Genuine question: why is DevSecOps a thing? What is the difference between it and DevOps? Or separate DevOps and SecOps teams? Or InfraOps? At what point does it become systems administration with inflated titles? I've even seen business people call themselves "BizOps".
With the increase in rapidity and ability for developers to get code into production, a specialization has emerged.
Someone who focusses on the security aspects of the code pipeline. There's a lot to do here, which most companies are not. For example, not pulling random containers and packages from the internet, and having a trust path for auditing.
Devops/InfraOps/SRE - Engineer/Sysadmin with infrastructure experience focused on reliability. May have some security knowledge but not a security expert.
SecOps/Security Engineer - Typically focused on responding to security incidents and proactively preventing security issues. Typically this involves threat detection, pen testing, security reviews. They can often reverse-engineer malware but they may or may not be able to write a web app. Probably can't set up the infrastructure to run their security platforms.
DevSecOps - Security focused Devops engineer. Expected to have significant security experience, but probably not doing pen-tests. Likely working on container security, setting up and running security platforms. May be a security consultant for devops engineers the same way a security engineer is a security consultant for app engineers.
4 comments
[ 3.3 ms ] story [ 19.6 ms ] threadSomeone who focusses on the security aspects of the code pipeline. There's a lot to do here, which most companies are not. For example, not pulling random containers and packages from the internet, and having a trust path for auditing.
SecOps/Security Engineer - Typically focused on responding to security incidents and proactively preventing security issues. Typically this involves threat detection, pen testing, security reviews. They can often reverse-engineer malware but they may or may not be able to write a web app. Probably can't set up the infrastructure to run their security platforms.
DevSecOps - Security focused Devops engineer. Expected to have significant security experience, but probably not doing pen-tests. Likely working on container security, setting up and running security platforms. May be a security consultant for devops engineers the same way a security engineer is a security consultant for app engineers.