You should do DevOps and be Agile




Two often-used buzzwords in software development are Agile and DevOps. So what is the difference between them, really? Let’s get right to the point, because they are two very different things!

Defining Agile

Agile, as laid out in the Agile Manifesto, is a set of values. “We value”:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

A team behaving in a manner that puts these values first is “Agile”. Full stop.

In practice, living a value system can be hard to do consistently. To help the value system spread more easily, the values were turned into repeatable patterns of behavior called Agile methodologies and frameworks. These are nothing more than a prescribed set of actions or behaviors that instruct teams what to do in order to live the values out day-to-day. An example of an Agile methodology would be Scrum. A team can follow the patterns defined in Scrum and automatically be a little more Agile without having to invent their own processes through trial and error.

The purpose of methodologies and frameworks is to help a team behave congruently with the listed Agile values. In other words: if a team behaves in a way that is aligned to the Agile values, then they are Agile.

There are many Agile frameworks that a team can adopt and utilize. But, being Agile is about living the value system, not about following an Agile methodology.

Here’s the crux of the matter: agility is important because when a team is Agile, they deliver more value by staying relevant to an ever-changing market through a short feedback loop. Agility is actually about putting the customers’ needs first by adapting work as quickly as possible as customer needs change!

Agility can be summed up with the phrase: Build the right product

Defining DevOps and DevSecOps

To define DevSecOps we must first look at its precursor: DevOps.

DevOps is a set of practices that combine software development and IT operations. In other words, if you build it, you support it. You, the developer, own your product holistically.

DevSecOps is an extension of DevOps which seeks to integrate security into every aspect of the DevOps model.

I tend to use the terms a little sloppily, interchanging the two but expecting security not to be forgotten.

DevSecOps has many of the same benefits as Agile (increased speed of delivery, higher quality products) but is distinctly different and, unlike some Agile methodologies, can scale easily throughout an organization. DevSecOps, by its nature, encourages cross-functional teams, which has the effect of breaking down silos across the full organization of teams using this model. There may be a “Security Community of Practice” or a small group of security experts in their own siloed team, but a successful DevSecOps model will have a team composed of a mixture of roles such as:

  • Front-end developer
  • Back-end developer
  • Database admin (if DB is part of the tech stack)
  • Security professional
  • Operations professional
  • Mobile developer
  • and more…

This is a list of roles or functions on a team. This is not a list of titles and a single individual may wear multiple hats and fill more than one role. The team as a whole is expected to be able to own its portfolio holistically and needs to have the cross-functional skills necessary to do development and support of its applications.

Unfortunately, many organizations continue to separate specialties such as DBA or Security out into their own teams. Other times, organizations create cross-functional teams and give them access to all environments except production. This allows only some of the benefits of DevOps to be realized but is better than not following a DevOps approach at all.

DevSecOps is all about optimizing engineering processes and deploying software more often, in a reliable and secure way through automation.

DevSecOps can be summed up with the phrase: Build the product right

What Should I Do?

DevSecOps and Agile are two distinctly separate things and a company is free to use one or the other, or both at the same time! By combining the two models, we get the best possible outcome for our product and customer. However, this requires that leaders in the company lead their teams differently. The people closest to the work must make the critical decisions!

[Figure: DevOps/DevSecOps cycle (plan, code, build, test, release, deploy, operate, monitor). Caption: Build the product right]

[Figure: Agile cycle (build, define, release, repeat). Caption: Build the right product]

If you have a rapidly changing market, then being Agile and responding to change is important. Almost every software product has this requirement because technology and business needs change rapidly.

DevOps, on the other hand, is something every team can benefit from. Following a DevOps approach requires that a team be cross-functional. This will reduce organizational silos and increase the rate of information flow through the organization. As a result, software changes happen more rapidly and the lead time for changes also decreases. Additionally, DevOps improves a team’s ability to handle unplanned work by enabling the whole team to contribute to resolving incidents as they occur.

Taking DevOps to the next level with DevSecOps also ensures that maintenance and security patches take priority in the work. This further reduces security risk for the products in the team’s portfolio.

In short, a modern software delivery team should follow both approaches to be high-performing: be Agile and follow a DevOps model. This may not be the case for all teams in all industries, but it is true for the vast majority of them.
