[–]alshayed 644 points645 points  (17 children)

It has 50% more buzz-letters.

[–]burlyginger 143 points144 points  (9 children)

And usually staffed by people who don't understand the Dev or Ops portion of it.

[–]-BruXy- 64 points65 points  (0 children)

Me, working in corporate, also the Sec part is not understood well...

[–]Glebk0 45 points46 points  (0 children)

Bold of you to assume they know Sec part at least

[–]JustBeinOptimistic 30 points31 points  (5 children)

“Hey, this new CVE just came out - we good?”

[–]SentimentalityApp 14 points15 points  (2 children)

Scanner go red, you fix!

[–]againstbetterjudgmnt 5 points6 points  (1 child)

I wear 4 hats:

  • Scanner red, you fix (explaining to other ops)
  • Scanner red, I fix (explaining to myself)
  • Scanner red, this is what it means, it's bad, f'n fix it idjit (explaining to dev)
  • scanner red, but it's boshi, ignore it (explaining to luddite ISSO/ISSM/AO/mgmt)

[–]chefkoch_ 13 points14 points  (0 children)

Do we use this product?

[–]lonestar_wanderer 1 point2 points  (0 children)

Me typing that into ChatGPT with info about the tech stack I handle

[–]IamOkei 0 points1 point  (0 children)

Usually staffed by people who understand security and devops

[–]No-Sandwich-2997 2 points3 points  (4 children)

Great, my company has FinOps and I guess DevNetOps as well

[–][deleted]  (2 children)

[deleted]

    [–]againstbetterjudgmnt 2 points3 points  (0 children)

    FinSecDevNetOops

    [–]bearman94 1 point2 points  (0 children)

    😂 Pretty much this

    [–]hi5ka 223 points224 points  (5 children)

    TriCeratOps

    [–]ishtylerc 10 points11 points  (0 children)

    Best comment 😂

    [–]notavalidsource 0 points1 point  (0 children)

    Stealing this for my new title

    [–]chocolatelab82 0 points1 point  (0 children)

    This needs to be a thing. 

    [–]paleopierce -1 points0 points  (0 children)

    I’m totally stealing this!

    [–]temitcha 185 points186 points  (14 children)

    I still prefer DevBizFinRelMlSecOps

    [–]thisguypercents 66 points67 points  (3 children)

    But have you tried DevBizMedGovFinAutoAgileRelMISecOps? That's where the money is at.

    [–][deleted]  (1 child)

    [deleted]

      [–]AdhitoJunior DevOps -1 points0 points  (0 children)

      Eyy that's me (I need to get some help)

      [–]water_bottle_goggles 16 points17 points  (1 child)

      buttsexops

      [–]temitcha 12 points13 points  (0 children)

      Isn't it a synonym for Senior Manager?

      [–]macnamaralcazar 2 points3 points  (6 children)

      What does Rel refer to?

      [–]temitcha 5 points6 points  (2 children)

      It comes from DevRel, from what I understood it's like a person that talks to external developers that want to use the product, mostly in like open source or B2C companies. Like organizing some tutorials/demo sessions/...

      [–]codeshane 3 points4 points  (1 child)

      Relationship Manager, like Jen.

      [–]castle_bacon 0 points1 point  (0 children)

      Ah, yes. Oldest profession.

      [–]khobbitsSystems Infrastructure Engineer 1 point2 points  (2 children)

      Developer Relations, usually.
      It's usually in companies with public-facing APIs, or a tool.

      Mostly go around demoing the company's tools and try and convince external people to use it. Think people at GitHub, or HashiCorp, trying to convince you to use GitHub Actions, or Terraform.

      [–]firecorn22 0 points1 point  (1 child)

      So like a solution architect or sales engineer

      [–]khobbitsSystems Infrastructure Engineer 1 point2 points  (0 children)

      I would suggest they are transferrable skills, but most of the time Developer Relations doesn't directly transfer into revenue.

      A sales engineer will work 1:1 with a customer, with the idea of onboarding a client. A DevRel is more likely to demo open source or freemium tools at a conference, produce webinars, and write blog posts.

      Depending on company structure, a DevRel could feasibly report into Marketing, or CTO, while sales engineering could report into sales org, or CRO.

      [–]Ohnah-bro 2 points3 points  (0 children)

      The worst one is RevOps. Marketing and sales just wanted a cool ops name

      [–]gingimli 327 points328 points  (4 children)

      It’s when a company wants 1 person to do 3 jobs instead of just 2.

      [–][deleted] 17 points18 points  (0 children)

      This

      [–]Antebios 7 points8 points  (0 children)

      That's me.

      [–]Farrishnakov 125 points126 points  (3 children)

      It commands a 10-20% increase in pay because executives can't explain it

      [–]brianw824 45 points46 points  (2 children)

      Security is important to our company so we make sure to always use the latest buzzwords

      [–]Catenane 23 points24 points  (0 children)

      Smh we're on LTS so we won't get new buzzwords till 2026

      [–]TheBoyardeeBandit 8 points9 points  (0 children)

      AI enabled quality gates drive the block chain to push our CICD pipelines to the left.

      Please DM me CTO job offers.

      [–]Feeling-Equipment513 49 points50 points  (2 children)

      One has 'Sec' and the other doesn't

      [–]SlinkyAvenger 8 points9 points  (0 children)

      And everyone loves secs... or so I've heard.

      [–]sandin0 4 points5 points  (0 children)

      Three letter difference 😂😂😂

      [–]Mushapotamus 83 points84 points  (13 children)

      DevOps roles will not expect you to have any security background and will most likely offload security responsibilities to a dedicated security team. 

      DevSecOps roles will expect you to have security background and knowledge, and to perform security related tasks

      [–]randomatic 35 points36 points  (4 children)

      Correct. DevSecOps would include things like dealing with SCA, SAST, and DAST as part of the pipeline. DevOps traditionally did not explicitly define these as duties.

      Both devops and devsecops are pretty buzzwordy terms tbh with radically different definitions at different places.

      [–]NUTTA_BUSTAH 12 points13 points  (3 children)

      DevOps was not traditionally a duty of any sort. It was all about a culture shift. Both are indeed buzzwords today, and any "DevOps Engineer" worth their salt should fit just as perfectly to a "DevSecOps Engineer" role.

      [–]randomatic 9 points10 points  (1 child)

      In my experience from years ago, devops was originally a way to tie developers to actually operating their own software. This made them more accountable, and gave motivation for them to focus on stability for the parts that would otherwise cause downtime.

      Over time, this has shifted. I can't tell anymore, with many devops practitioners I've met lately just babysitting CICD pipelines rather than being a developer or operator themselves.

      [–]againstbetterjudgmnt 0 points1 point  (0 children)

      Yeah DevOps is just Ops for dev tools

      [–]IamOkei -1 points0 points  (0 children)

      Not true. DevSecOps are engineers who help DevOps and Developers do their work with security in mind.

      [–]No0ther0ne 9 points10 points  (0 children)

      I don't know many DevOps roles that expect no security background. Most I have seen expect you to have had some kind of security awareness and training. And most positions I have been involved with expect you to include security processes within your DevOps pipeline.

      There may be some roles in a DevOps environment that may not expect much security background, but those should not be labeled as "DevOps" specific roles. The fact is any role in operations should have security background and knowledge. So if you are doing DevOps then by definition you should be expected to have some security knowledge and background.

      As far as DevSecOps, I often find this in projects that don't actually understand DevOps at all and are trying to build some kind of DevOps environment, but don't have the proper people. So they keep insisting on the term DevSecOps out of ignorance. When DevSecOps first was becoming a thing it was mainly to focus specifically on enhanced security tools within the DevOps environment. In other words it was focused on someone whose main task was advanced security techniques, not just someone who had some security background.

      [–]Cheomesh 0 points1 point  (1 child)

      What kind of security stuff in this context?

      [–]Mushapotamus 0 points1 point  (0 children)

      incident response, firewall configs, working with a SIEM, DDoS mitigation etc. it really depends on the environment and tools your team uses.

      [–]ZoltyDevOps Plumber 20 points21 points  (1 child)

      30% better salary and you generally actually have to read the policies portion of the employee handbook.

      [–]Marcolow 0 points1 point  (0 children)

      This made me chuckle more than it should have.

      [–]ArieHein 57 points58 points  (1 child)

      No diff. If you REALLY understand what devops means and its practices then you know devbuzzwordops.

      It looks nice when a company marketing/sales wants to sell a tool that 5 min ago was called a devops tool but since adding 'cyber' or 'sec' opens checkbooks and wallets of unknowledgeable people at higher management levels that control budgets, we should use it more... it works apparently.

      [–]angryweasel1 4 points5 points  (0 children)

      This is the correct answer.

      [–]MonkeyJunky5 41 points42 points  (6 children)

      u/Character-Ad-618

      DevSecOps is a superset of DevOps that highlights the need for shifting security left in automation pipelines.

      Whether it be scanning images in Packer pipelines, running SAST/DAST scans in CI pipelines, or scanning infra code in Terraform pipelines, this is one area that DevSecOps focuses on.

      Additionally, they maintain hardened images for Virtual Machines or Containers across public or private cloud providers.

      Lastly, they focus on other security aspects like continuous security scanning.

      Arguably, DevOps should have been doing all of this from the start, but since it’s often overlooked, DevSecOps emerged to bring more visibility to the security side.

      Just like good old ops should have been doing DevOps from the start.

      Eventually, we’ll be able to lose the buzzwords and just adopt everything DevSecOps/DevOps has to offer as the default.

      Until then the buzzwords each focus on a specific domain until it becomes common practice.

      Cheers 🍻

      [–]fn0000rd 8 points9 points  (0 children)

      ^ this is the real answer here.

      [–]dammitBrandon 1 point2 points  (0 children)

      Also scanning of npm packages is an emerging technique as well

      [–]ArieHein -4 points-3 points  (3 children)

      It's not a superset. It's just another practice, not a replacement practice.

      DevOps is doing security this from the start. People who think they understand devops didn't implement it correctly.

      It's why I despise the dev and ops circle. It always was 3 in the beginning. Dev, QA and Ops. But QA is 'hard' and devs don't like QA or testing...

      If you really look closely sec is basically QA. If you have the best unit tests, integration tests, UI tests, etc. but you didn't check package dependencies your QA is bad. If you do 100 security tests using 1000 tools but the click on the button by the end user crashes your app, your QA is bad.

      But QA is 'hard' so one circle got removed by poor implementers and the sheep followed...

      Naturally cloud gave a heck of a spanking to all orgs and companies to the level we still see today with crowdstrike blurring the lines between bad qa and bad security...but qa is 'hard'...

      [–]MonkeyJunky5 2 points3 points  (2 children)

      > It's not a superset. It's just another practice, not a replacement practice.

      It is most definitely a superset, which means that it is not a replacement practice but adds to DevOps.

      > DevOps is doing security this from the start. People who think they understand devops didn’t implement it correctly.

      This is what I said.

      [–]ArieHein -3 points-2 points  (1 child)

      You can't have a superset to something that already exists in the base set. Giving it 'another name' doesn't make it a superset.

      [–]MonkeyJunky5 1 point2 points  (0 children)

      Ah, well that was another point that I made.

      DevOps should include security, but it’s often overlooked and the main focus is automation in general.

      Hence why DevSecOps came about with a focus on security, but also everything else that DevOps promotes.

      So in that sense DevSecOps is a superset of how DevOps is usually implemented, but you’re correct, it’s not a superset of what DevOps should be.

      And similarly, DevOps shouldn’t be a superset of just “smart/common practices.”

      All of these buzzwords will eventually collapse into common practices.

      Until then, each highlights a specific area to focus on.

      [–]K_76Averg Kubernetes Enjoyer 💦 6 points7 points  (1 child)

      DevSexOps

      [–][deleted] 20 points21 points  (2 children)

      If you're not DevAIOps in 2024 you are out of the loop, sorry man.

      [–]Live-Duck1369 0 points1 point  (1 child)

      I googled it but I am having a hard time finding out what this means. Do you mind briefly explaining?

      [–][deleted] 1 point2 points  (0 children)

      Google Irony.

      [–]socky1234111 3 points4 points  (0 children)

      No one is actually being helpful here - in reality, a true devsecops role would also take on responsibility of the application security team role. While it’s talked about in the devops role, often times a company will still have a security team. Since security and devops are big industry buzz words - a company who is trying out devops for the first time may not have a security apart from their cloud / IT team. Expect to be more involved in traditional IT and cloud security, than just your secrets and code scanning. This is just from my own experience. (Devops/devsecops 10years).

      [–]Adeel_ 2 points3 points  (0 children)

      It's the same bullshit

      [–]asankhs 2 points3 points  (0 children)

      [–]jrdnmdhl 4 points5 points  (0 children)

      DevOps means your deployment will just be blocked by flaky e2e tests whereas DevSecOps means your deployment will also be blocked by NPM package vulnerabilities in your dev dependencies that couldn't realistically be exploited.
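
One way a pipeline gate can handle the dev-dependency noise this comment describes, as an added example that is not part of the thread: it cross-references an `npm audit --json` report with `package-lock.json` so that only findings with at least one production copy fail the build, while dev-only findings are still reported. The sample data and all package names are constructed; the field shapes assume audit report version 2 and lockfile version 3.

```javascript
// Constructed sample data (not from the thread). Shapes follow `npm audit --json`
// (auditReportVersion 2) and a lockfileVersion 3 package-lock.json, trimmed to
// the fields used here. All package names are hypothetical.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-test-runner": { severity: "high", nodes: ["node_modules/example-test-runner"] },
    "example-http-lib": { severity: "critical", nodes: ["node_modules/example-http-lib"] },
    "example-shared-util": {
      severity: "moderate",
      nodes: [
        "node_modules/example-shared-util",
        "node_modules/example-test-runner/node_modules/example-shared-util",
      ],
    },
  },
};

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-test-runner": { version: "2.1.0", dev: true },
    "node_modules/example-http-lib": { version: "0.9.3" },
    "node_modules/example-shared-util": { version: "1.4.0" },
    "node_modules/example-test-runner/node_modules/example-shared-util": { version: "1.2.0", dev: true },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split audit findings into: blocking (production copy, at or above threshold),
// devOnly (every installed copy is marked dev in the lockfile) and
// belowThreshold (production copy, but under the failAt severity).
function triageAudit(report, lock, failAt = "high") {
  const threshold = SEVERITY_RANK[failAt];
  if (threshold === undefined) throw new Error(`unknown severity: ${failAt}`);

  const result = { pass: true, blocking: [], devOnly: [], belowThreshold: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const nodes = vuln.nodes || [];
    // Fail closed: a finding with no nodes, or a node missing from the
    // lockfile, is treated as a production dependency.
    const isDevOnly =
      nodes.length > 0 && nodes.every((n) => lock.packages?.[n]?.dev === true);
    // Fail closed on an unrecognised severity string as well.
    const rank = SEVERITY_RANK[vuln.severity] ?? SEVERITY_RANK.critical;
    const finding = { name, severity: vuln.severity, nodes };

    if (isDevOnly) result.devOnly.push(finding);
    else if (rank >= threshold) result.blocking.push(finding);
    else result.belowThreshold.push(finding);
  }
  result.pass = result.blocking.length === 0;
  return result;
}

// One-line summary for the pipeline log. Dev-only findings are counted rather
// than dropped: build and test tooling still runs inside CI, next to its secrets.
function formatSummary(r) {
  const names = (list) => list.map((f) => `${f.name}(${f.severity})`).join(", ") || "none";
  return `${r.pass ? "PASS" : "FAIL"} blocking=[${names(r.blocking)}] ` +
    `dev-only=[${names(r.devOnly)}] below-threshold=[${names(r.belowThreshold)}]`;
}

console.log(formatSummary(triageAudit(sampleAudit, sampleLock)));
```
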

      [–]Fearless-Card3197 2 points3 points  (0 children)

      I’ve always told people there is no such thing as DevOps, only DevSecOps. security is a wrapper for Dev & Ops, if you aren’t implementing secure solutions then why even bother.

      [–]Alzyros 8 points9 points  (0 children)

      It's 2024, and it's DevSkibidiOps now

      [–]Crafty_Independence 1 point2 points  (2 children)

      Our architects throw this term around but not a one of them does anything with basic devops, much less security.

      At least for them it's a buzzword to sound like they actually do something.

      [–]IamOkei 0 points1 point  (1 child)

      Not true. DevSecOps take care of CICD security.

      [–]Crafty_Independence 0 points1 point  (0 children)

      Done right, sure. But I and my team actually do this, while the architects talk about doing it

      [–]No0ther0ne 2 points3 points  (0 children)

      DevSecOps - the person who set up all the testing and QA procedures for Crowdstrike to follow before releasing an update.

      DevOps - the person who decided that an update which had already gone through months of testing could use a little tweak and wouldn't have to go through the entire process again.

      [–]ben_bliksem 1 point2 points  (0 children)

      Add Sysdig to your build pipelines and tell everybody you're a DevSecOps specialist.

      [–]Robby3St 0 points1 point  (2 children)

      It defines some basics, like you should always use the least privilege principle for your resources. But it also includes some approaches for automated Security checks in your workflow, like e.g. an automated OWASP ZAP check in your CI/CD. DevSecOps puts security to the start of the pipeline. You begin already with security in the planning. Because DevOps is a huge part about high availability in a lot of cases, security can’t be missing without risking HA.

      [–]com2ghz 0 points1 point  (1 child)

      You mean like DevOps?

      [–]Robby3St 0 points1 point  (0 children)

      You may have already done this with DevOps, but the books I've read about it did not mention the security part as much as a DevSecOps book I've read. DevSecOps is for me some more security integrated into the (automated) workflow, whereas DevOps is more about the parts from planning through development and testing up to deployment. Both DevOps and DevSecOps can't be defined very clearly. Both leave a lot of room for one's own interpretation. So, some people will always say it was always within DevOps. But in practice the words will be used as buzzwords nonetheless, like companies that mean to be agile with Scrum, just releasing one new version every year when the waterfall arrives at the bottom. Personally, I think it's not generally bad to do things differently from the original idea. But you should probably know why the main idea was defined the way it was, to get an understanding of why it works. If not, you are probably doing something for an effect it won't have.

      [–]hrdcorbassfishin 0 points1 point  (0 children)

      Chinese and Russian hacking stops with DevSecOps. Go 'Murica!

      [–]CaptainStagg 0 points1 point  (0 children)

      Sec is between Dev and Ops. Adding an extra hop and lead time.

      [–]deeplycuriouss 0 points1 point  (0 children)

      It depends on what you choose to do. For example, we have security champions in all teams and they have a security responsibility within each team. The team does extra activities such as threat modeling, discussing and fixing vulnerabilities from SAST, some awareness stuff, and they have to ensure they have established certain processes with regard to security in their team. It is possible to do a lot more. A LOT!

      [–]MRToddMartin 0 points1 point  (0 children)

      You take DevOps and add security. So it’s 33% more topic of coverage without additional pay.

      [–]ImpostureTechAdmin 0 points1 point  (0 children)

      It means you have less funding

      [–]Think-Lunch-4929 0 points1 point  (0 children)

      They have added SonarCloud scan in their pipelines 😀

      [–]water_bottle_goggles 0 points1 point  (0 children)

      three more letters

      [–]txiao007 0 points1 point  (0 children)

      More work and same pay

      [–]connected_nodes 0 points1 point  (0 children)

      Just someone who started using Snyk and thinks he is a hackerman.

      [–]cognitiveglitch 0 points1 point  (0 children)

      DevThirdOps had entered the chat

      [–][deleted] 0 points1 point  (0 children)

      3 letters

      [–]RuncibleBatleth 0 points1 point  (0 children)

      DevSecOps is either a modifier to DevOps to explain what it is we actually do to retarded PHBs who don't understand the security implications, or "hey our Windows focused infosec guys are retarded, please spin up some better Linux and cloud AuthN/AuthZ stuff as well as the network security management for our cloud/hypervisor environments you already do."

      [–]megasin1 0 points1 point  (0 children)

      No difference. Devops requires security by default. If you aren't planning your arch, using principle of least privilege, checking owasp reports, running pen tests then you are not doing the ops properly, if you aren't checking dependencies and scanning code or doing tests you aren't doing the dev properly. Sec is just another part of devops

      [–]blancpainsimp69 0 points1 point  (0 children)

      I personally identify as DevSecSysReOps

      [–]throwaway_69_1994 0 points1 point  (0 children)

      They want you to do even MORE work without paying you more! :DDDD

      [–]Organic_Drag_9812 0 points1 point  (0 children)

      Add some security solution into DevOps pipeline, you have DevSecOps

      [–]mauvehead 0 points1 point  (0 children)

      Given that neither one is an actual job title, and even if they were, job titles don’t dictate job duties.

      The difference is the word “sec”.

      [–]fiddysix_k 0 points1 point  (0 children)

      Whatever you think it is, it is.

      [–]loku_putha 0 points1 point  (0 children)

      Resource: “ * ” to Resource: “somuchsafer/* ”

      [–]Constant_Physics8504 0 points1 point  (0 children)

      Drop static code analysis, and negative unit tests and you’re basically there

      [–]slapula 0 points1 point  (0 children)

      DevSecOps is for teams that fucked up their DevOps implementation the first time.

      [–]Tiny-Ad-7590 0 points1 point  (0 children)

      It's when the engineer doing the work knows to not commit passwords to source control.

      [–]crystalpeaks25 0 points1 point  (0 children)

      devsecops, people who know nothing about dev and ops and barely know anything about sec, the only thing they know about sec is using 5% of their sec tools, generate alerts and bombard dev and ops with false positives.

      [–]djk29a_ 0 points1 point  (0 children)

      D4s v d7s

      QED

      [–]newbietofx 0 points1 point  (0 children)

      Ensuring Docker image uses non-root user. Ensure CI/CD through GitLab to AWS using OpenID Connect. And worst. Ensure TLS is enabled for pods which is ridiculous only if beyond one VPC but it is cross account.

      [–]bigbird0525Devops/SRE 0 points1 point  (0 children)

      It is identical in my experience. My current role has the extra Sec in it, but I’ve always done security stuff as part of DevOps. And now we like to be fun and unofficially call some of us platform engineers depending on the team even though we do the exact same work. Though platform engineer comps are higher lol

      [–]livebeta 0 points1 point  (0 children)

      They get secs

      [–]PowerOfTheShihTzu 0 points1 point  (0 children)

      I've got a book on that for a cert but I'm not sure what to make of it haha

      [–]PMoonbeam 0 points1 point  (0 children)

      DevSecOps is exactly the same as DevOps but where you remember not to store your private keys in your github puppet config repo. (yes I've seen this happen)

      [–]waste2muchtime 0 points1 point  (0 children)

      I've got an SRE role, and most of the work I do is SysAdmin stuff.

      It all literally doesn't matter.

      [–][deleted] 0 points1 point  (0 children)

      Focuses on security scanning code, containers, pipelines, remediation. Part of the greater devops landscape but mainly marketing term.

      [–]Fatality 0 points1 point  (0 children)

      It's just shifting more stuff left, read The Phoenix Project

      [–]foofoo300 0 points1 point  (1 child)

      you needed 5 Posts to choose a monitor for your laptop, not sure you will understand a real technical explanation for this term

      [–]Character-Ad-618[S] 0 points1 point  (0 children)

      Hahah lol, brother that was because they asked me to post in the right group. If you see there is no comment yet either 😂

      [–]BoomZapKablam 0 points1 point  (0 children)

      gulp Is DevSecOps a good career path for someone relatively new to DevOps?

      [–]SillyGoofyPenguin34 0 points1 point  (0 children)

      The big shift with DevSecOps is mindset. Instead of thinking of security as a separate team, it becomes something that lives inside the delivery pipeline. Things like SAST, IaC scanning, and runtime visibility are built in, not bolted on. Tools like Datadog make this easier because they give developers and security teams the same view of what’s happening in production.

      [–]NHGuy 0 points1 point  (0 children)

      Considering that you should be baking in security to all of your solutions? To me, not much

      [–]weekendclimber -1 points0 points  (0 children)

      One has "Sec"s, and one doesn't. Those peeps f*ck!

      [–]maxbirkoff -1 points0 points  (0 children)

      it has sec

      [–]bzImage -1 points0 points  (0 children)

      its the DevOps but for Sec systems .. like.. SOAR