This is a no-punches-pulled honest conversation about authentic dev-sec-ops and not the vendor favourite buzzwords that have become proper nouns and marketing hooks. We investigated an (updated) definition of done; how we are sometimes unknowingly still creating silos; some anti-patterns in devops; how to possibly structure your transformations and your teams; how to engage your staff; which roles to include and if any are excluded; how the 'shifting left' movement should include operations and security too; and more.

1. Dev Sec Ops
And QA, and Product, and UX,
and other team members.
Theresa Neate
30 May 2018

2. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Introductions
Theresa Neate
● Lead QA & Developer Advocate at REA Group
● Writer at DevOps Agenda (TechTarget)
● Advisory Board member at DevOps Agenda
● DevOps Girls Co-organiser
images: https://twitter.com/MillyRowboat
2

3. ©2018 theresaneate.com https://twitter.com/TheresaNeate
History of devops
2001
Agile Manifesto
2009
Velocity Conference
Allspaw and Hammond
“10+ Deploys Per Day...”
Agile conference Toronto
Debois & Shafer
“Agile Infrastructure”
2008
Origins of Lean
Goldratt
Ohno
Deming
~1940s to ~1997
devopsdays
Patrick Debois
2009
3

4. ©2018 theresaneate.com https://twitter.com/TheresaNeate
devops is not this
4

5. ©2018 theresaneate.com https://twitter.com/TheresaNeate
nor this
5

6. ©2018 theresaneate.com https://twitter.com/TheresaNeate
nor this
6

7. ©2018 theresaneate.com https://twitter.com/TheresaNeate
nor this
7

8. ©2018 theresaneate.com https://twitter.com/TheresaNeate
nor this
8

9. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Faulty interpretation of dev(sec)ops
Is that it excludes
roles or disciplines
not explicitly
mentioned.
9

10. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Just because devops doesn’t say SEC
Does not mean
Security is not
included!
10

11. ©2018 theresaneate.com https://twitter.com/TheresaNeate
dev(sec)ops is about working together
ALL of us.
11

12. ©2018 theresaneate.com https://twitter.com/TheresaNeate
How do we do that?
Because devsecops is devops which explicitly mentions
Security ...
And devops is agile infrastructure …
And agile infrastructure is about agility …
12

13. ©2018 theresaneate.com https://twitter.com/TheresaNeate
The answers lie in its origins of lean &
agility
13

14. ©2018 theresaneate.com https://twitter.com/TheresaNeate
The answers lie in lean & agile (cont’d)
14
http://agilemanifesto.org/principles.html
“Deliver working software frequently”
“Build projects around motivated
individuals. ...”
“The most efficient and effective
method of conveying information to
and within a development team is
face-to-face conversation.”
“Working software is the primary
measure of progress.”
“Continuous attention to technical
excellence and good design enhances
agility.”
“Simplicity--...is essential.”

15. ©2018 theresaneate.com https://twitter.com/TheresaNeate
How some have defined dev-sec-ops
15
http://www.devsecops.org/

16. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Theresa’s translation
16
1. Proactivity
2. Efficiency & Lean
3. Feedback
4. Systems thinking
5. Continuous
learning
6. CAMS - Culture,
Automation,
Measurement,
Sharing

17. ©2018 theresaneate.com https://twitter.com/TheresaNeate
“Done” without security (or ops) is not
DONE
17

18. ©2018 theresaneate.com https://twitter.com/TheresaNeate
A possible day in the life of dev-sec-ops
1. Work is broken into small pieces
2. Definition of done is defined,
including security and ops and
monitoring and testing
requirements for THAT story/task
a. Automated tests written
against these requirements
3. These “non functional”
requirements are coded in (as
much as possible) alongside the
functionality (security as code,
infrastructure as code)
18

19. ©2018 theresaneate.com https://twitter.com/TheresaNeate
A day in the life of dev-sec-ops (cont’d)
4. Local tests pass (bring on the early feedback!)
5. If tests pass, code is committed to CI and integrated to trunk
6. Wider automated (integration, etc.) tests are run where applicable, including
security tests as part of build pipeline
7. If required, manual tests are done, e.g. security scan, exploratory testing, etc.
8. Rinse, repeat.
It’s just how the team flows: no afterthoughts, quality is baked in.
19

20. ©2018 theresaneate.com https://twitter.com/TheresaNeate
The danger of proper noun “models”
20
https://pragdave.me/blog/2014/03/04/time-to-kill-agile.html

21. ©2018 theresaneate.com https://twitter.com/TheresaNeate
The danger of proper noun “models”
21

22. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Closing
22

23. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Thank You!
Questions?
23
(See next page for reading
suggestions)

24. ©2018 theresaneate.com https://twitter.com/TheresaNeate
Reading
The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win by Gene Kim, Kevin Behr,
George Spafford, IT Revolution Press, 2013.
http://www.devsecops.org/
http://itrevolution.com/devops-culture-part-1/
https://itrevolution.com/the-three-ways-principles-underpinning-devops/
https://devopsagenda.techtarget.com/opinion/Its-past-time-to-revisit-Agiles-definition-of-done
https://xp123.com/articles/coaching-drills-and-exercises/
https://www.agilealliance.org/the-agile-root-of-devops/
https://twitter.com/royrapoport/status/996013869230272512
https://pragdave.me/blog/2014/03/04/time-to-kill-agile.html
24