The Inner Circle

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs
------------------------------

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Hi Megan.
Conceptually it cannot be a security solution. I can't remember where I read it but there was an accurate motto that says "there is no one-size-fits-all solution for DevSecOps". The thing is that in my experience most of the customer has the opposite idea so empirically DevSecOps turns to be a solution.

------------------------------
Alejandro Bernal
Security Architect
NTT Data
------------------------------

Original Message:
Sent: Mar 11, 2022 09:24:06 AM
From: Megan Theimer
Subject: What is DevSecOps?

As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance

Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

We are practicing devsecops at some scale across disparate teams and, no, I would not qualify it as a "solution" so much as an engineering approach for a particular problem set (see below) and daily practice.  Like having a daily exercise routine is not a solution to anything per se; it is an enabler of better overall health and fitness but the exercise a marathon runner needs to do is very different than one that a power weight lifter needs to do.

thus the more interesting part is the "problem" you are trying to solve.  If you are not practicing automated devops (more like "gitops") then devsecops probably is a mismatch or overkill.  you only start to understand the need for devsecops when you have conversations like:

Sec analyst: "I need to capture a forensic snapshot of a container that triggered an alert 5 minutes ago - can I break glass ssh into it please?"
DevOps engineer: "no - all ssh access to all containers is disabled by design, also all containers are ephemeral and avg lifespan is about 30 seconds, whatever container you are looking for is long gone"
Sec analyst: "well can you install this utility so I can do monitoring on the next container deployment?"
DevOps: "open a PR with the terraform code and add the change you want"
Sec: "I don't know how to do that - can't you just temporarily add it manually as root or something?"
DevOps: "no  - we have OPA rules that block any image deployments that have not been PR'd and approved on the protected branch by 2 separate approvers and have a Jira ticket linked with the Security Impact Analysis checklist (and SAST and DAST) PR checks completed, and the appropriate annotation added from the policy enforcement system; and root perms is disabled on all images by another OPA policy; also our custodian drift monitoring tool will auto sandbox any container instance deployed with root or non-whitelisted processes anyways, so it would not be allowed and that itself would be an alert and TTP for you to look at so you're in an infinite do loop at that point"
Sec analyst: "so how do I see what the activity on that container was, or will be, and how to connect it to other TTPs from the VPC flow logs and log analytics data?"
DevOps: "<shrug>"

I like Michael's playbook - but - the real world looks more like a hyper-connected graph of activities that overlap, loop within loops, and branch off and rejoin.  Basically everything starts to interact with every other thing at every point in time!  while I get that you need a simplified view to start the journey, the result looks more like a Jackson Pollack painting :)

------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------

Original Message:
Sent: Mar 11, 2022 09:24:06 AM
From: Megan Theimer
Subject: What is DevSecOps?

As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance

Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Agreed with others that it is not a solution but an approach/methodology. It cannot be a security solution as others say, it's inherently how we do secure-by-default for our DevOps and/or development practices. For us, an organisation, one of our biggest mandatory steps is to have all our DevOps tools and environments protected by our own zero trust technology so that we will ultimately have zero trust in all networks (internet, local, host OS) which massively restricts malicious activity (internal and external - e.g., no zero days or CVE exploit, DDoS, port scans, brute force) while giving our security team strong visibility and audibility.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

Original Message:
Sent: Mar 11, 2022 09:24:06 AM
From: Megan Theimer
Subject: What is DevSecOps?

As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance

Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

I really like the comment on "understand what problem DevSecOps is attempting to solve". A good starting point for organizations to realistically fit Security into their Dev Sprints is to Tokenize/Mask/Encrypt the data all the way through the stack. If they can come to their Sprint Huddles with regular updates on "is the data still secure" there is the "Sec" in DevSecOps. Implementing and tuning the monitoring/observability/detection of the environments... well that's a whole other beast of it's own.

------------------------------
Eric Lloyd
Account Manager
Thales
------------------------------

Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?

In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook

------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Based on my experience working with multiple teams , I personally feel DevSecOps takes different forms of understanding and implementation. When application security teams owns it, their priority is to integrate Security requirements, Threat modeling, SAST,SCA, Partial DAST and other possible security testing efforts at the earliest stages (Shift Left) of the SDLC . More specifically integrating within the pipeline. This helps to detect Vulnerabilities as early possible and help remediate during the development and reduce the time taken to remediate ,if the Vulnerability is detected at the tail stages of the SDLC.
In case Operations teams owns , all operational task and its associated security activities (platform security, infra scans, risk/threat management , container security , penetration testing) are integrated into the pipe line . Both Dev and Operations will strive to automate their activities by introducing new generation tools and process, helping to reduce the time for a app/product to get released in a shorter time with all possible security controls integrated .
From an organization perspective, it looks for an effective , semi-automated, seamless implementation of Security through out Development and Operations of SDLC .

------------------------------
Sivakumar kathiresan
Senior Product Security Architect
Elekta
------------------------------

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Wow, thanks for all the responses, everyone! This is really helpful!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------

DevSecOps is a term used to describe a new approach to software development that emphasises collaboration between developers and security professionals. The goal of DevSecOps is to speed up the software development process while ensuring that security concerns are addressed early and throughout the process.

------------------------------
Rowan Sheridan
it
it
------------------------------

Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?

Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

Thanks for your responses!

------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------