Intelligent Tech Channels Issue 17 | Page 46

INTELLIGENT SOFTWARE BUSINESS

The game of sport and DevSecOps

Mike Bursell from Red Hat contrasts playing a game with DevSecOps, and draws lessons from the ways in which the two are opposites.

There is the World Cup, cricket, baseball, rugby, Wimbledon; more sport around at the moment than you can shake a stick or bat, racket or croquet mallet at. I love watching various sport – an activity at which I excel, unlike my attempts to play most of them – and I was wondering the other day about ways in which sport is like the software world, and more specifically, like that useful and popular process of DevOps.

And it dawned on me that if there is one thing which is not like sport, then it is DevSecOps, the philosophy of integrating security practices within the DevOps process. Let me give you some examples.
Cannot blame the goalkeeper

Sorry to start with a very specific example, but it is one that is close to my heart: mainly because when we picked football teams at school, I was often the last one to be chosen and ended up as goalkeeper, everybody's least favoured position. When the ball whipped, or just rolled, past me into the back of the net, I was always the one who was handed the blame.
Not only is this terribly bad for team morale, but it also should not be a reflection of how the team works. I am always wary of the phrase "with DevSecOps, security is everybody's responsibility", as not everybody is a security expert. But everybody needs to take some responsibility for understanding the correct processes and following them, and blame should certainly never be laid on just one person's shoulders when something goes wrong.
And do not forget: with DevSecOps, you have every opportunity to fix what went wrong, to fix it quickly, and put in place tests to ensure that the same vulnerability is never exposed again. Go you!
Who is your opponent

When you are playing sport, it is usually pretty clear who your opponent is, where they are, and what they are doing at any particular time. You may not be able to stop them on every occasion, but at least you know who they are and what they are trying to achieve. In DevSecOps, that is even less true than in a normal software project, because, between you, you are developing, testing and operating multiple layers of the stack, and your opponents may be many, with differing skill-sets and resources.
The good news is the phrase "between you". If you are truly working as a team, the combined knowledge of the various experts can be applied across abstraction layers in ways which are typically very difficult in your standard design, develop, test, deploy model, giving you broader and deeper insights into ways to improve your project's security.

Mike Bursell, Chief Security Architect, Red Hat.
Rules of the game

This is a tough one. When you play sport, there are rules to follow, and both sides have to follow them, or the referee takes action against the offending party. Now, it would be lovely to live in a world where attackers were always caught and punished when they go after your infrastructure and applications, but sadly there is no sign of that fairytale future any time soon.
Given that you are unlikely to be able to go after your opponent in real time with an active counterattack, you need to consider what mitigations you can put in place, how to apply them, and how quickly they can be brought to bear.
Importantly, this must not be an area which is left solely to the security folks on the team. Although security experts may