It is heretical to state the truth, but DevSecOps is just another empty buzzword. At best, for most firms, it is an ‘aspiration’, the rainbows and puppy dogs they wish to embrace. In reality DevSecOps (Development-Security-Operations) does not exist on most IT projects using Agile-Scrum. It is Yet Another Buzzword, or YAB.
Most firms and projects are not Google or Netflix. The vast majority of firms and projects have nothing approaching DevSecOps, and in many cases they don’t need DevSecOps. They don’t have the following:
DevSecOps is not easy and is a long-term effort and investment which must reflect the reality of the project or product, the dev-ops model being used by the firm, its culture, organisation and skill set.
What is missing from the buzzword is the reality that development/coding is quite distinct from operational management, which in turn can be very different from securing the application, database, network perimeter, subnets, code and other repositories. It is possible, of course, to cross-train engineers to understand and deal with dev-ops and security issues. But this means training, a long-term view and a long-term product or project. In reality, most firms throw a build deployment over the wall to Operations and say ‘there you go, make sure it does not fall over’. Security may or may not have been involved in the delivery process.