DevOps and Security: The Five Monkeys
A group of scientists placed five monkeys in a cage, and in the middle, a ladder with bananas on top.
Every time a monkey went up the ladder, the scientists soaked the rest of the monkeys with cold water.
After a while, every time a monkey would start up the ladder, the others would pull it down and beat it up.
After a time, no monkey would dare try climbing the ladder, no matter how great the temptation.
The scientists then decided to replace one of the monkeys. The first thing this new monkey did was start to climb the ladder. Immediately, the others pulled him down and beat him up.
After several beatings, the new monkey learned never to go up the ladder, even though there was no evident reason not to, aside from the beatings.
A second monkey was then replaced, and the same thing happened, with the first replacement monkey joining in the beating of the second. A third monkey was replaced with the same result, then a fourth, and finally the fifth.
What was left was a group of five monkeys that – without ever having received a cold shower – continued to beat up any monkey who attempted to climb the ladder.
The most damaging phrase in the language is: “It’s always been done that way.”
- “We’ve always done it this way”. “Why?”.
- “We can’t do that, it’ll slow us down”. “Why?”.
- “This checklist item is non-negotiable”. “Why?”.
“Why?” is not an accusation or a challenge. To solve the difficult problems we as an industry face in integrating security into DevOps, there is no room for ego on either side. The people I’ve talked to who have had the most success aligning their DevOps initiatives with security needs encourage each other to ask “Why?”. Keep in mind that this is not a one-way conversation: some security requirements no longer make sense with modern workflows and infrastructure, but adopting DevOps does not mean throwing caution to the wind either. Let’s all work together and ask “Why?” more often.