DevSecOps is the Krav Maga of Security

I worked for Intuit for 18 months doing DevSecOps, and I’ve drawn many parallels between it and Krav Maga.  This post provides a comparative view of DevSecOps vs. Krav Maga.

OBJECTIVES

DevSecOps' main objective is to "ensure data security" versus Krav Maga's objective to "go home safe”.  Both approaches are adapted defense systems.  They both draw similarities in the mindset of protection and doing what is necessary to continuously master defending against attackers.

GOALS

The goal of DevSecOps is to bring individuals of all abilities to a high level of proficiency in security in a short period of time. Security is everyone's responsibility.  The goal of Krav Maga is to bring individuals of both genders and of all physical abilities to a high level of proficiency in self-defense in a short period of time. Everyone can complete the basic training in about 3 months.  Both disciplines quickly empower individuals with simple tools, and a low barrier to entry so that they can collectively achieve the objective.

PRINCIPALS & CHARACTERISTICS

Both DevSecOps and Krav Maga have a number of similar principals and characteristics which support the value provided by both:

POSITIONING

DevSecOps aims to move the organization to a better security posture. Each security flaw is carefully identified and is fixed one-at-a-time to close the most urgent security gaps.  DevSecOps identifies the most vulnerable concerns ahead of time and identifies how to avoid or move away from these bad positions.  Krav Maga teaches you to move from a physically bad position to a better position. If the fight ends up on the ground (bad position), get up on one's feet as soon as you can (better position).  Practice involves learning how to move from bad positions to better positions.

RUGGEDNESS

DevSecOps teaches ruggedness. One's code has to be able to withstand the criticism of others because no code is flawless. DevSecOps strives to provide constructive feedback quickly to stay ahead of attackers. One's infrastructure and code has to be able to be re-stacked quickly while ensuring data security and availability.  Krav Maga has stood up to many years of criticism and is still leveraged by many military training organizations today because of its effectiveness and ruggedness. It has been reviewed, and went through many iterations of modifications and adaptations while staying true to its principals.

DRILLS

DevSecOps is proud to have Red Team lead the way for finding vulnerabilities and exploiting them in software. It is the closest experience that mirrors actual attackers of a real live system with less risk. Red Team is a friendly engagement that acts as a fire-drill to prove that the system is indeed flawed and needs immediate fixing.  Krav Maga encourages a good training partner to apply techniques with a good amount of pressure to put the defender in an uncomfortable, but safe, position in order to bring the best and realistic training experiences to the defender. Stress & adrenaline drills help individuals deal with scenarios simulating real-life situations.

SITUATION AWARENESS

DevSecOps always requires logging. Every resource is logged, no exceptions. Because without logs, it is like flying blind. One has to know what is happening at all times in order to be in control.  Krav Maga emphasizes situational awareness as much as the fight. If one can escape the situation without fighting, do so and get home safe. But even when one is fighting, it is key to keep the surroundings in mind, because one may not be dealing with a single attacker. Always be on the look out for a way to exit.

CHAOS

DevSecOps expects chaos to occur. A major zero-day exploit such as GHOST or ShellShock happens quite randomly and will require a lot of effort and work to remediate. This can cause surprise chaos in the organization. A series of actions has to be planned immediately to react to it.  An organization that only practices for perfection will fail and be doomed when attackers realize this frailty.  Krav Maga accepts the fact that during a fight, moves are mostly random and unpredictable. Therefore, practice sessions do not concentrate on any fixed routines; instead, techniques are prepared for all situations and used as appropriately as a reaction to gain the best outcome.

LEGAL - BONUS!

DevSecOps' Red Team is awesome and cool, but where does one draw the legal line between red teaming and violating company policies? What exactly is exploitable? When does one stop?  Krav Maga is purely self-defense and not a sport, but where does one draw the legal line of self-defense? What is a threat? What is meant by eliminating the threat? Knock out? When does one stop?

It is important to make comparisons for lessons to be well-understood.  What do YOU compare DevSecOps to?

__________________________________________

About

Fabian is a DevSecOps engineer during the day, and a Krav Maga instructor at night.  He had undergone 18 months of being a full-time DevSecOps engineer straight out of his Masters in Information Security, learning the ropes of security and experimenting his way to help mould the DevSecOps methodologies at Intuit.  Fabian also trains Krav Maga up to 5 days a week, about 2 hours each time. He recently passed his second instructor training, and is qualified to teach up to Krav Maga - Level 2. (This article is solely based on Fabian's opinion and does not represent any organization's perspective.)