing as part of the CI/CD pipeline
⬅️ Software composition analysis
⬅️ API scanning
⬅️ IaC Security such that infrastructure configurations are secure and compliant with policies before deployment.
Folks that can help make sure you don’t hardcode your credentials include Snyk, Wiz, Veracode, Aikido Security, among others.
So that people don’t have to remind me that I’m not Gartner, here’s my corrected image.