DevOps and DevSecOps – Two of the Biggest Topics in Cloud

Two of the biggest topics in Cloud today are DevOps and DevSecOps. What makes them so important now and how organizations can leverage them are key questions. For the answers, we must jump back to look at their origins and how these methodologies developed.

What is DevOps

Historically, developers built things and operations kept them running in production environments. The process of moving from Dev to Ops was often referred to as “throwing it over the wall”. The wall was initially conceived as a separation of duties, which certainly made sense. Unfortunately, it led to silos and difficulties for Ops. They were being handed applications and resources they had no part in creating, while Dev teams had no responsibility for maintaining the applications once they went over the wall. This meant long development cycles, persistent bugs, and some level of frustration for all the teams. The handoff was always a bottleneck, with both teams trying to get into sync, and the biggest frustration was felt by the business. As the final consumer, it knew there had to be a better way.

Development and production

The first step in improving the system was to remove the wall and connect Development to Operations. This gave Development the ability to increase speed to deployment, as the over-the-wall knowledge transfer was now removed. Bugs had a shorter lifespan and deployments became more rapid, which led to Continuous Integration (CI) making releases arrive at the point of delivery faster. CI is the merging of code from feature or other named branches to the main branch for release. The obvious next step was to speed up delivery, which is where Continuous Delivery (CD) came into the process. CI and CD, combined into CI/CD, created the most rapid and efficient path from Dev to Prod. Most people believe this to be DevOps.

An elevated frequency of deployments isn’t a requirement of CI/CD. Multiple deployments per hour are common in mature organizations, but their processes are quite mature and refined. The journey begins when you merge the code and have an automated path to deploy it. As part of automated testing, you’d likely implement linting or more advanced static code analysis in addition to some test-driven development.

Once automated flows were taking code from the developer to production, it became clear that the more automated things were, the more repeatable they became, and the more likely processes were to adhere to standards and achieve success. This then led to the evolution of DevSecOps.

What is DevSecOps

In DevSecOps, a phrase encountered often is Shift Left, which means shifting a process from one side of a flow diagram to the other. In the case of DevSecOps, it means moving Security practices and processes earlier in the DevOps workflow, making them a core part of the development process. Instead of testing for security gaps late in the DevOps cycle, those processes are included from the start. The entire development process becomes rooted in security, so things are created in a truly secure manner. This can help surface patterns, antipatterns, and insecure decisions, all of which can be identified through tests and design decisions.

Leveraging DevOps and DevSecOps

A transition to DevOps or DevSecOps methodologies starts with assessing the current state of your organization, particularly in terms of organizational maturity and the ability to manage change without disrupting current operations. Secondly, determine where you are regarding the technologies for each step, from version control to testing and security pipelines. Finally, determine where your staff is on the spectrum of DevOps/DevSecOps: do they have the skill sets and understanding of the methodologies and practices they will need?

These three things tell you how much change is needed and roughly how much time it might take to arrive at the automation you desire. This sample Gantt chart shows a possible assessment process.

Assessment process

Taos has solutions to help you every step of the way, from planning to implementing to training. If you’re considering DevOps or DevSecOps, we’d love to begin that conversation with you. Learn more at www.taos.com.