mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
Update and rename sources/tech/20200715 What-s the difference between DevSecOps and agile software development.md to translated/tech/20200715 What-s the difference between DevSecOps and agile software development.md
翻译提交
This commit is contained in:
lisong
GitHub
parent
899c987c93
commit
30f119cbd3
@ -1,97 +0,0 @@
|
||||
[#]: collector: (lujun9972)
|
||||
[#]: translator: (windgeek)
|
||||
[#]: reviewer: ( )
|
||||
[#]: publisher: ( )
|
||||
[#]: url: ( )
|
||||
[#]: subject: (What's the difference between DevSecOps and agile software development)
|
||||
[#]: via: (https://opensource.com/article/20/7/devsecops-vs-agile)
|
||||
[#]: author: (Sam Bocetta https://opensource.com/users/sambocetta)
|
||||
|
||||
What's the difference between DevSecOps and agile software development
|
||||
======
|
||||
Are you focused more on security or software delivery? Or can you have
|
||||
both?
|
||||
![Brick wall between two people, a developer and an operations manager][1]
|
||||
|
||||
There is a tendency in the tech community to use the terms DevSecOps and agile development interchangeably. While there are some similarities, such as that both aim to detect risks earlier, there are also distinctions that [drastically alter how each would work][2] in your organization.
|
||||
|
||||
DevSecOps built on some of the principles that agile development established. However, DevSecOps is [especially focused on integrating security features][3], while agile is focused on delivering software.
|
||||
|
||||
Knowing how to protect your website or application from ransomware and other threats really comes down to the software and systems development you use. Your needs may impact whether you choose to utilize DevSecOps, agile development, or both.
|
||||
|
||||
### Differences between DevSecOps and agile
|
||||
|
||||
The main distinction between these two systems comes down to one simple concept: security. Depending on your software development practices, your company's security measures—and when, where, and who implements them—may differ significantly.
|
||||
|
||||
Every business [needs IT security][4] to protect their vital data. Virtual private networks (VPNs), digital certificates, firewall protection, multi-factor authentication, secure cloud storage, and teaching employees about basic cybersecurity measures are all actions a business should take if it truly values IT security.
|
||||
|
||||
When you trust DevSecOps, you're taking your company's security and essentially making it tantamount to continuous integration and delivery. DevSecOps methodologies emphasize security at the very beginning of development and make it an integral component of overall software quality.
|
||||
|
||||
This is due to three major principles in DevSecOps security:
|
||||
|
||||
* Balancing user access with data security
|
||||
* [Encrypting data][5] with VPN and SSL to protect it from intruders while it is in transit
|
||||
* Anticipating future risks with tools that scan new code for security flaws and notifying developers about the flaws
|
||||
|
||||
|
||||
|
||||
While DevOps has always intended to include security, not every organization practicing DevOps has kept it in mind. That is where DevSecOps as an evolution of DevOps can offer clarity. Despite the similarity of their names, the two [should not be confused][6]. In a DevSecOps model, security is the primary driving force for the organization.
|
||||
|
||||
Meanwhile, agile development is more focused on iterative development cycles, which means feedback is constantly integrated into continuous software development. [Agile's key principles][7] are to embrace changing environments to provide customers and clients with competitive advantages, to collaborate closely with developers and stakeholders, and to maintain a consistent focus of technical excellence throughout the process to help boost efficiency. In other words, unless an agile team includes security in its definition of excellence, security _is_ an afterthought in agile.
|
||||
|
||||
### Challenges for defense agencies
|
||||
|
||||
If there's any organization dedicated to the utmost in security, it's the U.S. Department of Defense. In 2018, the DoD published a [guide to "fake agile"][8] or "agile in name only" in software development. The guide was designed to warn DoD executives about bad programming and explain how to spot it to avoid risks.
|
||||
|
||||
It's not only DoD that has something to gain by using these methodologies. The healthcare and financial sectors also [maintain massive quantities][9] of sensitive data that must remain secure.
|
||||
|
||||
DoD's changing of the guard with its modernization strategy, which includes the adoption of DevSecOps, is essential. This is particularly pertinent in an age when even the DoD is susceptible to hacker attacks and data breaches, as evidenced by its [massive data breach][10] in February 2020.
|
||||
|
||||
There are also risks inherent in transferring cybersecurity best practices into real-life development. Things won't go perfectly 100% of the time. At best, things will be uncomfortable, and at worst, they could create a whole new set of risks.
|
||||
|
||||
Developers, especially those working on code for military software, may not have a thorough [understanding of all contexts][11] where DevSecOps should be employed. There will be a steep learning curve, but for the greater good of security, these are necessary growing pains.
|
||||
|
||||
### New models in the age of automation
|
||||
|
||||
To address growing concerns about previous security measures, DoD contractors have begun to assess the DevSecOps model. The key is deploying the methodology into continuous service delivery contexts.
|
||||
|
||||
There are three ways this can happen. The first involves automation, which is [already being used][12] in most privacy and security tools, including VPNs and privacy-enhanced mobile operating systems. Instead of relying on human-based checks and balances, automation in large-scale cloud infrastructures can handle ongoing maintenance and security assessments.
|
||||
|
||||
The second element involves the transition to DevSecOps as the primary security checkpoint. Traditionally, systems were designed with zero expectation that data would be accessible as it moves between various components.
|
||||
|
||||
The third and final element involves bringing corporate approaches to military software development. Many DoD contractors and employees come from the commercial sector rather than the military. Their background gives them knowledge and experience in [providing cybersecurity][13] to large-scale businesses, which they can bring into government positions.
|
||||
|
||||
### Challenges worth overcoming
|
||||
|
||||
Switching to a DevSecOps-based methodology presents some challenges. In the last decade, many organizations have completely redesigned their development lifecycles to comply with agile development practices, and making another switch so soon may seem daunting.
|
||||
|
||||
Businesses should gain peace of mind knowing that even the DoD has had trouble with this transition, and they're not alone in the challenges of rolling out new processes to make commercial techniques and tools more widely accessible.
|
||||
|
||||
Looking into the future, the switch to DevSecOps will be no more painful than the switch to agile development was. Firms have a lot to gain by acknowledging the [value of building security][4] into development workflows, as well as building upon the advantages of existing agile networks.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/20/7/devsecops-vs-agile
|
||||
|
||||
作者:[Sam Bocetta][a]
|
||||
选题:[lujun9972][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/sambocetta
|
||||
[b]: https://github.com/lujun9972
|
||||
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/devops_confusion_wall_questions.png?itok=zLS7K2JG (Brick wall between two people, a developer and an operations manager)
|
||||
[2]: https://tech.gsa.gov/guides/understanding_differences_agile_devsecops/
|
||||
[3]: https://www.redhat.com/en/topics/devops/what-is-devsecops
|
||||
[4]: https://www.redhat.com/en/topics/security
|
||||
[5]: https://surfshark.com/blog/does-vpn-protect-you-from-hackers
|
||||
[6]: https://www.infoq.com/articles/evolve-devops-devsecops/
|
||||
[7]: https://enterprisersproject.com/article/2019/9/agile-project-management-explained
|
||||
[8]: https://www.governmentciomedia.com/defense-innovation-board-issues-guide-detecting-agile-bs
|
||||
[9]: https://www.redhat.com/en/solutions/financial-services
|
||||
[10]: https://www.military.com/daily-news/2020/02/25/dod-agency-suffers-data-breach-potentially-compromising-ssns.html
|
||||
[11]: https://fcw.com/articles/2020/01/23/dod-devsecops-guidance-williams.aspx
|
||||
[12]: https://privacyaustralia.net/privacy-tools/
|
||||
[13]: https://www.securitymagazine.com/articles/88301-cybersecurity-is-standard-business-practice-for-large-companies
|
||||
@ -0,0 +1,97 @@
|
||||
[#]: collector: (lujun9972)
|
||||
[#]: translator: (windgeek)
|
||||
[#]: reviewer: ( )
|
||||
[#]: publisher: ( )
|
||||
[#]: url: ( )
|
||||
[#]: subject: (What's the difference between DevSecOps and agile software development)
|
||||
[#]: via: (https://opensource.com/article/20/7/devsecops-vs-agile)
|
||||
[#]: author: (Sam Bocetta https://opensource.com/users/sambocetta)
|
||||
|
||||
DevSecOps和敏捷软件开发有什么不同
|
||||
======
|
||||
你更专注于安全性还是软件发行,或者说你两者都很关注?
|
||||
![Brick wall between two people, a developer and an operations manager][1]
|
||||
技术社区中存在一种趋势,经常互换地使用DevSecOps和敏捷软件开发这两个术语。尽管它们有一些相似性,例如都旨在更容易地检测风险,但在改变团队的工作方式层面有很大不同。
|
||||
|
||||
DevSecOps建立在敏捷开发建立的一些原则上。但是,DevSecOps特别专注于[集成安全功能][3],而敏捷开发则专注于交付软件。
|
||||
|
||||
知道如何保护你们的网站或应用程序免受勒索程序和其他威胁的侵害,实际上取决于你使用的软件和系统开发。这可能会影响您选择使用DevSecOps,敏捷开发还是两者兼而有之。
|
||||
|
||||
|
||||
|
||||
### DevSecOps和敏捷软件开发的不同之处
|
||||
|
||||
两者的主要区别可以归结为一个简单的概念:安全性。这取决于你的软件开发实践,你们公司的安全措施-以及何时,何地以及由谁实施,都可能会有很大不同。
|
||||
|
||||
每个企业都[需要IT安全] [4]来保护其重要数据。如果企业真正重视IT安全,一般都会采取虚拟专用网(VPN)、数字证书、防火墙保护、多因子身份验证、安全的云存储,包括向员工介绍基本的网络安全措施。
|
||||
|
||||
当你完全相信DevSecOps时,意味着可你正在保护公司的安全,并从本质上使其等同于持续集成和交付。 DevSecOps方法论在开发之初就强调安全性,并使其成为整体软件质量不可或缺的组成部分。
|
||||
|
||||
基于DevSecOps安全性的三大原则:
|
||||
* 平衡用户访问难易程度及数据安全性
|
||||
* 使用[VPN]和SSL的[加密数据] [5]可防止数据在传输过程中受到入侵者的攻击
|
||||
* 使用可以扫描新代码的安全漏洞并能通知开发人员该漏洞的工具来预测防范未来的风险
|
||||
|
||||
尽管DevOps一直打算包含安全性,但并非每个实践DevOps的组织都牢记这一点。DevSecOps在DevOps的演进形式中,可以提供更加清晰的信息。尽管它们的名称相似,但这两个[不应混淆] [6]。在DevSecOps模型中,安全性是团队的主要驱动力。
|
||||
|
||||
同时,敏捷开发更专注于迭代开发周期,这意味着反馈不断集成到持续的软件开发中。 [敏捷的关键原则] [7]是拥抱不断变化的环境,为客户和使用者提供竞争优势,让开发人员和利益相关者紧密合作,并在整个过程中始终保持技术卓越作为重点,用以提升效率。换句话说,除非敏捷团队在其定义中包括安全性,否则安全性在敏捷敏捷中算是事后思考。
|
||||
|
||||
### 国防机构面临的挑战
|
||||
|
||||
如果要说专门致力于最大程度地提高安全性的组织,美国国防部就是其中之一。在2018年,美国国防部发布了软件开发中的[伪造敏捷指南] [8]或“仅以名称命名的敏捷”指南。该指南旨在警告国防部高管有关编程不正确的问题,并说明如何发现它以避免风险。
|
||||
|
||||
使用这些方法不仅可以使国防部受益。医疗保健和金融部门还[持有大量] [9]必须保证安全的敏感数据。
|
||||
|
||||
国防部通过其现代化战略(包括采用DevSecOps)来改变防范形式至关重要。尤其在这个国防部容易受到黑客攻击和数据泄露的时代,这一点在2020年2月的[大规模数据泄露] [10]中已经得到了证明。
|
||||
|
||||
将网络安全最佳实践转化为现实发展仍然还存在固有的风险。事情不可能100%完美地进行。最好的状况是稍微有点不舒服,最坏的情况下,它们可能会带来全新的风险。
|
||||
|
||||
开发人员,尤其是那些为军事软件编写代码的开发人员,可能没有对DevSecOps的[所有上下文的理解] [11]都能有透彻的理解。学习曲线会很陡峭,但是为了获得更大的安全性,必须承受这些必不可少的痛苦。
|
||||
|
||||
|
||||
### 自动化时代的新模式
|
||||
|
||||
为了解决对先前安全措施日益增长的担忧,国防部承包商已开始评估DevSecOps模型。关键是将方法论部署到持续的服务交付环境中。
|
||||
|
||||
应对这个问题,出现了三个方向。第一种涉及到自动化,自动化已在大多数隐私和安全工具中[广泛使用][12],包括VPN和增强隐私的移动操作系统。大型云基础架构中的自动化无需依赖于人为的检查和平衡,可以自动处持续维护和进行安全评估。
|
||||
|
||||
第二种专注于对于过渡到DevSecOps很重要的安全检查点。而传统上,系统设计初期对于数据在各个组件之间移动时依旧可以访问是不做期望的。
|
||||
|
||||
第三种也是最后一种涉及将公司方法用于军事软件开发。国防部的许多承包商和雇员来自商业领域,而不是军事领域。他们的背景为他们提供了为大型企业[提供网络安全] [13]的知识和经验,他们可以将其带入政府部门职位中。
|
||||
|
||||
|
||||
### 值得克服的挑战
|
||||
|
||||
切换到基于DevSecOps的方法论也提出了一些挑战。在过去的十年中,许多组织已经完全重新设计了其开发的生命周期,以适应敏捷的开发实践,在不久之后进行再次切换看起来令人生畏。
|
||||
|
||||
企业应该安下心来,因为即使国防部也遇到了这种过渡带来的麻烦,他们在应对推出新流程使得商业技术和工具广泛可用的挑战上并不孤独。
|
||||
|
||||
展望一下未来,其实切换到DevSecOps不会比切换到敏捷开发更痛苦。而且通过将[创建安全性的价值] [4]添加到开发工作流程中,以及利用现有敏捷开发的优势,企业可以获得很多收益。
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/20/7/devsecops-vs-agile
|
||||
|
||||
作者:[Sam Bocetta][a]
|
||||
选题:[lujun9972][b]
|
||||
译者:[译者ID](https://github.com/windgeek)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/sambocetta
|
||||
[b]: https://github.com/lujun9972
|
||||
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/devops_confusion_wall_questions.png?itok=zLS7K2JG (Brick wall between two people, a developer and an operations manager)
|
||||
[2]: https://tech.gsa.gov/guides/understanding_differences_agile_devsecops/
|
||||
[3]: https://www.redhat.com/en/topics/devops/what-is-devsecops
|
||||
[4]: https://www.redhat.com/en/topics/security
|
||||
[5]: https://surfshark.com/blog/does-vpn-protect-you-from-hackers
|
||||
[6]: https://www.infoq.com/articles/evolve-devops-devsecops/
|
||||
[7]: https://enterprisersproject.com/article/2019/9/agile-project-management-explained
|
||||
[8]: https://www.governmentciomedia.com/defense-innovation-board-issues-guide-detecting-agile-bs
|
||||
[9]: https://www.redhat.com/en/solutions/financial-services
|
||||
[10]: https://www.military.com/daily-news/2020/02/25/dod-agency-suffers-data-breach-potentially-compromising-ssns.html
|
||||
[11]: https://fcw.com/articles/2020/01/23/dod-devsecops-guidance-williams.aspx
|
||||
[12]: https://privacyaustralia.net/privacy-tools/
|
||||
[13]: https://www.securitymagazine.com/articles/88301-cybersecurity-is-standard-business-practice-for-large-companies
|
||||
Loading…
Reference in New Issue
Block a user