
Security's need to be named

An argument against DevSecOps (SecDevOps?) & secure development lifecycles

This might be just a matter of semantics, but it seems the security industry has a thing for making sure we're named.

Current efforts around "DevSecOps" feel like security companies & individuals (mostly security vendors and marketers, but I've seen it elsewhere) injecting themselves into a broader trend in an effort to stay relevant or maintain mindshare. In some ways, it feels similar to parts of the "secure development lifecycle" movement.

There are definitely improvements to be gained from deeper integration of security elements into broader development lifecycles & operational processes. And I get it: the security industry is working to do this, and to change things for the better.

Security has gained priority within modern business by necessity. But it's okay and I'd argue even beneficial for that to be implicit in our language & labels. Continuing to linguistically "security" all the things could well strengthen silos, decelerate integration, & confuse ownership.

How do the results really differ between DevOps vs DevSecOps, or SDLC vs SDL? It comes down to much more than just a name. How about we quit hijacking the nomenclature and focus on doing good security work or providing good security product inside whatever organization/process we're part of, regardless of what it's called?

© Jamie Finnigan; opinions my own and not my employer's. Built using Pelican. Modified from theme by Giulio Fidente on GitHub.