<h1>DevOps Explained Graphically</h1>
<p>Kate Pearce (Catherine Pearce), <a href="http://www.secvalve.com/DevOps-1/">secvalve.com</a>, 2014-03-26</p>
<p><em>First post - I’ll get better, I promise!</em></p>
<p>I started out writing about DevSecOps, and came up with a tl;dr diagrammatic description of what DevOps is. So, here it is on its own:</p>
<p><em>DevOps isn’t about technology, it’s about ownership and responsibility. While DevOps is usually enabled and implemented via good technology, <strong>if you think it’s about technology you’re missing the point!</strong></em></p>
<p><strong>DevOps is culture/management, not technology.</strong></p>
<ul>
<li>DevOps is <a href="https://en.wikipedia.org/wiki/Vertical_integration">Vertical Integration</a> of Technology Systems.
<ul>
<li>We don’t separate responsibilities across time (development, test/QA, production)</li>
<li>We don’t separate responsibilities by tech stack layer (infrastructure, OS, platform, application)</li>
</ul>
</li>
</ul>
<hr />
<h1 id="in-pictures-devops-the-union-of-development-and-operations">In Pictures: DevOps, The Union of Development and Operations.</h1>
<h2 id="first-there-was-a-stack">First, there was a stack</h2>
<p>Most technologies are built or running on other technologies, themselves built or running on other technologies.</p>
<p><img src="../images/stack_simplified.png" alt="Simplified Software Stack - Infrastructure + OS + Virtual hardware + App Platform + Application" /></p>
<h2 id="next-specialization-divides-up-the-pie">Next, specialization divides up the pie</h2>
<p>Most companies like to split out the responsibilities for these layers to different specialized people or parts of the company.</p>
<p>For instance,</p>
<ul>
<li>Information technology (IT) runs the hardware and supplies the operating systems (OS),</li>
<li>database administrators (DBAs) run the databases, and</li>
<li>systems administrators (sysadmins) configure and run the OS infrastructure.</li>
</ul>
<p>Finally, developers do their thing with the application.</p>
<p><img src="../images/stack_simplified_responsibilities.png" alt="Simplified Stack With Responsibilities split between IT, Sysadmins, DBAs, and Developers" /></p>
<h2 id="life-cycle-maturity-phases">Life cycle Maturity Phases</h2>
<p>Life cycles and Pipelines Gonna Flow</p>
<p>So, put the stack aside for now because we have another dimension to think about: <strong>Time</strong>.</p>
<p>Many systems are developed and operated in a linear pipeline or development process. First they are in a “development” state, then they move to a “test/QA” state, and finally to a “production” state.</p>
<p>A component can be in each of these states, and often owned by different people and operated in separate environments depending on the state it is in.</p>
<p><img src="../images/pipeline_simplified.png" alt="Simplified pipeline: development, test/QA, and production states" /></p>
<p>Note the colors indicating the life cycle state, they’ll be important in a moment.</p>
<h2 id="there-be-dragons---but-theyre-not-my-responsibility">There be dragons - But they’re not my responsibility!</h2>
<p>Specialization/Separation up and down the stack, combined with Specialization/Separation across the deployment/operations states gives you this:</p>
<p><img src="../images/stack_doom_responsibilities.png" alt="Stack layers across a life cycle gives all sorts of weird combinations" /></p>
<p>Who owns and is responsible for each thing at each time? Good luck figuring that out without a <a href="https://en.wikipedia.org/wiki/Responsibility_assignment_matrix">RACI</a>.</p>
<h2 id="devops-to-the-rescue">Devops to the rescue?</h2>
<p>Devops simply gives the whole thing to the same team, in both dimensions.</p>
<p><img src="../images/stack_responsibilities_devops.png" alt="Devops gives responsibilities over time and over stack layers to the same team" /></p>
<ul>
<li><em>Who is responsible for X?</em> - <strong>Developers</strong></li>
<li><em>Who is blocking it because of Y?</em> - <strong>Developers</strong></li>
<li><em>Who decides to take risks around Z?</em> - <strong>Developers</strong></li>
</ul>
<p>Developers, Developers, Developers. <a href="https://www.youtube.com/watch?v=Vhh_GeBPOhs">Steve Ballmer would be proud!</a></p>
<hr />
<h2 id="a-couple-of-devops-readings">A Couple of Devops Readings:</h2>
<ul>
<li><a href="http://conferences.computer.org/stc/2013/papers/0001a071.pdf">Why Everyone Needs DevOps Now: My Fourteen Year Journey Studying High Performing IT Organizations</a> - Gene Kim</li>
<li><a href="http://cdn.oreillystatic.com/en/assets/1/event/80/Automation%20and%20DevOps%20Best%20Practices%20Presentation.pdf">Automation and DevOps Best Practices</a> - Rob Hirschfeld, Dell &amp; Matt Ray, Opscode</li>
</ul>
<h2 id="prologue-musings-is-specialization-an-antipattern">Epilogue musings: Is specialization an antipattern?</h2>
<p><em>No specific claims here, just leaving some thoughts - feel free to <a href="https://twitter.com/secvalve">discuss with me on twitter</a>.</em></p>
<p>While writing this, thinking of DevSecOps, and discussing with a friend, it occurred to me that specialization might itself be an antipattern in many situations. After all,</p>
<ul>
<li>It’s not common to have dedicated experts in UX, performance, or accessibility, so why is it so common to have a security person?</li>
<li>The aim is to manage the emergent property (usability, performance, accessibility, security); you don’t care how it gets there.</li>
</ul>
<p>Specialization has positives and negatives:</p>
<ul>
<li>Pluses: specialists tend to be better at the specific thing, and have a more specific responsibility that is theoretically less open to conflict of interest.</li>
<li>Minuses: specialists may not be useful to the team outside of their specific expertise, and can be somewhat unconcerned with the holistic interest of the whole system over the whole life cycle.</li>
</ul>
<hr />
<p>Kate P, 2014-03-26</p>