Top 5 Ways That DevSecOps Isn’t Like Sport

By: Mike Bursell, Chief Security Architect, Red Hat

There’s the World Cup, cricket, baseball, rugby, Wimbledon - more sport around at the moment than you can shake a stick (or bat, racket or croquet mallet) at. I love watching various sports - an activity at which I excel, unlike my attempts to play most of them - and I was wondering the other day about ways in which sport is like the software world, and more specifically, like that useful and popular process of DevOps. And it dawned on me that if there’s one thing which isn’t like sport, then it’s DevSecOps (the philosophy of integrating security practices within the DevOps process). Let me give you some examples.

1. You can’t blame the goalkeeper
Sorry to start with a very specific example, but it’s one that is close to my heart: mainly because when we picked football teams at school, I was often the last one to be chosen, and ended up as goalkeeper, everybody’s least favoured position. When the ball whipped or just rolled past me into the back of the net, I was always the one who was handed the blame.

Not only is this terribly bad for team morale, but it also shouldn’t be a reflection of how the team works. I’m always wary of the phrase “with DevSecOps, security is everybody’s responsibility”, as not everybody is a security expert, but everybody needs to take some responsibility for understanding the correct processes and following them, and blame should certainly never be laid on just one person’s shoulders when something goes wrong. And don’t forget: with DevSecOps, you have every opportunity to fix what went wrong, to fix it quickly, and to put in place tests to ensure that the same vulnerability is never exposed again. Go you!

2. You don’t know who your opponent is
When you’re playing sport, it’s usually pretty clear who your opponent is, where they are, and what they’re doing at any particular time. You may not be able to stop them on every occasion, but at least you know who they are, and what they’re trying to achieve. In the case of DevSecOps, that’s even less true than in the normal world of software projects, because, between you, you’re developing, testing and operating multiple layers of the stack, and your opponents may be various, with differing skill-sets and resources. The good news is in the phrase “between you”. If you’re truly working as a team, the combined knowledge of the various experts can be applied across abstraction layers in ways which are typically very difficult in your standard “design, develop, test, deploy” model, and which give you broader and deeper insights into ways to improve your project’s security.

3. You’re not playing by the same rules as your opponents
This is a tough one. When you play sport, there are rules to follow, and both sides have to follow them, or the referee/umpire/official takes action against the offending party. Now, it would be lovely to live in a world where attackers were always caught and punished when they go after your infrastructure and applications, but sadly, there’s no sign of that fairytale future any time soon. Given that you’re unlikely to be able to go after your opponent in real time with an active counterattack, you need to consider what mitigations you can put in place, how to apply them, and how quickly they can be brought to bear. Importantly, this must not be an area which is left solely to the security folks on the team. Although security experts may be able to give good predictions as to what attacks might take place, it is the core engineering and operations personnel who are best placed to anticipate their likely impact on the running of the system, and who should be designing the appropriate mitigations for when problems do arise.

4. The whole team gets to play every time, all the time
In most team sports, you can only have part of your team on the field - or rink or court - at any one time. One of the joys of DevSecOps is that everybody can be involved throughout the process. The coach doesn’t have to sit on the sidelines, and can bring on the team psychologist, performance expert and technical experts whenever they’re needed. As you’ll be constantly iterating, it won’t be long before each team member has something to contribute as changes arise in the application, deployment environment or security landscapes. DevSecOps teams shouldn’t be insulated from other parts of the organisation either: if you need to bring help in for a day or two, do so. Don’t be afraid to move quickly and admit that you need help.

5. It’s OK to fail - repeatedly
When we think about sport, we think of how our teams must win every game. Actually, the best sportsmen and sportswomen, and the best sports teams, know how to lose as well, and how to come back from loss stronger. In DevSecOps, we should be encouraging our teams to fail - often and quickly - because it is only through experiencing and observing failure that our applications and projects will improve. Nobody believes anymore that systems or applications are invulnerable: it’s not a case of if you will be attacked and breached, but when. Design your processes around that: monitor for abnormal behaviour, be ready to mitigate, but most of all, ensure that you have processes to learn from what went wrong and build a better, more robust and more resilient project - and team - in the next iteration.

Wrapping up
I don’t want to pretend that there are no similarities between DevSecOps and sport: there are, of course, many overlaps. Some of the more obvious examples are how making a major change takes commitment from the top down as well as from the bottom up; the importance of building a team whose members can communicate well with each other; and the ability to react to threats in real time. I’m never going to suggest that it is all about difference. But sometimes comparing something to its opposite is as eye-opening as comparing it to an equivalent. Enjoy your summer of sport - and DevSecOps.
