One thing I have noticed is that each industry comes up with its own terms and acronyms. Unfortunately, these inventions often vary depending on the person you speak to, due to the lack of a governing body that decides on an exact definition. At times, acronyms can even overlap, causing further confusion. Therefore, when it comes to definitions, I always look to ask a variety of people from across industries how they would define certain terms. In fact, I took to Twitter and asked those in the industry to submit responses to a survey conducted on SurveyMonkey; a few of the results are presented below. (If you would like to add your definition(s), the survey is still open here.)
How would you define DevOps?
- “It is supposedly a culture where dev and ops work side by side to deliver digital products within a timeframe that brings value to the business.” –anonymous
- “DevOps is a combination of practices and tools that help an organization increase its capacity to evolve and improve products continuously and efficiently as well as to deliver IT services at high velocity.” –Zied TURKI
The above definitions were of interest to me because the first conceptualization separates the development team from the operations whereas the second viewpoint discusses the development team and their practices. To me, DevOps is essentially a team of developers designing, building, deploying, and maintaining software of any kind. The goal of this team is to do this efficiently and in a manner that’s aligned with a set standard decided by the organization. Speed is a piece of this, security another, but it’s the holistic approach through which the developers proceed that is important here.
How would you define NetOps?
- “No clue.” –anonymous
- “More like the combination of DevOps and network operations.” –anonymous
- “Simply put – the network team.” –Evan Mintzer
- “Apply DevOps principles to improve agility and performance of network services. Program and automate the ‘softwarized’ network infrastructure.” –Zied TURKI
This group of definitions made me smile; I personally have never heard NetOps used within an organization I worked for. I have used operations teams, network management, network architecture, and more, but never NetOps. However, as networking shifts its focus from hardware to software, I can see how this term could begin to grow. If I consider Cisco’s intent-based networking, its DevNet side and certifications, along with the definitions provided by those above, I arrive at the following definition: NetOps is the networking team working with similar principles and following standardized practices, but in reference to resilient networks.
How would you define DevSecOps?
- “Security is included in the DevOps culture so that business value is delivered with lowest risk.” –anonymous
- “The merging of development and security teams for coding into production. However, DevOps should be dealing with security.” –Evan Mintzer
- “DevSecOps is about incorporating Security into DevOps at the beginning of the software development lifecycle to bridge security and agility. It’s about shifting security to the left.” –Zied TURKI
When I started working closer with development teams, advising on best practices and standards in regard to security, we were practicing what I would call SecDevOps. To me, the security piece comes first. Wherever you put the word “security,” however, DevSecOps is at its heart a collaboration of development and security with the goal of creating resilient software for consumers.
What stands out uniquely between the above definitions to you?
- “Less manual, traditional ways of doing things operationally.” –anonymous
- “The terms above are newer, but they represent teams that have been around for a while.” –Evan Mintzer
- “Being agile for better served customers.” –Zied TURKI
What are DevOps, NetOps, and DevSecOps, and why does it matter? Truthfully, the overall definition of each term isn’t important; it’s the actions these teams take that are. To me, DevOps is a team that doesn’t simply build software. It’s a team that works holistically.
Whilst speaking at GOTO Berlin, I had the privilege to attend Oliver Drotbohm’s talk “REST beyond the obvious – API design for ever-evolving systems.” In this presentation, Oliver discussed the responsibility of working together across the teams and of not lumping work onto others by making it easier for yourself only. To me, that essentially defines what DevOps is.
Team autonomy, local optimisation, can cause backwards compatibility breaking change – don't forget about the other teams! @odrotbohm #gotober pic.twitter.com/1cjEcVjzMr
— ZoRo (@RoseSecOps) October 23, 2019
As a Network/Security person, I'm well enjoying @odrotbohm's #gotober talk! #logic but now I want to go into development #unintendedConsequences #coupling #connascence pic.twitter.com/tXgWQwovKC
— ZoRo (@RoseSecOps) October 23, 2019
When talking about NetOps, I tend to adopt a similar mindset as the one I described above for DevOps. However, as the network is the silent backbone to all business operations, the scope is a bit broader to include not only the Network, Operations, and Technology teams but also departments with different access needs and bandwidth requirements. NetOps includes the offensive and defensive security teams, the compliance and change management teams, and more. To me, it is the idea that as a business, you are all working together to make a more secure, privacy-focused solution that doesn’t ‘just work’ but works efficiently, covering all the requirements to empower consumers to enjoy the tech they work with daily.
Now, what about DevSecOps? Obviously, it includes security on top of development. However, to me, this is not different than being a part of the DevOps team. This is because all solutions—big, small, agile, waterfall, temporary, or permanent—must include security and privacy from the start to be called holistic and inclusive solutions. Creating anything else is not inclusive; it’s not working with your consumers and teams to identify the requirements and needs properly. It’s not respecting the sensitive data you are provided access to via the solution. It’s not enough.
Typically, I stick with using DevSecOps because security as a constant is my jam. However, no matter which terms you use, whatever teams you’re a part of, the vital piece of each is embedding a standard practice for inclusion, operations, policies, procedures, privacy and security from the beginning. Why is this vital? If you’re creating software or even network deployments, the point is both to build something that will help the required systems and services reach the desired goals and to continue providing these throughout the lifecycle of the solution. Therefore, it’s important to leverage security, privacy, and standardization to achieve this resilient solution.
About the Author: Zoë Rose is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber resilience across their organisation. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at international conferences. Recognised in the 50 most influential women in cybersecurity UK for the past two years, and the PrivSec 200, Zoë is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.