INTELLIGENT SOFTWARE BUSINESS
be able to give good predictions as to what attacks might take place, it is the core engineering and operations personnel who are best placed to anticipate their likely impact on the running of the system, and who should be designing the appropriate mitigations for when problems do arrive.
Team play
In most team sports, you can only have part of your team on the field at any one time. One of the joys of DevSecOps is that everybody can be involved throughout the process. The coach does not have to sit on the sidelines, and can bring on the team psychologist, performance expert and technical experts whenever they are needed. As you will be constantly iterating, it will not be long before each team member has something to contribute as changes arise in the application, deployment environment or security landscapes. DevSecOps teams should not be insulated from other parts of the organisation either: if you need to bring help in for a day or two, do so. Do not be afraid to move quickly and admit that you need help.
Fail and fail again
When we think about sport, we think of how our teams must win every game. Actually, the best sportsmen and sportswomen, and the best sports teams, know how to lose as well, and how to come back from loss stronger. In DevSecOps, we should be encouraging our teams to fail – often and quickly – because it is only through experiencing and observing failure that our applications and projects will improve.

Nobody believes anymore that systems or applications are not vulnerable: it is not a case of if you will be attacked and breached, but when. Design your processes around that: monitor for abnormal behaviour, be ready to mitigate, but most of all, ensure that you have processes to learn from what went wrong and build a better, more robust and more resilient project – and team – in the next iteration.
Fast forward
I do not want to pretend that there are no similarities between DevSecOps and sport: there are, of course, many overlaps. Some of the more obvious examples are:

How making a major change takes commitment from top-down as well as bottom-up
The importance of building a team whose members can communicate well with each other
Ability to react to threats in real time

I am never going to suggest that it is all about difference. But sometimes it is as eye-opening to compare something to an opposite as to an equivalent. Enjoy your season of sport and DevSecOps.