The DevSecOps Equilibrium
Learn how DevSecOps helps security, operations, and development form a symbiosis and work together, rather than work with rising tension.
Can you feel the tension in your organization between security, operations, and development? Does each side try to outmaneuver the other? Do they not talk for fear of conflict or being halted in their tracks? You know something needs to be done, but what to do? The answer is simple - everyone needs to be more like pitcher plants. Stay with me.
A good friend of mine from the DevOps Community is Chris Corriere. He is a fascinating guy to talk to over a bowl of ramen or anywhere you might catch him between sessions at a DevOps Days conference. He is one of those guys who search for the deeper meaning of work, relationships, and behaviors. In every conversation, you’ll learn something. Here’s an example:
In his recent talk, The DevSecOps Dilemma, at the All Day DevOps conference, Chris Corriere (@cacorriere) discusses the Nash equilibrium in relation to security and DevOps environments, shows how nature adapts to similar situations and presents how we can pull security into a trust relationship, forming DevSecOps.
Every game has a dilemma. Chris explains, “The Sec in DevSecOps means the security folks are explicitly invited to the table. The dilemma is the fact the invitation isn’t implied.”
In game theory, this fits into the Nash equilibrium, commonly illustrated by the Prisoner's Dilemma. You know the setup: two prisoners (A and B) are each offered a deal to testify against the other, but the deal goes away if A implicates B and vice versa. If neither A nor B takes the deal, their sentences will be shorter than if both are implicated. But A and B can’t talk to each other before deciding.
Chris contends the better illustration is the Stag Hunt. The hunters can work together and potentially get a stag to share for food, but say one of them spots a rabbit first. They could kill the rabbit and have some guaranteed food, but it would be a much smaller amount and could leave their partner high and dry. Cooperate or compete? Oh, the dilemma!
Chris then presents what he coined the Trinary Nash Equilibria: each relationship in nature can devolve into commensalism, where one organism benefits and the other neither benefits nor is harmed; amensalism, where one organism is inhibited or destroyed while the other is unaffected; or parasitism, where one benefits at the expense of the other. None of these is beneficial to both organisms.
What we want to strive for in our organization is symbiotism, a cooperative, high-trust relationship that is beneficial to both parties.
This is seen throughout nature. One example Chris gave comes from low-light, crowded swamps where plants compete for sunlight and nutrients. A species of pitcher plant is shaped so that bats can easily find it with their echolocation cries. The bats roost in the plants, relatively parasite-free, and the plant eats their poop. While admittedly gross for you and me, it is a win-win for the bat and the plant.
The DevSecOps lesson for the day: become the pitcher plant - adapt and offer value to unlikely partners.
Of course, human relationships are more complex than pitcher plants and bats. Chris talks for a bit about the Cynefin sense-making framework by Dave Snowden, which we discussed here in a previous post.
As Chris talked about jungles, ecosystems, and nature, he walked through the value of diversity in nature, making the point that diversity reduces risk, whether in nature or in organizations. Monocultures don’t survive. In DevSecOps, diversity is more than just combining development, security, and operations. It is about different skill sets, backgrounds, thoughts, and beliefs. They combine to make our organizations stronger.
In the end, Chris left us with three takeaways:
- Augment humans with tech instead of replacing them.
- Spend time together. Communicate. Build trust. [hint: this is the most important one]
- Work in diverse teams with mutual goals.
Chris has some interesting illustrations from nature and math to help us better understand and improve our organizations. In addition to more examples from nature, Chris leans into Wardley value chain mapping, replacing Maslow’s hierarchy of needs, and Inclusive Collaboration.
Fascinated by nature stories? You can watch the entirety of his talk here.
Craving more on DevSecOps? Binge-watch any of the 20 DevSecOps sessions, free of charge, from All Day DevOps here.