DevSecOps?

There is a great deal of confusion among traditional security teams about what DevSecOps means to them. I am sure most of us are catching up with this evolution and this new trend in how we do security in the DevOps world. I am sure there is a lot of discussion happening around this space. Personally, I believe DevSecOps means { Dev = "Developers", Sec = "Security as Code", Ops = "Operations" }. To an extent, security must be automated as controlled gates in the CI/CD process.

Please share your thoughts…

2 thoughts on "DevSecOps?"

  1. Sam

    I'm not sure I would limit the Sec portion to "Security as code". I think it is paramount that we automate where possible, but that security still needs to be included in the DevOps process, even for those tasks that cannot be automated through the use of coding.

    1. devsecops (Post author)

      I agree with you Sam.

      Traditional security still applies. But, to meet the velocity of the DevOps model, security must be integrated into the DevOps process from the beginning, and this is what I referred to as "Security as a Code" (SaaC). Of course, traditional security is still required, as we cannot get an architecture review done with SaaC, nor can we do threat modelling with SaaC. But, where possible, we should consider applying the rule of SaaC.

      For example, SaaC might potentially apply to Infrastructure as a Service – this helps security professionals enforce and validate security controls such as what protocols are being used, what ports can be allowed, or who has what access to the environments, etc.

      In short, I think we should have a Hybrid Security Model (SaaC and Traditional Security).

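One way to turn the "ports, protocols and access" controls mentioned in the reply above into an automated CI gate, as an added example that is not part of the original post or its comments: the policy, the ingress-rule format and the sample rules are all constructed for this illustration.

```python
import ipaddress
import json
import sys

# Constructed policy: the security team's rules expressed as data, so a pipeline job can enforce them.
POLICY = {
    "allowed_protocols": {"tcp"},
    "public_ports": {443},        # may be reachable from any source
    "admin_ports": {22, 3389},    # may only be reachable from the admin network
    "admin_cidr": "10.0.0.0/8",
}

# Constructed sample ingress rules, in the shape a pipeline step would read from a plan or config.
SAMPLE_RULES = json.loads("""[
  {"name": "web",     "protocol": "tcp", "port": 443, "source": "0.0.0.0/0"},
  {"name": "ssh",     "protocol": "tcp", "port": 22,  "source": "0.0.0.0/0"},
  {"name": "bastion", "protocol": "tcp", "port": 22,  "source": "10.0.0.0/8"},
  {"name": "legacy",  "protocol": "udp", "port": 161, "source": "10.1.2.0/24"}
]""")


def check_rules(rules, policy=POLICY):
    """Return (rule name, reason) pairs for every rule that breaks the policy; empty means pass."""
    admin_net = ipaddress.ip_network(policy["admin_cidr"])
    violations = []
    for rule in rules:
        name, proto = rule["name"], rule["protocol"].lower()
        port, source = int(rule["port"]), ipaddress.ip_network(rule["source"])
        if proto not in policy["allowed_protocols"]:
            violations.append((name, f"protocol {proto} is not permitted"))
        elif port in policy["admin_ports"] and not source.subnet_of(admin_net):
            # An admin port open beyond the admin network is the classic misconfiguration to catch.
            violations.append((name, f"admin port {port} is reachable from {source}"))
        elif port not in policy["admin_ports"] and port not in policy["public_ports"]:
            violations.append((name, f"port {port} is not on the allow-list"))
    return violations


def main():
    """CI gate entry point: a non-zero exit blocks the pipeline when any rule violates policy."""
    found = check_rules(SAMPLE_RULES)
    for name, reason in found:
        print(f"FAIL rule '{name}': {reason}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step; the exit status is the gate, and the violation list is what gets reported back to the developer.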
