Secure by Design vs. DevSecOps: Same Security Goal, Different Paths
While both secure by design and DevSecOps aim to integrate security into software development, they differ in their approach. Here's how.
If you pay close attention to software development buzzwords, you've likely heard the terms "secure by design" and "DevSecOps" frequently in recent years. And you've likely wondered what makes them different from one another.
After all, designing software to be secure by default is similar to the key goal of DevSecOps, which is integrating security into the software development process.
This begs the question: Are "secure by design" and "DevSecOps" simply fluffy buzzwords that mean more or less the same thing? Or do they refer to distinct and specific concepts and practices that can benefit developers seeking ways to improve application security?
To find out, let's unpack the meaning of both terms and compare what they actually imply.
What Is 'Secure by Design' in Software Development?
Secure by design is an approach to software development that emphasizes making security a key priority during the application design process. Rather than tacking security onto an application after it has already been designed and/or implemented, software engineers choose application architectures, API architectures, data processing models, and other elements that maximize security.
The secure by design concept is closely associated with government agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. Government Security initiative.
What Is DevSecOps?
DevSecOps is a philosophy that advocates close collaboration between software developers, security teams, and IT operations teams. Similar to the secure by design initiative, the goal behind DevSecOps is to make security an integral part of the software development life cycle, rather than treating security as a separate, "siloed" process.
Over the past decade or so, DevSecOps has become a popular buzzword among software vendors. Many software security companies tout the ability of their products to enable DevSecOps by integrating security tools or controls (such as security scanning) into the development pipeline — and many producers of software development and DevOps tools highlight the security-friendly nature of their products.
Secure by Design vs. DevSecOps: Similarities and Differences
At a high level, the "secure by design" movement and DevSecOps seem to boil down to the same core principle: that security should be an integral part of software development, rather than something that organizations handle separately.
Arguably, however, the two concepts approach this goal using somewhat different practices and from different angles. Here are the main distinctions between secure by design and DevSecOps.
1. Practice vs. philosophy
Although the "secure by design" initiative offers limited guidance on how to make an application secure by default, it comes closer to being a distinct set of practices than DevSecOps.
The latter is more of a high-level philosophy that organizations must interpret on their own. In contrast, secure by design advocates specific practices, such as selecting software architectures that mitigate the risk of data leakage and avoiding memory management practices that make it easier for attackers to execute malicious code.
2. Scope
Whereas DevSecOps focuses on all stages of the software development life cycle, the secure by design concept is geared mainly toward software design. It deals less with securing applications during and after deployment.
Perhaps this makes sense because so long as you start with a secure design, you need to worry less about risks once your application is fully developed — although given that there's no way to guarantee an app can't be hacked, DevSecOps' holistic approach to security is arguably the more responsible one.
3. Government vs. industry
Even if you conclude that secure by design and DevSecOps mean basically the same thing, one notable difference is that the government sector has largely driven the secure by design initiative, while DevSecOps is more popular within private industry.
There is some overlap, of course; you can find examples of software companies talking about how they prioritize being secure by design, and government agencies are not averse to discussing DevSecOps. By and large, however, secure by design seems to be a government thing, while DevSecOps is an industry buzzword.
Conclusion: Is There Really a Difference?
To me, any differences that exist between secure by design and DevSecOps are too small to merit careful attention. What matters most is simply ensuring that security is a top priority during application development, regardless of how you choose to label the practice.
About the Author
Technology analyst, Fixate.IO
Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, "For Fun and Profit: A History of the Free and Open Source Software Revolution," was published by MIT Press.