The documented process is bullsh*t, a thread.

@fsmontenegro mentioning DevSecOps reminded me of every time a developer went, "yeah... well... if that's how you want to think about a pipeline, sure" before assuring me we were secure and shifting left.

(1/7) cc @fsmontenegro https://twitter.com/fsmontenegro/status/1344143188840345602
We have clearly delineated steps along the textbook DevOps process. And the common understanding is code follows this path. Cool, cool.

Plan > Code > Test > Release > Deploy > Operate > Monitor

(2/7)
In design thinking, we also have clearly delineated steps. The textbook approach is ideas flow nicely along to finished well-crafted products. Cool, cool.

Empathy > Define > Ideate > Prototype > Test

(3/7) https://twitter.com/jwgoerlich/status/1344083657405984773?s=20
Our InfoSec mind loves tidy boxes. We can take any step. Optimize the box. If we’re feeling fancy about it, wrap metrics for input/output. Put the boxes back together. Engineer the overall process.

We can add security at any step, or every step, to protect the output.

(4/7)
It’s tidy… until we actually try to engineer, optimize, or secure. It’s at that point we realize. The devs were just simplifying DevOps when explaining it to us. The product designers were just simplifying design thinking when explaining it to us. Creativity is messy.

(5/7)
"Don't mistake the galaxy for a watermelon."

Old-timer Midwesterner advice. Sure, stars are strewn across the night sky like seeds strewn in a watermelon. It’s a delightful metaphor. It makes us smile. But don’t use it to build a spaceship.

(6/7)
Process models are an analog for helping laypeople understand the process. DevOps or design thinking, both tasty watermelons. Practitioners drop explicit models for an intuitive process.

The process is bullsh*t. It's a convenience for us, non-experts. Start security here.

(7/7)
You can follow @jwgoerlich.