DevOps and Security: The Five Monkeys


August 31, 2015 | DevOps | Dustin Collins

August has been a busy month for me as the developer advocate at Conjur. I gave a talk at DevOpsDays Pittsburgh, organized the monthly Boston DevOps meetup and just got back from DevOpsDays Chicago. I have the opportunity to talk to a lot of people and learn about how they align DevOps and security. It’s a hard problem. Today I’d like to share with you a story about monkeys. It’s relevant, I promise. Read on.

The Five Monkeys story is a popular tale of a scientific experiment performed in the late 1960s. It goes like this:
A group of scientists placed five monkeys in a cage, and in the middle, a ladder with bananas on top.

Every time a monkey went up the ladder, the scientists soaked the rest of the monkeys with cold water.

After a while, every time a monkey would start up the ladder, the others would pull it down and beat it up.

After a time, no monkey would dare try climbing the ladder, no matter how great the temptation.

The scientists then decided to replace one of the monkeys. The first thing this new monkey did was start to climb the ladder. Immediately, the others pulled him down and beat him up.

After several beatings, the new monkey learned never to go up the ladder, even though there was no evident reason not to, aside from the beatings.

The second monkey was substituted and the same occurred. The first monkey participated in the beating of the second monkey. A third monkey was changed and the same was repeated. The fourth monkey was changed, resulting in the same, before the fifth was finally replaced as well.

What was left was a group of five monkeys that – without ever having received a cold shower – continued to beat up any monkey who attempted to climb the ladder.

Grace Hopper best sums up the outcome of the experiment in this quote:
The most damaging phrase in the language is: “It’s always been done that way.”
Here’s the funny thing about the experiment: it’s not true. Someone at some point took the research of G.R. Stephenson and added in the ladder and bananas to prove their point. But, does it matter if it’s true? No. The way this story has spread only proves its point: we tend to accept what people say at face value and don’t bother with due diligence. There are blog posts and conference talks about The Five Monkeys; it’s part of the conversation now. It has given itself meta-relevance.


What does this have to do with DevOps and security? It’s relevant because there are a lot of assumptions on either side of the DevOps + security conversation. Assumptions like “We have to do this to remain compliant” or “There is no way we can audit our chatbot the way you want”. Often these assumptions are baseless – we follow them because no one wants to be the one to ask “Why?”.


  • “We’ve always done it this way”. “Why?”.
  • “We can’t do that, it’ll slow us down”. “Why?”.
  • “This checklist item is non-negotiable”. “Why?”.


“Why?” is not an accusation or a challenge. To solve the difficult problems we as an industry face integrating security into DevOps, there is no room for ego on either side. The people I’ve talked to that have had most success aligning their DevOps initiatives with security needs encourage each other to ask “Why?”. Keep in mind that this is not a one-way conversation. Some security requirements don’t make sense any more with modern workflows and infrastructure. Adopting DevOps does not mean you should throw caution to the wind. Let’s all work together and ask “Why?” more often.




Keep up-to-date on security best practices, events and webinars.

Share This