There is a persistent myth that there is a tradeoff between speed on one side and security or quality on the other — that going faster means less security and lower quality. This is just not true. All the data says that teams shipping to production multiple times per day have much lower security risk than those that take a couple of weeks (or longer) to get a new release out.
Why? The simple answer is that they’ve automated all of their quality and security checks, but a better answer is hinted at by this quote from Gene Kim’s book, The Phoenix Project: “Improving daily work is even more important than doing daily work.” True DevOps teams have taken this to heart and are constantly learning and changing in order to do even better. The most wonderful thing about this is that developers, unlike typical QA and security folks, love to capture that learning as more robust code, both in the product itself and in everything necessary to deploy and run that product in production. Any time a problem is found, we don’t just fix it; we make a change that means we’ll never have a similar problem again.
Unfortunately, a lot of nominally DevOps development teams are not getting this combined speed, quality, and security benefit. The difference is in the details of their DevOps approach. This talk illustrates very clearly the difference between “cargo-cult” and “true” DevOps, and provides a simple framework for getting the promised value out of your DevOps cultural shift.