Ask HN: Best DevSecOps Literature

3 points by smithza ↗ HN
I am wanting to learn more as a working SWE how to learn and implement DevSecOps best practices. Any literature recommendations?

4 comments

[ 3.3 ms ] story [ 19.6 ms ] thread
Genuine question: why is DevSecOps a thing? What is the difference between it and DevOps? Or separate DevOps and SecOps teams? Or InfraOps? At what point does it become systems administration with inflated titles? I've even seen business people call themselves "BizOps".
With the increase in rapidity and ability for developers to get code into production, a specialization has emerged.

Someone who focusses on the security aspects of the code pipeline. There's a lot to do here, which most companies are not. For example, not pulling random containers and packages from the internet, and having a trust path for auditing.

Devops/InfraOps/SRE - Engineer/Sysadmin with infrastructure experience focused on reliability. May have some security knowledge but not a security expert.

SecOps/Security Engineer - Typically focused on responding to security incidents and proactively preventing security issues. Typically this involves threat detection, pen testing, security reviews. They can often reverse-engineer malware but they may or may not be able to write a web app. Probably can't set up the infrastructure to run their security platforms.

DevSecOps - Security focused Devops engineer. Expected to have significant security experience, but probably not doing pen-tests. Likely working on container security, setting up and running security platforms. May be a security consultant for devops engineers the same way a security engineer is a security consultant for app engineers.

The deeper inquiry of mine is best practices on containerization, continuous development/integration and where security fits in the loop.