This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
DevOps is one of the hottest trends in all of IT—sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We'd translate that, but don't want to make you feel too old and out of touch.)
We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that's really the only way to fully understand the implications.
But just because we like something doesn't mean it won't get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of de-segregation of duties—the sort of thing that rings security alarm bells. We now see DevOps discussed and used in nearly every major enterprise and startup we talk with, to varying degrees.
DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC's Wide World of Sports…it's on YouTube now—look it up, young'ns).
Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It's about getting the job done better and faster to improve agility, resiliency, and economics. You can't really fake your way through building a continuous deployment pipeline, any more than you can backflip a snowmobile (really, we can't make this stuff up -- YouTube, people). We believe DevOps isn't merely trendy, it's our future -- but that doesn't mean people who don't fully understand it won't try to ride the wave.
This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSAC day the Monday before the conference starts, and vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty of bad too, especially presentations on the 'risks' of DevOps that show *someone* doesn't understand that it doesn't actually allow developers to modify production environments despite policy. As for the expo floor? We look forward to seeing that ourselves…and as with anything new, we expect to see plenty of banners proclaiming their antivirus is "DevOps ready".
—Rich Mogull, Analyst & CEO, Securosis
Check out other posts in the series: Introduction
Theme posts: Change; Internet of Things; Professionalism; Compliance; Big Data; Bonk; DevOps
Coverage Area Deep Dives: Overview; Endpoint Security; Network Security; IAM; Cloud Security; Data Security; Security Management
Download your copy of RSAC-G