Intelligent Tech Channels Issue 17 - Page 47

INTELLIGENT SOFTWARE BUSINESS

be able to give good predictions as to what attacks might take place, it is the core engineering and operations personnel who are best placed to anticipate their likely impact on the running of the system, and who should be designing the appropriate mitigations for when problems do arrive.

Team play

In most team sports, you can only have part of your team on the field at any one time. One of the joys of DevSecOps is that everybody can be involved throughout the process. The coach does not have to sit on the sidelines, and can bring on the team psychologist, performance expert and technical experts whenever they are needed. As you will be constantly iterating, it will not be long before each team member has something to contribute as changes arise in the application, the deployment environment or the security landscape. DevSecOps teams should not be insulated from other parts of the organisation either: if you need to bring help in for a day or two, do so. Do not be afraid to move quickly and admit that you need help.

Fail and fail again

When we think about sport, we think of how our teams must win every game. Actually, the best sportsmen and sportswomen, and the best sports teams, know how to lose as well, and how to come back from a loss stronger. In DevSecOps, we should be encouraging our teams to fail – often and quickly – because it is only through experiencing and observing failure that our applications and projects will improve. Nobody believes any more that systems or applications are invulnerable: it is not a case of if you will be attacked and breached, but when. Design your processes around that: monitor for abnormal behaviour, be ready to mitigate, but most of all, ensure that you have processes to learn from what went wrong and build a better, more robust and more resilient project – and team – in the next iteration.

Fast forward

I do not want to pretend that there are no similarities between DevSecOps and sport: there are, of course, many overlaps. Some of the more obvious examples are:

• Making a major change takes commitment from the top down as well as from the bottom up
• The importance of building a team whose members can communicate well with each other
• The ability to react to threats in real time

I am never going to suggest that it is all about difference. But sometimes it is as eye-opening to compare something to its opposite as to its equivalent. Enjoy your season of sport and DevSecOps.