RSA Conference (RSAC) 2019 is just a month away. Once again, it promises to be the place where the world gathers around security. With upwards of 50,000 people attending, it is big by anyone’s standard.
DevSecOps will be center stage this year, literally. Shannon Lietz, founder of DevSecOps.org, will be keynoting as well as leading a weeklong track on DevSecOps. Shannon is our guest in this DevOps Chat.
Part 2 of this chat where we are joined by Rugged DevOps founder, James Wickett will follow this chat next.
If you haven’t already registered, here’s a code for $100 off a full conference pass (all sessions): 1U9DEVOPSFD. In addition, here’s a code for a free expo pass: 1U9DEVOPSXP.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com, Security Boulevard, and we’re talking DevOps Chat. We’ve got a DevSecOps-flavored chat for you today. Speaking of DevSecOps, we’re with the godmother, the queen of DevSecOps, if you will, [Laughter] Shannon Lietz.
Shannon Lietz: [Laughter]
Shimel: Shannon, welcome!
Lietz: Hi, there.
Shimel: How are you?
Lietz: Hi, there. Thanks for having me here today.
Shimel: Oh, it’s my pleasure as always, Shannon. You know, and I say it tongue-in-cheek, but just to give, maybe some folks in our audience are not familiar with you and your background. You actually sort of founded DevSecOps.org.
Lietz: I definitely founded DevSecOps.org, yes, along with a core bunch of people, yes.
Shimel: Yep, and that was—I’m gonna guess that had to be about four years ago now, five years ago?
Lietz: About—well, there’s definitely been iterations. The website went up around 2012.
Shimel: Okay, so, going on sixth onto the seventh year.
Shimel: Boy, time flies when you’re having fun. But, Shannon, that’s of course not all you do. You also run a team at Intuit.
Shimel: And what was interesting, I remember the first time I listened to you at a conference is, your DevSecOps team, it was a team of developers, if you will.
Lietz: Yeah, I’ve got a team of developers that also do security and ops.
Shimel: Yep, which, at the time was kinda radical, right?
Lietz: Yes, I love radical work.
Shimel: And maybe still a little radical.
Lietz: I think so. I think I’m still pretty radical. I don’t think I’ve outgrown radical.
Shimel: I hope you don’t ever, Shannon.
Lietz: I like being radical. It’s kinda fun.
Shimel: Yeah, one day you wake up and you’re old, so don’t outgrow radical.
Lietz: [Laughter] Oh, no, no—I’m old, I’m just fighting it every step of the way.
Shimel: We all try. We all try, man. Anyway, but I wanted to talk to you a little bit about, you know, we’re coming into RSA season. We’re like one month, a little over a month away from RSA, which is always a big day.
Lietz: Yep. I’m psyched about it, as usual.
Shimel: Mm-hmm. Yeah, so am I. So are we, here. You know, for the fifth year, we’re gonna be putting on DevOps Connect: DevSecOps Days on the Monday of RSA week. Mark Miller, you know, works with me and he’s put together—Mark kinda picks the speakers. So, he’s helped with speaker selection. We have what I think is our best, strongest lineup of speakers yet. I think you’re involved as a mentor?
Lietz: I don’t know if I am, but I know—I think I’m on a panel this year.
Shimel: Yes! That’s right, you are on one of the panels this year. We have a real expert panel with some really great brain power up there, so that should be a good one. We also have some great mentors and introducing some new speakers to the community, and that is the Monday of RSA week, so I believe that’s March 4th, exactly a month from when we’re recording this, and anyone listening, by all means, check us out. If you have any kind of RSA badge, you can get in to Moscone Center to watch it. It starts at 9, runs ‘til 4.
If you need a free Expo Pass, which will get you into this, you can get one on—I think on DevSecOpsDays.org, or DevSecOpsDays.com, as well as on our DevOpsConnect.com page, so highly, highly recommend it.
But Shannon, Monday isn’t your total involvement in RSA and DevSecOps and RSA Week. Let’s talk about what else you have on the docket for that week.
Lietz: Yeah, there’s a ton of stuff on the docket that week. We have a DevSecOps track, and in the track, we have some amazing speakers. Everybody is practitioner-based, and we have a select number of them that are really enticing and intriguing, at all varieties of levels. So, we have stuff for beginners all the way through our advanced folks that are looking for a few more pointers in the direction of things like precision and metrics and what do you do with things like DevSecOps around culture.
Shimel: Excellent. Can you share some of the speakers’ names?
Lietz: You know, I am—[Laughter] I don’t have those right with me at the moment, but I’d be happy to, once I crack open my laptop, provide them to you. I know—
Shimel: Well, you know what, I’ll—
Lietz: – actually, I do know a few. I actually do know a few, that’s right.
Shimel: Go ahead.
Lietz: I know that Julie Tsai is gonna be talking about containers and APIs.
Lietz: I also know that James Wickett is gonna be presenting as a side-by-side with me.
Lietz: And then I also know that we are fortunate that we actually got John Willis to sign up as well.
Shimel: Very cool.
Lietz: And we’re looking forward to some of the folks that are gonna expand our knowledge around what to do, specifically, with things like Kubernetes. And so, there’s a really nice, wide range of folks that are gonna be presenting.
We’ve also got a lot more women in the track this year.
Shimel: That’s nice.
Lietz: So, we really put ourselves to the task of trying to increase the number of women that will be talking this year. And I’ve seen some of those presentations already, and I think it’s gonna be really amazing.
Shimel: Yeah. I mean, so, diversity is something that, frankly, the folks at RSA got a bit of a bad rep last year, I think. And I’ve worked with the RSA Conference people for 20 years. They try really hard, Shannon, to promote diverse—
Lietz: Oh, there are amazing—there’s a lot of amazing women behind the RSA Conference that I don’t think people really know.
Shimel: Exactly. I don’t think people realize that it’s actually run by women, but in any event …
Lietz: It’s primarily run by women, actually. There’s a ton of diversity behind the scenes with the program committees and the program itself.
Shimel: I know.
Lietz: I will tell you, I’ve never seen so many women that run a security conference before, so I’m proud to be part of that sisterhood. And I understand what happened last year. I think that there’s a lot changing in the industry. Specifically, I think one of the things that we’re really trying to impart now is that vendors need to be looking for women in the industry that they can partner with to be able to have more representation, and not just focus on the key male talent in those companies.
Lietz: So, this year, you can tell there’s a lot more partnership in how we’re thinking about it.
Shimel: You can see it. You can see it in the lineup, frankly, of keynotes and everything else. But I think, you know—look, it shone a light on the issue and they’ve responded. But suffice to say—look, this wasn’t a problem of their choosing or doing. The effort’s always been there. It hasn’t always been there from the entire security industry, I mean, the entire tech industry, but that’s changing, too.
But I don’t want to make this about that, Shannon.
Shimel: I think, suffice to say, we’re doing a good job this year, come check it out and see for yourself.
For people, Shannon, who are listening and maybe they can head over to the RSA Conference website, it’s an entire track within the RSA content, correct?
Lietz: Yes, it is. It’s a full track. We have “DevSecOps and Applications Security,” and you’ll find that there’s a good mixture of both of those topics.
Shimel: Fantastic. So, and it’s not just one day, it’s throughout the week.
Lietz: It is throughout the week, and it’s actually the same as every other track. So, we have about 14 speakers.
Shimel: Fantastic. Good stuff. Shannon, let’s talk a little bit, if you don’t mind, let’s talk about the DevSecOps Days. We have a little stage squeaky door there, I thought it was a ghost.
Shimel: Shannon, [Laughter] DevSecOps Days and that whole movement is something you’ve helped foster from DevSecOps.org and working with some of the folks you and I work with. Any exciting news or developments you want to share on that?
Lietz: Yeah. We’re in the middle of finishing up a rebrand of the website, and we are also working on a book, and so—
Shimel: “The DevSecOps Handbook.”
Lietz: – the book is—yeah, we’re working on that. It’s gonna be probably about a year out, but I’m super excited because it’s been a lot of work, pretty hard and difficult to put together. So, that means there’s a lot of great thinking in it, and we’re still working with different folks on use cases, and I think that the knowledge that’s gonna be pulled together is, you know, just—it’s a language of love from the industry.
Shimel: Yes, it is. I’ve spoken to several folks besides you who are working on it, and it sounds like exciting stuff.
Shannon, you know, one of the big things—and you and I, right, we’ve both been trying to preach that DevSecOps to our security peeps now for a number of years via RSA and other conferences. There’s still a group of security people out there, you know, and a lot of them are, the attitudes just annoy the heck out of me, frankly. But it’s this holier-than-thou, that, “Oh, it’s all b.s., right? DevOps is just about giving developers carte blanche, and they don’t care about security, and only security people are about security, and DevSecOps isn’t a thing, if you will.”
What do we gotta do, Shannon? I mean, we keep working. You do—you work hard at it, I work hard at it, a lot of our friends work hard at it. But what do we need to do to convince these doubting Thomases?
Lietz: Well, I think on the development side, what I would say is, don’t avoid security conferences. Start showing up. You know, the security folks can only do better by understanding the diverse perspectives of everyone involved. So, I know that it would be great to see more folks that I work with participate in RSA and other security conferences.
You know, there’s an opportunity from the security side to reach across to the people with you and not make it about, you know, SQL injection or cross-site scripting, but more about—how do we impart the knowledge and the wisdom to be able to make better security decisions sooner in the process, line up the tools and the capabilities (there’s still way too many false positives coming out of tools) and really approach the problem from a different perspective. So, I know that that’s really kind of key on my mind.
You know, also, just bringing more of the precision element to bear. I think having better metrics in this space can also help to really push us forward so that folks start to understand the mathematics behind the decisions that they’re actually making.
Shimel: Absolutely. So, you know, it sounds like a job for education as well as tools.
Lietz: Oh, absolutely.
Shimel: What about the culture, though?
Lietz: Well, the culture, you know, it’s interesting, because what I find is that if you have the right tooling and you have the right metrics and you have the right understanding, the culture comes along. Culture tends to be about change management, and really, whether or not somebody’s doing the right thing when it comes to providing value that they’re performing every day.
So, you know, you might have a more difficult time trying to convince somebody to do security if it’s not part of their day-to-day work. And so, I think that’s really another element of it.
Shimel: Absolutely. And it’s something—you know, so I think one of the not mistakes but, you know, a time waste that we’ve gone through in DevSecOps is, we tend to focus on one or another of these elements, almost at the expense of another, without really recognizing and realizing that one helps the other, right? So, when you have better tools, you have better metrics. When you have better metrics, you have more affinity for each other’s jobs, right? You have more empathy.
Shimel: And when you have more empathy, you have better culture, for the most part, right? It’s like—you know, it’s the circle of life here, right? They all kinda help each other, right? You have better culture, we understand what you’re gonna need in the way of metrics, and if I understand what you’re gonna need in the way of metrics, I can design better tools, right?
Shimel: It’s a circle. And, you know, sometimes I just feel like we get stuck in each individual silo, if you will, without recognizing the interdependency of it all.
Lietz: Well, I think there’s a lot of focus right now on speed. So, I don’t know if I feel the same way that we’re getting focused on one versus the other. I’ve heard a lot of different focus across the industry. So, we’re pressing on all of them, it’s just—everybody has different challenges depending on where they are, so there’s no one-size-fits-all.
And I think, to your point, maybe just the folks that you’re surrounding yourself with could be focused on tools. I’ve actually seen a lot of different variation myself. I’ve probably gone out and just sought it myself. And what I’ve found is that there is a lot of folks that are having different problems at different companies, and the variation is—it doesn’t mean that it’s not working, it just means that everybody is going through some portion of it.
You might have, you know, at some companies, have folks with bigger skill sets; other companies may have really great team strategies. You know, everybody’s got something and there’s always a different perspective and different way to actually go about something.
So, from my perspective, I’m not seeing radical focus; I’m seeing variation that suggest that when companies are embracing this strategy of DevSecOps that they’re either coming at it from a Dev perspective, a security perspective, some of it’s being driven by the cloud adoption and some of those things.
Shimel: Yeah. Yeah, I don’t disagree with that. I don’t disagree. I think it’s not that everyone is tools-focused or everyone is metrics-focused or everyone is culture—I think there’s a variety. But what I don’t see is how people recognize the interdependency of these. How this is really all—it’s just what, holistically, it’s one thing that we’re trying to do. And it is as developer-focused as it is security-focused as it is Ops-focused. It’s not one’s superior or leading the way to the other two or—
Lietz: Yeah, I agree with you.
Shimel: You know, and I think that is something to get on, here. Hey, it sounds like we have a surprise guest joining us to wrap up things, here. Could that be James Wickett?
James Wickett: This is him.
Shimel: James, you’ve got Shannon Lietz on with Alan.
Wickett: Hey! How are you guys doing?
Lietz: Good, thanks.
Shimel: So, James, we were just wrapping up a podcast with Shannon, but being that you’re both on, this is a great segue where I can wrap up Shannon’s and introduce yours, but maybe we can get a little of the both of you. Shannon, do you have to run, or do you have a couple minutes?
Lietz: I got a couple minutes.
Shimel: Alright, let’s do this. So, you know, surprise here in Mr. Alan’s Neighborhood, we’ve got James Wickett just popping in to join us, and of course, James is the founder of the Rugged DevOps movement, an important person in the DevSecOps and DevSecOps space community, as well as one of the principal folks over at Signal Sciences. James, welcome!
Hey, everyone. We’re gonna end part one of this conversation right now. This is Alan Shimel for DevOps.com and Security Boulevard. Check out the rest of our conversation with Shannon and James Wickett in part two in the next DevOps Chat episode. Until then, this is Alan Shimel—have a great day.