DevOps Chat: DevSecOps and RSAC 2019 with James Wickett and Shannon Lietz

RSA Conference (RSAC) is just a month away. Once again, RSA Conference promises to be the place where the world gathers around security. With upwards of 50,000 people attending, it is big by anyone’s standard.

DevSecOps will be center stage this year, literally. Shannon Lietz, the founder of, will be keynoting as well as leading a weeklong track on DevSecOps, and we recently spoke with Shannon about this year’s event. Appearing with her will be another leader of the DevSecOps community, James Wickett, who is the founder of the Rugged DevOps movement and a key member of the Signal Sciences team. Both James and Shannon are our guests in this DevOps Chat.

If you haven’t already registered for RSA Conference, here’s a code for $100 off a full conference pass (all sessions): 1U9DEVOPSFD. In addition, here’s a code for a free expo pass: 1U9DEVOPSXP.

In addition to the DevSecOps track, the 5th annual DevOps Connect: DevSecOps Days will be held Monday, March 4, at Moscone, as part of RSAC.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.


Alan Shimel: Hey, everyone, it’s Alan Shimel, Security Boulevard, and you’re listening to another DevOps Chat. This DevOps Chat is actually part two of a conversation we had with Shannon Lietz and James Wickett on DevSecOps and the upcoming RSA Conference, where we’ll be doing a live DevSecOps.

So, let’s join James and Shannon right now.

James Wickett: Hey, Alan—hey, thanks for having me on. Shannon, glad you’re able to stick on for a few, here.

Shannon Lietz: Yeah.

Shimel: So, James, Shannon and I started off, of course, talking about—you know, we’re about a month out from RSA Conference. We’ve got Monday’s, you know, DevOps Connect: DevSecOps Days event for the fifth year, which promises to be the biggest one yet. It’s all coming together, a lot of great speakers, panels. And then, you know, Shannon is—Shannon, it’s about four or five years you’re doing DevSecOps tracks at RSA now, too, isn’t it?

Lietz: Yeah! I’ve been doing it for a while. It’s been pretty exciting.

Shimel: Yep. So, that, you know, it’s—so, we’ve got a full, so not only do we have a full day of DevSecOps on Monday, but we have a full week track of, I think you said about 14 speakers. [Cross talk]

Lietz: Yeah, and then also, there’s some additional stuff that’s happening at night as well with some of the constituents for helping to foster this from our vendor participants.

Shimel: Yep. There’s—yeah, there’s no lack of ________, I say, or events, that’s for sure.

Wickett: Is that the code word, there? Vendor participant things—the parties?

Lietz: [Laughter] Vendor participation—just so we’re clear. [Laughter] You call it what you want to.

Shimel: So, I—well, just to put a shameless plug in for me, this will actually be the 13th or 14th year I’m running the Security Blogger’s MeetUp and Awards, which is always the Wednesday night of RSA week. And this is like a no-marketing event, just people who write or podcast about security. And it’s—for me, it’s actually my favorite part of the whole week, because I get to see all my people from, you know, over the last 20 years who kinda started, we started this in 2004, so that’s how long it’s going on—2005, something like that.

Anyway, James, talk to us a little bit about your RSA plans.

Wickett: Yeah. Well, I think my plans probably align pretty closely with Shannon’s there, although Shannon’s got the big keynote spot, which, I’m really excited to check that one out.

Lietz: [Laughter]

Wickett: And I’m not sure how much ground you all covered on the DevSecOps talk that we’re gonna be giving together. But—

Shimel: No, we didn’t really cover them all, James.

Lietz: We didn’t cover it. We talked a little bit about diversity. You can go ahead.

Wickett: Oh, yeah. Well, I think what we’re trying to do for the track that we’ve put together—Shannon, you can add in any color, here—but we’re trying to focus on giving people not just a deep dive into any one specific technology, but help people see across different types of organizations, not just kinda the unicorns, but across lots of large enterprises that are having a lot of success in the DevOps space, and helping bring security along for the journey of DevOps, and this is the kind of thing that we’ve dubbed DevSecOps. And I think that’s really important.

Our talk, we kind of named it, “Release Your Inner DevSecOp,” and we’re hoping to bring in some of the key themes from several of the other talks in the track, but help give people a framework for understanding, you know, “Just because I don’t deploy 20 times a day, can I still do DevSecOps?” Yeah, sure, right? Or, “Just because I still have to deal with compliance, can I still do DevSecOps?” Yeah, you know?

So, helping give people some parameters and some ideas around their journey as they’re taking it and—I don’t know, Shannon, do you have any other, anything to add on that?

Lietz: I think you did a great job.

Wickett: Alright.

Shimel: It sounds like it’s gonna be a great—do you guys know off the top of your head when that one is scheduled?

Wickett: It’s on Tuesday, and I’m checking for the actual time, here. Let me take a look, here. It looks like it’s in the afternoon on Tuesday at 3:40 p.m.

Shimel: Fantastic. Alright, so—

Wickett: And you can reserve a seat, so, you know—

Shimel: I was just gonna mention that. For my folks listening who already have their RSA ticket or pass or maybe you’re looking to get one, when you go in, you can—once you register, you can actually reserve seats at tracks like James and Shannon just spoke about, which will, I guess, guarantee you a seat in the beginning of the event. So, if you’re not there when the track starts, when that talk starts, I think they will give it if there are people waiting to people waiting—and rightfully so.

Wickett: I think it’s—Shannon, correct me if I’m wrong, but I think it’s 10 minutes before you get the ability to get in there, and then they sort of open it up after that.

Lietz: Yeah, that’s right.

Shimel: So, for DevSecOps Days on Monday, we’re doing it a little differently this year with RSA. People don’t have to pre-register, but they express a preference, so they don’t necessarily get a reserved seat, but I think our room is gonna fit 1,500, so we’re hoping to have seats for everyone.

Lietz: That is so exciting. That is awesome.

Shimel: Yeah! It really—well, last year, I think we did over 1,200 and something last year, so let’s hope.

But anyway, you know, this sounds certainly like a can’t-miss one. But Shannon, like you said, we’ve got 14 speakers in the track all week there, right? And you and James are amazing and great speakers and it’s gonna be a great topic. But I really encourage, especially my DevOps people listening to this, if you’re in the San Francisco area and you can get to RSA—well worth your time. Well worth your time, (a) to just meet real security people and kinda empathize with what we all go through, but (b) just tremendous learning, and like Shannon said, there are some vendor—what was the term you used, Shannon? I don’t wanna misquote you.

Lietz: Vendor participation events.

Shimel: Vendor participation events at night, you might even be able to get a free drink or two. So, please, please join us for those. We’ll actually have a list on and Security Boulevard of some of those events, by the way.

Guys, beyond the DevSecOps, we spoke a little bit about diversity, James, before you came on. Anything else get you excited about RSA this year?

Wickett: I would say, I was actually thinking of kinda just, I wanted to mention a couple talks. So, you said beyond DevSecOps—Alan, what is beyond DevSecOps?

Shimel: Nothing is beyond DevSecOps.

Lietz: [Laughter]

Wickett: No, but I did wanna say, we do have—I’m pretty excited about a couple of the talks in our track. I mean, I think all of them are looking, are really great. But, you know, if you’re hands on or you’re dealing with a lot of things in the cloud native space, Karthik Gaekwad is gonna be there talking on Wednesday. I think that’s gonna be a really great talk. He’s one of the evangelists over at Oracle, but he does a ton of security talks, and we’re having him on the “Modern Security Series” for Signal Sciences at the end of this month. But I think that’s gonna be a good one not to miss.

There’s other ones if you’re just more plain vanilla Docker, we have a talk on that. So, you know, I feel like there’s some really good options for folks, and we’re really excited about that at the track.

So, other stuff we’re interested in in RSA? I don’t know. I mean, I feel like one of the great things about RSA is that you’re able to get together with a lot of longtime friends in the industry—and Alan, much like you, that’s what I look forward to as well, being able to connect with folks that we’ve known or worked with or seen. Even though security is big, RSA is a large environment, it still feels like a very kind of smaller form community at many of these places.

Shimel: Absolutely, it does. And it’s funny, you know, they’re expecting upwards of 50,000 people this year, and one may say, “Big? It’s beyond big—it’s 50,000 people. How can it be intimate? How can it be small?” But, you know, I don’t pretend to know 50,000 people. But the couple of hundred people that I do know and I see at RSA every year really kinda make it all worthwhile for me, and I think, James you probably feel the same way, and Shannon, you do as well.

Lietz: Oh, yeah.

Wickett: I used to—just for anybody out there that’s thinking, “Oh, you know, I don’t know if I really wanna go,” or, “I’ve never been to RSA,” I used to sort of try actively not to go to RSA, just because it’s spring time and other things. And then I realized, “Oh, you know, this is probably one of the better events that I get to go to.”

And I think it’s, I always sort of look back and I say—well, 50,000 or 30,000 or anything in the tens of thousands of people, there are conferences that make it really hard to kinda have those types of connections that you want, have the conversations that you want, to hang out with people that have kind of the same interests that you have. But I found that RSA has somehow been able to continue to be something that I’m really interested and really excited about going to and being a part of.

So, I feel like I sort of missed out several years, but I’m glad I’m kind of on the RSA, thank you for [Cross talk].

Shimel: I’m glad to hear that, James.

Wickett: Yes.

Shimel: Very cool. I mean, Shannon, as long as I’ve known you, you’ve been going to RSA, and I’m ashamed to tell you guys that I’ve been going to RSA since 2002, and so it’s been a while for me. [Laughter]

Lietz: I was gonna say, I’ve been going there for maybe longer. I just [Cross talk].

Shimel: Oh, you’re not that old, Shannon! [Laughter]

Lietz: Oh, yes, I am. [Laughter] I hide it well under this red hair.

Shimel: You wear it well—exactly. But yeah, it’s been a while. With that being said, I just wanted to also give a couple of plugs. From DevSecOps Days: DevOps Connect on Monday, we also have the DevOps No Whining Party, which is actually something Josh Corman started five or six—no, we’ve been doing this five years—so, six or seven years ago. And we’ve carried it on—actually, I recently communicated with Josh, and I think he may be there and I’m looking forward to seeing him.

But, so Monday night is the DevOps No Whining Party, and anyone interested in DevOps, DevSecOps I invite. If you’re listening to this, go check it out, you can get to it, again, off the DevSecOps Days page as well as the DevOps Connect page. It’s free to register. It is sponsored. It’s one of those sponsored events that Shannon talked about, and I invite folks to join us there.

I should also mention to both of you that this year, MediaOps, which is my company behind, Security Boulevard, Container Journal and more—we are an official media sponsor, and I actually have a broadcast booth on Broadcast Row in Moscone West, and we’ll be broadcasting hopefully near live from there pretty much all week. And actually, Chenxi Wang Shen, Chenxi is gonna take a two- or three-hour block and is doing a whole diversity set of interviews, which is gonna be really cool.

Lietz: That’s awesome!

Shimel: Yeah, and you know Chenxi, she’s a pleasure, anyway. And then Mark Miller is gonna be doing—he’s also taking a two-hour block to do some DevSecOps Days interviews, and all of our speakers from DevSecOps Days: DevOps Connect will be interviewing at some point during the week, there. Both of you are involved, anyway, but you both, feel free to come in and drop in for an interview. And anyone listening, if you have something good to add, you’d like to talk to us, please stop by and see us.

Shannon, where are you guys gonna be when you’re not actually speaking?

Lietz: Well, I tend to hang out in Moscone North a lot, and looking for technology that’s DevSecOps-related. I’m doing a lot of research around the vendor space and trying to put some parameters around that. Still finding that folks are wrapping up their technology with some DevSecOps and so, I’m trying to understand specifically things like scanner technology as well as some of the new capabilities that are emerging right now. So, you’ll probably find me there, and otherwise, you’ll probably find me at some of the vendor participation events if you’re looking for me at night.

Shimel: Absolutely. James, what about you?

Wickett: Yeah, during the day, I’ll be kind of going around to some of the talks in the DevOps and the applications security track. I’m pretty interested in the—you know, in talks around some of the Docker and Kubernetes stuff like I mentioned earlier. There’s some good chaos engineering type talks that I find interesting, other ways that people are looking at doing scoring and other types of vulnerability analysis. So, I have some of those things that I’m interested in.

I also really like to walk the trade show floor. It is a little bit tiring and a little bit exhausting at times, but especially around the perimeters—

Shimel: You’re right.

Wickett: – I like to see who’s out there, where people are going to things, how the messaging is shifting. So, I try to do those, and I can’t—you know, it’s split up into two halls and it’s very large, but I’ll try to make my way through the floors, at least in some chunks at a time.

And I’ll definitely be spending at least a little bit of Signal Sciences booth to go see my coworkers and see how things are going there, but—yeah.

Shimel: Absolutely. Look, walking that floor is a great way of getting your steps in. I mean, I usually average 15,000 plus steps a day at RSA, so it’s good exercise, if nothing else. Anyway—

Wickett: I definitely need my steps—I definitely need my steps.

Shimel: We all do.

Lietz: Yeah, everybody’s gotta get ‘em. [Laughter]

Shimel: We all need our steps, exactly. Alright. I think we’re gonna call it a wrap, then, guys. James Wickett, Signal Sciences; Shannon Lietz, Intuit—who knew that it was gonna be both of you at the same time? This was a bonus.

Lietz: That’s pretty awesome.

Shimel: Absolutely! Hey, guys, it’s a month away, we’ll see you both in San Francisco. For everyone listening—please, go register for RSA Conference. As I said, you can get a free Expo Pass and get your steps in, too. You can get a code for the free Expo Pass at, or at the DevOps Connect site, which is our—meaning and Security Boulevard, my MediaOps site where we have all that information as well as our speaker lineup. Check out the track that Shannon’s put together with James, it’s all week long. If you have a pass, enjoy some of the sponsor activities and everything else.

James, Shannon—thank you, both.

Wickett: Okay. Thanks, Alan.

Lietz: Thank you so much, Alan. Bye for now.

Shimel: Alrighty. Hey, this is Alan Shimel for and Security Boulevard, and we’re looking forward to seeing you at RSA Conference in a month, March 4th, it kicks off. Take care, everyone. Have a great day.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded and then the DevOps Institute. is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
