Software Security: Industry Influencers

Author: Mark Miller, Trusted Software Alliance
© All rights reserved
Description
50 in 50 is a series of interviews with open source security experts from around the world, recorded as we work together on how to manage the security of open source applications.
31 Episodes
Matthew McCullough is the director of field services at GitHub. While at DevNexus 2015 in Atlanta earlier this month, Matthew and I sat down with Brian Fox, VP of Product Management at Sonatype. The discussion was wide ranging, covering everything from the prevalence of Java on GitHub, to the patterns for enterprise software development that use the DevOps tool chain, to polyglot programming becoming the norm. Part of the discussion covers how Nexus and GitHub work together to create a complementary tool set for the contemporary programmer.
Music for today's broadcast is provided by The George Cole Quintet.
"Typically, people divide the (software) world into cost, schedule, functionality, quality. In my experience, almost everyone when they talk 'quality', are excluding security." -- David Wheeler
David Wheeler is a project leader at the Institute for Defense Analyses. He also teaches a graduate class on software security at George Mason University. David has a unique view of security's role as part of the software development life cycle.
In this wide ranging discussion, we talk about the current state of security, how people are trained (or not trained) to handle security as part of the development process, and what the future looks like for the security industry.
"We've already moved to a mostly componentized world. We now have to understand that we have to update the components as we go along. We need to put tools in the customer's hands so they can quickly identify, 'Wow! You're using a library with 300 known vulnerabilities. I'm not going to use your system until you get your act together.'" -- David Wheeler
About David A. Wheeler
My professional interests are in improving software development practices for higher-risk software systems (i.e., ones which must be secure, large, and/or safety-critical). My specialties include writing secure programs, vulnerability assessment, open standards, open source software / free software (OSS/FS), Internet/web standards and technologies, and POSIX.
http://www.dwheeler.com/
"I think with development practices, such as CI, we're going to get to a point that rather than having this one, monolithic milestone where you're given these hundreds of defects, instead the developer will have the ability to ingest these quality defects as they truly are on a daily or nightly basis as their code is checked in, compiled, assessed and run against the test harness allowing for a lot more of these defects to be addressed a lot earlier in the development cycle." -- Omkhar Arasaratnam
In today's show, I talk with Omkhar Arasaratnam, Chief Security Architect at the TD Bank Group. I talk with Omkhar about his work with open source and how component-based software has become ubiquitous within the development environment, finding its way into virtually every corner of today's software.
With his history as an open source developer, Omkhar brings a unique perspective to his role as security architect. We begin today with a story about his realization as to how prevalent open source really is.
About Omkhar Arasaratnam
Omkhar Arasaratnam is the Chief Security Architect for TD Bank Group. He has over 15 years of Information Technology experience. Omkhar has a long history of leading global, multi-billion-dollar projects. He has led organizations to realize their business goals while effectively managing risk and compliance requirements.
Omkhar leads the Enterprise Security Architecture department at TD Bank Group. In this capacity, he has been accountable for revolutionizing the effectiveness of security architecture across the bank. Omkhar is also an accomplished author with several pending patents and is an Open Group certified Master Infrastructure Architect.
At Source Conference in Boston last month, I sat down several times with Tripwire CTO Dwayne Melancon. Our discussion centered around his work with the development and engineering teams at Tripwire, their use of open source components, the future roadmap for Tripwire and Dwayne's vision for placing business context around incident response. We start the discussion with an overview of Tripwire.
Highlights
00:43 Overview of Tripwire
04:27 Tool chain at Tripwire
06:14 Use of Open Source Components
09:10 Roadmap for Tripwire
11:03 Business Context Around Incident Response
About Dwayne Melancon
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles.
As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.
'"It's only metadata" is a mischaracterization that plays into government hands.' -- Bruce Schneier
At the 2014 Source Conference in Boston, I was able to sit down with Bruce Schneier after his keynote to clarify his position on several topics he brought up. The Twitter stream was on fire during his presentation as he described how the power of government and large corporations affects the internet. Where are the boundaries between personal data and corporate/government usage of that data? What is our responsibility in the equation?
An interesting observation from Bruce is that the government's insistence that it is only collecting metadata, which according to them has no intrinsic value, presupposes that metadata is somehow less important or less personal when it comes to interrogating the data. This is despite the fact that it can be used to generate a network of contacts such as "who your friends are, who your family is, what you're concerned about, where you go, your relationships, your interests", creating an extremely intimate and personal portrait of a person's life.
About Bruce Schneier
I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm the Chief Technology Officer of Co3 Systems, a fellow at Harvard's Berkman Center, and a board member of EFF.
"Increasingly, we're putting our lives on the line in software driven devices. From an industry perspective, we've got to start thinking about how we update these devices over time." -- Wayne Jackson
I have been working with Sonatype as a community advocate for a while, but never had a chance to catch up with Wayne Jackson until now. My main objective was to ask him the things I want to know about the company, what the security market looks like to him as the CEO, and how he intends to guide the company in the future. We start the conversation by defining what, exactly, the CEO of a software security company does.
"Ultimately the only way we are going to solve security issues in the cyber realm is to make better software." -- Wayne Jackson
Highlights of our discussion
00:48 What does the CEO of a software security company do
01:07 Why the career transition to software security
02:08 Personal realization of magnitude of software vulnerabilities
02:53 Market differentiation with component security vs code security
04:13 Managing the Central Repository
06:05 Software is everywhere, it's taking over everything
07:11 Choices in managing software security
07:50 Security is an industry problem, not just a software problem
08:30 Create a better ecosystem for security software with community best practices
09:25 Move beyond known vulnerabilities in single components
"There are ways through automation, design and testing techniques where we can take what is traditionally a three to six to nine week testing cycle and shrink it into minutes or hours." -- Curtis Yanko
In November of 2013, I was able to catch up with Curtis Yanko, Architecture Manager for CIGNA in Hartford, CT. Our discussion is on the cost curve of fixing defects in the application life cycle and alternatives to current methodologies.
"Most companies waste somewhere between 30% and 40% of their productivity on rework." -- Curtis Yanko
Highlights of the Discussion
00:25 - Analyzing the cost curve of fixing defects
01:45 - The difficulty of proving the cost of fixing a defect
03:15 - The lack of alternatives to current methodologies
04:45 - Some alternatives to current methodologies
06:05 - Managing the security handoff process
07:07 - Real world story on integrating security and developers
13:05 - A wake up call to corporate America
15:40 - Documenting a process based upon real world experience
"It's a fast-paced world. Disruption can come from anywhere, and even if it's not disruption, it could just be very profound change. Your ability to respond and act on that is key to staying in the game over the long haul." -- Curtis Yanko
About Curtis Yanko, Architecture Manager - Clinical IT / DevOps, Cigna
experience in improving process and developer productivity that deliver superior and trusted applications to drive competitive differentiation. Curtis has built his career by helping large enterprises modernize their application development and delivery by architecting and implementing DevSecOps processes that ensure trust and collaboration between development, QA, IT Ops, Legal and Security teams. He is a leading advocate for IT transformation through teaching these different enterprise silos how to partner for success.
"If you take the big, monolithic testing effort you currently have at the end, and you push it towards the beginning but it remains monolithic, you're not going to get the dramatic increase in efficiency and decrease in cost you expect. It has to be an incremental effect." -- John Steven
One of the things I have recently been investigating is the true cost, the real cost, of security and how that changes based upon where in the application life cycle you are. I was talking with John Steven from Cigital and we agreed it might be good to record our thoughts to see where it leads.
"With security, it's not a question of how far left you can get. It's really a question of are you doing the right things at each step." -- John Steven
Highlights of our Discussion
00:45 - Source of current graphs on cost of application security
03:45 - How can you prove cost savings when including security earlier in the application life cycle
06:30 - Process vs technology
07:45 - How early in development should security be inserted
09:25 - Incremental security within the development process
12:17 - How do you measure the effect and efficiency of moving left
About John Steven
John Steven, Internal CTO
John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing.
As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and led the Northern Virginia OWASP Chapter.
John contributed to the Hacking Exposed Mobile book, and speaks regularly at conferences and trade shows.
In this morning's news I saw a reference to a project on OWASP that documents the vulnerabilities in web applications and someone who is keeping a public repository of those vulnerabilities. I called and spoke with Simon Bennetts, co-lead of the project with Raul Siles, to hear his thoughts on where this leads and what his vision is for the future of web application security.
Highlights of our Discussion
00:34 - How did the project start
02:50 - Directory vs repository
03:30 - How large is the data set
04:15 - How do you anticipate people will use the information
04:45 - Future vision for the project
05:40 - Final thoughts on bug bounties
About Simon Bennetts
Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team.
Bennetts started the OWASP Zed Attack Proxy project, and leads the international group of volunteers who develop it. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project.
"I think we have a long way to go to get the broad understanding of what security really means in the development world." -- Steve Lipner
Steve Lipner has led the Security Development Lifecycle team at Microsoft since 2004. The SDL initiative is a set of requirements for secure software development.
"The SDL is a set of requirements that developers have to meet. No matter how you are doing development, you have to meet those requirements. A lot of the SDL requirements are based on the application of automated tooling; build requirements, code analysis requirements, automated test tools... " -- Steve Lipner
I had an extended discussion with Steve about what the SDL is really for and how it is used at Microsoft. Along the way, we talked about how application security for the cloud is handled with the SDL, and how the disciplines of DevOps/Agile are taken into account.
"We've tried with the SDL to provide a discipline and a set of requirements for secure development, but at the same time, to do that in a way that enabled development groups to meet their customer requirements, to meet their market requirements, to meet their time limit requirements." -- Steve Lipner
Highlights of our discussion
00:00 Introduction
00:33 History of Security Development Lifecycle at Microsoft
01:55 The purpose of the SDL for Microsoft development groups
03:02 Native code vs components
03:53 How do DevOps and Agile fit into the Microsoft security roadmap
06:52 Where does SDL sit in the process of automated deployment
08:26 How are requirements enforced
10:20 The cloud and the SDL
11:25 Application security vs network security
12:01 Future vision of security
12:47 Tools for security
13:44 A future in security
About Steve Lipner
As the senior director of security engineering strategy in Microsoft Corp.’s Trustworthy Computing Group, Steve Lipner is responsible for Microsoft’s Security Development Lifecycle team, including the development of programs that provide improved product security and privacy to Microsoft® customers. Additionally, Lipner is responsible for Microsoft’s engineering strategies related to the company’s End to End Trust initiative, aimed at extending Trustworthy Computing to the Internet.
Lipner has more than 35 years' experience as a researcher, development manager and general manager in information technology security, and is named as inventor on thirteen U.S. patents in the field of computer and network security. He holds both an S.B. and S.M. degree from the Massachusetts Institute of Technology, and attended the Harvard Business School’s Program for Management Development.
"Enterprise security has actually become dependent upon how we can identify people at the mobile layer" -- Jack Mannino
When it comes to mobile security, you'd be hard pressed to find a more knowledgeable source than Jack Mannino, co-leader of the OWASP Mobile Security Project. During the Software Quality and Assurance Forum sponsored by the Department of Homeland Security last month, Jack and I sat down to talk about his work with OWASP and the mobile initiative.
"The ecosystem is arguably just as much of a risk as the actual application security itself. They go hand in hand." -- Jack Mannino
Our discussion included ideas on how to move security closer to the beginning of the development project, and why many companies are choosing not to do that.
"You'll see pushback from a product or project manager if security impacts their ability to go live. They are willing to accept the risks in order to just go live." -- Jack Mannino
Highlights of our Discussion
00:05 OWASP Top 10 for Mobile
01:31 GitHub for mobile and open source projects
02:10 Concerns with mobile and security
03:30 Changing security within the development life cycle
04:40 Security automation within the development life cycle
06:45 Pushback to DevOps methodology
07:42 The biggest security threat in mobile
About Jack Mannino
Jack Mannino is a managing partner at nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as the chapter leader. In addition, he is the lead developer for the OWASP GoatDroid Project, and is a contributor to the OWASP RailsGoat Project.
"Some of the common weaknesses are not at the code level. Over 2/3 are at the code level, but the others are at the architecture and design level." -- Joe Jarzombek
Joe Jarzombek is Director for Software and Supply Chain Assurance within the Department of Homeland Security's office of Cybersecurity and Communications. Joe and I sat down for a chat during a recent conference in McLean, Virginia. His premise is that hardware assurance is just as important as software assurance. It was a new concept for me, and an interesting perspective.
"It's absolutely worth the overhead [of security automation tools] because of the 100s of thousands of lines of code being produced. You can't do it scalably, in a secure fashion, unless you've got tools." -- Joe Jarzombek
Highlights from our Talk
00:30 Security automation programs
02:25 Tools for automation
04:30 Hardware counterfeits
07:52 Composability and common weakness patterns
09:12 The viability of "moving left" and empowering developers
10:42 Code analysis within government software
About Joe Jarzombek
Joe Jarzombek is the Director for Software Assurance within the National Cyber Security Division of the Department of Homeland Security. In this role he leads government interagency efforts with industry, academia, and standards organizations in addressing security needs in work force education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices.
Joe served in the U.S. Air Force as a Lieutenant Colonel in program management. After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position.
He is a Project Management Professional (PMP) and a Certified Secure Software Lifecycle Professional (CSSLP). As an active member of Toastmasters International, Joe Jarzombek has served as International Director, and he is currently serving as Region Advisor Marketing.
"You can have great policy, you can have great DOD directives and DOD instructions, but if it's not in enforceable contract language, no one is going to pay attention to it." -- John Keane
Before my presentation at the Department of Homeland Security "Software and Supply Chain Assurance September Forum" in Washington, DC last week, I was able to catch up with John Keane, the security industry's Software Angel of Death.
John and I discuss the idea of contracts, and enforceable contract language, that hold people accountable for what they develop. From there, we get into how developers can become more security conscious just through the tools that they use. The third voice you hear is that of Jeff Deal, VP Government Sales at Sonatype. Jeff had some interesting questions on how to make development teams accountable after scanning has found vulnerabilities.
"After a short period of time, the developers learn not to just find and correct mistakes, they don't make them in the first place because the tools are teaching them how to write better code." -- John Keane
Highlights of our Conversations
00:05 Security scanning during development
02:47 Enforceable contract language
04:54 DevOps and Agile (or really fast Waterfall)
06:22 Accountability after scanning through a software assurance manager
07:03 Automation of security in the IDE
09:33 Recognizable design patterns in software
12:54 The discipline of code development and managing legacy code
(There is a little background noise in the recording because we were standing in the lobby at the conference, having a conversation, and I turned my recorder on.)
About John Keane
IT Specialist, Test and Independent Verification and Validation (T&IVV) office, newly-formed DoD/VA Interagency Program Office (IPO) which falls under the DoD TRICARE Management Agency (TMA).
John was just transferred from the equivalent position in the TMA Joint Medical Information Systems Office. The IPO was established in April 2008, as mandated by Section 1635 of the National Defense Authorization Act (NDAA) for Fiscal Year 2008 (FY08). The IPO acts as the single point of accountability for the development and implementation of electronic health record (EHR) systems and capabilities and provides oversight and management of the delivery of interoperability goals and objectives.
John has a number of responsibilities, one of which is Software Code Quality Checking (SCQC) task manager. The SCQC project was nominated for the 2011 North America Government Sector Information Security Project of the Year. John was a Federal Computer Week Top 100 award winner in 1993 for his work in developing the DOD Technical Reference Model. John is a retired Army Officer with 20 years' service and this is his second time in the government as a civil servant. During his first time as a civil servant, he was responsible for developing the DoD Technical Architecture Framework for Information Management (TAFIM), which was adopted by the Open Group as the TOGAF.
In Part 02 of our talk with Jim Routh, Jim talks about the history of components, the original idea behind a component repository and where we are today. His observation that GitHub has become the de facto location for mobile developers is an interesting one, but it still begs the question: Who is going to vet the components?
Highlights of the Discussion
00:05 Components and reusability through universal repositories
07:20 Who will vet the components in a universal repository
08:37 Repository of choice for mobile developers
11:12 The mobile phone as a primary computing device
About Jim Routh
Jim Routh is the Chief Information Security Officer and leads the Global Information Security function for Aetna. He is the Chairman of the FS-ISAC Products & Services Committee and former board member. He is currently a board member of the National Health-ISAC. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 20 years of experience in information technology and information security as a practitioner, management consultant and leader of technology, analytic and information security functions for global financial service firms.
Jim is the winner of the 2009 BITS Leadership Award for outstanding leadership of the Supply Chain Working Group sponsored by the financial industry in collaboration with NIST and the Department of Treasury. He was the 2007 Information Security Executive of the Year for the Northeast and is a widely recognized expert in security program implementation. Jim was successful in reducing information security costs while significantly improving enterprise risk management practices through innovation and transformational leadership.
Jim Routh has one of the best analogies I've ever heard on how to envision a tool for automated vulnerability discovery during the software development process. In Part 01 of our talk, we have an extended discussion on the line between design and remediation, the ideas behind Gene Kim's The Phoenix Project, and his work with cross-functional sharing through kanban systems.
Part 02 in an upcoming segment explains how components started as a simple idea and are now a central part of the open source development process.
Highlights of the Discussion
00:05 Introducing software security concepts into the development life cycle
02:51 The line between design and remediation
08:18 An automated development tool with contextual help
10:54 Pushback to new security methodologies
13:30 The concept of security "moving left" in the application life cycle
17:02 The Phoenix Project, Kanban boards and cross-functional sharing of information
"Security defects come in two flavors; bugs in the implementation and flaws in the design. We're paying quite a bit of attention to bugs and not enough attention to flaws." -- Gary McGraw
Gary McGraw thinks in broad strokes. In our "50 in 50" discussion, he goes beyond our talk of component based vulnerabilities and leads the discussion to the problems inherent with the building of complex applications. From there, we talk about his latest initiatives; architectural risk analysis and how to measure your software initiatives.
"What happens when you compose things that were secure, but then you compose them in a way that the designers did not anticipate. It leads to a crazy kind of security flaw." -- Gary McGraw
Highlights from our discussion
00:20 How do you integrate software security into DevOps
01:30 The concept of "moving left" in the application development cycle
02:55 Defining software security practices that are useful no matter what the software dev life cycle
05:37 Security at the component level
07:15 Three levels of insecurity; creation of components, components in production, combining of components in an insecure way
08:31 Software security for specific verticals
11:36 Consumer assumption of software security
13:03 Architectural risk analysis and threat modeling
13:52 Measuring your software initiative
Resources
Cigital
BSIMM
About Gary McGraw
I am a technologist, a scientist, a musician, a writer, and a father. I work at Cigital near the Blue Ridge Mountains in Dulles, VA. I live on the Shenandoah river about a mile from the Appalachian Trail in a house built in 1760. Berryville, VA is the closest town, but we're much closer to the Holy Cross Abbey. I am married to Amy Barley. Together, we raise our two boys Jack and Eli.
The "Internet of Things" is of extreme concern now that virtually every device on earth is getting wired. What are the implications? In this wide ranging discussion, I talk with Joshua Corman about his project, the "Rugged Manifesto", and upping the ante on application security.
Highlights of our discussion
00:05 The history of the "Rugged Manifesto"
07:07 Who is part of the Rugged Movement
09:26 The patterns within DevOps
12:37 OWASP Top 10 - Go deep vs Go Long
16:40 A different approach to the OWASP Top 10
17:57 The most important factors in your ultimate application security yield
20:08 The problem with the "Internet of Things"
21:35 The agenda at Derby Con in Kentucky, September 2013
Blog: Cognitive Dissidence
Rugged Software Manifesto
About Joshua Corman
Hired to build and run a new team for Akamai called Security Intelligence - reporting to the CSO. Team will do research, analysis, thought leadership, work closely with high risk organizations and drive actionable intelligence into the public sector, government, and critical infrastructure. With almost a third of internet flowing through us, we intend to drive asymmetric gains to security - at a time when it is most needed.
John Willis has some interesting perspectives on the origin of the DevOps movement. Most people think of DevOps as something created conceptually by Patrick Debois in 2009, but from John's point of view, it can be traced all the way back to W. Edwards Deming's '14 Points for Management'.
In this talk, we discuss how the community started and its short history. John runs through a list of veritable "Who's Who?" in the DevOps movement. Along the way, we talk about how the community is determining its own course.
Resources Mentioned by John
The DevOps Cafe: http://devopscafe.org/
IT Revolution Press: http://itrevolution.com/devops-blog/
The Phoenix Project: http://www.amazon.com/The-Phoenix-Project-Helping-Business/dp/0988262592/
The Goal: http://www.amazon.com/The-Goal-Process-Ongoing-Improvement/dp/0884271951/
W. Edwards Deming: http://en.wikipedia.org/wiki/W._Edwards_Deming
From Deming to DevOps: http://itrevolution.com/deming-to-devops-part-1/
DevOps Days: http://devopsdays.org/
Interview Highlights
00:05 DevOps Cafe Podcast History
02:07 From Open Source to Configuration Management to Cloud to DevOps
05:37 The Convergence of DevOps
06:41 The Visibility of the DevOps Movement and DevOps Days
12:03 Community Contributions to DevOps Days
13:01 The Maturing of the DevOps Movement
16:41 The CAMS Taxonomy: Culture, Automation, Measurement, Sharing
17:47 The Counter Intuitive Nature of DevOps
22:58 From Deming to DevOps
26:56 A Timeline for DevOps
29:09 The DevOps Cookbook and IT Revolution Press
31:49 The Goal of the DevOps Message
About John Willis
John Willis has worked in the IT management industry for more than 30 years. Currently he is VP of Customer Service and Enablement at enStratus. Prior to enStratus, Willis was the VP of Solutions for DTO Solutions, where he led the transition to a new suite of automated infrastructure and DevOps solutions. Prior to DTO Solutions, Willis was the VP of Training & Services at Opscode, where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award-winning IBM business partner, which specializes in deploying Tivoli technology for the enterprise. Willis has authored six IBM Redbooks for IBM on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.
Gene Kim is at the forefront of the DevOps movement. Through his book, The Phoenix Project, he is educating organizations on what it takes to create a high performing software development environment.
In this segment, I talk to Gene about the concept of DevOps and how the DevOps process can be incorporated into the enterprise development environment.
Highlights from our Discussion:
00:05 Application security and the position of the DevOps process
01:13 Is the DevOps concept really being used by major organizations
03:40 Puppet Labs "State of DevOps" study
05:41 "The Phoenix Project" a novel for IT
07:37 Prescriptive, actionable items in the book
08:18 Building the relationship between development and operations
11:58 Bottlenecks in the process of development
14:35 The technical debt of poor development practices
17:00 A parting message from Gene
Links Referenced in our Discussion:
http://itrevolution.com/the-phoenix-project-excerpt/
https://puppetlabs.com/2013-state-of-devops-infographic/
"A software project is not done until your last end user is dead." -- Kris Buytaert
Kris Buytaert was one of the first proponents for the DevOps movement in Europe. Our discussion ranges from the beginning of the DevOps movement through how DevOps is acting as the liaison between developers and IT.
Highlights of our Discussion
00:05 The beginning of the DevOps movement
01:45 The growth of DevOps
03:13 DevOps Days, conferences for DevOps
04:05 DevOps and security
05:52 CAMS keyword: Culture, Automation, Measurement and Sharing
08:39 DevOps reaction to testing within the development environment
10:11 DevOps process patterns
12:31 The 10th Floor Test
13:41 Into the future with DevOps
DevOps Days: http://www.devopsdays.org/
Kris' Blog: http://www.krisbuytaert.be/blog/
About Kris
Kris Buytaert is a long-time Linux and Open Source Consultant. He's one of the instigators of the devops movement, currently working for Inuits.
He frequently speaks at, or organizes, international conferences and has written about the same subjects in various books, papers and articles.
He spends most of his time working on bridging the gap between developers and operations, with a strong focus on High Availability, Scalability, Virtualisation and Large Infrastructure Management projects, hence trying to build infrastructures that can survive the 10th floor test, better known today as the cloud, while actively promoting the devops idea!
His blog titled "Everything is a Freaking DNS Problem" can be found at http://www.krisbuytaert.be/blog/