Prior to DevOps (the continuous operational merger of development and IT operations), we were trying to do security from within the existing system of constraints and incentive structures, which meant forcing it onto people's priority lists.
"Any strategy that's based on changing human nature is bound to fail," admitted Josh Corman (@joshcorman), CTO of Sonatype and founder of IAmTheCavalry.org, in our conversation at the 2015 Security B-Sides conference in San Francisco. "DevOps is a cultural change that's aligning incentives for mutual benefits. It's making people faster, more profitable, more competitive."
Corman and his colleague Gene Kim, co-author of "The Phoenix Project," will be leading the first-ever DevOps track at this year's RSA Conference.
"[DevOps] is a chance to inject the best and brightest earlier in the lifecycle and we're showing them how security choices like a software supply chain can make organizations faster, more profitable instead of being a cost and an inhibitor," said Corman.
For about four years, I've been interviewing Kim and Corman about their rugged DevOps obsession and how the best-performing companies were using DevOps. I asked Corman what he thought was the biggest change over that time.
Initially, said Corman, it was scary and new for the security practitioner. But "complexity is the enemy of security. It's also the enemy of stability and availability."
The advantage of DevOps is that it is built on instrumenting everything, which gives you far more visibility into what is actually running and changing. Change happens when you have visibility, and DevOps is constantly striving for continuous process improvement.
Be aware that DevOps is a force multiplier, noted Corman. If your people, process, and technology are sloppy, you'll see very fast how bad they are.
Corman, though, strongly believes in the culture of fail fast and iterate: "Every nightmare to me is an opportunity for us to make them look better. We're a contributing member of the team to make their offerings even stronger."