Alan Shimel on DevOps, Security’s Last Best Hope

Andre Pino: In today’s episode, I’m joined by Alan Shimel, the cofounder and editor-in-chief of DevOps.com and SecurityBoulevard. Welcome, Alan.

Alan Shimel: Thank you, Andre. It’s a pleasure to be here.

Andre: So Alan, DevOps.com – how long has that been online now?

Alan: You know, it’s funny you ask, Andre. Actually March 14th – excuse me, March 11th of 2014 is when we officially re-launched the site as it is now. So it’s been about four years, believe it or not.

Andre: Wow, and how has the audience grown over those years?

Alan: Oh, I think when we first launched, Andre, you know, if we had a thousand visitors a day, at first, we were very happy. And today we get about, I don’t know, 200 or 250,000 people a month that come to DevOps.com. So numbers-wise it’s incredible. But I think an even better indication of the DevOps community and the popularity of DevOps is the geographic spread. When we first launched, in that first year or so, you know, we had about a 65-70 percent U.S. visitor rate. So, you know, two thirds of our visitors were from the U.S. And today, only about 36 or 37 percent of our visitors are U.S.-based. We get a slightly less amount – 31, 32 percent are from Europe – eight or nine percent from UK alone. 15 percent of our visitors come from India. And then the rest of the world – you know, beyond Europe, U.S. and India, make up the rest of the visitors.

So it’s really a worldwide community, a worldwide DevOps community. And you know, Andre, I’m sure you probably see that at CloudBees. Right? DevOps knows no borders.

Andre: Yeah. And so based on those numbers that you mentioned and the change that you’ve seen over the years, would you say that DevOps has really achieved a mainstream IT movement at this point?

Alan: Oh, no doubt. Compared to where it was four years ago, it’s definitely crunched the chasm and it’s gone mainstream. But we are in what I call right now a golden age for DevOps, where DevOps awareness, DevOps adoption is achieved – let’s say a super majority of organizations. So something probably north of 60, 65 percent of organizations are at least either dabbling in DevOps or have plans within the next six months to initiate some DevOps type of projects and so forth. However, probably ten percent or less of organizations are, let’s call it, end-to-end DevOps. So they’ve adopted DevOps through and through and they’re really doing DevOps. So what does that mean? That means that, you know, virtually – not every organization, but a majority, an overwhelming majority of organizations are either starting to do DevOps or are planning to do DevOps, which is great.

But the bulk of them, 90 percent of them, still have a ways to go on their DevOps transformation lifecycle, right? And so that presents tremendous opportunity for companies like CloudBees, who are helping those companies who are starting their transformation. But they’re going to need the right tools, the right setups, to really go end-to-end with their DevOps. And Andre, that’s probably similar to what you’re seeing, where you get – organizations maybe download Jenkins and they’re using a Jenkins server. And then as their transformation progresses, they start needing multiple Jenkins servers. They need the enhanced features that a CloudBees enterprise Jenkins situation gives them, right? And that’s where the big growth is, I think, over the next 3-5 years. Not companies necessarily adopting DevOps for the first time, but companies expanding their DevOps patterns end-to-end within the organization. Make sense?

Andre: Yeah, I think that’s absolutely right, Alan. And what we’re seeing in the Jenkins community and the CloudBees community is we’re reaching a point now where organizations are trying to figure out how to scale out their use of continuous delivery automation. They’ve sort of achieved that, “Okay, we understand what it takes now, but now how do we distribute and scale this across the organization,” as they invest in more development and project teams. So I think you’re absolutely spot-on with that observation. And you know, it’s interesting, because you see that from a DevOps.com perspective and we’re seeing it from a commercial business perspective.

Alan, one of the interesting things about you is you have a very strong background in security. How did you get into security? What was that security experience like?

Alan: Sure. So, you know, I guess I – as you get older, you can say these things, Andre – I’ve had a very interesting life history. I actually went to law school and passed the New York Bar and I was 23 years old. I hated law, always loved technology and computers were my hobby. So I had my own little network at home, and like so many other of your listeners out here who are a little on the geeky side, you know, you like to tinker with computers and software and hardware. For me it was about trying to break things and then fix them, which is a very common pattern in security, actually. When you ask a lot of security people how they got into security, they’ll tell you it was because they like to break things. And then they fix them.

So I got into computers as a hobby, and then when the Internet went commercial – right, ’96? Around then, Netscape comes out. I started what became a web hosting company, which I then was lucky enough to sell within 18 months or so to another company which then went and did the whole dotcom IPO thing and all of that. And what we morphed into from beyond just hosting was managed services, among which was managed firewall. So this is, Andre, pre-cloud, pre-virtualization. It’s a different world. We were selling managed checkpoint firewall. And that’s when I really started getting into security, around this time. The tools were very primitive compared to what we have today. But frankly the threats were primitive too, right? The hackers were kiddie scripters who hacked into things because they can. Not because they were trying to bring down critical infrastructure or steal a lot of money or something like that. It was a different world.

Andre: Yeah, it wasn’t malicious. They were just trying to see what they could break.

Alan: Yeah, they did it to see if they could. So I became very involved in that. And then after 9/11, some of my friends and I started a company which became known as StillSecure, and it was out of Boulder, Colorado. And we developed software for intrusion prevention, vulnerability management and network access control. And you know, StillSecure was an interesting player early on in the – we didn’t even call it cybersecurity then. It was infosec. In the infosec world, we sold a lot of product to the U.S. Department of Defense and the various armed forces. We also protected a lot of major enterprises. And through my StillSecure years I became much more enmeshed within the security community, much as I have within the DevOps community, right? I tend to get involved like that. And I became somewhat of a community member. Still am. I started things like the Security Bloggers’ Network about 14 years ago, where we had 400 different blogs about security in an aggregated feed.

It’s a long story, but I – Google was running it, and then they had asked me to put it together, and then they didn’t know quite what to do with it, and they said, “Would you take it back?” I said, “Yeah.” And to this day the Security Bloggers’ Network still has 350, 400 blogs in it that generate 50 or 60 articles a day on – we call it now cybersecurity. And that’s probably the largest collection of security-related content in one place, on a daily basis.

Andre: That’s pretty amazing.

Alan: Yeah, it is. And it really is the – it’s the backbone of what we launched about four or five months ago now, another site called SecurityBoulevard.com. And it’s the home of the Security Bloggers’ Network.

Andre: So tell us a bit about SecurityBoulevard.com.

Alan: So SecurityBoulevard really represents the culmination of two long-time goals that I had. One was, when I originally started the Bloggers’ Network, as I mentioned, it was for Google. It was actually pre-Google; it was for a company called FeedBurner, run by a guy named Dick Costolo, who went on to become the CEO of Twitter, actually. And ever since I took it back from FeedBurner and Google, my idea was one day to create this community around the Bloggers’ Network. You know, for the last 14 years at RSA Conference, which is RSA Conference, we make a huge bloggers meet-up and awards for the best blogs. And it really is a tremendous community of some of the top, top people in the security space. So I’ve always wanted to create an online community site around that, and it just was the lack of time, frankly, to do it, and the bandwidth.

On top of that though, you know, the reason I originally got into DevOps, when I first met Gene Kim, who comes from the security world himself – you know, he was the founder of Tripwire – I always thought DevOps was security’s last, best hope. Right? “Help me Obi Wan.” And so that was why I got into DevOps, was to help with security. And then, over the course of the last 3-4 years at DevOps.com, we’ve seen the rise of DevSecOps as probably one of the two or three hottest segments of the DevOps community, if you will. Right? What are people asking about? What are people struggling with? What are people wanting information on? DevSecOps is a big – you know, a big piece of that.

So, you know, SecurityBoulevard represents for me the culmination of these two things. It gives my Security Bloggers’ Network a real home, as well as gives us an outpost where we can really dive deeper into DevSecOps and related technologies. You know, DevOps.com cannot be DevSecOps all of the time.

Andre: Right.

Alan: There’s continuous testing, there’s software lifecycle management, CI/CD/ARA. There’s so many different aspects of DevOps that we cover the culture and everything. Where, SecurityBoulevard, we really go deep on DevSecOps as well as other cybersecurity – I mean, cybersecurity right now is such a huge topic worldwide, as I’m sure most of our listeners know. You know, between election hacking and financial fraud and social media taking all of your background info and using it, it’s just on the top of everyone’s mind. So it’s a very, very relevant and hot area of the technology. And not only technology. I mean, it’s mainstream news today, Andre.

Andre: Sure, of course. So Alan, with respect to DevSecOps – so it seems like between DevOps.com and SecurityBoulevard you’ve got sort of a foot on each of the hottest topics in IT today. And DevSecOps is sort of that area that spans both of those worlds. You know, the whole DevOps movement is based on process and automation, as well as culture. But primarily a lot of it’s based on process and automating that process, so that you can achieve the continuous delivery and continuous deployment aspects in a way that is consistent every time you make a change. So with respect to DevSecOps, where is DevSecOps today? Is it process? Is there automation? And is it to the level of automation that some of the other areas are at, such as testing?

Alan: Yeah, so that’s a great question. So we would like it to be. We would certainly like it to be. There’s a couple of issues that present themselves though when we talk about DevSecOps. So number one, in order to keep up with the velocity of today’s continual use delivery pipelines and so forth, right – you have to automate as much as you can with security. So, you know, we talked about – shifting security left, you know, further into the CI/CD pipeline process. And we talk about automating a lot of this security kind of testing and so forth. I would say in that regard we’re making great progress. A lot of the traditional security vendors are joining in here. And then a lot of the DevOps vendors and tool guys are adding security into the mix. So when we look at things like let’s say Chef and Puppet are doing, they’re adding – a lot of their code inspection is actually security testing. A lot of the compliance vendors are building that in.

So, from a pure technology point of view, Andre, we’re seeing that automation, we’re seeing that shift left, and it’s a good thing. The issue, I think, that we have in DevSecOps is more of a cultural one. And this is not unlike what we saw in DevOps itself, right? It’s about culture, it’s about people, it’s about process. And in security it’s a little bit harder, because – you know, for 25 years, security in many organizations, the infosec team was not part of the IT team. It was part of risk. And since it was CFO, it was independent. It was, what I call “other,” right? There’s us and there’s them, and security was definitely a them. Right? Security were the people who said no. Security were the people who didn't let you do what you wanted to do, because it didn’t match some compliance statute or it wasn’t – it wasn’t secure enough, bad things can happen.

So we have this long history of being different, of being the people who say no. Now all of a sudden with DevSecOps, we’re saying, “Oh no, security, we want you to have a seat at the table. We want you to be more involved earlier on.” And the security guys saying, “Wait a second, I’m the security guy. I’m not supposed to be that,” right? In a lot of organizations, a lot of infosec people don’t consider themselves part of that continuum.

Alan: All right. So Andre, when it comes to DevSecOps, you know, to me the RSA Conference is a great indication of what we’re seeing and kind of some of the struggles we had around culture. RSA is the biggest security show in the world. This year we’ll draw about 50,000 people. And for the fourth year, in partnership with the RSA Conference, we’re putting on our DevSecOps Conference within the Moscone Center on the Monday of RSA week. And we have some of the leading people from both the DevOps community and the security community coming together and talking about DevSecOps. And we put this on as DevOps.com, in partnership with RSA, and this year SecurityBoulevard as well. And Andre, I think the first year we had maybe 400 people, 600. This year we’re expecting about 1,500 people to come to DevSecOps. And we have, you know, everyone in the past we’ve had Gene Kim, Josh Garman, John Willis, Damon Edwards, as well as a whole bunch of security people you probably wouldn’t know.

This year, John Willis, Shannon Lietz, Chenzi Wang – we have an amazing lineup of speakers. But more than the speakers, the community is really coming around it. I feel like we’re getting somewhere with the cultural aspect of making security people understand and feel welcome as part of the larger DevOps community. You know, a lot of people say, “Why should we have DevSecOps?” Right? “We don’t have DevTestOps, we don’t have DevHROps, we don’t have DevBizOps. Why does security need a DevSecOps?” And you know what? There is only one DevOps. DevOps is DevOps is DevOps. But by putting that Sec in, it puts out the welcome mat for the security community, who for too long were shunned from the traditional Dev and Ops teams. So that’s why we put the Sec in DevSecOps. Right? It’s to remind people that security belongs right there in the middle of it.

And, as I mentioned, it’s a cultural battle that we’re waging here, more than a tools battle. The tools are great. The technology for doing automation with security has never been better and it’s getting better everyday. But we need to work harder culturally to make security people part of the team, part of the mix, part of the community. And that’s what I try to do. Make sense?

Andre: You know, Alan, I think that makes perfect sense, and I think that’s very much parallel to what we’ve seen happen with QA organizations over the years. You know, QA used to be this organization that developers would toss their code over to and hand it off to them, and now over the years the movement has been to push left for QA, to get QA involved earlier on, get the tests developed earlier on in the development cycle. And so that developers were catching problems earlier on. I think it’s a strong parallel here to what’s happening in the security world as well. And I think that for the success of DevOps as a movement and a way for organizations to implement their digital strategy, I think that unless security gets a real seat at the table, that DevOps is never going to achieve the success that it really needs to, because there will always be that question about, you know, is the code secure? And especially if you’re rolling out code faster and faster, but once it goes into production you have security problems. That’s not going to fly. So I think it’s an important movement.

Alan: Yeah. I mean, it does parallel the QA story, Andre. I think culturally – where in QA, the big – you know, when I first got into DevOps, Andre, the big thing with QA was, “Is QA going to exist in a DevOps world?” right? Everybody thought they were going to lose their jobs. So that was I think the biggest hurdle we had to overcome – that QA is not going away, testers are not going to lose their jobs. You know, we’ll all automate where we can and we automate as much as we can, but that doesn’t mean we don’t need testers. Where with security people, security’s not going away and neither are security jobs. We can’t hire enough security people.

Andre: Right.

Alan: We just need to integrate it in.

Andre: So Alan, for organizations – so one thing I wanted to mention was that, you know, DevSecOps is becoming such a big topic amongst the DevOps community that we’re adding actually a whole track on DevSecOps at Jenkins World this year, so folks can look forward to that and learn a lot from the speakers we’re going to have at Jenkins World related to DevSecOps. But beyond that, for organizations that started their DevOps journey and are now looking for best practices and other experiences of people who have integrated security into their DevOps transformation, is there a specific area of SecurityBoulevard that you would point people to?

Alan: Sure. So there’s actually sections of both DevOps.com and SecurityBoulevard that focus on DevSecOps. On SecurityBoulevard there’s a whole DevOps section that’s all DevSecOps. And on DevOps.com there’s actually a DevSecOps or a security section that focuses on DevSecOps. But I will also mention, Andre, you know I’m one of the co-founders of the DevOps Institute, and we are just rolling out now our DevSecOps class, written by a few friends of mine in the security space, and reviewed by them. It’s an excellent, excellent course for anyone who is interested in learning more about DevSecOps and really becoming a practitioner there. And I will also announce it here on your show – you know, I’ve been working with John Willis, you know, coauthor of The DevOps Handbook, as well as Mark Miller and the fellows over at Sonotype, who were behind All-Day DevOps. And we are beginning to roll out something called DevSecOps Days, which is sort of built on or based on or modeled after DevOps Days. And John is behind this, I’m helping.

And we are going to be a DevOps Days type of DevSecOps Days series of events around the world. I think we’re going to kick off the first one in June, in London, right after Gene Kim’s DevOps Enterprise Summit. We’ll be doing a DevSecOps Days in London. You can get more information as it becomes available on DevOps.com. But we’re really trying to bring this to mainstream, to the world – a place where, you know – more outlets where you can find out more about DevSecOps.

Andre: That’s great. I think that’s a great idea, and I think that doing more things like making DevSecOps mainstream, such as DevSecOps Days will help to get the message out there and help people to implement those best practices and the automation associated with it into their DevOps practices overall. Alan, thanks very much for joining us. It was a great discussion, and we’ll look forward to seeing you at the next event.

Andre: Thanks, Alan. Have a good one.