Does your team need to learn how to break things?

Steps to building tools (automation) and changing people (culture).

I don't think I need to start off by telling you that security and reliability are important in our code. We've heard it over and over and over again.

Big problems, at scale, happen when we don't bake security in at the beginning and instead try to make adjustments as we go.

So, let's cut to the chase. How do we integrate security into DevOps?

1. Embrace automation: Use and/or build the tools.

2. Change the culture: Make security our friend, not our foe.

Embrace automation (tools)

Let's take the problem of stolen or weak passwords. It's a simple problem, but it happens at huge scale. "If you wait for a human being to get involved, it's not going to scale."

Vincent Danen, Director of Product Security at Red Hat, explains on the latest podcast that we're seeing more, not fewer, vulnerabilities every day. We will not reach a day when security is done, reached, complete. It's as "normal as breathing now." In terms of our continuous integration and deployment processes, there's so much coming out "every day, every hour. You write code and it's deployed ten minutes later."

What to do? Get your automation tools in place, in the same pipeline that builds and deploys the code, and security becomes baked in rather than bolted on.
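The password problem above is a good candidate for exactly that kind of automation: a check that runs on every signup or in a CI gate, with no human in the loop. The following is an added example, not code from the article or from Red Hat. It assumes a constructed set of breached-password SHA-1 digests (a real deployment would load it from a breach corpus; Pwned Passwords, for instance, publishes SHA-1 digests) and illustrative local thresholds for length and entropy, which are not a standard.

```python
"""Automated weak/compromised password check for a signup hook or CI gate.

Added example, not code from the article or from Red Hat.
Assumptions: BREACHED_SHA1 is a constructed sample; MIN_LENGTH and
MIN_ENTROPY_BITS are illustrative local policy, not a standard.
"""
import hashlib
import math
from collections import Counter

# Constructed sample of "known breached" passwords, kept as upper-case SHA-1
# hex digests (the representation breach corpora use) so the checker never
# has to carry the plaintexts. These are the digests of "password",
# "123456" and "qwerty".
BREACHED_SHA1 = {
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B",
    "B1B3773A05C0ED0176787A4F1574FF0075F7521E",
}

MIN_LENGTH = 12          # assumed local policy
MIN_ENTROPY_BITS = 40.0  # assumed local policy


def shannon_entropy_bits(s: str) -> float:
    """Estimate the total entropy of s from its own character distribution.

    A crude but cheap signal: "aaaaaaaaaaaa" scores zero however long it is.
    """
    if not s:
        return 0.0
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return per_char * n


def is_breached(password: str) -> bool:
    """Look the password up by SHA-1 digest, the key breach corpora use."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if shannon_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too predictable (low entropy)")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("alice", "password"),
                     ("jen", "jen_rocks_raleigh_2024"),
                     ("bob", "Tr0ub4dor&3-staple")]:
        verdict = check_password(pw, user) or ["ok"]
        print(f"{user}: {', '.join(verdict)}")
```

Wire `check_password` into the signup handler and into the pipeline that seeds service accounts, and a rejected password is just another failed build rather than a ticket someone has to read. Hashing before the lookup is what lets the breached set live in the repo or a shared service without ever handling plaintext.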

That's half of it.

Change the culture (people)

The other half is the mindset: the people setting up the meetings, giving direction, and telling each other what's important.

How do we get developers and operations in the kitchen together baking in some solid security?

Training exercises. At Netflix, it's Chaos Monkey. At Google, it's the DiRT (Disaster Recovery Testing) program. The idea is to break things at massive scale so your team can a) experience it and b) study and learn from it.
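A small version of the same drill, as an added example that is not Netflix's Chaos Monkey, Google's DiRT tooling, or code from the article: break the credential store on purpose while logins are being attempted and see whether the service fails closed. The store, the users and the failure schedule are all constructed for illustration; the "fail-open" variant is the kind of bug such an exercise is meant to surface.

```python
"""Fault-injection drill: break the credential store on purpose and verify
that authentication fails closed.

Added example, not Chaos Monkey, DiRT, or code from the article.
The store, users and failure schedule are constructed for illustration.
"""
import hashlib
import hmac
import random


class CredentialStore:
    """Constructed in-memory store holding salted SHA-256 password hashes."""

    def __init__(self, users: dict):
        self._salt = b"constructed-salt"  # assumption: one fixed salt for the demo
        self._hashes = {u: self._digest(p) for u, p in users.items()}

    def _digest(self, password: str) -> bytes:
        return hashlib.sha256(self._salt + password.encode("utf-8")).digest()

    def verify(self, username: str, password: str) -> bool:
        stored = self._hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(password))


class ChaosStore:
    """Wrap a store and make verify() blow up on a seeded, repeatable schedule."""

    def __init__(self, inner, failure_rate: float, seed: int = 0):
        self._inner = inner
        self._rate = failure_rate
        self._rng = random.Random(seed)
        self.injected = 0

    def verify(self, username: str, password: str) -> bool:
        if self._rng.random() < self._rate:
            self.injected += 1
            raise ConnectionError("injected backend outage")
        return self._inner.verify(username, password)


def authenticate_fail_open(store, username: str, password: str) -> bool:
    """The 'before' behaviour the drill is meant to expose: a backend outage
    is treated as a degraded mode and the login is waved through."""
    try:
        return store.verify(username, password)
    except ConnectionError:
        return True


def authenticate(store, username: str, password: str) -> bool:
    """Hardened version: any backend error denies access."""
    try:
        return store.verify(username, password)
    except Exception:
        return False


def run_drill(auth_fn, trials: int = 500, failure_rate: float = 0.3,
              seed: int = 42) -> dict:
    """Hammer auth_fn with a wrong password while the backend is failing and
    report how many failures were injected and how many logins were wrongly
    accepted. A non-zero 'accepted' count is a fail-open finding."""
    store = ChaosStore(CredentialStore({"alice": "correct horse battery staple"}),
                       failure_rate, seed)
    accepted = 0
    crashed = 0
    for _ in range(trials):
        try:
            if auth_fn(store, "alice", "not-the-password"):
                accepted += 1
        except Exception:
            crashed += 1
    return {"trials": trials, "injected": store.injected,
            "accepted": accepted, "crashed": crashed}


if __name__ == "__main__":
    for name, fn in [("fail-open", authenticate_fail_open),
                     ("fail-closed", authenticate)]:
        print(name, run_drill(fn))
```

The seeded schedule is what makes this a learning exercise rather than a one-off scare: the same run can be replayed after the fix, and a real program swaps the in-memory store for the production dependency and the fixed seed for a scheduled, announced window.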

It all comes down to strong, reliable, and secure code.

Security: the next level

Will user behavior one day decide the level of security needed for access? We don't know yet, but the thing we know for sure is that security matters if you want to be relevant in today's tech landscape.

For a fuller discussion, in audio, with people at the ground level doing this work, download the Command Line Heroes podcast.

Jen leads a team of community managers for the Digital Communities team at Red Hat. She lives in Raleigh with her husband and daughters, June and Jewel.

2 Comments

Nice article.
Perhaps there might even develop a new area in the enterprise, let's call it the Department of Breaking Things, where the prime job of its members is to find vulnerabilities in code or maybe even various practices or habits that coders adopt.

Yep. I agree that the best way to learn about security is to have something break and then patch it up. Not only do you learn about the vulnerability, you also figure out how to fix it.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.