Note from the editor: This is the introduction to our new book, Epic Failures in DevSecOps. We'll be publishing excerpts from each chapter during the coming weeks and interviewing the authors on the DevSecOps Days Podcast Series. If you like what you see, get a free digital copy of the book when you join the community. Put your email address in the form on the right. You'll immediately be shown a link to the download of the entire book. -- Mark Miller, Editor-in-Chief, DevSecOps Days
We learn more from failures than we do from successes. When something goes as expected, we use that process as a mental template for future projects. Success actually stunts the learning process because we think we have established a successful pattern, even after just one instance of success. It is a flawed confirmation that “This is the correct way to do it”, which has a tendency to morph into “This is the only way to do it.”
Real learning comes through crisis.
If something goes wrong, horribly wrong, we have to scramble, experiment, hack, scream and taze our way through the process. Our minds flail for new ideas, are more willing to experiment, are more open to external input when we’re in crisis mode.
That’s where the idea for this book came from. When I was in Singapore for DevSecOps Days 2018. Edwin Kwan, Stefan Streichsbier and DJ Schleen were swapping war stories over a couple of beers. The conclusion of their evening of telling tales was the desire to find a way to get those stories out to the community. They spoke with me about putting together a team of authors who would tell their own stories in the hope of helping the DevSecOps Community understand that failure is an option.
Yes. You read that right. Failure is an option.
Failure is part of the process of making the cultural and technological transformation that needs to happen in order to keep innovating. It is part of the journey to DevSecOps. The stories presented here aren’t a roadmap. What they do is acknowledge failure as a part of the knowledge base of the DevSecOps Community.
This is the first in a series of books tracking changes and discoveries within the DevSecOps Community. The stories are by people who have been sloshing around in the swamps of software development for years, figuring out how things work, and most importantly, why things didn’t work.
Chris Roberts starts us off with how the industry as a whole has failed us when it comes to software security. DJ Schleen, Edwin Kwan, Aubrey Stearn, Fabian Lim and Stefan Streichsbier provide a practitioner’s view of being up to their waists in the muck of an epic failure. Caroline Wong and Chetan Conikee bring another view, peering into the murky waters of DevSecOps from a management perspective.
Each chapter follows a specific format:
· Overview, what were you trying to accomplish
· What went wrong, how bad was it
· How did the team try to resolve the issue
· What was the final outcome
· What were the lessons learned
Following this type of format, we should be able to create a series of stories, surfacing patterns we as a community can use to safely push the boundaries of software development.
The DevSecOps Community is still in its formative stages. There are some, like Shannon Lietz, the Godmother of DevSecOps, who have been working on the concepts of DevSecOps for years. She and the team at DevSecOps.com have provided us with a manifesto for DevSecOps that is the foundation for the mission and purpose of this community.
We include the DevSecOps Manifesto as the preface of this book so everyone can understand the determination and commitment needed to have security become an integral part of the software development process.
The days of stand-alone security teams isolated from the real process of development are coming to an end. Paraphrasing Caroline Wong, “Security needs to be invited to the party, not perceived as a goon standing at the front door denying admission”. With DevSecOps, security is now part of the team.
After reading these stories, we hope you will realize you are not alone in your journey. Not only are you not alone, there are early adopters who have gone before you, not exactly “hacking a trail through the swamp”, but at least marking the booby traps, putting flags next to the quick-sand pits and holding up a ‘Dragons be here’ sign at perilous cave openings.
On DevSecOpsDays.com, we’ll be expanding the ideas and concepts talked about in this book. We look forward to your participation in the community, whether as organizers of regional DevSecOps Days events, as article contributors to DevSecOpsDays.com or as an author of your own Epic Failure on your journey through DevSecOps.
What would your warning sign say? We ask you to join our journey as we continue to learn from your Epic Failures.
Founder and Editor in Chief, DevSecOpsDays.com
Co-Founder, All Day DevOps