Overview of Topics covered
What is DevOps SIMPLY explained
Here is my simplified definition of what is DevOps:
What it really comes down to eventually is:
“DevOps is anything, any tool or concept, used to remove any bottlenecks on the way of releasing and delivering changes to the end user fast and with minimum bugs”
This applies whether it’s application or infrastructure changes ☝️
So naturally, if security is a bottleneck, it becomes a DevOps issue: a show stopper that we have to eliminate.
So DevOps naturally should include security, but as I often say:
“Reality and theory, or how it’s supposed to be, are 2 different scenarios.” 🤷🏻♀️
So in practice, it so happened that DevOps left out security. It focused on development and fast release cycle, but security teams and external pen tests stayed outside the DevOps cycle.
Security as Afterthought in DevOps
Now, when we implement DevOps processes in our organization, we end up with a streamlined and efficient application development and release process, which happens at a fast pace.
So we are releasing fast, or trying to release fast, but all those attempts get blocked by manual, slow security checks right before the release.
These security checks are usually done by security engineers or compliance team or even external pen testers.
And this may take weeks or months ⏳
So we are just aggravating the security bottleneck with DevOps.
This is Why DevSecOps is so important
So as a reminder, to highlight the importance of security in DevOps, DevSecOps emerged.
Also, as we saw, security spans the entire software development lifecycle (SDLC), all parts and layers. And as you also know, DevOps affects the entire software development lifecycle too.
So DevSecOps is taking that overarching security and integrating it in all DevOps steps from start to finish, from automated tests to building and deploying steps:
So DevSecOps is really: DevOps that doesn’t forget about security.
So the responsibility for fixing security issues and for secure implementation still lies with the individual teams, who have the expertise in those specific areas, but DevSecOps creates an overarching CI/CD process with automated checks that measure what’s called the "security posture".
Basically, this gives us visibility into how secure our systems are.
That's what is meant by "DevSecOps" 💡
Now how does DevSecOps do this? How does it integrate security into the DevOps workflows, like a complete CI/CD pipeline? 🤔
One core part is integrating automated security checks into the CI/CD like this:
Snippet from the DevSecOps bootcamp.
DevSecOps as part of DevOps
So instead of DevSecOps vs DevOps, we have now learned that DevSecOps is really the same as DevOps in theory. 💡 It just emphasizes and re-introduces the integration of security in the whole DevOps workflow in practice.
So overall, this makes the process fast again by
✅ reducing the feedback cycle on any security issues, by
✅ infusing the security checks throughout the pipeline,
instead of having it as a big task right before the release.
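The pipeline shape described above, as an added example that is not the bootcamp's own snippet: a declarative Jenkinsfile (Jenkins is one of the tools named later in the article) with a security check infused at each step, so a failing check stops the build minutes after the commit instead of weeks later in a pre-release review. The tool invocations (gitleaks, semgrep, trivy) and their flags, the image name, the `make test` target and the staging deployment target are all assumptions and would be replaced by whatever tooling your team uses.

```groovy
// Added example (not from the original article or bootcamp): security checks
// placed throughout the pipeline rather than as one manual gate before release.
pipeline {
    agent any

    environment {
        // Constructed image name; BUILD_NUMBER is a standard Jenkins variable.
        IMAGE = "registry.example.com/myapp:${env.BUILD_NUMBER}"
    }

    stages {
        stage('Secrets scan') {
            steps {
                // Cheapest check first: fail immediately if credentials were committed.
                // Assumes gitleaks is installed on the agent.
                sh 'gitleaks detect --source . --exit-code 1 --no-banner'
            }
        }
        stage('Build and unit tests') {
            steps {
                sh 'make test'   // assumed project build target
            }
        }
        stage('SAST') {
            steps {
                // Static analysis of application code; --error turns findings into a failed stage.
                sh 'semgrep --config auto --error .'
            }
        }
        stage('Dependency and IaC scan') {
            steps {
                // Third-party packages and Terraform/Kubernetes manifests checked in one run,
                // so infrastructure changes get the same gate as application changes.
                sh 'trivy fs --scanners vuln,misconfig --exit-code 1 --severity HIGH,CRITICAL .'
            }
        }
        stage('Build image') {
            steps {
                sh "docker build -t ${IMAGE} ."
            }
        }
        stage('Image scan') {
            steps {
                // The packaged artifact is scanned before it can reach any environment.
                // The JSON report is kept so the security posture is visible per build.
                sh "trivy image --exit-code 1 --severity HIGH,CRITICAL " +
                   "--format json --output trivy-image-report.json ${IMAGE}"
            }
        }
        stage('Deploy to staging') {
            // Only reached when every earlier check passed; target namespace is an assumption.
            when { branch 'main' }
            steps {
                sh "docker push ${IMAGE}"
                sh "kubectl set image deployment/myapp app=${IMAGE} -n staging"
            }
        }
    }

    post {
        always {
            // Archive scanner output on success and failure alike, so a failed gate
            // still leaves the evidence behind for the team that has to fix it.
            archiveArtifacts artifacts: 'trivy-image-report.json', allowEmptyArchive: true
        }
    }
}
```

The ordering is the point: fast, source-level checks (secrets, SAST) run before anything is built, the scan of dependencies and infrastructure code sits next to the application scan, and the image is scanned after it is built but before it is pushed anywhere. Each `--exit-code 1` / `--error` flag is what turns a report into a gate; without it the stage would only log findings and the pipeline would carry on.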
🤓 Learn DevOps before DevSecOps
And that's why if you want to learn DevSecOps, you need to first learn the DevOps principles and technologies:
You need to learn the core of DevOps, which is building fully automated CI/CD pipelines
You need to learn technologies, like Docker, K8s, Jenkins etc.
You need to be able to configure infrastructure on cloud platforms etc.
And as the most important skillset of a DevOps engineer, you need to be able to automate all DevOps tasks, using tools, like:
Terraform for automated infrastructure provisioning or
Ansible for automated server configuration
Python for various DevOps automation tasks.
These DevOps skills are becoming more and more demanded in the IT world, but are also one of the most complex to learn. You need a proper structure and guidance to learn these technologies in combination to build end to end DevOps processes, with real-life DevOps projects to learn how to use them in practice.
And not only learn the tools but really understand all the concepts behind every configuration. Plus you want to learn this in simple words and visuals, instead of heavy technical terminology that makes understanding concepts even more difficult 🙇🏽♂️
That's why we have 1,000s of engineers 🧑🏽💻👩🏼💻 every year learning real, hands-on DevOps skills in our DevOps bootcamp. They become Certified DevOps Engineers, who can directly apply the skills in any DevOps project, and they learn all the complex topics in-depth, but with the simplest explanations and visuals.
📖 Our Proven DevOps Bootcamp Learning Schedule / Roadmap:
🥷 Add advanced DevSecOps skillset
Only after you have built a strong knowledge of DevOps can you add the advanced DevSecOps skillset on top of that.
Because just like DevOps, DevSecOps is a concept affecting the entire software development lifecycle. That's why you need to learn the basic level of DevOps and then move on to the next level of adding and infusing security in that complete lifecycle.
And that's why we also recommend that all our engineering students complete our DevOps bootcamp first and then do the DevSecOps bootcamp. There is no shortcut to success, but with the right resources and guidance you can definitely speed up the journey significantly and reduce the pain in the process 😊
📖 Our Proven DevSecOps Bootcamp Learning Schedule / Roadmap:
If you are completely new to DevSecOps, you can also start by first understanding what DevSecOps is and what it encompasses using a completely free resource to give you clarity on the topic in less than 20 minutes: FREE DevSecOps Course ✅
Official Resources:
Official DevSecOps manifesto: https://www.devsecops.org/
AWS Cloud Security: https://aws.amazon.com/security/