Monday, August 19, 2019

The Secure DevOps Edge

When one can see the edges, DevOps can be both a beautiful thing and a beautiful experience.

Like all beautiful things or experiences, the beauty is found and defined at the edges. The iPhone, the Chris Craft, the steep cliff. All beautiful because of their edges, and because of the edges of the experience: the feel in the hand, the wind in the hair, the looks from others.

But to see the edges and be safe, you have to have vision: the vision to see what a thing is, or to express what it can be, so that it can take shape in the minds of others. No one talks about an iPhone by focusing on what it is not. No one hangs off the edge of a mountain because of what it is not.

No one has ever been successful at DevOps by having a vision around what it is not.

So good DevOps differs from mere DevOps because of the edges that keep great code fast, stable and secure. There is a lot of white space there, but that is just tactics, and tactics are not all of it. Once the vision is conceived, it has to translate into getting everyone else on board and across the finish line.

There is a lot to worry about, and the worries have nothing to do with what's in the name. Adding "sec" to "DevOps" alone won't make the executive team sleep better at night, any more than adding "perf" to DevOps would make performance important.

It's the edges, the feel, not the name.

Your edges will be defined in the least obvious places. Sometimes the most obscure. 

In the tools. And the handling of legacy code. And the processes. And the standards. 

And the identification of inadequate controls.

And the questions you ask….

What if we encouraged the identification of edges that are "vague" rather than only the ones that are "good"?

Or defined an edge at the automated promotion of code, one that distinguishes good code, bad code and insecure code, and does so just as automatically?

Or created an edge of balanced CI/CD and automated testing, without neglecting either?
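The promotion edge in the second question above can be written down as policy rather than left to judgement. The following Python is an added example, not code from this post or from any tool it mentions: a gate that takes a build's test results, coverage and scanner findings and returns exactly one of "good", "bad" or "insecure", with its reasons. The report shape, severity names, rule labels and thresholds are assumptions chosen for illustration, and the sample reports at the bottom are constructed.

```python
"""Promotion gate: one decisive verdict per build, derived from CI artefacts.

Added example (not from the original post). The report shape, severity
names, rule labels and thresholds are assumptions; a real pipeline would
fill a BuildReport from its test runner and SAST/SCA tool output.
"""
from dataclasses import dataclass, field

# Ordinal ranking so "at or above this severity" comparisons are explicit.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # assumed tool label, e.g. "sast" or "sca"
    severity: str   # one of SEVERITY_RANK's keys
    rule: str       # scanner rule label (hypothetical names below)
    location: str   # file:line as reported by the scanner


@dataclass
class BuildReport:
    tests_passed: int
    tests_failed: int
    coverage_pct: float
    findings: list = field(default_factory=list)


@dataclass(frozen=True)
class Policy:
    min_coverage_pct: float = 80.0
    block_at_severity: str = "high"  # findings at/above this severity block promotion
    max_lower_findings: int = 10     # too many sub-threshold findings is still "bad"


def security_blockers(report, policy):
    """Findings at or above the policy's blocking severity."""
    threshold = SEVERITY_RANK[policy.block_at_severity]
    return [f for f in report.findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold]


def classify(report, policy=Policy()):
    """Return (verdict, reasons) where verdict is 'good', 'bad' or 'insecure'.

    'insecure' is checked first and wins over 'bad': a build with failing
    tests *and* a blocking finding is reported as a security problem, not
    hidden behind the red test run.
    """
    reasons = []

    blockers = security_blockers(report, policy)
    if blockers:
        for f in blockers:
            reasons.append(f"{f.tool} {f.severity} {f.rule} at {f.location}")
        return "insecure", reasons

    if report.tests_failed > 0:
        reasons.append(f"{report.tests_failed} failing test(s)")
    if report.coverage_pct < policy.min_coverage_pct:
        reasons.append(f"coverage {report.coverage_pct:.1f}% below "
                       f"{policy.min_coverage_pct:.1f}%")
    lower = len(report.findings)  # no blockers remain at this point
    if lower > policy.max_lower_findings:
        reasons.append(f"{lower} unresolved low/medium findings exceed "
                       f"{policy.max_lower_findings}")
    if reasons:
        return "bad", reasons

    return "good", []


def may_promote(report, policy=Policy()):
    """The edge itself: only 'good' builds promote. There is no 'warn and ship'."""
    return classify(report, policy)[0] == "good"


if __name__ == "__main__":
    # Constructed sample reports, one per verdict.
    samples = {
        "clean": BuildReport(120, 0, 91.5),
        "red tests": BuildReport(118, 2, 91.5,
                                 [Finding("sast", "low", "unused-var", "a.py:3")]),
        "sqli": BuildReport(120, 0, 95.0,
                            [Finding("sast", "high", "sql-string-concat", "db.py:41")]),
    }
    for name, report in samples.items():
        verdict, why = classify(report)
        print(f"{name:10s} -> {verdict:8s} promote={may_promote(report)} {why}")
```

The point of the gate is not the particular thresholds but that the verdict is one of three named outcomes, each with recorded reasons, and that "insecure" is decided before "bad" so a security finding is never buried under a failing test run. Loosening the policy is a visible, reviewable change to a `Policy` value rather than a quiet exception in the pipeline.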

Good practice everywhere is the basis for securing anything. Vision certainly doesn't come from indecision; safely enabling the business has to be purposeful and decisive.

Indecision blurs the edges of DevOps enough for vagueness to rot them away, a little at a time. Then, no matter the vision, you won't end up with a thing of beauty. You'll just end up with a thing.

And who wants to do all that work for just a thing?

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.
