A Language to Speak Dev[Sec]Ops
April 23, 2020

Chetan Conikee
ShiftLeft

From SecOps to DevSecOps and SecDevOps, there seems to be an unending stream of new buzzwords in systems technology. With all this jargon, increasingly stories can read more like inside baseball rather than an intentional strategy.

To understand insertion of "Security" into "‘DevOps", we need to reminisce about the origins of term "DevOps". Fredric Paul of New Relic did a phenomenal job of mapping events leading to the inception of this popular term.

To appreciate DevOps, we need to deconstruct the language structure used by it's practitioners. In order to do this let's briefly detour to Denis Villeneuve's sci-fi space-encounter movie called Arrival where the primary protagonist is a linguistics professor who goes by the name Dr. Banks.

The four important concepts from linguistics that help Dr. Banks decode the language of heptapods (aka the alien ship) are

1. Discreteness
It might seem that the most important question to focus on when trying to analyze an unknown language is "what does this mean?" For a linguist, however, the most important question is "what are the units?" This is not because meaning is not useful, but because, while you can have meaning without language, you cannot have language without units.

2. The Swadesh List
A good field linguist knows you can't just jump to abstract concepts like purpose without establishing the basics first.
But what are the basics? A list of basic concepts first put together in the 1950s by linguist Morris Swadesh.
They include concepts like I and you, one and many, as well as objects and actions in the observable world like person, blood, fire, eat, sleep, and walk.

3. Minimal Pairs
A minimal pair is a pair of words that differ in meaning because one sound has changed. The existence of a minimal pair shows that the differing sound is a crucial element of the language's structure.

4. The Sapir-Whorf Hypothesis
Most simply explained as the idea that the language you speak influences the way you think. This idea is controversial, since it has been demonstrated that languages do not restrict or constrain what people are able to perceive.

In order to rationalize these concepts from a systems engineering standpoint, we would need to pay homage to the linguists of "DevOps".

1993 — Yukihiro "Matz" creates Ruby

Ruby was born in 1993, conceived in a discussion between Yukihiro Matsumoto ("Matz") and a colleague. They were discussing the possibility of an object-oriented scripting-language. Matz stated in ruby-talk:00382 that he knew Perl, but did not like it very much; that it had the smell of a "toy" language. He also discussed that he knew Python, but didn't like it because it wasn't a true object-oriented programming language. Having looked around and not found a language suited for him, Yukihiro Matsumoto decided to create his own. After spending several months writing an interpreter, Matz finally published the first public version of Ruby (0.95) to various Japanese domestic newsgroups in December, 1995

2005 — Luke Kanies creates Puppet using Ruby

Google and Amazon have long used software that automatically configures swathe of machines driving their online services. But these tools were never available to the outside world.

In 2005, Luke Kanies set out to provide Google-like IT automation for the rest of us, founding an open source project he called Puppet.

2007 — Jesse Robbins creates Chef using Ruby

Two years later, he had some competition from the man once known as Amazon's "Master of Disaster." Jesse Robbins came by the name not because he broke things, but because he fixed them. He oversaw the operation of all Amazon websites. His new venture, Opscode, grew up around an open source project called Chef.

What is the Common Strand Between These Linguists?

"Matz" created Ruby, Luke (Puppet) and Jessie (Chef) used Ruby's meta-programming constructs to reason about systems, leading to inception of Puppet and Chef respectively.

Like Dr. banks, Luke and Jessie applied —

Discreteness to reason about creating and orchestrating system units (host, storage, network, compute), The Swadesh List and Minimal Pairs to create basic concepts (provision host with compute capacity, attach storage and then network to other hosts), and The Sapir-Whorf Hypothesis leading to formation, provisioning and de-provisioning of cloud networks.

DevOps teams that deploy software are also responsible for maintaining security by design. In practice, though, teams too often neglect security or paste it on at the last moment. Thus, the idea to build security in from the start — via a process known as Dev[Sec]Ops — was born.

As J. Wolfgang Goerlich, a cybersecurity strategist at Creative Breakthroughs Inc., states roughly one in four DevOps teams integrate and automate some level of security controls. "This integration is generally performing scans and checks against the static code, the application and the underlying environment composition."

But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. "That's not effective when DevOps is changing the code on a daily or even hourly basis," Goerlich said.

Effective Dev[Sec]Ops teams secure without slowing, and they add continuous security without exceeding the team's capacity to change, he said. "It's paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly."

Inserting Security in CI/CD is beginning to look more like a Rube Goldberg Machine


It's time for us to hit the reset button and approach security from a linguist standpoint. Learning from our devops predecessors, we need to create a simple language that influences each step in CI/CD without compromising its velocity.


How can we apply these concepts of linguistics to define security of an application?

We at ShiftLeft are attempting to define — Discreteness to reason about application security units (inputs, outputs, flows, data and open source used), The Swadesh List to create basic concepts (understand a flow from an input connected to one or more outputs, with data initialized in scope, using an open source library), Minimal Pairs to represent how a flow treats sensitive data and The Sapir-Whorf Hypothesis leading to define security from the perspective of connected application topology.

*Credits to Arika Okrent, linguist and author of In the Land of Invented Languages

Chetan Conikee is Founder and CTO of ShiftLeft
Share this

Industry News

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.

November 18, 2024

Elastic announced its AI ecosystem to help enterprise developers accelerate building and deploying their Retrieval Augmented Generation (RAG) applications.

Read the full news on APMdigest

November 18, 2024

Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes, as well as the technology preview of Red Hat OpenShift Lightspeed.

November 18, 2024

Traefik Labs announced API Sandbox as a Service to streamline and accelerate mock API development, and Traefik Proxy v3.2.