Sharing horror stories is part of DevOps culture. Who doesn’t like reliving an epic fail? Ideally one that didn’t cost you a job or threaten the survival of the company.
While sharing a beer and some war stories, Edwin Kwan, Stefan Streichsbier and DJ Schleen decided there should be a way to share this knowledge with the larger community. So now there’s an entire book dedicated to them. The 180-page publication from Sonatype is titled “Epic Failures in DevSecOps.” Over eight chapters, a host of experts share what they were trying to accomplish, what went wrong, how they tried to resolve it, and the final outcome and lessons learned. You can download the book, free with email registration, here.
In chapter three, “The Problem with Success,” Schleen, currently a DevSecOps evangelist and architect at a large healthcare organization, shares a tale that may sound familiar. While implementing four security tools in the DevOps pipeline, he ran into a problem with staggering scan queues.
“While trying to understand why scans were taking so long, we decided to take a deeper look at the source code to determine what was happening. What we uncovered was that our DevOps teams were not only scanning the code they were building themselves, but were also scanning all of the open-source software components that their application required…As third-party open source components go, many of them have quite a few vulnerabilities and some even critical. Scanning these unnecessary libraries resulted in higher defect densities and the additional volume of source code was responsible for clogging our engines.” Schleen attributes the failure to a lack of planning for scale, and to not telling delivery teams what they actually needed to scan.
“We got the culture and the technique right but missed the mark with the tools,” he concludes. Other stories in the book touch on open-source tech including Node.js, Postman and BDD-Security.
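The scoping mistake Schleen describes, as an added example that is not from the book or this article: a Python script that builds a small constructed repository (first-party source plus vendored node_modules and vendor trees), runs a three-rule regex stand-in for a SAST engine over it, and compares the numbers with and without pruning the vendored directories. The directory names, file contents, rules and finding counts are all assumptions for illustration; in a real pipeline the exclusion list would be passed to the scanner's own exclude option, and the third-party components would be left to software-composition analysis of the manifest and lockfile.

```python
"""Scope a static-analysis scan to first-party code.

Added example, not from "Epic Failures in DevSecOps" or the article that
summarizes it. Everything below (paths, file contents, the toy rules) is
constructed; the point is the before/after comparison, not the rules.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: directories with these names hold components a package manager
# fetched. They belong to SCA on the lockfile, not to line-level SAST.
DEFAULT_EXCLUDES = frozenset({"node_modules", "vendor", "third_party", "dist", ".git"})
SOURCE_SUFFIXES = frozenset({".py", ".js"})

# Stand-in for a real SAST engine: three regex rules that flag risky calls.
TOY_RULES = {
    "dynamic-eval": re.compile(r"\beval\("),
    "shell-true": re.compile(r"shell\s*=\s*True"),
    "weak-hash": re.compile(r"\bmd5\("),
}

# Constructed repository layout. The vendored trees are deliberately bulky
# and full of patterns a rule set will flag, as the chapter describes.
SAMPLE_FILES = {
    "src/app.py": "import hashlib\n\ndef token(seed):\n    return hashlib.md5(seed).hexdigest()\n",
    "src/auth.py": "def check(pw, stored):\n    return pw == stored\n",
    "tests/test_app.py": "def test_token():\n    assert True\n",
    "node_modules/minifier/index.js": "function run(s){return eval(s);}\n" * 200,
    "vendor/helpers/shellwrap.py": (
        "import subprocess\ndef sh(c):\n    return subprocess.run(c, shell=True)\n" * 100
    ),
}


def build_sample_repo(root):
    """Write the constructed files under root and return root."""
    for rel, text in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def scan_scope(root, excludes=frozenset()):
    """Return the source files a scan would read.

    Excluded directories are pruned from os.walk before descent, so the
    scanner never opens a file inside them (this is what an exclude option
    on a real scanner does, and why it shortens the queue).
    """
    scoped = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in excludes)
        for name in filenames:
            if Path(name).suffix in SOURCE_SUFFIXES:
                scoped.append(Path(dirpath) / name)
    return sorted(scoped)


def toy_sast(files):
    """Count lines and rule hits; report findings per thousand lines (KLOC)."""
    loc = 0
    findings = 0
    for path in files:
        for line in path.read_text().splitlines():
            loc += 1
            if any(rule.search(line) for rule in TOY_RULES.values()):
                findings += 1
    density = round(1000.0 * findings / loc, 1) if loc else 0.0
    return {"files": len(files), "loc": loc, "findings": findings, "per_kloc": density}


def compare(root):
    """Same repository, scanned unscoped and then with vendored trees pruned."""
    return {
        "unscoped": toy_sast(scan_scope(root)),
        "scoped": toy_sast(scan_scope(root, DEFAULT_EXCLUDES)),
    }


def demo():
    """Build the constructed repo in a temp dir and return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:>9}: {result}")
```

On the constructed tree the unscoped run reads five files and 508 lines and reports 301 findings (about 592 per KLOC), almost all of them in code the team does not own and cannot fix; pruning the vendored directories leaves three files, eight lines and one finding, which is the only one worth a developer's time.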
I just read with great interest Edwin Kwan’s (@edkwan) chapter on his experience with #ThreatModeling in the new book on “Epic Failures in DevSecOps, Volume 1”. I really like the perspective of looking at automation, getting feedback, and focusing on security issues that matter. https://t.co/1Hi1saWC3E
— Robert Hurlbut (@roberthurlbut) January 9, 2019
The book is clearly meant to be part therapeutic, part warning. “The stories presented here are not a roadmap. What they do is acknowledge failure as a part of the knowledge base of the DevSecOps Community,” says the book’s editor Mark Miller. This is only the first volume in a series: Miller invites readers to share their own horror stories for the next one.
Check out the full book here.