particular time. You may not be able to stop them on every occasion, but at least you know who they are and what they're trying to achieve.

In the case of DevSecOps, that's even less true than in the normal world of software projects because, between you, you're developing, testing and operating multiple layers of the stack, and your opponents may be various, with differing skill-sets and resources.

The good news is the phrase 'between you'. If you're truly working as a team, the combined knowledge of the various experts can be applied across abstraction layers in ways which are typically very difficult in your standard 'design, develop, test, deploy' model and which give you broader and deeper insights into ways to improve your project's security.
3. You're not playing by the same rules as your opponents

This is a tough one. When you play sport, there are rules to follow and both sides have to follow them, or the referee, umpire or official takes action against the offending party.

Now, it would be lovely to live in a world where attackers were always caught and punished when they went after your infrastructure and applications, but sadly there's no sign of that fairytale future any time soon.

Given that you're unlikely to be able to go after your opponent in real time with an active counterattack, you need to consider what mitigations you can put in place, how to apply them and how quickly they can be brought to bear.
Mike Bursell, Chief Security Architect, Red Hat

Importantly, this must not be an area which is left solely to the security folks on the team. Although security experts may be able to give good predictions as to what attacks might take place, it is the core engineering and operations personnel who are best placed to anticipate their likely impact on the running of the system, and who should be designing the appropriate mitigations for when problems do arrive.

4. The whole team gets to play every time, all the time

In most team sports, you can only have part of your team on the field – or rink or court – at any one time. One of the joys of DevSecOps is that everybody can be involved throughout the process. The coach doesn't have to sit on the sidelines and can bring on the team psychologist, performance expert and technical experts whenever they're needed. As you'll be constantly iterating, it won't be long before each team member has something to contribute as changes arise in the application, deployment environment or security landscapes. DevSecOps teams shouldn't be insulated from other parts of the organisation either: if you need to bring help in for a day or two, do so. Don't be afraid to move quickly and admit that you need help.
5. It's OK to fail – repeatedly

When we think about sport, we think of how our teams must win every game. Actually, the best sportsmen and sportswomen, and the best sports teams, know how to lose as well, and how to come back from loss stronger.