Intelligent Tech Channels Issue 17 | Page 46

INTELLIGENT SOFTWARE BUSINESS

The game of sport and DevSecOps

Mike Bursell from Red Hat compares how playing a game and DevSecOps are opposites, and what can be learned from that.

There is the World Cup, cricket, baseball, rugby, Wimbledon; more sport around at the moment than you can shake a stick or bat, racket or croquet mallet at. I love watching various sport – an activity at which I excel, unlike my attempts to play most of them – and I was wondering the other day about ways in which sport is like the software world, and more specifically, like that useful and popular process of DevOps.

And it dawned on me that if there is one thing which is not like sport, then it is DevSecOps, the philosophy of integrating security practices within the DevOps process. Let me give you some examples.

Cannot blame the goalkeeper

Sorry to start with a very specific example, but it is one that is close to my heart: mainly because when we picked football teams at school, I was often the last one to be chosen and ended up as goalkeeper, everybody's least favoured position. When the ball whipped or just rolled past me into the back of the net, I was always the one who was handed the blame.
Not only is this terribly bad for team morale, but it also should not be a reflection of how the team works. I am always wary of the phrase: with DevSecOps, security is everybody's responsibility, as not everybody is a security expert, but everybody needs to take some responsibility for understanding the correct processes and following them, and blame should certainly never be laid on just one person's shoulders when something goes wrong.

And do not forget: with DevSecOps, you have every opportunity to fix what went wrong, to fix it quickly, and to put in place tests to ensure that the same vulnerability is never exposed again. Go you!
Who is your opponent?

When you are playing sport, it is usually pretty clear who your opponent is, where they are, and what they are doing at any particular time. You may not be able to stop them on every occasion, but at least you know who they are, and what they are trying to achieve. In the case of DevSecOps, that is even less true than in the normal world of software projects, because, between you, you are developing, testing and operating multiple layers of the stack, and your opponents may be various, with differing skill-sets and resources.
The good news lies in that phrase: between you. If you are truly working as a team, the combined knowledge of the various experts can be applied across abstraction layers in ways which are typically very difficult in your standard design, develop, test, deploy model, and which gives you broader and deeper insights into ways to improve your project's security.

Mike Bursell, Chief Security Architect, Red Hat.
Rules of the game

This is a tough one. When you play sport, there are rules to follow, and both sides have to follow them, or the referee takes action against the offending party. Now, it would be lovely to live in a world where our attackers were always caught and punished when they go after your infrastructure and applications, but sadly, there is no sign of that fairytale future any time soon.

Given that you are unlikely to be able to go after your opponent in real time with an active counterattack, you need to consider what mitigations you can put in place, how to apply them, and how quickly they can be brought to bear.

Importantly, this must not be an area which is left solely to the security folks on the team. Although security experts may