<\/p>\r\n
However…that isn’t actually true<\/strong>. And despite the storied past of speed and stability being enemies, enterprise IT is starting to understand:<\/p>\r\n …speed depends on stability, so good IT practices give you both.<\/em> We recently gave a talk about Kubernetes security, and the section our audience found most interesting – and the section that\u00a0we<\/em> found most interesting, after arguing about it a little bit – was a section addressing this very thing. We thought it would be good to distill that section into a blog post explaining our thinking about AppDev speed, agility, and security.<\/p>\r\n Security threats to enterprises via their applications are real, and there are a few likely enterprise responses. Ideally, they respond to threats in ways that help everyone see that not only is security is helpful<\/em> and not the enemy of innovation and delivery speed – but actually, security helps to\u00a0enable<\/em> innovation and delivery speed.<\/p>\r\n \u201cWe\u2019ll just ignore that there are<\/strong> security threats.\u201d<\/p>\r\n Speed in the moment: highest This approach is all too common, especially in overloaded teams with no room to think or even breathe. They can’t get their heads up above the water level long enough to see what’s coming at them – so they have to prioritize and that means ignoring security threats.\u00a0<\/p>\r\n Hopefully these teams can prioritize the actual worst threats – but it’s hard to prioritize if you don’t have time to think.<\/em><\/p>\r\n \u201cWe\u2019re afraid of everything – too afraid to make a plan. So…can you go through all of your code, line by line, and report back that there are no security issues (or other illogical, unhelpful things)?\u201d<\/p>\r\n Speed in the moment: lowest This is the other side of ignoring threats – assuming that\u00a0everything<\/strong> is a threat, and therefore trying to pay attention to…everything<\/strong>.\u00a0<\/em>Again, this tends to come from a complete lack of the ability to prioritize, which is how everything becomes the most important problem<\/em>.\u00a0<\/em>When everything is important, nothing<\/strong> is important – except you have much higher mental and emotional load from the panic.<\/p>\r\n When everything is important, nothing<\/strong> is important – except you have much higher mental and emotional load from the panic.<\/p>\r\n<\/blockquote>\r\n (And…as much as we wish it were an exaggeration, yes – some companies\u00a0do<\/strong> have multiple experts analyze every line of code for possible security issues. It’s massively expensive and no guarantee of safety – but they have to decide if it makes sense for them. Also that’s far from the goofiest security thing that’s been discussed on the internet – here are some examples<\/a>, and some more examples<\/a>.)<\/p>\r\n\r\n \u201cWe acknowledge that threats exist, and we\u2019ve made the best plan we can for proactively addressing them – and we trust that we can adapt that plan if we need to. We just\u2026 do security, built into our processes.\u201d<\/p>\r\n Speed in the moment: medium to high, especially with automation And then there’s this option – security woven into all aspects of the application development and deployment life cycle, and done with reasonable asks and enough trust that if a catastrophe occurs,\u00a0it’ll be okay<\/em>.\u00a0<\/p>\r\n …we like this one the best. Probably you guessed that.<\/p>\r\n\r\n Like so many other things in transforming organizations, successfully building an agile, high-trust environment requires clear communication<\/strong> – of advantages and goals, and also of risks and challenges.<\/p>\r\n App Dev and Architecture teams often have their own history, vocab, and understanding about the process of producing quality software. IT Security\/Data Security teams often also<\/em> have their own history, vocab, and understanding about the process of creating and running secure software. Bridging these gaps and working together<\/em> – usually with a lot of up-front clarity, and hopefully with shared goals from leadership – goes a long way toward building the successful, trusting, agile culture that fast application delivery requires.\u00a0<\/p>\r\n","protected":false},"excerpt":{"rendered":" Time to Go Fast We work with a lot of people who are implementing Continuous Delivery. We see that when various bumps and boulders get out of the way of delivering software stably and rapidly, there’s a strong push to go very very fast. When this happens, there are often barricades put up in the … <\/p>\n\r\n
– Martin Fowler, foreward to Accelerate<\/a><\/p>\r\n<\/blockquote>\r\nSpeed and Security are Allies<\/em><\/h2>\r\n
Possible Responses to Threats<\/h2>\r\n
Possible Response #1: Cover Your Eyes, Pretend it’s Not There<\/h3>\r\n
\r\n
Likelihood of catastrophes: very high\u00a0
Pain\/interruption of daily process: medium, varies with awareness of reality
Overall speed: slow<\/strong><\/p>\r\n<\/blockquote>\r\nPossible Response #2: Everything is a Threat<\/h3>\r\n
\r\n
Likelihood of catastrophes: highest – not only ineffective, but gives a false sense of \u201csecurity\u201d
Pain\/interruption of daily process: highest
Overall: slowest and most painful<\/strong><\/p>\r\n<\/blockquote>\r\n\r\n\r\n
Possible Response #3: Open-Eyes, Reasonable Priorities, Brain Space to Address Things, and Trust that Recovery is Possible<\/h3>\r\n\r\n
\r\n
Likelihood of catastrophes: lowest
Pain\/interruption of daily process: low
Overall: fastest!<\/strong><\/p>\r\n<\/blockquote>\r\nThe Importance of Clarity: Application Development\/Infrastructure\/Security Communication<\/h2>\r\n
![\"\"](\"https:\/\/lh3.googleusercontent.com\/HJ_dadNR4-d6ntsSglUx55Y5uSmOohnHzOVj705nwrqkIa7OVfvI-vSdPO4hRVDkqIFVuenYobUmbBF-ME1NwG5Vl2TCToNlWWxbkoat77ZsgK1FNhh8AK9xE3dSOt1BVxVaENvHvlY\")
![\"\"](\"https:\/\/lh5.googleusercontent.com\/V1vSp0-RWJTipZXb3GspJ62PcwO6H9gUhIQDF3EhLHlFxbs0jy3QHV1iXnTy9Zw3WNUwoz0lCYPt1DWTfo2GS6pYA8DWenCJLSX0ASCf3f-GyD8R49vKx-Z-BLqB7wpavmbg9yX1ObY\")
![\"\"](\"https:\/\/lh5.googleusercontent.com\/_lW_bE2LnsMbrTbXerXrTbR6-SqaGR_d74IiTKpDCd0wNOylke8uKTfR2dN9Dp8MHVAUw38AQeK20coCqz3-elxZ8wOylsfZV55-q9-qa04iRwFpKtr5ESE4t5g-ks1Xi3R-y5MU6SA\")