
Sonatype Blog

Success Requires Reflection on DevSecOps Failures

August 23, 2019 By DJ Schleen

It was just over a year ago on an extremely hot and humid day in Singapore when a group of DevSecOps nomads gathered to share our stories at DevSecOps Days. We represented Australia, Jakarta, Singapore, and the United States. The more we listened to each other speak, the more we realized that the challenges we thought we were facing individually were, in reality, shared experiences.

Little did I know that these conversations would be fruitful and eventually become a book. The best compliment? “Finally, a book that doesn’t blow sunshine up my a$$”!

As I would discover, the process of crafting a book shares parallels with a shift to DevSecOps.

Accidental Discoveries

After the microphones were turned off and the lights fell, we all headed out for a celebratory drink and got to know each other. Even though the views from the top of the Marina Bay Sands Hotel were truly epic, we decided to head to Chinatown for dinner. We explored some of the best street food Singapore has to offer, and the best we’d ever eaten.

We sat down at a picnic table where our other friends were eating some amazing-looking Chinese cuisine. It was there that Stefan Streichsbier, Edwin Kwan, Fabian Lim, and I continued our discussion of how challenging it was to start down the road of DevSecOps adoption. We shared many horror stories. We had all experienced some massively epic failures. Epic Failures of DevSecOps.

I can’t recall exactly which one of us mentioned that we should write a book about our experiences, but I clearly remember Sonatype’s Mark Miller coming over to us after overhearing our conversation and quickly saying, “I can make that happen.”

...and he sure did.

Herding Cats and Crowdsourcing

There are so many books on how to succeed, but none about the major challenges and headaches that will ultimately occur when beginning a DevSecOps journey. This made writing the book an unforgettable experience.

The project started on August 3, 2018, when Mark created a Slack channel for us to collaborate in. Then he brought in more authors: Aubrey Stern, Chetan Conikee, Caroline Wong, and Chris Roberts. We now had eight authors in seven time zones, each with a different area of expertise, from countries around the world. The amazing thing was that we were all going through the same challenges in our organizations, no matter where we were in the world! It showed that DevSecOps was, and still is, being adopted everywhere. Security is increasingly a priority for software developed today: it isn’t added at the end but baked in from the beginning.

By the time August 24th came around, we all had our outlines and first chapter drafts done. Promotion of the book and chapter revision began with vigor. Like any DevSecOps project, we had to collaborate, give our best, and lean on different people’s skillsets to really produce something valuable. When the first week of September came, we opened up the process further. We put out a call for volunteer proofreaders and were amazed at how many people volunteered for the effort, and at their enthusiasm. These individuals made our writing even stronger with their comments, grammatical corrections, and questions.

It was quite an experience to see people I didn't even know from across the world commenting on my chapter, correcting my grammar, and informing me that I wasn't explaining certain aspects of the toolsets and processes I was describing very well. Sometimes it was humbling, but that’s part of the process.

At last, the finished book made its debut!

The Rewards of Humility

It's hard to believe how successful the book has become. Many people have come up to me and told me how much they've enjoyed it. As I travel from city to city around the world speaking about adopting DevSecOps practices, I see that the book struck a chord. Why? I think it’s because, like many things, what looks easy “on paper” can be surprisingly challenging to implement in real life. It’s important to be honest about that, because it helps all of us improve our skills and refine our approach. DevSecOps is a work in progress.

So, when your DevSecOps project or transition feels frustrating, or impossible, know that this is part of the process, too. Lessons you learn will be yours to keep. They will also be yours to share!

Failure is Inevitable

It was an honor being a co-author of this reference material. We fail fast, fail often, and learn on a daily basis. If we weren’t challenged and didn't learn, our jobs and our work would be extremely boring.

So stay tuned for more stories of failure because this was only Volume One. Maybe I'll suggest we collaborate on the next volume, a book called “Epic Disasters of DevSecOps”.

Maybe you can share your stories…tweet me yours at @djschleen.


Tags: DevOps Culture, devsecops, maturity model, featured, DevSecOps Maturity model, Post security/devsecops, DevSecOps best practices

Written by DJ Schleen

DevSecOps Advocate