Chapter 24. Why InfoSec Practitioners Need to Know About Agile and DevOps

Fernando Ike

The release of the Agile Manifesto in 2001 consolidated something that had already happened across many application development methods such as extreme programming, Scrum, pragmatic programming, and others. These methods aim to deliver the features an organization needs more efficiently and robustly, within a reasonable lead time. Along with the internet revolution, the Agile Manifesto was one of the foundation stones of the growth of digital-native organizations.

Over two decades after the Agile Manifesto, feature development and delivery have become quicker than ever. This pressures IT operations teams to change their mindset and how they work, so that they know what developers and product managers are planning to deliver. Good communication and breaking down silos have become essential skills.

In 2009 two events happened that changed how IT Operations must work:

  • John Allspaw and Paul Hammond presented “10 Deploys a Day: Dev and Ops Cooperation at Flickr” at the Velocity Conference.[1]

  • Patrick Debois and others organized DevOpsDays in Ghent.[2]

Since then, we have seen new technologies, methods, and concepts concerning development, products, and operations. One key source, organized by DORA Research and its partners, is the State of DevOps Report series.[3]

The 2019 State of DevOps Report, organized by Google, shows us the four key metrics of software delivery performance and the values achieved by elite-performing organizations:

  Metric                     Value
  Deployment frequency       On-demand (multiple deploys per day)
  Lead time for changes      Less than one day
  Time to restore service    Less than one hour
  Change failure rate        0-15%
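The table gives thresholds but not how the four numbers are derived from a team's own delivery data. The following is an added example, not code from the chapter or from DORA: it computes the four metrics from a constructed, hypothetical deployment log (eight deploys over one working week, each with a commit time, a production time, and whether it caused a failure that had to be restored) and compares each metric against the elite thresholds above.

```python
"""Compute the four DORA software delivery metrics from a deployment log.

The log below is constructed sample data, not real deployments.
"""
from datetime import datetime
from statistics import median

# Constructed sample data (hypothetical): one working week of production
# deployments. "commit_at" is the first commit in the change, "deployed_at"
# is when it reached production, "restored_at" is set only for failed deploys.
DEPLOYS = [
    {"id": "d1", "commit_at": "2024-03-04T09:00", "deployed_at": "2024-03-04T15:00", "failed": False, "restored_at": None},
    {"id": "d2", "commit_at": "2024-03-04T11:30", "deployed_at": "2024-03-04T17:30", "failed": True,  "restored_at": "2024-03-04T18:10"},
    {"id": "d3", "commit_at": "2024-03-05T08:00", "deployed_at": "2024-03-05T12:00", "failed": False, "restored_at": None},
    {"id": "d4", "commit_at": "2024-03-05T13:00", "deployed_at": "2024-03-05T14:00", "failed": False, "restored_at": None},
    {"id": "d5", "commit_at": "2024-03-06T10:00", "deployed_at": "2024-03-07T10:00", "failed": False, "restored_at": None},
    {"id": "d6", "commit_at": "2024-03-07T09:00", "deployed_at": "2024-03-07T11:00", "failed": True,  "restored_at": "2024-03-07T11:45"},
    {"id": "d7", "commit_at": "2024-03-08T09:00", "deployed_at": "2024-03-08T10:00", "failed": False, "restored_at": None},
    {"id": "d8", "commit_at": "2024-03-08T10:00", "deployed_at": "2024-03-08T16:00", "failed": False, "restored_at": None},
]

# Elite-performer thresholds taken from the table in the chapter.
# "On-demand (multiple deploys per day)" is interpreted here as more than one
# deploy per calendar day on average; that interpretation is an assumption.
ELITE = {
    "deploys_per_day": 1.0,       # must exceed
    "lead_time_hours": 24.0,      # must be below (less than one day)
    "restore_minutes": 60.0,      # must be below (less than one hour)
    "change_failure_pct": 15.0,   # must not exceed (0-15%)
}


def _ts(value):
    """Parse the ISO 8601 timestamps used in the log."""
    return datetime.fromisoformat(value)


def deployment_frequency(deploys):
    """Deploys per calendar day over the span covered by the log."""
    days = sorted(_ts(d["deployed_at"]).date() for d in deploys)
    span_days = (days[-1] - days[0]).days + 1
    return len(deploys) / span_days


def lead_time_hours(deploys):
    """Median hours from commit to running in production."""
    hours = [(_ts(d["deployed_at"]) - _ts(d["commit_at"])).total_seconds() / 3600
             for d in deploys]
    return median(hours)


def time_to_restore_minutes(deploys):
    """Mean minutes from a failed deploy reaching production to service restored."""
    failed = [d for d in deploys if d["failed"]]
    if not failed:
        return 0.0
    minutes = [(_ts(d["restored_at"]) - _ts(d["deployed_at"])).total_seconds() / 60
               for d in failed]
    return sum(minutes) / len(minutes)


def change_failure_pct(deploys):
    """Percentage of deploys that caused a production failure."""
    return 100.0 * sum(1 for d in deploys if d["failed"]) / len(deploys)


def dora_report(deploys):
    """Return the four metrics and, per metric, whether it meets the elite bar."""
    metrics = {
        "deploys_per_day": deployment_frequency(deploys),
        "lead_time_hours": lead_time_hours(deploys),
        "restore_minutes": time_to_restore_minutes(deploys),
        "change_failure_pct": change_failure_pct(deploys),
    }
    elite = {
        "deployment_frequency": metrics["deploys_per_day"] > ELITE["deploys_per_day"],
        "lead_time_for_changes": metrics["lead_time_hours"] < ELITE["lead_time_hours"],
        "time_to_restore_service": metrics["restore_minutes"] < ELITE["restore_minutes"],
        "change_failure_rate": metrics["change_failure_pct"] <= ELITE["change_failure_pct"],
    }
    return {"metrics": metrics, "elite": elite}


if __name__ == "__main__":
    report = dora_report(DEPLOYS)
    for name, value in report["metrics"].items():
        print(f"{name:20s} {value:8.2f}")
    for name, ok in report["elite"].items():
        print(f"{name:24s} {'elite' if ok else 'below elite'}")
```

On the constructed log the team deploys 1.6 times per day with a median lead time of 5 hours and restores service in about 42 minutes, so three metrics sit in the elite band, but a 25% change failure rate does not. That is the pattern the chapter is warning about: speed alone is not enough, and the security checks added to the pipeline are one of the levers on that last number.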

A big challenge for any organization is how to grow fast while improving its software engineering. How can one execute that many deploys per day, or recover from a failure in one hour or less, and still carry out security tasks? How do we implement tests within the pipeline with security tools like SAST, DAST, Dependency Check, and others, without increasing the lead time for changes? Adding more tests to the pipeline is an option, but security people need to think it through together with developers to find a good balance in the “Test Pyramid.”[4]

People in security IT roles must get involved in the product or service phase and create a checklist for product teams to fill out. Now, more than ever, security IT professionals must participate in upstream sessions like Design Sprint or Lean Inception. These sessions are an opportunity to share security concerns about products, services, and compliance; everyone in these sessions shares the responsibility.

Soft skills are essential for security practitioners in high-performance organizations because they need to advocate for security to developers, sysadmins, testers, product managers, and others. Another important concept that needs to be advocated is the shared responsibility model that AWS establishes with its customers and users.[5] Security must be a concern for everyone in an organization.

Just as ops teams build products or services as self-service platforms for developers to use, it will become more common for security teams to build platforms that give developers a feedback loop on security issues at development time.

Agile and DevOps are strongly influenced by Lean and the Toyota Production System. It is crucial for InfoSec people to learn how these concepts influence their own discipline and the whole software engineering industry.

An example of how Lean influences the software engineering industry: pipelines (continuous delivery) are core to the value stream of elite organizations because the pipeline is where the process is automated and the build artifact is inspected before the next release. When something in the pipeline does not meet the expected quality or breaks a release, the pipeline is stopped, someone checks what is broken and takes on the task of fixing it, like pulling the Andon Cord on the Toyota assembly line.
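A security gate in the pipeline is exactly this Andon Cord: the build stops when a scanner reports something above the agreed severity, and someone has to fix or consciously waive it before the release continues. The following is an added example, not code from the chapter or from any scanner vendor. It assumes scanner output has already been normalized into a list of findings with a tool, rule, severity and location (the findings and the policy below are constructed, hypothetical data), and it shows the "balance" the chapter asks for: low severities are reported without stopping the line, and triaged exceptions need an owner and an expiry date so they cannot quietly become permanent.

```python
"""A pipeline "Andon cord": stop the build when security findings exceed policy.

Findings, policy and exceptions below are constructed sample data.
"""
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings (hypothetical), in the shape a SAST scanner or a
# dependency checker might emit once normalized. Paths and package names
# are placeholders, not a real project.
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "severity": "high",
     "location": "app/db.py:42"},
    {"tool": "sast", "rule": "hardcoded-secret", "severity": "medium",
     "location": "app/config.py:7"},
    {"tool": "dependency-check", "rule": "vulnerable-dependency", "severity": "critical",
     "location": "requirements.txt:example-lib==1.2.0"},
    {"tool": "sast", "rule": "debug-enabled", "severity": "low",
     "location": "app/settings.py:3"},
]

# Policy agreed between security and developers: break the build at or above
# this severity. Tuning this is how the team balances pipeline lead time
# against coverage without touching the scanners themselves.
FAIL_AT = "high"

# Triaged exceptions. Each one names an owner and expires, so a waived
# finding comes back as blocking if nobody renews the decision.
EXCEPTIONS = [
    {"rule": "vulnerable-dependency",
     "location": "requirements.txt:example-lib==1.2.0",
     "owner": "team-payments", "expires": "2024-04-30"},
]


def is_excepted(finding, exceptions, today):
    """True if a still-valid exception matches this exact rule and location."""
    for exc in exceptions:
        if (exc["rule"] == finding["rule"]
                and exc["location"] == finding["location"]
                and date.fromisoformat(exc["expires"]) >= today):
            return True
    return False


def evaluate(findings, fail_at=FAIL_AT, exceptions=EXCEPTIONS, today=None):
    """Sort findings into blocking, waived and advisory; "stop" pulls the cord."""
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived, advisory = [], [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            advisory.append(finding)          # reported, does not stop the line
        elif is_excepted(finding, exceptions, today):
            waived.append(finding)            # consciously accepted, with an owner
        else:
            blocking.append(finding)          # stop the pipeline
    return {"stop": bool(blocking), "blocking": blocking,
            "waived": waived, "advisory": advisory}


def summarize(result):
    """One line per finding in the form a CI log would show."""
    lines = []
    for bucket in ("blocking", "waived", "advisory"):
        for f in result[bucket]:
            lines.append(f"{bucket.upper():9s} {f['severity']:8s} {f['tool']}/{f['rule']} at {f['location']}")
    lines.append("PIPELINE STOPPED" if result["stop"] else "pipeline continues")
    return lines


if __name__ == "__main__":
    outcome = evaluate(FINDINGS)
    print("\n".join(summarize(outcome)))
    # A non-zero exit is what actually halts a CI job.
    sys.exit(1 if outcome["stop"] else 0)
```

Run against the sample data in March 2024 the build stops on the high-severity SAST finding, the critical dependency finding is shown as waived under its exception, and the two lower severities are listed as advisory. Run again after the exception's expiry date and the dependency finding becomes blocking too, which is the point of giving waivers a lifetime.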

[1] John Allspaw and Paul Hammond, “10+ Deploys a Day: Dev and Ops Cooperation at Flickr,” Velocity 2009, https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr.

[2] DevOpsDays Ghent 2009, https://legacy.devopsdays.org/events/2009-ghent/.

[3] State of DevOps Reports, https://www.devops-research.com/research.html#reports.

[4] Ham Vocke, “The Practical Test Pyramid,” martinfowler.com, February 26, 2018, https://martinfowler.com/articles/practical-test-pyramid.html.

[5] “Shared Responsibility Model,” https://aws.amazon.com/compliance/shared-responsibility-model/.
