DevOps and DevSecOps

Both movements are genuinely useful for convincing people that they should automate everything. They also create discipline. In most situations it is acceptable for provisioning a server to take several hours, as long as the whole process is automated. But there is a catch: once a step takes more than about 10 minutes, you will be tempted to do it by hand. And you will do it by hand. This is how slow-moving chaos begins in an organization, and it generates huge losses over time.

DevSecOps is welcome because it can resolve the conflict between DevOps and security.

In a DevOps product pipeline, different people measure different things: retention (product managers), usability (developers), response times (operators). All of those metrics boil down to customer satisfaction, which is the metric everyone aligns their goals against.

In contrast, security teams count unpatched vulnerabilities and security incidents. The security team's focus therefore points inward (at its own environment), while the company's focus points outward (at customers). A security team wants to protect existing value; the company wants to increase value. Both views are necessary, but the difference between them hurts communication and efficiency. DevSecOps done properly can fix this.

The single most valuable practice in DevOps is Infrastructure as Code: it is what makes all the other DevOps principles possible.