A throwaway comment towards the end of yesterday's blog sent me scurrying down a rabbit hole, well more of a warren really. What is DevOps and how does it relate to security innovation?
In short, as I understand it, DevOps involves integrating and tooling-up development and operations teams so they collaborate in a more effective and efficient way, thus reducing the cycle time between conventional software releases while also delivering better, more resilient and more manageable IT systems.
Sounds great, right?
Oh but hang on a moment. Haven't we seen this kind of thing before? Isn't DevOps just another movement, a buzzword not unlike Agile, Waterfall, Cloud, Lean, ITIL and more ... none of which turned out to be the Ultimate Answers their vocal proponents enthusiastically implied or claimed.
They did however deliver philosophies, strategies, elements, approaches and tools that proved somewhat useful and valuable. Truth is they all have their strengths and weaknesses, opportunities and threats, promises and disappointments. DevOps too.
The information risk and security side of DevOps intrigues me. At face value, minor incremental changes appear less threatening than revolutionary and potentially disruptive major releases, especially if the supporting infrastructure, tools and processes facilitate things such as efficient regression testing. However, some information risks may accumulate, some may change in severity and/or probability, and entirely new risks may appear as a consequence of the approach - for example there's the risk of being completely overtaken by a radically different approach or a dramatic change in the market. As a former geneticist, I see parallels here to evolution, including theories such as Lamarckism and punctuated equilibrium. The common factor is that they are theories based around models that attempt to describe relatively complex and incompletely understood activities in relatively simple cause-and-effect mechanistic ways. The difference is that scientific theories are (a) explicitly formulated in a way that is testable, and (b) actively tested, competently, by teams of professional scientists steeped in the field. Admittedly scientists also get passionately committed to their pet theories, some to the point that their human biases cloud or devalue the science. As a global community, however, bad science gets identified and outed, and the field moves ahead by consensus. Integrity overrides both confidentiality and availability.
Things are markedly different in IT. Fads (such as DevOps) are fads largely because of vested commercial interests. Various people and companies hope to make their fame and fortune through each of these fads, feeding off the seemingly insatiable desire for the Ultimate Solution. I don't. I find the very notion of searching for the Answer to the Ultimate Question of Life, The Universe and Everything just as laughable as Douglas Adams did.
So, in keeping with the Ides of March theme, I predict gloom and despondency for anyone who honestly believes DevOps is all they will ever need. Although it may not be pure snake oil, it has the hallmarks of yet another commercially-driven IT fad having its day in the limelight.
Rapid incremental or evolutionary change has appeal in other domains such as security awareness and security standards development. Do I even dare to hope that the committee behind the ISO27k standards might one day consider reducing its cycle time to approach the rate of evolution in this field? Could DevOps work its magic there? Somehow I doubt it. We are doomed, doomed I tell you, destined to the same fate as the dinosaurs. Obsolescence is so last year.