At Collabify, we've seen our fair share of buzzwords come and go, but DevOps and DevSecOps seem to be sticking around. And while we're all for integrating development, security and operations into a streamlined, well-oiled machine, we can't help but notice that the terms are being thrown around a bit haphazardly.
What it isn't
You see, DevSecOps isn't a job title. It's a philosophy. Yet, over the past few years, we have seen more and more job postings popping up for "DevSecOps Engineers" or "DevSecOps Managers." Let us tell you, friends, that this is like calling yourself a "Vegetable-Eater" and expecting to get paid for it. Sure, you may eat vegetables, but that doesn't make it your job.
The same goes for DevSecOps. Just because you're a developer or an operations person who cares about security, and is trying to integrate it and spread the word in other teams, it doesn't mean you're a DevSecOps professional. And just because a company is hiring for a "DevOps" or a "DevSecOps" role doesn't mean they truly understand the philosophy or are implementing it correctly.
In the past, we have spoken to companies that were hiring for these job titles, and in reality the actual role ranged from a "regular" developer to a "regular" operations engineer (without the need for scripting or automation experience) all the way to an SRE (Site Reliability Engineer).
What it is
So, what is DevSecOps, exactly? Well, it's the integration of security considerations into the development and operations process. It's about breaking down silos and fostering collaboration between the development, operations, and security teams. And it's about shifting security left, so that security is considered from the beginning of the development process, rather than tacked on at the end.
It's also about embracing a culture of continuous improvement and experimentation. DevSecOps is about automating as much as possible, including security testing and validation. It's about embracing the principles of Continuous Delivery and Continuous Deployment, so that code can be pushed to production faster and with more confidence.
At the end of the day, DevSecOps is about delivering secure software, quickly and repeatedly.
So, why do we keep seeing "DevSecOps" job postings? Well, in all likelihood, it's because companies are trying to keep up with the latest trends and buzzwords. (And, in order to optimize our SEO, we're guilty of it ourselves.) Companies see "DevSecOps" and think, "Hey, we should have someone in charge of that!" But just because a job title sounds trendy doesn't mean it's the right fit for your organization.
Doing the right thing
Instead of hiring for a "DevSecOps" role, companies should focus on fostering a culture of collaboration and continuous improvement. They should work on breaking down silos and encouraging cross-functional teams. They should invest in automation and embrace the principles of Continuous Delivery.
In short, they should focus on being DevSecOps, not hiring for it.
So, the next time you see a job posting for a "DevSecOps Engineer" or a "DevSecOps Manager," remember: it's not a real job. It's a philosophy, a mindset, a way of doing things. And instead of trying to hire for it, companies should focus on living it.