I recently caught up with Paula Thrasher, Application Delivery Lead at CSC and DevOps pioneer in government circles. In our conversation, we discussed a number of important topics including cross-functional teams, software supply chains, paying down technical debt, and her search for passionate people to hire. To succeed in managing large projects she’s taking a different approach - one you might want to apply in your own organization.
What was your presentation at the Rugged DevOps conference about today?
We had a panel about the people, process, and cultural aspect of DevOps, and the security context, as well. When you're moving to the Ops transformations, what kinds of behaviors are both challenges and opportunities?
There was a comment at the beginning session about how any sort of transformation that relies on human nature has failed. So you can't change how we work, but you can leverage how people are motivated to try and encourage the right behavior. I think that's the thing that'll resonate with the security professionals.
You're setting up a new organization and have a lot of projects that you're going to take on. Is it possible to achieve a lot with smaller teams? Do you need a big team to do Rugged DevOps?
I think the main thing that we've been focused on is creating the team that is sort of the center of the universe. I think the most important thing is to have a team that is cross-functional. A lot of times when you think of teams - this is the development team, this is the Ops team, this is the security team - the question is, do you have all the players on the same team, or are they on different teams? I think if you find yourself in a situation where any one team has to deliver to another team, instead of actually being responsible for delivery of the actual business submission function, you've got some horrible web of dependency you're going to have to untangle.
“We’ve been focused on creating the team that is sort of the center of the universe.”
The big focus of what we're trying to do in the new organization is to build that completely cross-functional team and to enable them as a team to be placed on different projects, different missions. So instead of doing single-band rotations, where a single employee moves onto a new project, we're actually trying to move full teams. As a team, they learn how they work best and how they can deliver. It makes a really powerful solution for actually solving problems. I'm really excited about that.
A lot of people at the Rugged DevOps Conference are interested in the Rugged DevOps phase because they're concerned about being left behind by DevOps. Is that a real concern for security teams: getting left behind?
Yes. We definitely see a dichotomy in the world of how security interacts with development teams between the traditional showing up at the end and inspecting versus really embedded security. It's so clearly going to this idea that you can't just inspect security. Security can't be this checkbox at the end. You really have to build it in from a computer. You have to actually make design decisions about security. You have to make sure the developers know secure coding practices. You have to have tools that scan, check all the time, and get feedback. You can't just add that at the end.
“Security can’t be this checkbox at the end.”
I think it's a real challenge to security folks, just as it was for everyone - developers and Ops people - to change how you think to that system-wide view. You can't just be a phase at the end. We actually have to be part of a whole equation, that whole systems thinking. I think that is so instrumental to what DevOps really is as a group.
One of the things that you recently talked to Mark Miller about was an idea of using pictures to help with collaboration and to get everyone on the same page. Can you tell me about that practice?
Back to this human nature piece, I think humans are inherently really visual thinkers. I also think you're asking people to bring cross-costuming across social teams. Well, if you're a security person and you're talking to an Ops person, you probably don't speak the same language. Or if you're a developer and you talk to a security person, again, you don't necessarily speak the same language. But when you speak visually, you can understand each other better. You don't bring your acronyms to the table. We're talking about a diagram.
“When you speak visually, you can understand each other better. You don’t bring your acronyms to the table.”
I also think it takes the personal element out of it a little bit. We're talking about the system. We're not talking about each other. The security team is not accusing the developers of being a bunch of renegades. They're talking to them about a process and how they process it. It keeps the conversation where it needs to be, which is on making the process better and delivering better software.
How is the growing interest in software supply chains changing the way you're thinking about DevOps?
I think simplicity is an underused tool in security. Recently, one of our DevOps teams that was going in their rapid fashion had a deployment that had a vulnerability in it. They had to respond quickly, and they actually did respond quickly. But when we unpacked it, in retrospect, we realized: "How did we get here? How did we let this vulnerability get in?"
We had all sorts of scanning. We had, supposedly, all the right things to have prevented that security flaw. Yet, how we got there was this Venn diagram of all these things overlapping. It was one of those security bugs that slips through the cracks.
We realized what happened is we had gone to over-engineering; we had over-engineered for performance. In doing that, we had overlooked the interaction of three components in a very particular circumstance. It was like an "every third Tuesday if you spun around three times" kind of bug. But I think that's exactly what happens a lot. That's super common in terms of those last defects, and there's quite a bit that comes out of that overlap of complexity.
Having fewer, more secured suppliers reduces the lift of having to upgrade updated components. It also means if you find an issue, your unpacking of that issue is a lot easier because you have a lot less things going on. All engineers need the reminder of "keep it simple." But I think that's a real powerful thing. Fewer, better suppliers, from a supply chain standpoint, is one of the mantras that I really appreciate because I just see it match. It really makes a difference.
“Fewer, better suppliers, from a supply chain standpoint, is one of the mantras that I really appreciate.”
You're working with a lot of government agencies across the board. What's their interest in Rugged DevOps practices, or just DevOps practices that you're bringing into play?
I think in the government space, and it's true for any enterprise, everything has to have security. There is not an agency that we can work with that doesn't have privacy data, or heavily secured data, in the defense and intel agencies, or just straight-up vulnerabilities from being a target. The scale of the enterprise means there's a lot of potential systems and a potential surface area for attack. You can think of all the high-profile attacks that have occurred in the federal government recently, and it's made people really alarmed!
One of the things that’s very interesting is that the whole federal government did a “cyber sprint” last summer, where they did nothing but pay down technical debt and get rid of systems and their vulnerabilities. It was wonderful! And I think every organization should do just that: spend one month a year doing nothing but eliminating old frameworks and applications. That really simple, easy thing often gets overlooked because businesses are always saying "more, more, more, more, more." However, we actually measured the metrics of the teams after the “cyber sprint,” and all of our teams' velocity increased. After we let teams upgrade legacy components, all of them had an improvement, which is sort of like a "well, duh!" But I think it's a win-win really, that if we can allow ourselves to invest in paying down our technical debt we can get better results.
“If we can allow ourselves to invest in paying down our technical debt we can get better results."
I think that in a government space, it just has to be part of the equation. So much of what we do is so instrumental to everything.
How do Sonatype and the Nexus Repository come in as part of the equation with DevOps and your practices?
One of the things we're trying to orchestrate is to build the tool chain that both enables automation and also provides that built-in governance. We're orchestrating a huge amount of IT. So I really like the solution that is being provided by Sonatype — to just know what's in there, to know “what's in the box.” Also, it allows you to set rules to say, "If we know if a system has a vulnerability, how do we know if a developer put it in or not?" Well, if we let developers do their own deployments, then we don't know. But if we have Sonatype, we can still allow a developer to deploy something but the system becomes the regulator so they don't introduce a known defect into the application.
I think the checks and balances we get out of it is really powerful. We see something very valuable in terms of helping us to deliver that reduced surface area. It's a great goal, and I do think there is a personal component of it. But it's very tool-enabled, and that's something we're really excited about.
“I think the checks and balances we get out of [Sonatype] is really powerful."
As we started off the conversation, you have a new group. You have a lot of projects that are going to get underway. Are you hiring?
Who are the type of people that you're looking for, if someone wants to get in touch with your company?
We are at CSRA.com, and if you go to our jobs and our careers website, you can see some of the openings we have. Actually, I'm really excited. One of the projects we did internally was building a whole new hiring model. We used big data. We built in some DevOps, and we're taking advantage of our own technology to do that.
Like I said, what we are really trying to do is build good strong teams, and so that's something we're very focused on. So one of the pilots we'll probably be doing shortly is a team-based hiring model where a team actually hires for themselves.
We're looking for folks who are just really passionate about solving digital government. And I think that's the main focus of us, really just being passionate about the mission we're trying to do. We're trying to help the government be that digital agency. Looking at the interactions we have with some of these Silicon Valley apps, how come we don't have that interaction with the government? That's what we want to create. So we're looking for people who are passionate about our mission and willing and interested in solving problems. Hopefully, we can build a great team.
“We’re looking for folks who are just really passionate about solving digital government.”
Excellent. Thank you.
If you loved this interview and are looking for more great stuff on Rugged DevOps, I invite you to download this awesome research paper from Amy DeMartine at Forrester, “The Seven Habits of Rugged DevOps.”
As Amy notes, “DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros’ expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyber attacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated lifecycle. These new practices are called Rugged DevOps.”