I get what the whole DevSecOps movement is trying to accomplish. I really do.
Because they’re right:
The “traditional” approach to security is well and truly broken. We have proof of this every day from the trenches, let alone the headlines.
And so, we need to “Shift left!”
“Shift left…shift left…shift left…”
It’s a mantra. A call to arms.
But doesn’t it kinda remind you of a zombie movie? Here, let’s add the sound effects:
“Uhgggnnnngg….shift…left….nnnnnnnnggggg….shift…left”
No?
Like I said: I agree with the general idea.
But what I don’t agree with are the ways it’s been put into practice.
Back towards the end of last year, I did a talk at the annual COSAC security conference and the official SABSA World Congress in Ireland. And that talk was about how you can apply SABSA in an agile manner.
Now, this isn’t just theory. I’ve done it, both internally here in Archistry, and with some of our customers and coaching clients—if they’re ready.
But here’s the first thing wrong with it: DevSecOps talks about “distributing security decisions at speed and scale to those who hold the highest level of context.”
Which is…interesting…and pragmatic if you have a pretty traditional view of security as the “release police” who just hold things up because they try to retroactively apply policies nobody bothered to read…
…and the project grinds to a halt.
So, sure. We need to fix that.
And we need all the tooling support we can get to make sure correct and relevant policies are supported and implemented.
But even real waterfall has a set of feedback loops. Nobody cares about real waterfall, though. Fake waterfall has become as entrenched in our minds as the fake news on TV and the interwebs.
But just because it’s popular doesn’t mean it’s right.
Now, this may seem like I’m bashing DevSecOps, and…in fairness, that might be true a little bit. But I want to be quite clear that what I’m bashing isn’t most of it. I just think it needs a bit more around the edges to keep it focused and be even more effective.
Enter the next issue of Archistry’s new paid newsletter, Security Sanity™. The August issue will go to the printer on the 31st of July to do its part in destroying the environment by using real paper, and being actually physically shipped to your door instead of destroying the environment by consuming computer resources for it to be hosted, accessed and downloaded.
And it will be talking about what I believe truly Agile Security is all about, and how we can leverage the good of what we know – including DevSecOps – and do an even better job of making sure that those billion deployments per day actually are based on security decisions that align with the business and fuel metrics reported to the board to confirm that fact.
And TODAY is the official launch of the newsletter. Once the content goes to the printer, then that’s it. You’ll have missed it.
Now, you may have seen the email I sent earlier today to the “inner circle” of existing mailing list subscribers, which included the inaugural issue as a PDF download. That issue is also available immediately to new subscribers of the list on the new front door of the Archistry website.
So you can have some idea of the depth and quality of what you can expect from the August issue.
Mind you, I won’t be able to cover everything in 10 to 20 pages. The point is practical steps, not theory, so I suspect that the subject will feature in a future edition as well. I just don’t know when.
Therefore, the clock has officially started ticking to subscribe before the end of the month.
It’s not cheap. But if you think about it $97/month is less than $4/day, and I don’t think you’ll find anything quite like this serving our community anywhere else—and certainly not from my perspective and experience.
Now for you, that might be a good thing, or it might be a bad thing. You’ll just have to decide.
I’m ok either way, because this newsletter is intended for OPERATORS. And by “operators” I mean people with the influence, leverage and fortitude to actually get things done…to change their teams for the better of the whole organization.
If that’s you, then head on over to this shiny new link armed with ye olde credit card to sign up:
And if you’ve somehow missed the download of the sample issue and you’re already on the list, then just shoot me an email, and I’ll sort you out.
Oh, and…with this, there’s no guarantee, and all sales are final. Of course you can cancel at any time if you decide it’s not working for you or they’re just stacking up on your desk and not getting put to use.
It’s up to you.
There are also a couple of perks for subscribing, and I have something big planned in the pipeline for the near future. But it’ll only be available to subscribers to the newsletter. Ever.
Here’s the link again:
And I’m looking forward to seeing you on the other side.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry altogether. I’m good either way.