If there’s one thing the DevOps cultural and professional movement taught us, it’s to question the status quo for the betterment of our customers, businesses, and ultimately, our teams. The combination of improved tooling, questioning structural barriers between teams, and a “shared outcome” culture has been a powerful force to date. Granted, we’ve seen the most […]
Deputizing Everyone for Security – Building Agile Assurance
Those of us highly focused on the delivery pipeline of DevOps will wonder why we should invite the security guy to the party. After all, aren’t they just going to slow down the process and make it harder to deliver good features to end customers? My prior post about introducing SecDevOps by example was not […]
Security in the operational relay race
If you’ve ever seen people run a relay race, you’ll notice that most of the risk happens when the baton is handed from one runner to the next. In IT processes, there is also dramatically increased risk during handoffs. Whether you’re moving from one process phase to another, one “owner” to another, or one environment […]
Security automation with DevOps: show me the code!
Last week Andrew Storms put up a good post hinting at the promise of security automation in [SecDevOps: Security Automation By Example – The Firewall Change]. He included an example of automating a series of actions when a firewall rule is changed. It’s a good article, although I’m increasingly convinced there’s no such thing as […]
SecDevOps: Security Automation By Example – The Firewall Change
Security Automation By Example – The Firewall Change. Just when you thought DevOps was the new black, along comes SecDevOps. Yes folks, like most things in life, the new cool is already here. Before I move on to trying to explain SecDevOps, please accept my mea culpa because for many people DevOps is yet to be […]
You have to crawl before you walk…
In previous posts I have explained what Security Policy Orchestration is, why DevOps folks should care, and how it can help facilitate the cultural change necessary for organizations to reap the long-term benefits of the cloud and virtualization. In this post, I’ll provide a few examples of how Security Policy Orchestration can create some “quick […]
DevOps: Security’s last best hope
Help us Obi Wan! The fact is that DevOps is security’s last best hope. The sooner the security industry realizes it the better it will be for everyone. I read George Hulme’s story today about proceeding with caution and going slow with DevOps. Of course it was no surprise to me that those cautioning to […]
Delivering Delight At ChefConf 2014
Chef CEO Barry Crist stirs the pot to open ChefConf 2014. The theme from ChefConf 2014 is stirring delight, and if you listened to Barry Crist during today’s opening keynote, then you would know it’s more appropriately “F****ing Delight”. Amidst high energy, loud music and a smattering of exciting expletives, Barry Crist called for attendees […]
Trust and Computers Make the News
The Heartbleed bug in OpenSSL was major news this week. While you are waiting for sudo apt-get dist-upgrade to run on all your servers, let’s take a minute to reflect on how the SSL trust system works and about the kinds of system relationships that depend on it. Just to recap, SSL-based trust derives from […]
Continuous integration for better security
One of the big advantages of smaller deploys and continuous integration is that they can make it easier to provide more proactive security. In short, continuous integration (and the automated testing it enables) makes it easier to focus your security team on analyzing the areas where the security risk is higher. If the notion of […]