DevSecOps Fundamentals
DevSecOps Principles: Culture, Collaboration & DORA Metrics
65 minā¢text
Theory & Concepts
DevSecOps Principles: Culture, Collaboration & DORA Metrics
DevSecOps represents a fundamental shift in how organizations approach security-transforming it from a bottleneck at the end of development into an integrated practice throughout the entire software delivery lifecycle.
š” Why This Matters: Organizations practicing DevSecOps deploy code 208 times more frequently with 106 times faster lead times and 7 times lower change failure rates compared to traditional security approaches (State of DevOps Report). Security becomes an enabler, not a blocker.
What is DevSecOps?
DevSecOps is the philosophy of integrating security practices within the DevOps process. It means building security into every phase of the software development lifecycle (SDLC) rather than bolting it on at the end.
The Evolution: From Waterfall to DevSecOps
ā Key Insight: DevSecOps embeds security at every stage, catching vulnerabilities early when they're 100x cheaper to fix than in production.
Core DevSecOps Principles
1. Security as Code
Security policies, controls, and configurations are written as code and version-controlled, making them:
- Repeatable: Same security controls apply consistently
- Auditable: Full change history tracked in Git
- Automated: Enforced automatically in pipelines
- Testable: Security policies can be tested before deployment
Example: Security policy as code using Open Policy Agent (OPA)
python
# Security policy example: Block containers running as root# This would be written in Rego for OPA, but shown in Python for claritydef validate_container_security(container_config): """ Validate container security configuration. Returns True if secure, False with error message if not. """ violations = [] # Check 1: Container must not run as root if container_config.get('user') == 'root' or container_config.get('user') is None: violations.append("Container must not run as root user") # Check 2: Container must use read-only root filesystem if not container_config.get('readOnlyRootFilesystem', False): violations.append("Container must use read-only root filesystem") # Check 3: Privileged mode must be disabled if container_config.get('privileged', False): violations.append("Privileged containers are not allowed") # Check 4: Image must be from approved registry approved_registries = ['gcr.io/mycompany', 'docker.io/mycompany'] image = container_config.get('image', '') if not any(image.startswith(registry) for registry in approved_registries): violations.append(f"Image must be from approved registry: {approved_registries}") if violations: print("ā Security Policy Violations Found:") for i, violation in enumerate(violations, 1): print(f" {i}. {violation}") return False print("ā
All security policies passed") return True# Example 1: Insecure container configurationprint("Example 1: Testing insecure configuration")insecure_container = { 'image': 'docker.io/nginx:latest', 'user': 'root', 'privileged': True, 'readOnlyRootFilesystem': False}validate_container_security(insecure_container)print()# Example 2: Secure container configurationprint("Example 2: Testing secure configuration")secure_container = { 'image': 'gcr.io/mycompany/nginx:1.21.0', 'user': '1000', 'privileged': False, 'readOnlyRootFilesystem': True}validate_container_security(secure_container)# Output:# Example 1: Testing insecure configuration# ā Security Policy Violations Found:# 1. Container must not run as root user# 2. Container must use read-only root filesystem# 3. Privileged containers are not allowed# 4. Image must be from approved registry: ['gcr.io/mycompany', 'docker.io/mycompany']## Example 2: Testing secure configuration# ā
All security policies passed2. Shift-Left Security
Move security testing earlier in the development process-catching vulnerabilities when developers are actively working on the code.
Cost of Fixing Vulnerabilities by Phase:
ā ļø CRITICAL: A SQL injection vulnerability costs $100 to fix during development, $1,500 during testing, and $15,000+ in production (including incident response, data breach costs, and reputation damage).
3. Automation First
Automate security controls to achieve:
- Consistency: Humans forget; automation doesn't
- Speed: Security checks in seconds, not weeks
- Scale: Scan thousands of deployments daily
- Developer Enablement: Fast feedback without waiting for security team
Security Automation Pyramid:
4. Continuous Monitoring & Response
Security doesn't stop at deployment-continuous monitoring detects runtime threats and anomalies.
5. Shared Responsibility
Everyone owns security:
- Developers: Write secure code, fix vulnerabilities
- Security: Provide tools, guidance, threat intelligence
- Operations: Secure infrastructure, monitor runtime
- Product: Balance features with security requirements
Breaking Down Organizational Silos
Traditional organizations operate in isolated teams with conflicting incentives:
DevSecOps breaks these silos:
Strategies for Breaking Silos
1. Create Security Champions
Embed security expertise within development teams:
python
# Security Champions Program Structureclass SecurityChampionsProgram: """ Framework for building a Security Champions program that embeds security knowledge across development teams. """ def __init__(self): self.champions = [] self.activities = { 'training': [], 'reviews': [], 'incidents': [] } def recruit_champion(self, developer): """ Recruit a developer to become a security champion. Ideal candidate: - Passionate about security - Respected by peers - Good communicator - 20% time allocation for security work """ champion = { 'name': developer['name'], 'team': developer['team'], 'responsibilities': [ 'Security code reviews for team', 'Triage security scan findings', 'Evangelize security best practices', 'Monthly security training', 'Incident response liaison' ], 'benefits': [ 'Security training & certifications', 'Access to security team', 'Recognition program', 'Career development path' ] } self.champions.append(champion) print(f"ā
{developer['name']} joined as Security Champion for {developer['team']} team") return champion def monthly_sync(self): """Monthly security champions sync meeting.""" print(f"š
Monthly Security Champions Sync ({len(self.champions)} champions)") print("Agenda:") print(" 1. Review latest security threats & CVEs") print(" 2. Share team security wins & challenges") print(" 3. New security tools & techniques") print(" 4. Q&A with security leadership") print(" 5. Training: Hands-on security lab")# Example: Building a Security Champions programprogram = SecurityChampionsProgram()# Recruit champions from each teamdevelopers = [ {'name': 'Sarah Chen', 'team': 'Payments'}, {'name': 'Marcus Johnson', 'team': 'API Platform'}, {'name': 'Priya Patel', 'team': 'Mobile Apps'}]for dev in developers: program.recruit_champion(dev)program.monthly_sync()# Output:# ā
Sarah Chen joined as Security Champion for Payments team# ā
Marcus Johnson joined as Security Champion for API Platform team# ā
Priya Patel joined as Security Champion for Mobile Apps team## š
Monthly Security Champions Sync (3 champions)# Agenda:# 1. Review latest security threats & CVEs# 2. Share team security wins & challenges# 3. New security tools & techniques# 4. Q&A with security leadership# 5. Training: Hands-on security lab2. Embed Security in Teams
Instead of a central security team reviewing everything, embed security engineers directly in product teams.
3. Automate Security Gates
Replace manual security reviews with automated checks that provide instant feedback.
4. Unified Dashboards
Create shared visibility into deployments, security posture, and incidents.
Measuring Success with DORA Metrics
DORA (DevOps Research and Assessment) metrics are the gold standard for measuring software delivery performance. DevSecOps adds security metrics to these foundational measures.
The Four DORA Metrics
1. Deployment Frequency
Definition: How often you successfully release to production.
Performance Levels:
- š„ Elite: Multiple times per day
- š„ High: Once per day to once per week
- š„ Medium: Once per week to once per month
- š“ Low: Less than once per month
DevSecOps Impact: Automated security checks enable faster deployments without sacrificing security.
python
# Calculate Deployment Frequencyfrom datetime import datetime, timedeltafrom collections import Counterdef calculate_deployment_frequency(deployments): """ Calculate deployment frequency from deployment history. Args: deployments: List of deployment timestamps Returns: Deployment frequency metrics and classification """ if not deployments: return {'frequency': 0, 'classification': 'Low', 'per_day': 0} # Sort deployments deployments = sorted(deployments) # Calculate time span time_span = (deployments[-1] - deployments[0]).days + 1 # Calculate deployments per day deploys_per_day = len(deployments) / time_span # Classify performance if deploys_per_day >= 1: classification = 'Elite' emoji = 'š„' elif deploys_per_day >= 1/7: # Once per week classification = 'High' emoji = 'š„' elif deploys_per_day >= 1/30: # Once per month classification = 'Medium' emoji = 'š„' else: classification = 'Low' emoji = 'š“' # Calculate weekly breakdown weeks = Counter() for deploy in deployments: week = deploy.strftime('%Y-W%U') weeks[week] += 1 avg_per_week = sum(weeks.values()) / len(weeks) if weeks else 0 print(f"{emoji} Deployment Frequency: {classification}") print(f" Total Deployments: {len(deployments)}") print(f" Time Period: {time_span} days") print(f" Deploys/Day: {deploys_per_day:.2f}") print(f" Deploys/Week: {avg_per_week:.1f}") return { 'frequency': len(deployments), 'classification': classification, 'per_day': deploys_per_day, 'per_week': avg_per_week }# Example: Compare teamsprint("Team A (Traditional):")team_a_deploys = [ datetime(2024, 1, 15), datetime(2024, 2, 1), datetime(2024, 3, 1), datetime(2024, 4, 1),]calculate_deployment_frequency(team_a_deploys)print("Team B (DevSecOps):")# Generate deployments - multiple per dayteam_b_deploys = []start_date = datetime(2024, 1, 1)for day in range(90): # 90 days current_date = start_date + timedelta(days=day) # 3 deploys per day on average if day % 1 == 0: # Deploy every day for i in range(3): team_b_deploys.append(current_date + timedelta(hours=i*3))calculate_deployment_frequency(team_b_deploys)# Output:# Team A (Traditional):# š“ Deployment Frequency: Low# Total Deployments: 4# Time Period: 77 days# Deploys/Day: 0.05# Deploys/Week: 0.4## Team B (DevSecOps):# š„ Deployment Frequency: Elite# Total Deployments: 270# Time Period: 90 days# Deploys/Day: 3.00# Deploys/Week: 21.02. Lead Time for Changes
Definition: Time from code commit to successfully running in production.
Performance Levels:
- š„ Elite: Less than 1 hour
- š„ High: 1 day to 1 week
- š„ Medium: 1 week to 1 month
- š“ Low: More than 1 month
python
# Calculate Lead Time for Changesdef calculate_lead_time(changes): """ Calculate lead time from commit to production. Args: changes: List of {'commit_time': datetime, 'deploy_time': datetime} Returns: Lead time metrics and classification """ if not changes: return {'avg_hours': 0, 'classification': 'Low'} lead_times = [] for change in changes: delta = change['deploy_time'] - change['commit_time'] lead_times.append(delta.total_seconds() / 3600) # Convert to hours avg_hours = sum(lead_times) / len(lead_times) median_hours = sorted(lead_times)[len(lead_times)//2] # Classify performance if avg_hours < 1: classification = 'Elite' emoji = 'š„' elif avg_hours < 24 * 7: # Less than 1 week classification = 'High' emoji = 'š„' elif avg_hours < 24 * 30: # Less than 1 month classification = 'Medium' emoji = 'š„' else: classification = 'Low' emoji = 'š“' print(f"{emoji} Lead Time for Changes: {classification}") print(f" Average: {avg_hours:.1f} hours ({avg_hours/24:.1f} days)") print(f" Median: {median_hours:.1f} hours") print(f" Min: {min(lead_times):.1f} hours") print(f" Max: {max(lead_times):.1f} hours") return { 'avg_hours': avg_hours, 'median_hours': median_hours, 'classification': classification }# Example: Traditional waterfall with manual security reviewprint("Traditional Release (Manual Security):")traditional_changes = [ { 'commit_time': datetime(2024, 1, 1, 9, 0), 'deploy_time': datetime(2024, 1, 22, 15, 0) # 3 weeks later }, { 'commit_time': datetime(2024, 2, 1, 10, 0), 'deploy_time': datetime(2024, 2, 18, 14, 0) # 2.5 weeks later }]calculate_lead_time(traditional_changes)print("DevSecOps (Automated Security):")devsecops_changes = [ { 'commit_time': datetime(2024, 1, 1, 9, 0), 'deploy_time': datetime(2024, 1, 1, 9, 45) # 45 minutes }, { 'commit_time': datetime(2024, 1, 2, 14, 0), 'deploy_time': datetime(2024, 1, 2, 14, 30) # 30 minutes }, { 'commit_time': datetime(2024, 1, 3, 11, 0), 'deploy_time': datetime(2024, 1, 3, 12, 0) # 1 hour }]calculate_lead_time(devsecops_changes)# Output:# Traditional Release (Manual Security):# š“ Lead Time for Changes: Low# Average: 441.0 hours (18.4 days)# Median: 417.0 hours# Min: 389.0 hours# Max: 493.0 hours## DevSecOps (Automated Security):# š„ Lead Time for Changes: Elite# Average: 0.8 hours (0.0 days)# Median: 0.8 hours# Min: 0.5 hours# Max: 1.0 hours3. Change Failure Rate
Definition: Percentage of deployments causing a failure in production.
Performance Levels:
- š„ Elite: 0-15%
- š„ High: 16-30%
- š„ Medium: 31-45%
- š“ Low: 46%+
ā ļø Security Impact: Vulnerabilities deployed to production count as failures. Automated security testing reduces CFR.
4. Mean Time to Recovery (MTTR)
Definition: How long it takes to restore service after an incident.
Performance Levels:
- š„ Elite: Less than 1 hour
- š„ High: Less than 1 day
- š„ Medium: 1 day to 1 week
- š“ Low: More than 1 week
DevSecOps-Specific Metrics
Beyond DORA, track security-specific metrics:
Security Metrics Framework
python
# DevSecOps Metrics Dashboardclass DevSecOpsMetrics: """ Track and visualize DevSecOps metrics for continuous improvement. """ def __init__(self): self.metrics = { 'dora': {}, 'security': {} } def calculate_vulnerability_detection_rate(self, vulns_found_preprŠ¾Š“, total_vulns): """ Calculate what % of vulnerabilities are caught before production. High detection rate = shift-left is working! """ rate = (vulns_found_preprod / total_vulns * 100) if total_vulns > 0 else 0 if rate >= 95: status = 'š„ Elite' elif rate >= 80: status = 'š„ High' elif rate >= 60: status = 'š„ Medium' else: status = 'š“ Low' print(f"{status} Vulnerability Detection Rate: {rate:.1f}%") print(f" Pre-production: {vulns_found_preprod} vulnerabilities caught") print(f" Production: {total_vulns - vulns_found_preprod} vulnerabilities escaped") print(f" Total: {total_vulns} vulnerabilities") return rate def calculate_mean_time_to_patch(self, cve_patches): """ Calculate average time from CVE published to patch deployed. Args: cve_patches: List of {'cve': str, 'published': datetime, 'patched': datetime} """ patch_times = [] for patch in cve_patches: delta = patch['patched'] - patch['published'] days = delta.total_seconds() / (24 * 3600) patch_times.append(days) avg_days = sum(patch_times) / len(patch_times) if patch_times else 0 if avg_days < 7: status = 'š„ Elite' elif avg_days < 14: status = 'š„ High' elif avg_days < 30: status = 'š„ Medium' else: status = 'š“ Low' print(f"{status} Mean Time to Patch: {avg_days:.1f} days") print(f" Fastest: {min(patch_times):.1f} days") print(f" Slowest: {max(patch_times):.1f} days") print(f" Total CVEs patched: {len(patch_times)}") return avg_days def calculate_security_coverage(self, scanned_repos, total_repos): """Calculate what % of codebases have automated security scanning.""" coverage = (scanned_repos / total_repos * 100) if total_repos > 0 else 0 if coverage >= 90: status = 'š„ Elite' elif coverage >= 70: status = 'š„ High' elif coverage >= 50: status = 'š„ Medium' else: status = 'š“ Low' print(f"{status} Security Test Coverage: {coverage:.1f}%") print(f" Repositories with scanning: {scanned_repos}/{total_repos}") print(f" Gaps: {total_repos - scanned_repos} repos need security automation") return coverage# Example: Calculate comprehensive DevSecOps metricsmetrics = DevSecOpsMetrics()print("=== DevSecOps Metrics Dashboard ===")# Metric 1: Vulnerability Detection Rateprint("1. Shift-Left Effectiveness:")metrics.calculate_vulnerability_detection_rate( vulns_found_preprod=47, # Caught in dev/test total_vulns=50 # Total vulnerabilities)print("2. Patch Responsiveness:")# Metric 2: Mean Time to Patchcve_data = [ {'cve': 'CVE-2024-1234', 'published': datetime(2024, 1, 1), 'patched': datetime(2024, 1, 4)}, # 3 days {'cve': 'CVE-2024-5678', 'published': datetime(2024, 1, 10), 'patched': datetime(2024, 1, 15)}, # 5 days {'cve': 'CVE-2024-9999', 'published': datetime(2024, 1, 20), 'patched': datetime(2024, 1, 26)}, # 6 days]metrics.calculate_mean_time_to_patch(cve_data)print("3. Security Automation Coverage:")# Metric 3: Security scanning coveragemetrics.calculate_security_coverage( scanned_repos=45, # Repos with automated security total_repos=50 # Total repos)# Output:# === DevSecOps Metrics Dashboard ===## 1. Shift-Left Effectiveness:# š„ Elite Vulnerability Detection Rate: 94.0%# Pre-production: 47 vulnerabilities caught# Production: 3 vulnerabilities escaped# Total: 50 vulnerabilities## 2. Patch Responsiveness:# š„ Elite Mean Time to Patch: 4.7 days# Fastest: 3.0 days# Slowest: 6.0 days# Total CVEs patched: 3## 3. Security Automation Coverage:# š„ High Security Test Coverage: 90.0%# Repositories with scanning: 45/50# Gaps: 5 repos need security automationCultural Transformation Roadmap
Transforming to DevSecOps culture doesn't happen overnight. Follow this phased approach:
Phase 1: Build Awareness (Months 1-2)
Objectives:
- Leadership buy-in on DevSecOps value
- Baseline current security practices
- Identify security champions
Activities:
- Executive workshop on DevSecOps ROI
- Security maturity assessment
- DORA metrics baseline measurement
- Form Security Champions program
Phase 2: Quick Wins (Months 3-4)
Objectives:
- Demonstrate value with visible improvements
- Build momentum and enthusiasm
- Establish automation foundation
Activities:
- Implement secret scanning in Git
- Add SAST to CI/CD for 1-2 pilot teams
- Automate container image scanning
- Achieve first sub-1-hour lead time deployment
Phase 3: Scale & Standardize (Months 5-8)
Objectives:
- Roll out to all teams
- Standardize tooling and processes
- Embed security in team workflows
Activities:
- Security automation in all CI/CD pipelines
- Policy-as-code enforcement
- Integrated dashboards for DORA + security metrics
- Monthly security training for all engineers
Phase 4: Optimize & Innovate (Months 9-12)
Objectives:
- Achieve elite performance levels
- Advanced security capabilities
- Continuous improvement culture
Activities:
- Advanced threat detection (behavior analytics)
- Automated remediation for common issues
- Security chaos engineering exercises
- Achieve elite DORA metrics
Common Cultural Anti-Patterns
ā Anti-Pattern 1: "Security Theater"
What it looks like:
- Compliance checklists without real security
- Tools deployed but alerts ignored
- "Security approved" stamps without review
Fix:
- Focus on outcomes (fewer vulnerabilities) not activities
- Measure mean time to remediate, not just detection
- Incentivize fixing issues, not finding them
ā Anti-Pattern 2: "Blame Culture"
What it looks like:
- Pointing fingers when security incidents occur
- Developers afraid to report vulnerabilities
- Security team seen as "Dr. No"
Fix:
- Blameless post-mortems focused on learning
- Reward vulnerability disclosure
- Celebrate security improvements, not just catches
ā Anti-Pattern 3: "Tool Sprawl"
What it looks like:
- 15+ security tools with no integration
- Alert fatigue from duplicates
- No single source of truth
Fix:
- Consolidate to 3-5 core tools
- Integrate via APIs for unified dashboard
- Prioritize by business risk, not just severity
Success Indicators
You know DevSecOps culture is working when:
ā Developers proactively fix security issues before security team finds them
ā Security doesn't slow down deployments ā automated checks in <10 minutes
ā Cross-functional incident response ā dev, sec, ops collaborate in real-time
ā Security metrics improving ā fewer production vulnerabilities, faster patching
ā Knowledge sharing ā security training is part of onboarding and continuous learning
ā Elite DORA metrics ā deploying multiple times per day with <15% failure rate
Summary
Key Takeaways:
-
DevSecOps is cultural transformation: Technology alone won't work without breaking down silos and building shared ownership
-
Shift security left: Catch vulnerabilities early when they're 100x cheaper to fix
-
Automate relentlessly: Manual security reviews don't scale; automation provides fast, consistent feedback
-
Measure what matters: DORA metrics (deployment frequency, lead time, change failure rate, MTTR) + security-specific metrics
-
Start small, scale fast: Begin with security champions and quick wins, then expand across organization
-
Continuous improvement: DevSecOps is a journey, not a destination
š” Next Steps: In the following lessons, we'll dive deep into SDLC integration, shift-left practices, automation techniques, and the tool ecosystem to make DevSecOps real in your organization.
Practice Exercise
Exercise 1: Calculate your baseline DORA metrics
- Track your last 10 deployments
- Calculate deployment frequency and lead time
- Identify the biggest bottleneck (security review? testing? approvals?)
Exercise 2: Map your current security process
- Document where security happens in your SDLC
- Identify manual steps that could be automated
- Calculate what % of vulnerabilities are found pre-production vs post-production
Exercise 3: Start a Security Champions program
- Identify 2-3 developers passionate about security
- Define their responsibilities and time allocation
- Plan your first Security Champions sync meeting
Lesson Content
Master the core principles of DevSecOps culture, learn how to break down organizational silos between security, development, and operations teams, and measure success using industry-standard DORA metrics.
Code Example
python
# DevSecOps Principles - Hands-On Examples# Example 1: Simple Security Policy Validator# This demonstrates "Security as Code" - policies that can be tested and automateddef validate_deployment_security(deployment): """ Automated security policy validation for deployments. This would run in your CI/CD pipeline before deployment. """ print(f"š Validating deployment: {deployment['name']}") print("=" * 60) passed_checks = 0 failed_checks = 0 # Check 1: Image must be scanned and have no critical vulnerabilities if deployment.get('image_scanned'): critical_vulns = deployment.get('critical_vulnerabilities', 0) if critical_vulns == 0: print("ā
PASS: Container image scanned with 0 critical vulnerabilities") passed_checks += 1 else: print(f"ā FAIL: {critical_vulns} critical vulnerabilities found in image") failed_checks += 1 else: print("ā FAIL: Container image not scanned for vulnerabilities") failed_checks += 1 # Check 2: No hardcoded secrets if not deployment.get('has_hardcoded_secrets', True): print("ā
PASS: No hardcoded secrets detected") passed_checks += 1 else: print("ā FAIL: Hardcoded secrets detected in code or config") failed_checks += 1 # Check 3: HTTPS/TLS enforced if deployment.get('https_enabled', False): print("ā
PASS: HTTPS/TLS encryption enabled") passed_checks += 1 else: print("ā FAIL: HTTPS/TLS not enabled") failed_checks += 1 # Check 4: Security headers configured required_headers = ['X-Frame-Options', 'X-Content-Type-Options', 'Strict-Transport-Security'] configured_headers = deployment.get('security_headers', []) if all(header in configured_headers for header in required_headers): print(f"ā
PASS: All required security headers configured") passed_checks += 1 else: missing = [h for h in required_headers if h not in configured_headers] print(f"ā FAIL: Missing security headers: {', '.join(missing)}") failed_checks += 1 # Check 5: Least privilege - non-root user if deployment.get('runs_as_root', True) == False: print("ā
PASS: Running as non-root user") passed_checks += 1 else: print("ā FAIL: Running as root user (violates least privilege)") failed_checks += 1 print("=" * 60) print(f"š Security Score: {passed_checks}/{passed_checks + failed_checks} checks passed") if failed_checks == 0: print("š APPROVED: Deployment meets all security requirements") return True else: print(f"š« BLOCKED: {failed_checks} security requirements not met") print(" Fix the issues above and try again") return False# Test Case 1: Insecure deployment (fails multiple checks)print("\n" + "="*60)print("TEST 1: Insecure Deployment Configuration")print("="*60)insecure_deployment = { 'name': 'legacy-app-v1', 'image_scanned': False, 'has_hardcoded_secrets': True, 'https_enabled': False, 'security_headers': [], 'runs_as_root': True}validate_deployment_security(insecure_deployment)# Test Case 2: Secure deployment (passes all checks)print("\n" + "="*60)print("TEST 2: Secure DevSecOps Deployment")print("="*60)secure_deployment = { 'name': 'modern-app-v2', 'image_scanned': True, 'critical_vulnerabilities': 0, 'has_hardcoded_secrets': False, 'https_enabled': True, 'security_headers': [ 'X-Frame-Options', 'X-Content-Type-Options', 'Strict-Transport-Security', 'Content-Security-Policy' ], 'runs_as_root': False}validate_deployment_security(secure_deployment)# Example 2: DORA Metrics Tracking Systemprint("\n\n" + "="*60)print("DORA METRICS CALCULATOR")print("="*60)from datetime import datetime, timedeltaclass DORAMetricsTracker: """ Real-world DORA metrics calculator for DevSecOps teams. Tracks deployment frequency, lead time, change failure rate, and MTTR. """ def __init__(self, team_name): self.team_name = team_name self.deployments = [] self.incidents = [] def record_deployment(self, commit_time, deploy_time, success=True, caused_incident=False): """Record a deployment for metrics tracking.""" self.deployments.append({ 'commit_time': commit_time, 'deploy_time': deploy_time, 'success': success, 'caused_incident': caused_incident }) def record_incident(self, incident_start, incident_resolved): """Record a production incident for MTTR calculation.""" self.incidents.append({ 'start': incident_start, 'resolved': incident_resolved }) def calculate_all_metrics(self): """Calculate and display all 4 DORA metrics.""" print(f"\nš DORA Metrics Report: {self.team_name}") print("=" * 60) # Metric 1: Deployment Frequency if self.deployments: time_span = (self.deployments[-1]['deploy_time'] - self.deployments[0]['deploy_time']).days + 1 deploys_per_day = len(self.deployments) / time_span if deploys_per_day >= 1: df_rating = "š„ Elite" elif deploys_per_day >= 1/7: df_rating = "š„ High" elif deploys_per_day >= 1/30: df_rating = "š„ Medium" else: df_rating = "š“ Low" print(f"\n1ļøā£ Deployment Frequency: {df_rating}") print(f" š {len(self.deployments)} deployments in {time_span} days") print(f" š {deploys_per_day:.2f} deploys/day") # Metric 2: Lead Time for Changes if self.deployments: lead_times = [ (d['deploy_time'] - d['commit_time']).total_seconds() / 3600 for d in self.deployments ] avg_lead_time = sum(lead_times) / len(lead_times) if avg_lead_time < 1: lt_rating = "š„ Elite" elif avg_lead_time < 24 * 7: lt_rating = "š„ High" elif avg_lead_time < 24 * 30: lt_rating = "š„ Medium" else: lt_rating = "š“ Low" print(f"\n2ļøā£ Lead Time for Changes: {lt_rating}") print(f" ā±ļø Average: {avg_lead_time:.1f} hours") print(f" ā” Fastest: {min(lead_times):.1f} hours") print(f" š Slowest: {max(lead_times):.1f} hours") # Metric 3: Change Failure Rate if self.deployments: failures = sum(1 for d in self.deployments if d['caused_incident']) cfr = (failures / len(self.deployments)) * 100 if cfr <= 15: cfr_rating = "š„ Elite" elif cfr <= 30: cfr_rating = "š„ High" elif cfr <= 45: cfr_rating = "š„ Medium" else: cfr_rating = "š“ Low" print(f"\n3ļøā£ Change Failure Rate: {cfr_rating}") print(f" š„ {failures}/{len(self.deployments)} deployments caused incidents") print(f" š {cfr:.1f}% failure rate") # Metric 4: Mean Time to Recovery if self.incidents: recovery_times = [ (i['resolved'] - i['start']).total_seconds() / 3600 for i in self.incidents ] mttr = sum(recovery_times) / len(recovery_times) if mttr < 1: mttr_rating = "š„ Elite" elif mttr < 24: mttr_rating = "š„ High" elif mttr < 24 * 7: mttr_rating = "š„ Medium" else: mttr_rating = "š“ Low" print(f"\n4ļøā£ Mean Time to Recovery: {mttr_rating}") print(f" š§ Average: {mttr:.1f} hours") print(f" ā” Fastest: {min(recovery_times):.1f} hours") print(f" š Slowest: {max(recovery_times):.1f} hours") print("\n" + "=" * 60)# Simulate a DevSecOps team's metrics over 30 daystracker = DORAMetricsTracker("Platform Team - DevSecOps")# Record deployments (multiple per day - elite performance)base_date = datetime(2024, 1, 1)for day in range(30): # Deploy 2-3 times per day for deploy_num in range(2): commit_time = base_date + timedelta(days=day, hours=9 + deploy_num*4) deploy_time = commit_time + timedelta(minutes=45) # 45 min lead time (elite!) # 95% success rate (elite) caused_incident = (day == 5 and deploy_num == 1) or (day == 22) tracker.record_deployment( commit_time=commit_time, deploy_time=deploy_time, success=not caused_incident, caused_incident=caused_incident )# Record the 2 incidents that occurredtracker.record_incident( incident_start=base_date + timedelta(days=5, hours=14), incident_resolved=base_date + timedelta(days=5, hours=14, minutes=45) # 45 min recovery)tracker.record_incident( incident_start=base_date + timedelta(days=22, hours=16), incident_resolved=base_date + timedelta(days=22, hours=17) # 1 hour recovery)# Calculate and display all metricstracker.calculate_all_metrics()print("\nā
This team shows Elite DevSecOps performance!")print(" - Daily deployments with sub-1-hour lead times")print(" - Low change failure rate (<15%)")print(" - Fast incident recovery (<1 hour)")print(" - Automated security in pipeline enables this velocity")Section 1 of 20 ā¢ Lesson 1 of 5