Andrew Clay Shafer expresses his disdain for the term 'devsecops,' reflecting on the evolution of DevOps and the necessity for collaboration among developers, operations, and security. He suggests that successful DevSecOps requires cultural shifts and continuous improvement, emphasizing that security should be integrated from the start rather than treated as an afterthought. The document concludes with a caution about the challenges of adopting new practices and the resistance to change that can occur.

1. devsecops
Andrew Clay Shafer
@littleidea
the end of the beginning

2. @littleidea
Andrew Clay Shafer

3. @littleidea
Andrew Clay Shafer

4. @littleidea
Andrew Clay Shafer

5. @littleidea

6. I hate the word ‘DevSecOps’
I also hated the word ‘DevOps’
Before that I hated the word ‘Cloud’
But here we are
Get off my lawn

7. I INVENTED DEVOPS

9. This is embarrassing.

10. I didn’t invent devops.
I stole it.

11. Velocity 2009

14. 2009 Gent, Belgium Patrick DeBois

16. Spectrum of Criticality
Cat Pictures Finance Life & Death

17. devops - calms
• culture
• automation
• (lean)
• metrics
• sharing
Damon Edwards and John Willis
(plus Jez Humble)

18. what does that mean?
what am I supposed to do now?

19. tried to make these actionable

20. Culture
Automation
LeanMetrics
Sharing

21. Westrum Topology Culture

22. Manual Scripted Platform
toil effort directed
catastrophic failure disaster recovery self healing
incidents MTTR continuous partial failure
Automation (And Architecture)

23. unmonitored measured insightful
no info data SLI
ssh aggregation dashboards
never gets done secondary observability built in
Metrics

24. hidden available ambient
can’t find searchable cultivated
strong silos publish info share personally
everything is secret secret to company global community
Sharing

25. Lean Subsumes ALL the Things
ignore what a terrible metaphor manufacturing is for software

26. Continuous Improvement

27. complacent motivated inspired

28. CALMS sounds better than CAMS
¯_(ツ)_/¯

29. Culture
Automation
LeanMetrics
Sharing

30. Culture
Automation
LeanMetrics
Sharing
Security

31. lol try do
security? after the fact first principles
theatrics tools built in
hide blame own
Security

32. devops
• developers and operations can
and should work together
• system administration evolving to
look more like software
development
• evolving together as global
community sharing solutions
Legacy me - in 2010

33. devsecops
• developers AND operations AND
security can and should work
together
• security is evolving to incorporate
more software development
• evolving together as global
community sharing solutions
me - in 2019

34. super computers everywhere
connecting all human knowledge
with high speed networks
…to adversaries

35. every aspect of human performance
and experience that can be optimized
will be…
including owning you

36. optimizing human performance and
experience operating software…
and humans
with software…
@littleidea’s definition of devops™:

37. optimizing human performance and
experience securing software…
and humans
with software…
@littleidea’s definition of devsecops™:

38. WE IMPLEMENTED DEVOPS

40. we have devsecops

41. implementing devops
is not a thing

42. implementing devsecops
is not a thing either

43. devops is never done

44. security is never done either

45. everyone wants the devops
Well actually…

46. what they really want
• scalability
• availability
• reliability
• operability
• usability
• observability
• all for free
• without changing anything

47. without changing anything

48. without changing anything

49. without
changing anything

50. everyone wants the devsecops
Well actually…

51. without
changing anything

52. don’t want to forget
‘how we do things here’

55. resistance to change?

56. security:
the unfunded mandate
incentives drive behaviors
so weird…

57. people attach their
identity to their tasks
changing what they do is
an attack on their identity

58. we have to make them heroes
in the new version of the story

59. developers are under a lot
of pressure to do things…
right now

60. we have to make doing the
‘right thing’ the ‘easy thing’

62. your platform has to audit
and enforce your policy*
*risk profile

63. continuous compliance

64. when devsecops is successful
people will abuse the term
and it will splinter into
subcommunities

65. because infosec is
not one thing either

66. what are the infosec analogs
for ‘observability’, ‘reliability’,
‘resiliance’ & ‘chaos’?

67. It ought to be remembered that there is nothing more difficult to take
in hand, more perilous to conduct, or more uncertain in its success,
than to take the lead in the introduction of a new order of things.
Because the innovator has for enemies all those who
have done well under the old conditions, and lukewarm
defenders in those who may do well under the new.
Niccolò Machiavelli, The Prince

68. good luck; have fun

69. I’m not here to answer questions.
I’m here to have conversations.
Thank You