devOps believes in intelligent actors. Security assumes the worst of intentions. Both risk an imbalance of trust. The Prisoner’s Dilemma and the devOpsSec Dilemma, defined as a lack of cooperation that stems from a lack of trust in a hyper-competitive environment, have the same flaw: there’s not a game position that’s safe for everyone, because of obliviousness or malicious intent.
A low-trust cooperative game state is emerging as a result. In a devOps world, everyone means Everyone, both internally and externally. This includes the unique identities, teams, the company they all work for, the customers that keep them in business, and even the perceived competition.
The oblivious trampling and opportunistic predation of other people and organizations are really complementary set operations that mitigate any risk associated with a perceived threat, which is what security is ultimately about. Staying in the lowest-risk, highest-paying game state is a decent definition of a secure bet for the short game but may not be a safe one over time. If the strategy is damaging others, the competitor will eventually compete themselves out of existence.
This presentation will discuss the Nash equilibrium forming as a result of the tension between security and high-trust devOps environments and the complementary set operations found outside the equilibria, and provide ecological examples of these adaptations.