The opinions expressed herein are my own and do not represent my past, present and future employer’s views in any way. Nothing posted here should be considered official or sanctioned by my past, present or future employer or any other organization I’m affiliated with.


Prelude to DevOps - the Need for Speed

Competition and business innovation is driving the need for speed:

In business, success is often about slashing the time it takes to go from having a brilliant idea to getting it into the hands of customers before a competitor does, or finding out that the brilliant idea wasn’t actually good at all, and coming up with another, better idea or canceling it before the business loses too much money or customers (“fail early”). This drives product and service development to become faster and more responsive, more agile.

Heavyweight Waterfall software development has been giving way to lighter-weight, incremental Agile development approaches for some time now. Agile development methods like Scrum have become extremely popular, as organisations look for ways to speed up delivery of software products and reduce the risk of software development project failures.

But fast-moving Agile teams, and the business Product Owners who are sponsoring their work and driving their priorities, have become frustrated with delays in getting completed software into production and into the hands of users. In many cases, they are creating working software faster than operations can accept it. Operations have become a roadblock to business progress.

The inability of development and operations to turn around changes quickly creates other problems for many organisations when it comes to security. Security vulnerabilities are often left open for too long even though most security patches are simple to fix and implement. This gives attackers more opportunities to find and exploit vulnerabilities.

IT, which includes security specialists, developers, and operations, has to look at the complete value chain, from when an idea is created or a problem is found, to when it gets delivered to production. They need to find ways to make learning and change easier, faster and cheaper, to try out new ideas and to fix problems, without introducing new bugs or causing outages. This is what DevOps tries to achieve.

Walls of Confusion

Organisational and cultural barriers exist in most organisations between development and operations, in addition to barriers between the rest of the organisation and the InfoSec and compliance groups. These are known as the “Walls of Confusion”. People on opposite sides of the wall have different goals and priorities and competing incentives, use different tools and follow different practices, speak different languages, and often have completely different cultures.

Take down Walls of Confusion

DevOps breaks down the “walls of confusion”, the communications and cultural barriers between developers and operations, in the same way that Agile development tries to break down communications barriers between the business and developers. It gets rid of hand-offs and discontinuities between organisations, as well as the inefficiencies, misunderstandings and conflicts that come with a “throw it over the wall” style hand-off.

These walls of confusion are broken down by building cross-functional teams which own responsibilities for a service, from requirements and planning through to design, construction, deployment, and running in production. In some organisations, this might mean embedding Operations engineers and InfoSec professionals into development teams, or permanently flattening development and operations, and restructuring the organisation around end-to-end service delivery instead of functional lines.

Another important step in breaking down these walls is by getting developers, testers, and operations to share common tools: for tracking problems, for managing source code and configuration information, for collaboration and messaging…

DevOpsSec is about extending this to include security and compliance - so that security and compliance are not imposed from outside.

Basics of DevOps - Agility and Collaboration

Extend Lean and Agile ideas, practices and values to operations

DevOps is about developers and operations working closely together to make rapid, iterative changes to systems quickly and inexpensively. This includes changes to applications and rapid provisioning and configuration of infrastructure - in public or private clouds.

DevOps is based on a few key ideas:

Cross-functional teams involving development, operations, and InfoSec: breaking down the “walls of confusion” between these groups, getting them to work closer together, and sharing end-to-end responsibility for getting changes into production and ensuring that they work correctly.

Agile development teams, once they start moving fast and iterating, often run into a roadblock in operations when it comes to deploying the new features that they’ve developed. This roadblock prevents them from getting meaningful feedback and creates artificial delays delivering value.

DevOps extends Agile and Lean ideas and ways of working into operations: small teams collaborating to solve problems in an open environment, working iteratively and incrementally; minimising waste and delay; and leveraging automation to solve operations problems such as provisioning, configuring, hardening, updating, and patching infrastructure.

Basics of DevOps - Shared Ownership and Accountability

Development and Operations share end-to-end of systems:

“You build it, you run it” (Amazon’s CTO Werner Vogels).

In some cases, for example at Netflix, which leverages Amazon’s AWS for its operational platform, developers are effectively responsible for all of the work of setting up, deploying, running, monitoring and supporting the applications that they develop. This is what Netflix calls “NoOps”.

High velocity and low cost of change enable DevOps organisations to run continuous experiments, respond to customers, pivot quickly:

DevOps Security is not a priority:

Security is someone else’s problem:

DevOps is not:

DevOps is not just about running systems in the cloud, although DevOps has changed and is changing the way that systems are run in the cloud. It is not about creating “DevOps teams” or adopting a “DevOps” toolset (which is how many vendors are repackaging IT configuration management and release management products).
