I had the opportunity tonight to sit down with a coworker I hadn’t seen in about a year and a half. Since we last saw each other we’ve both been on fairly different journeys in our work lives. He just delivered a project that he designed and architected into production — an enterprise-strength solution for authentication and identity assurance that, to be honest, I never thought was even possible.

Myself… Well I’ve gone the way of the “DevOps” bird.

Let's be Realistic

Sometimes I think that I have such an idealistic view of how infrastructure and applications should be deployed into production that I miss what happens in the real world and the reality that casts a shadow on it as it passes me by. You see, the product he’s been working on really has the ability to change the way our organization handles authentication and identity in general. I was intrigued.

We proceeded to have a deep discussion about the challenges both he and his team faced as they rolled the product out into production. The solution was deployed onto a virtualized environment — a traditional ecosystem that consists of multiple virtual machines and massive amounts of hardware. Issues were percolating into view though… Memory usage was slowly creeping upwards and local resources were becoming starved. Performance slowly became an issue, and reality was starting to sink in. The application was only in limited release.

I asked him what the underlying design was. What operating system was it running on? What language was it written in? What database did it use? What was the base operating system? Then I asked him point blank, trying not to be a jerk about it: “When was the last time you needed a Bluetooth driver to run a web service?” As he laughed, he mentioned that he designed and architected the solution with the vision that it could be containerized — but currently it was developed and deployed on the kind of infrastructure that once powered Web 1.0. It was just what was available to use. Scalable, elastic, virtual infrastructure? Not really an option at the time.

I believe that there is a plethora of reasons for this. Organizations have made significant investments in technical infrastructure and technologies. One can’t really just change this overnight. Even more troubling is that the underlying problem may be that technology advances faster than organizations can purchase and provision infrastructure without blowing their budgets. In my opinion though, this method of operating introduces major financial and technical risk and contributes to the acquisition of unnecessary technical and infrastructure debt.

We all know what the solution is here. It’s elastic, virtual, disposable, quickly hydratable, and scalable virtual infrastructure. It’s the cloud. It’s containerization. It’s pay as you “grow”. Unfortunately this approach is usually thought of after a product has been delivered. It’s not the first solution to problems, but ultimately it becomes the final destination.

The Solution is in All of Us

As evangelists of DevOps and DevSecOps we owe it to our stakeholders to explain and simplify viable solutions for the organizations we represent. If we reduce the size of a runtime we conserve resources. More importantly — at least from a security perspective — when we reduce the footprint of an application we ultimately reduce our attack surface. When we deploy containers rapidly to production our teams have the ability to react in a more agile fashion. Introduce a bug? Good on ya — you can wear a tie to the office tomorrow — but fix the build and ship it in the next ten minutes, ok?
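To make the “smaller runtime, smaller attack surface” point concrete, here is an added example (not from the post, and not the coworker’s actual solution): a multi-stage Dockerfile for a hypothetical Go web service named authsvc, assumed to live under ./cmd/authsvc. The default target is a distroless image that carries the binary, CA certificates and a non-root user, and nothing else: no shell, no package manager, no kernel modules or drivers. A second, optional target builds the same binary on top of a full Ubuntu userland so the two footprints can be compared side by side.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the original post. Assumes a Go module whose
# main package is at ./cmd/authsvc; the service name "authsvc" is hypothetical.

# --- Stage 1: build --------------------------------------------------------
FROM golang:1.22-alpine AS build
WORKDIR /src
# Copy module files first so the dependency download layer is cached
# independently of source changes.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Fully static binary: no libc, no dynamic loader, so the only thing left to
# patch at runtime is the binary itself. -trimpath and -s -w strip build
# paths and symbol tables that an attacker would otherwise learn from.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/authsvc ./cmd/authsvc

# --- Optional target: the "Web 1.0" way, kept only for size comparison -----
# Build it explicitly with:  docker build --target full -t authsvc:full .
FROM ubuntu:22.04 AS full
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=build /out/authsvc /usr/local/bin/authsvc
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/authsvc"]

# --- Stage 2 (default target): minimal runtime -----------------------------
# distroless/static ships CA certs, tzdata and an /etc/passwd with a
# "nonroot" user (uid 65532), and nothing else.
FROM gcr.io/distroless/static-debian12:nonroot AS runtime
COPY --from=build --chown=65532:65532 /out/authsvc /authsvc
USER 65532:65532
EXPOSE 8080
ENTRYPOINT ["/authsvc"]
```

Build the default target with `docker build -t authsvc:min .` and the comparison target with `docker build --target full -t authsvc:full .`, then `docker image ls authsvc` shows the difference in size, which is a rough proxy for the difference in what needs patching and what an intruder could use once inside. The runtime image has no shell, so `docker exec` debugging does not work against it; that is the point, and it pairs well with running the container under `--read-only --cap-drop ALL`.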

Let’s get back to my coworker.

When we caught up on what we had been up to in the past few months we began to see solutions. I saw an opportunity to breathe agility and additional security (yes — I just put those two words together) into his solution. He saw the opportunity to learn new ways of doing things. A concrete way where we can use information to understand our product, our flow, and the stages and gates our solutions pass through on their way to our consumers. Ego and fiefdoms? Whatever. Let’s just do some cool sh*t together.

Think about it… It doesn’t matter if we are part of a security team, a developer, a tester, or have an operational role where we deploy solutions into production environments. We are all part of enterprises that sometimes surround our ideas with barbed wire fences. This is where we all have to have a serious conversation with our executives and stakeholders — and each other — about where the risk really lies.

Break free, lead with the explanation of your ideas and…

Turn your vision into DevSecOps solutions.