Welcome to the ADC (After DevOps Connect) era of DevOps and Security

I was speaking with Britta Glade of RSA Conference after our DevOps Connect conference at RSA Conference Monday.  She congratulated us on putting together a great day of tracks and sessions (kudos to Gene Kim and Josh Corman).  But then she said something else that really struck me to my core.  She said after today there is no longer any question about security working with DevOps.

Think about it.  Three years after Josh and Gene first presented Rugged DevOps at RSA Conference. After so many papers, articles, presentations and tracks, it has finally sunk in.  Security will embrace DevOps, Security will be better because of DevOps and as importantly, DevOps will be better because of Security.

It is very fulfilling to know that this event we produced (along with Mark Miller and the Nexus Community) was what finally pushed this over the finish line. For me personally it really represents one of the fundamental reasons I was so attracted to DevOps.

It was 4 or so years ago that I first met Gene Kim and over a bottle or two of wine he explained to me what DevOps was about and what he was working on with the Phoenix Project.  While DevOps may seem primarily about Dev and Ops to some, for me it was about making security work better. It seemed like such a no-brainer that of course security should embrace DevOps.

But it was not that easy.  The besieged security industry, faced with a never-ending barrage of breaches and a continually escalating threat environment, could not accept that automation, acceleration and velocity would also allow us to shift security left, leaving us more secure and more compliant. Many security people dug in their heels and said no, this wouldn’t work, and they didn’t take the time to really explore it.

Monday all of that changed.  Security folk came out in droves to see people like Jez Humble (many people in the audience weren’t really familiar with Jez when he first took the stage, but they were enthralled with him by the time he stepped off). Jez finished to a standing-room-only crowd of close to 700. They heard Damon Edwards and Alex Honor talk. Though they were also unfamiliar to the crowd, their message resonated to the core.

When Julie Tsai of Walmart took the stage the audience heard how a “unicorn” like Walmart used Agile and DevOps to be more secure. Terri Pots of Raytheon and Jessica Davita of Microsoft reinforced the message that security needs to embrace this approach. I loved Jessica’s security org chart.  Chris Corriere, who writes here on DevOps.com, and Dr. Aaron Cois of Carnegie Mellon also had great sessions.

Then names familiar to the crowd, Gene Kim and Josh Corman, kicked it off with a great talk on Software Supply Chains.  Nick Galbreath had a great session. David Mortman delivered a terrific talk, Dan Cornell on web app security and more.  For me the perfect ending was when my friend Rich Mogull took the stage and demonstrated his Squirrel Monkey toolset. Rich’s scripts that he wrote himself showed how we could use automation to make our security better and easier.  People were stunned.

Throughout the day, the buzz that was coming down the big hallway was that there were some great things happening over at the DevOps tracks. People from the Cloud Security Alliance meeting next door were hopping over to check it out. Other people joined in.  By the end of the day we had given out all of the materials we had prepared.

By now I know you are wishing you were there.  The good news is the entire event was videotaped. We will have videos and slides of all of the presentations shortly so stay tuned.

We are already starting to plan next year’s event. Also, the call for speakers is now open for DevOps Connect: Rugged DevOps event @InfoSecurity Europe June 4th.  But after Monday DevOps and security will never be the same again.  No longer can security deny that they must be part of DevOps. We are and should be. We are now in the ADC (After DevOps Connect) era.