Security is the next frontier of DevOps. It's an area of IT that has gone largely unchanged over the last 10 years and is ripe for innovation. What this means, and what the title implies, will be covered in our 4-part series on the Future of DevOps and Security—this article is the first in the series. [If you follow our Medium publication Signal Sciences Labs then you should get updates when we release the next article in the series.]
I help run and plan DevOps Days Austin and we just had our fifth annual event. DevOps Days Austin is consistently one of the biggest—if not the biggest—DevOps Days event across the globe with over 600 attendees this year. For me personally, it was very satisfying to see how many new people we attracted this year. This year we moved to a new venue which would allow us to grow to 600 and it was great to see that we had a large number of attendees that had never been to a DevOps Days event before.
Hang with me, I promise this is all related to the title of this article and the Future of DevOps and Security Series.
At the event we had several important talks that clarified for me the direction this whole DevOps movement is heading over the next 18–24 months. In one word: Security. Security has lagged behind and is still seen as an inhibitor of progress in most organizations. This year at DevOps Days Austin, we had three speakers that helped influence my thinking on this: Ernest Mueller gave the opening keynote on the DevOps State of the Union; Dan Glass, CISO of American Airlines, discussed his organization’s journey; and Shannon Lietz, Director of Security at Intuit, gave an excellent talk on CI and Security. There were also several “open spaces” on security and a great talk by Matt Johansen on security and Kubernetes, which echoed a lot of the same sentiment but more pragmatically.
Each of these talks brought clarity in its own way to the premise of this Future of DevOps and Security Series—that Security is changing rapidly. For the first three articles in the series I will be highlighting each of the talks mentioned above and adding commentary. The last article in the series will be a summary of learnings and hopefully some forward-looking statements about where our industry is heading.
The DevOps State of the Union (and where DevOps is heading)
Sometimes we look to the past to inform our view of the future; sometimes we just need to look to our left and our right in the present. Every year we try to do a little bit of both at DevOps Days Austin. We review the last year with a keynote address that we have aptly dubbed The DevOps State of the Union. We were honored that this year, Ernest Mueller gave the opening keynote.
There are several areas where DevOps is growing, and Ernest highlighted the “Founding Fathers of DevOps” and where they are now. Patrick Debois is working on bringing DevOps to mobile, John Willis is working on containers, Andrew Shafer is moving forward on delivering on the promise of Platform as a Service, and Damon Edwards is pushing DevOps further into the Enterprise.
DevOps and Security
In the keynote, Ernest noted several positive influences in the Security space. One of these was the RSA Rugged DevOps event (which Signal Sciences sponsored) earlier this year. There is definitely a change happening in the industry. We still have a long way to go—one of my favorite quotes from Ernest during his keynote was about how fundamental the problem is:
Security problems are so often a combination of application and system problems.
Read that as: this is a systemic problem at the root of all of the IT and engineering activity in an organization. Historically, we separated security into its own silo, away from engineering. For readers that have been with us for some time, this is no surprise. We have discussed the organizational silos that have divided security and the rest of the organization in several past articles. However, Ernest drove the point home with this salient comment:
The fact that over time we split out security from the people who run and build the software and systems into separate groups historically is an obvious anti-pattern and security groups [in many organizations] are now seeing that.
The next articles in the series will have more technical depth and more pragmatic advice for you, but I wanted to first highlight the cultural divide between security and the rest of the organization. DevOps was birthed out of a desire to do Agile Infrastructure and to unite the devs and the ops teams. Security shouldn’t function as a separate silo but needs to collaborate with this movement.
Watch the full DevOps State of the Union