First, I would like to give a big “thank you” to the organizers of DevOps Connect: Rugged DevOps at RSAC 2016. I applaud the team for putting together a great conference within a conference (which isn’t an easy thing to do) that resonated with the audience. With organizers hailing from devops.com, Rugged Software, and Sonatype it was a well-planned, well-executed event. I want to issue a special thanks to: Josh Corman, Alan Shimel, Derek E. Weeks, and Mark Miller.
Frankly, I was surprised to see how well received this event was with attendees. RSAC is an InfoSec conference. You know those guys, the InfoSec department. The group who still refuses to acknowledge the cloud and proclaims DevOps to be yet another buzzword added to the stack of things they ignore. I thought surely this event would be low turnout and receive backlash from the crowd.
I was waaay wrong. Security is ready to join the DevOps tribe.
To give you a feel for how well it went, I think it is easily summed up with what happened at the closing. To a mostly full room of about 500 people the question was asked, “How many of you have been here all day?” Over 80% of the hands went up. For being a conference within a conference that number is surprising, for doing that with the InfoSec crowd, it is proof that the industry culture is truly shifting.
The Presentations at DevOps Connect
Below I have tried to link in all the presentations and link to all the speakers from the event. If I’m missing a link, please leave me a comment and I will update this article. Special thanks to Mark Miller for compiling the slides in SlideShare.
- Guns, Germs and Steel of the Software Age by John Willis and Josh Corman
- What We Learned from Three Years Sciencing the Crap Out of DevOps by Jez Humble and Nicole Forsgren
- Ops Happens: Improve Security Without Getting in the Way by Damon Edwards
- 2015 in Review: Failures in Public Safety and Privacy by Kim Zetter
- Seven Habits of Rugged DevOps by Amy DeMartine
- Applying DevOps Principles to Address Dynamic Changes in Cybersecurity by Aaron Volkman and Hasan Yasar
- The Journey to DevSecOps by Shannon Lietz
- Rugged DevOps: Compliance at Velocity by Justin Arbuckle
- Building Security Controls Around Attack Models, Not Gut Feel by Stephan Chenette
- Release Engineering’s Role in Rugged DevOps by J. Paul Reed
- Silver Linings for Miles: DevOps for Building Secure Solutions by Andrew Becherer and Zane Lackey
- Security Wargames by Sam Guckenhiemer
- Lean Security: Add Business Value without Bringing Waste by James Wickett and Ernest Mueller
- Architectures, Design Patterns, and Coding for Rugged DevOps at Scale by Rich Mogull
- The R.O.A.D. to Rugged DevOps for a Major Airline by Dan Glass
Lessons Learned
There were four key things I took away from the event.
1. Compliance as Code
Rich Mogull shared a very interesting hack—put all of your security policies in markdown in git. This provides the ability for developers to quickly reference policies and tie them back to compliance standards. It also adds transparency to the really boring bits of security. Now a policy change is just a pull request away!
2. In Lean Security, processes go away, and that’s a good thing
In our Lean Security presentation, Ernest Mueller told a story about how Adrian Cockcroft at Netflix said they don’t have any processes at Netflix. When people hear that for the first time they are often confused or worried but when InfoSec and compliance departments hear it they are freaked out. It feels like the wild west. However, the truth behind that statement is that at Netflix, the system itself was the embodiment of all their processes, thus eliminating the need for written processes.
It is my belief that our industry needs to get better at having our systems embody the processes rather than just writing the processes down. The benefits are huge: outliers are easier to detect, more people adhere to the process and generally people are happier. We need to make it easy to go faster and safer.
3. Take the ROAD to Rugged DevOps
Dan Glass works as the CISO at American Airlines. The airline industry knows quite a bit about complex systems and high-risk operations. In his presentation, Dan presented the ROAD.
I could write a whole blog post on this one topic. I highly recommend taking a look at his presentation and seeing how your organization could learn from the ROAD and develop successful “common practices”.
4. Security and DevOps are still learning
Closing thoughts
It was a great conference and I look forward to seeing how the InfoSec and DevOps communities grow closer together. My hope is that we will continue to see each other as traveling companions for many years to come. If this event is an indicator, I predict we will.
Thanks for reading. If you enjoyed this article please click the little heart, that would be amazing.
I’m part of the team at Signal Sciences. We are building an industry first Next Generation Web Application Firewall (NGWAF) which was built in response to our frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. Our NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.
