Are You a Fool with a Tool? - Security Boulevard

Are You a Fool with a Tool?

I learned about Buckminster Fuller while frantically drawing my way through an architecture degree in college. Fuller was an inspirational architect, best known for the geodesic dome.

He had a saying that stuck in my head: “A fool with a tool still remains a fool.” When I hear organizations discuss adopting “DevOps” or “DevSecOps”, I never hear talk of culture or practice. Instead, the conversation lands on tooling, and on which of the tools they already own they can point at automation.

This approach is often an Epic Failure waiting to happen. Just because you have a tool doesn’t mean you need to use it, and there is no guarantee that it is the right tool for the job. It’s hard to determine which comes first: the fool or the tool.

Unintended Consequences

I had the opportunity to kick off the lightning talks at DevOps Enterprise Summit 2019 in Las Vegas a few weeks back. I decided I was going to talk about an example of using the wrong tool for the wrong job.

My goal was to build on a story I wrote about in Epic Failures of DevSecOps, where I described some of the hurdles I faced while integrating security controls into DevOps pipelines. I began by painting a picture in which one can step into the shoes of a developer who has just checked in code that fixes a critical security vulnerability in a piece of software.

Once the code is checked in, the first thing that should happen is a scan for security vulnerabilities. Normally this happens without a glitch, but this time the automated build pipeline grinds to a halt, because another build has been scanning for almost 10 hours and is only at 10%
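The stalled scan in that story is a tooling failure the pipeline can bound, whatever scanner sits behind it. The following is an added example for this page, not code from the original post or from Sonatype: it wraps a scanner invocation in a hard time budget owned by the pipeline, classifies the outcome, and makes the fail-open versus fail-closed decision explicit instead of leaving it to whatever the tool happens to do when it hangs. It assumes a scanner invoked as a subprocess that follows the common convention of exit code 0 for a clean scan, 1 for findings, and anything else for a tool error (check your scanner's documentation; that mapping is an assumption). The scanner itself is simulated with the Python interpreter so the example runs offline.

```python
"""Bounding a security scan stage so one tool cannot stall the whole pipeline.

Added example for this page; it is not code from the original article or from
Sonatype. Assumptions: the scanner runs as a subprocess and uses exit code
0 = clean, 1 = findings, other = tool error. A real scanner is replaced by a
constructed stand-in (the Python interpreter) so nothing needs to be installed.
"""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ScanResult:
    status: str            # "passed", "findings", "timed_out" or "error"
    exit_code: Optional[int]
    elapsed_s: float
    output: str


def run_scan(cmd: List[str], budget_s: float) -> ScanResult:
    """Run a scanner under a hard time budget enforced by the pipeline.

    A scan that overruns its budget is killed and reported as "timed_out",
    so the stage fails loudly instead of holding other builds for hours.
    """
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=budget_s)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child by the time we get here.
        return ScanResult("timed_out", None, time.monotonic() - start, "")
    elapsed = time.monotonic() - start
    output = proc.stdout + proc.stderr
    if proc.returncode == 0:
        return ScanResult("passed", 0, elapsed, output)
    if proc.returncode == 1:
        return ScanResult("findings", 1, elapsed, output)
    return ScanResult("error", proc.returncode, elapsed, output)


def should_block_merge(result: ScanResult, fail_closed: bool = True) -> bool:
    """Decide what a timed-out or broken scan means for the change.

    fail_closed=True treats "timed_out" and "error" like findings: the change
    is held until someone looks, because an unscanned change is not a scanned
    one. fail_closed=False lets it through and relies on the status being
    surfaced elsewhere. Either is defensible; choosing by accident is not.
    """
    if result.status == "findings":
        return True
    if result.status in ("timed_out", "error"):
        return fail_closed
    return False


def simulated_scanner(seconds: float, exit_code: int, message: str = "") -> List[str]:
    """Build a command that behaves like a scanner taking `seconds` to finish.

    Constructed stand-in for a real scanner (hypothetical, for this example only).
    """
    code = (
        f"import sys, time; time.sleep({seconds}); "
        f"print({message!r}); sys.exit({exit_code})"
    )
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # A scanner that would run far past its budget is cut off after 1 second.
    stalled = run_scan(simulated_scanner(30, 0), budget_s=1.0)
    print(stalled.status, "block merge:", should_block_merge(stalled))
    # A scan that finishes within budget and reports findings.
    found = run_scan(simulated_scanner(0, 1, "1 critical finding"), budget_s=10.0)
    print(found.status, found.output.strip(), "block merge:", should_block_merge(found))
```

The budget belongs in the pipeline definition, next to the job that uses it, rather than in the scanner's own configuration: the point is that a tool which misbehaves cannot take the rest of the delivery process down with it, and that the team has decided in advance what a scan that never finishes means for the change.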

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by DJ Schleen. Read the original post at: https://blog.sonatype.com/are-you-a-fool-with-a-tool

DJ Schleen

DJ is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. DJ has worked to streamline development pipelines and practices for many Fortune 100 organizations by focusing on culture and technique. He uses this expertise to surface the right technology to serve business goals and support outcomes. He is an international speaker, blogger, instructor and author in the DevSecOps community where he encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
