It has been a busy spring and before you know it, summer will be here—I can report that in fact, here in Austin, summer is already here.
The spring conference circuit was packed with lots of great conferences and I was able to log time over at RSA, DevOps Summit, DevSecOps Dallas, DevOps Days Austin (which I also help organize), and Signal Sciences Media Security Summit in New York. This conference season was great because I was able to catch up with a lot of friends and coworkers, though I will say it often resulted in a very disorienting feeling: wait, didn't I just see you last week? I kept having that feeling with seeing friends like John Willis and Paula Thrasher in Portland and then days later in San Francisco, and of course seeing Derek Weeks everywhere, including in my hometown of Austin. While it was nice to see familiar faces, one takeaway here is that we need to add diversity of voices to the conversation.
From all these events, I have a few notes from the field I want to share.
DevSecOps is alive and well
If you have been in doubt whether security would actually turn the corner and come on board the DevOps bandwagon, fear not. Security is officially in the DevOps ecosystem, they keep coming, and the momentum is picking up steam. Now, these newcomers insist on calling it DevSecOps, which I guess we can live with. The words don’t really matter, as long as the results are still there. If you can reduce overall cycle time and improve throughput of the system while also making it more secure, more auditable and more resilient, you can call it whatever you want. I am just fearing the day when the DBAs are going to want a seat at the table. Will we DevSecDataOps it? Most of my DBA friends are still resistant to these wild notions of DevOps, so I imagine we still have a few years to make peace with it.
John Willis gave a great talk at DevOps Days Austin on DevSecOps and he referenced Shannon Lietz’s excellent work and how Intuit's security team works to put “blood in the water.” They do this through several ways, but one oft-cited way is penetration testing weekly through Red Team Mondays. This creates a feedback loop from security to developers, which is smart because security can’t scale to fix all the bugs, but we can inspire.
On the topic of feedback loops, another way to bridge between the dev-ops-sec tribes is by creating feedback from actual attackers, or as Shannon Lietz calls it, adversary-driven feedback. I was able to catch up with customers of Signal Sciences, and I am blown away with the types of feedback loops people are adding into their environment and the value they are getting out of our product. Many are installing us behind their CDN-based WAFs and have been surprised at how many actionable attacks we are catching and preventing. I wrote a little about this in a recent article with a tongue-in-cheek title: Oops I WAFed my Cache.
Docker is boring, but that’s OK!
Rewind 2-3 years and you could not stop the Docker open spaces at DevOps Days. Back then we couldn’t have enough conversations about containers. This year in Austin, which is a very tech-forward, techno-hipster crowd, there were zero open spaces on Docker. Zero. Why is that? Have we moved on? Is Docker dead? You might think so if there were a bunch of open spaces on the next wave of tech, like Kubernetes or FaaS/Serverless; however, there were only a couple on Kubernetes and none on serverless. All this to say, in Austin, containers and the ecosystems around containers were not worth spending valuable conference time on. I think this is a testament to the growth of DevOps training and security training now widely available online through producers like Lynda.com and O’Reilly in addition to the other conferences that have sprung up around these topics.
Real Problems are on the Docket
So, if people weren’t talking Docker and Lambda, what were they talking about? Attendees proposed open spaces on topics that really were a struggle for them. There were over 40 open spaces, but to give you an idea, the open spaces carried titles like:
Cross Pollinate DevOps and Biz School
Migrating from Traditional QA
Talk Pay / Pay Talk
The last one here was quite interesting. Attendees anonymously wrote down their current salaries and their titles on cards. The open space organizer sorted the cards into three categories: dev, ops, and other. Ops slightly outperformed devs, oddly enough; however, it turns out “other” was far and away the leader in salary. Several people walked away from that session saying their first task back at the office was to ask for more money because they realized they were way underpaid. Good for them! The market is definitely ripe, and is a seller’s market. If you are not getting paid well and receiving annual raises, then you should definitely go looking.
We must bring in the Auditors
My last learning is that auditors need to get brought into this whole thing. Right now, we are winning the hearts and minds of security practitioners from red team to blue team; however, we still have work to do to bring in the auditors. I was able to join forces with Ben Grinnell, Jennifer Brady, Rob Stroud, Sam Guckenheimer, Scott Nasello, and Tapabrata Pal (Topo) to create a new, open source initiative that we fondly named Dear Auditor. This project is Creative Commons Zero licensed and is an effort to create a risk control matrix that maps to current best practices of DevOps. It is available at dearauditor.org and we would love your help and feedback. Check it out and let me know what you think!
This seems like as good a stopping point as any, so until next time, keep the DevOps dreams alive!