This is actually my 10th scout. I just realized that, which is pretty awesome. So actually, the first time I came here, I asked Elon if I was at Chef for two weeks. And I was like, shoot. I went up to him and said, if anybody cancels, can I give a Chef presentation? So I gave the first Chef presentation here, by the way, in case you're interested. The divine and felonious nature of cybersecurity, otherwise called Introduction to DevOps. My name is John Willis. The best way to get a hold of me is botchagalupe, which is a horrible Twitter name. I thought it'd be really clever back when we all got our Twitter handles. And I put it on every slide, because honestly, if you want to get a hold of me, if there's anything that interests you, or you want to talk about this stuff, if you somehow remember that, you'd be in good shape. A little bit about my background, if you don't know me: I round down now. I'm 58, so I say somewhere north of 35 years in IT. But about 10 years ago, I jumped into kind of distributed computing. Before that, I was doing the kind of IBM, still sorting, enterprise stuff. But I was actually probably, there were only three or four cloud evangelists in the world: Jeff Barr, James Urquhart, of course Simon Wardley. And I went to work for Simon Wardley over at Canonical to introduce the first private cloud. It was called Ubuntu Enterprise Cloud. Anybody heard of it? It was terrible. I mean, it was horrible. It was just a mean thing in life to treat people that had to use that. Then this guy, Adam Jacob, poked me and asked me if I would come in and be the old guy in his little startup called Chef. I was the ninth person in. I kind of helped build a customer-facing business there. That was awesome. And in fact, Adam gave me a credit card and said, just go to every DevOpsDays on the planet. I'm like, okay, that sounds good.
I think today I'm still the one who has gone to more DevOpsDays than anybody else. I left there. Another friend of mine was doing a startup. Just to kind of give you a background. It sounds like I'm bragging, and I am, but I'm trying not to. I like that, you cover your base there. He said, I want you to do what you did at Chef for us. He had this multi-cloud manager thing called Enstratius. I'm sure nobody's heard of it, but we did sell it to Dell. That was awesome. Paid off all my entrepreneurial sins on that one. Left there, kind of got into networking stuff. Got myself into all sorts of trouble. Created a company called SocketPlane. Sold it to Docker within three months. Didn't even get started. And then we did SDN. We did an SDN interface for Docker. So all the networking that you've ever seen Docker have over the last four years, you can either blame me or give me credit for it. And I left Docker about five months ago and I'm going back to consulting. So prior to Ubuntu, that's what I did forever. I built transformation, kind of, you know, how do you help people systemically improve? So I like that kind of work. On the right-hand side, a couple of things you should know about me: I knew this was gonna happen. I was the only American in the original DevOpsDays. So I've been literally, like, heavily involved in this DevOps thing we did. Started a podcast years ago. Got to meet Gene, I don't know, eight, nine years ago. Hey, this is good. It'll work. He'll fall off periodically. And Patrick Debois, and so he said, I'm the godfather. It's actually Patrick Debois who is the godfather of DevOps. I figure I'm the consigliere. But I got to kind of shadow and help him kind of change the narrative of the Phoenix Project. How many people have read the Phoenix Project? All right, not enough, okay. Yeah, it's an amazing book. It's a novel about the theory of constraints with a Java program and a Java stack.
I mean, it's awesome, all right? And if you've ever heard of Eliyahu Goldratt, it's a rewrite of his book, anyway. So I was able to kind of think about what we would do after this novel came out. So did that, and then I've been in something called the Enterprise Summit. Because I met Gene, I've had this incredible opportunity to be involved in a couple of books. The DevOps Handbook, I actually have a couple of copies. I only wrote about a fourth or a fifth, but if you wanna have a nice dialogue with me, and it's an interesting conversation after this, I'll give you a signed copy if you want. If you wanna tell me I'm full of crap on the presentation, you might get one too. It's sold over 100,000 copies in its first year. And we've been self-publishing it, so that's pretty cool. The Phoenix Project's sold 400,000 copies. I don't get anything for that. Yesterday, my second real book dropped. Beyond the Phoenix Project, it's on audio, it's audio only. Pretty excited. Also I worked on some other projects. Anyway, to the point. So I call this thing the divine and felonious nature of cybersecurity. Has anybody ever read anything by Bill Bryson? One, two, three, four, five, so a couple, yeah. So he's a travel writer, and he's very funny, and he's very informative. You've probably heard of that book, A Walk in the Woods. He talked about the Appalachian Trail, and it's just hilarious, right? So he wrote a book about the history of everything, which really was the history of science. And it's a great book, but this is my favorite, maybe second favorite quote from any book ever written. Maybe Jonathan Swift is probably the first one, A Confederacy of Dunces, but I digress. So here's the deal, he sets this stage. He says basically, at the time that Newton is finishing the Principia, and basically trying to describe everything that's going on in our physical universe, there are two idiot sailors at the Galapagos Islands killing the last two dodo birds on the planet.
Pretty distinct, right? And he's like, God, how do we do this as humans? And he says, in the middle, you'd be hard pressed, I would submit, to find a better pairing of occurrences to illustrate the divine and felonious nature of human beings. So I'm gonna use that as a narrative, and I'm gonna tell you why. It was actually at a conference, a cyber conference, where I thought about this idea that cyber is not as bad as extincting a whole species, but cybersecurity is pretty felonious. The felonious nature of cybersecurity. So let's talk about why I think some of the things in cybersecurity are felonious. So in 2016, the Verizon DBIR said that 10 CVEs, from the National Institute of Technology database, accounted for 97% of all the known breaches. But here's the kicker. I don't know if you might not have time to read that. Eight of them were 10 years old. So when we talk about some foreign actor and all this 60 Minutes and oh my God, these foreign, these are kids, 18-year-old kids, they're just saying you're a bunch of idiots. You've got that vulnerability thing that's been known for 10 years in your production environment. And again, no nation-state army of cyber people required. And by the way, I love open source, open source is awesome and nothing I will say is to be interpreted as a negative to open source, but you should be aware that open source opens up a lot of opportunities for adversaries. An incredible amount of adversarial activity. Because I mean, you write 10 lines of code, what happens? It could be like thousands of lines of code, 10,000 lines of code behind the scenes, or the library abstraction. This is, Sonatype does a State of the Software Supply Chain report. You should totally read it, it's brilliant. 31 billion, they manage Maven Central, right? So 31 billion component downloads requested annually. 228,000 average components per company. Look at that second one, 5,275 average unique component versions.
You know, when they did the post mortem on healthcare.com, they found out they were running 21 Java logging frameworks, right? If you read the Google SRE book, it tells you that Google, you know, I go by the book, so if you work with Google and you wanna correct me, don't, because I'm going by the book. Basically, it says they have two of everything. And that's actually a Deming principle, but I digress again. The average cost of a breach could be 7.2, anywhere from five to $8 million a breach. And again, that varies. Some of you might know what this is. Anybody, quick. Jeopardy, bang. It's Struts 2, right? Or otherwise called the Equifax debacle. So Struts 2 was, there's a library, there's a parsing routine, and if you're one of those kids, not those cyber states, all they wanted to do was put in like a pound sign and execute a shell script, an escape, and get root access on a machine, right? So here's the thing. And this was actually, there's been a couple. This was last year's flavor. On 3/6, as far as I can do research, there was a company that mentioned this. They discovered it. It was actually officially announced on 3/9, I think by Red Hat or, you know, the actual CVE was created on 3/10. And again, I think that last presentation about safety culture was brilliant, right? Because like I'm not gonna sit here and do counterfactuals on what, you know, Equifax should have done this and Equifax should have done that. In complex systems, that just doesn't work. But it's worth looking at that they don't discover it through 7/20, July 2017, and they announced it in September of 2017, right? And then here's some data that, oh, so I wanna talk about another company that dealt with the same CVE, Fannie Mae. And so Fannie Mae, so you think about, again, I don't wanna say things bad about Equifax, I have friends over there, I don't wanna counterfactual and say they should have done this, should have done that.
It's like, you know, we could say that there was a human error for that Hawaii missile thing, right, but you can't do that. But what I can do is compare two companies. And I can tell you that Fannie Mae, I work with them a little bit. In fact, I'm co-speaking with the woman who runs AppSec there at RSA in San Francisco. And they have this True North and it's kind of built around, you know, we wanna be America's most valuable kind of housing partner. And so here's the thing, if that really is your True North, then on basically 3/9, you gotta really smell the coffee about what has the potential to happen. Now, Equifax, how many millions and millions of records got, like, if I've got all your loan applications and everything, and I wanna say that statement on my website. So here's the thing, the woman who did this, she went to the executive staff on 3/10, 3/11, you know, a little fuzzy on the dates, but which is, so it was basically discovered on Tuesday, and then by Thursday or Friday, she went to the C-level team, the CEO, everybody, and said, the only way that we can protect our True North is I have to have you shut down the loan application. Over the weekend. I don't know if you, I bought a couple of houses, almost all of my loan stuff happens on a weekend. They said yes, because of that value, you know, how do you dance when it's time to dance?
That sounds silly, but they did it, they danced the dance. And by the way, I don't wanna spend too much time on this, it's gonna get too complicated, but it wasn't easy to find all the places that was, because some of them were embedded. It was Apache, Tomcat, Struts 2 Jakarta, it was in WebSphere, it was in embedded things. There were applications that hadn't been vulnerability scanned, and even the ones that had, there still was no CVE till the 10th, and who knows when the signature came out to actually scan it. But they had it. She went ahead, she wrote a little script, very similar to the script here, and hit every internal extended URI, and by Sunday night, she remediated every instance. And it was just a script that read /etc/passwd from a URI, and she was able to remediate. And the reason she had it turned off, she was like, she got tired, like 100 people behind her desk, you gotta fix it, you gotta, it's like, everybody go away, shut it down, let me fix this over the weekend. So here's the thing. As of fall 2017, again, this is Sonatype data, they're just doing great stuff, 3,000 organizations downloaded the exact Struts 2 that hit. So, all right, you know, I mean, they're not paying attention. It was March and now it's September, 3,000 companies. But here's the real kicker. As of fall 2017, almost 50,000 organizations are running a vulnerable version of Struts 2. I tell you right now, we can go over there and we write a little script to go ahead at Tomcat, to go find, you know, kind of a default built-in Jenkins server, hit your Amazon accounts. And you know, by the way, that's how NSI got breached. They scanned all the S3 buckets and they broke into a Struts 2 Jakarta, well, it wasn't Jakarta, it was Struts 2, and then it went in through a default installed Jenkins server, which is about as extremely dangerous as it gets. 50,000. And so, okay, we're like, okay, did we learn our lesson, right?
We're not felons, you're full of crap, John. So on 9/21, it was published. I gotta think that nobody knew about this publish and nobody cared, but basically in Spring, Pivotal Spring, and the REST team, a very similar situation where you could escape in. This CVE 215, that's actually 1780246, sorry, I made a little typo there. There actually is a 15, but it's not this one. The CVE was created in January, but it wasn't discovered until 2/18, and it wasn't corrected until 3/6, right? Again, I'm not picking on Pivotal, but you know, I mean, do the numbers, how many people were running Spring? And let's look at some of the numbers, the fool me once, shame on me. Basically, five months prior to that discovery, 400,000 people were running that Spring component. Five months after, basically to February 18, it only dipped 11%, 367,000 people are running that. Like, we're doing a shitty job, folks. And I'm not even getting into the hard stuff. And so one of the things that was interesting is about, so how many people have heard of Martin Casado? He invented SDN. He was this brilliant Stanford kid that the NSA went to and said, I think you're the smartest guy on the planet, now I can't even remember that. And they wanted him to solve this incredibly hard problem. And he spent a couple of years trying to solve it, and he couldn't solve it. And I guess it was unsolvable, but out of that, he came up with the invention of SDN. Created Nicira, sold it to VMware for 1.2 billion, with four customers and no revenue. And about a year later, he became the head of networking for VMware, and he started this idea of what they called the Goldilocks Zone. It was interesting, because he was starting to point out something, which is the felonious nature of cybersecurity, is that we are very brainwashed. We have muscle memory on the idea that we do perimeter-based. We have static firewalls coming in, perimeter. All data's coming in north-south.
Prevention, prevention, prevention, right? And he was talking about, well, guys, we spend 80% of our money on prevention and perimeter, and 20% on what happens when you get in. And I'll tell you the story of why I came up with this thing in a little bit. So again, he was saying that we need to rethink this. And now the way they thought about it, I would say on the whole probably didn't work the way it should have. But their idea was you were gonna put security in the hypervisor and the virtual switch. And then have a callback system with the node where you could talk to a Puppet or a Chef or anything like that. It didn't seem to really work the way it should. But the thing I love about it was this idea that instead of waiting out there, we'd come in here. And I think that's not close enough. So this Goldilocks zone is an interesting idea about trying to change the narrative of people who talk about prevention and perimeter and static firewalls. And the truth is, the presentation this morning was brilliant, right? Network traffic used to be 90% north-south and 10% east-west. In large web-scale organizations, basically network traffic has flipped. It's 90% east-west and it's about 10% north-south. In fact, about two and a half, three years ago, I noticed a couple of Facebook people here. I saw a report when I did the calculation, it looked like 98% east-west. So this felonious nature thing. Ha! So it was a Chicago conference. It was a cyber conference. And I was the afternoon keynote and there was this guy who did the morning keynote and he was a hacker, confessions of a hacker. So they had him hidden in some room. They basically put a hoodie on him, grayed out his face and changed his voice. And he just started telling, like, these five hacks that he did. And by the way, again, he's not working for China, he's not working for Russia, he's not working for whoever.
He's working for himself, probably makes a million dollars a year, because he goes into your bank and he basically sells on the dark net, or the orange and purple net, whatever the day-to-day gets. And he talked about like four to five stories and how he got in. He tailgated. He followed somebody in the door. He took some precautions. He went there a week early. He found out where you all drank coffee, what Starbucks, he tried to RFID clone your badge. But in general, he wanted to see how you dressed, see if he could pick up any buzzwords. And four to five times, he didn't even have to use an RFID badge. He's like, hey, hey, hold the door. And he got right in. And when he got in, he found an empty floor of cubes, like nobody has these, right? And then he found a spot and put in a Raspberry Pi. Now he's in. Like those guys, once you're in, there's so many ways to get into your network. Then he proxies out and he's got you. Right? So I was thinking about that. And he was kind of making fun of us as an industry. Like he was a kid that had probably never been in IT. And he was like, you guys, why do you let me in the door? You know, I think you're really stupid. And I'll talk about that at the end. Because I think that's where I started thinking about this divine and felonious nature, right? I don't know if this works, but come with me. So let's talk about DevOps first. So I'm gonna give you the really, really short course on DevOps to kind of drive the conclusion here. Let's see, you know this. So we got Agile. Now I've been an operations person my whole career. I've been just like everything operations. And I remember the first time somebody told me about Agile and I'm like, well dang, you never gave us the memo, right? Like the Agile manifesto and what? And we're like, yeah, but we're like, next March, next October, right?
Like it was a total impedance mismatch of one side just going incredibly fast, having this manifesto and great stuff, which was awesome. And then obviously we're just like, you know, and then somewhere around 2007, 2008, Luke Kanies with Puppet and things started popping up. You know, Chef with Adam Jacob in late 2009, DevOps coined in 2009. We started thinking about these collaborative ideas and then we did this DevOps thing. Also somewhere along the way, Werner Vogels, the CTO of Amazon, did this interview where he said, you know, at Amazon, we do it differently. We have these teams. We call them two-pizza teams. And unless you have me on a team, then it's three-pizza teams. God, let's get that one in. And he said that at Amazon, we have this: you build it, you run it. The developers own the delivery of the service, or the service team, whatever you wanna call it. Enough of this siloed, this group gets it and when they're done, I get it. Like that became DevOps. Now, whether it was two-pizza teams or whether it was, you know, enabling developers so that they can create the full chain with first operations, then QA, and allow them to put the meta into the supply chain. Right, because that was the shift. Originally, the first argument was, hey, DevOps, you need to work together. How do we do that? Well, the Ops team needs to be feeding in more so the developers can do the things. In the early days of DevOps, we said things like developers wear pagers. You know, if you build it, you run it, you get woken up. Like you think about technical debt in a whole different way, and operationalization. And so here we are in 2018, but maybe we're all patting ourselves on the back. There's like, there's a fifth of us here. There's been Amsterdam and Austin been running them and we're all just like amazingly great and awesome.
And we got through the memo thing from the Agile and the Ops, and this is where I throw my hat on the ground and say, cowdog it, we forgot about security. We did the same thing all over again. And so how many people have heard the concept of the Andon cord? Right, a lot of what comes into DevOps comes from Lean. You know, and that last book I talked about, that audio book that just went out yesterday, me and Gene spent a lot of time talking about Lean. So the Andon cord was a scenario where at Toyota, line workers, edge workers, had the power to ultimately stop the line. I mean, there was a set of rules before the actual line stopped. But the point was, and here's an interesting thing on culture, you wanna read a great book, Toyota Kata by Mike Rother. He spent like a year over there. He was part of the people that studied Lean, they went over to Japan to really understand it. And he said, what a floor manager would do when you pull the Andon cord is they'd thank you. Before they even knew what you did. Because basically you were creating a learning culture. Right, anyway, there's a great story about a Toyota plant in Kentucky that was creating like 22 hard cars a day. And an analyst went in there to find out about it, and they said, well, how do you do that? And they said, oh, we pull the Andon cord 5,000 times a day. Hopefully your head's spinning a little right now. You know, it's an antifragile message, even though Taleb is an idiot. But we can talk about that later too. So that's what we do in DevOps. I'm not into the DevSecOps stuff yet, right? This was the old 2008, Agile 2008, Chris Read, Dan North and Jez Humble. Right, but this is what we do. We put our gates in, we automate things. The developer checks something in, it goes through this, hits a red gate, goes back, developer fixes it, gets to the next gate, next gate, red, goes back.
And we do this over time with small-batch commits and hopefully trunk-based deploys, all those kinds of principles. And we create resilience. And there's no better example than Google. This is five years old. And you can read all the other numbers, but that's the number that blows me away: five years ago, 75 million automated tests a day. I saw a presentation in 2016, it was 150 million. If you work for Google and you wanna update me, I'll update my slides. 150 million automated tests a day. That is that Kentucky plant in software. That's where you're creating that gating resilience over time at speed. So that's the thing we learned about DevOps, is that if you have certain cultural behaviors, you can go faster and be more resilient. That's the secret. And in fact, we've actually learned that if you have those right behavior patterns, the faster you go, the more resilient you get. How about that? So with the DevOps Handbook, quickly, we tried to codify about a year ago, a little over a year ago, all the things that we think it's done very well. I'm only one fourth; the other three authors are like incredibly amazing. You know most of this: everyone's responsible, done means released, stop the line when it breaks, right? Break the build, remove silos. And one thing I realized, we actually set the foreground for the discussion about separation of duties, because that's also one of the first armors in the security discussion, separation of duties. Yeah, you can't do that DevOps thing. Why? Well, you know, it's the ops team and the dev team, if they work for the build. You know, well, okay, well, we automated it. Like, nobody gets to shell into this machine. It's all automated, it's all audited, all right? So all of these apply to security, we just got to get the security people to get out of that felonious nature mode, right? And then, you know, the things I can do is delivery. I mean, you hear this over and over, so.
So in summary on DevOps, you know, Agile took us from months to days to deliver software, great. When the ops people got the memo, we were able to take, you know, kind of DevOps from months to days to deploy the software, right. It was no more throw it over the wall, we figured out how to work together and combine and automate them. So now, actually a little while back, there were a couple of people who started this thing called the Rugged Manifesto. Anybody heard of it? One, two, right, it was good. It was great, right? And if you did: I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. Remember those eight CVEs, they're 10 years old, right? I recognize my code will be attacked by talented and persistent adversaries who threaten our physical and economic wellbeing. Here's the thing, there's a woman, Shannon Lietz, I'm platonically in love with this woman. She's, you know, I don't know if she's a goddess, but she's the most amazing thought leader when it comes to security. She works at Intuit, you know, I just follow her around, the bread crumbs to learn. She talks about adversaries, she says, here's the thing, we suck. The adversaries have the dark web, they team up, they work together. I mean, they're DevOps, by the way, in security. They're collaborating, they're sharing information, they're telling each other about the banks and everything. Does Bank of America talk to J.P. Morgan Chase? No, I mean, we know this. And so I stole this from Josh Corman, but I believe it's such that, so Marc Andreessen said software is eating the world, right? Andreessen is just, you know, a famous VC now. But really, if you think about that software side and the open source side, it's affecting the world. And again, I'm not trying to tell you that open source is bad, because it isn't, it's awesome. But it comes with a heavy-handed cost, so then we get to DevSecOps.
So I started thinking about what's different about Rugged and this DevSecOps thing. And it really was, it was back to the core principles of what DevOps did. The dev and ops, we tried to figure out how to get that all on the same page so that ops and dev were working together. And more specifically, ops were basically trying to create tools and meta and policy so that developers could operationalize their software. Could remove the operational technical debt because they would take care of that. And the operations people would be the people who put the guard rails to the policy. So I would contend that, and I've got a couple of presentations where I call it, you build it, you secure it, it's a play on Werner Vogels. And that is that we need to get to a point where developers completely own security. There is no reason, just like we did with ops and QA and any other group where we tried to integrate. We still have to, and it's hard because there's so much muscle memory in a security group and how they think about things, and they're still thinking perimeter-based and prevention. But we have to get them to flip, and the woman at Fannie Mae and actually Shannon Lietz are the two who have done this magically, where the security people see themselves as the people that feed the opportunities for the developers to create secure and safe code. At Fannie Mae, they have GitHub repositories with all the known OWASP things. They've written their own wiki so that a developer doesn't have to pull their hair out when they go to the OWASP site because they're not a security person. They explain it in a way that makes sense to developers. Every time they find a new vulnerability, they put the example correct code in their own internal GitHub projects. Like a lot of cool things. My other presentation, I spent more time on that, because I wanted this to be a higher, more meta presentation.
And so here, you should have had this conclusion already, like what about DevSecOps as an abstraction onto the thing that we've done so freaking well since 2008, 10 years ago. Those red gates not only should be like test-driven development for stories or behavior-driven development for stories related to the code, they should be test-driven development for security things, security stories, technical debt of security, should be behavior-driven tests that do port scans. Why is this port open? Why should it be open? Among a whole bunch of other things. And then hopefully we get that resilience, right? I mean, not hopefully. I know we get that resilience. We get basically the Kentucky plant in color red. Like a red Corvette. Although that's General Motors. But here's the thing, right? So think about the supply chain. So I wanted to contrast this to what we do and why I keep saying we're kind of felonious in the cybersecurity thing. So imagine, most of you, I'm sure, how many people are at more than like their third DevOpsDays? Oh really, not that many, okay. I mean, but if you start listening to the DevOps message over and over, you get the sense that there's the shift-left idea. We try to take things on the right and we move them to the left to get them in the automation of the flow. We try to find things. And so imagine I go into a shop and they're like, John, my DevOps environment is freaking killer. You know, like, yeah, we use Eclipse and we got some really good plugins, version control is for the birds, idiots who do that. CI, Jenkins, you know, it's always throwing red messages up, so we just turned it off. But we do a hell of a job with Selenium for behavior-driven and we're kicking the shit out of it with Ansible. You'd be like, okay, I'll see you later. Because the truth of the matter is, if we saw that, we would know it was really kind of an anti-pattern to what we want to try to accomplish with DevOps.
You know, go with the behavior and other things, not just technology, but I always say that all the buckets have to be filled if you want to shift left. So we've done that with security. I mean, so with security, we've had this, it's table stakes to do vulnerability scanning, although a lot of people don't do it. But it's table stakes. So there's no artifact that should come to that system where either JFrog or Docker, you know, Docker Datacenter, or Twistlock or Nexus, Sonatype, is telling you, ooh, I just saw a binary signature. That's a bad thing, red. I mean, if you're not doing that, you're really, really being criminal to your organization. And most people, you know, think that we should be doing that. So that's table stakes. But those people have that and maybe some behavior-driven, but they won't have anything in the IDE. So they'll have nothing in version control. They'll have a couple of things here. So what DevSecOps means is two things in my opinion. One is you build it, you secure it. So whether it's the developer or the service team takes full ownership, and the other organizations, now including security, I'm sorry, security people, you got to get on board. You just got to flip your mindset. You're just as important as ever. You just need to turn your meta and stuff into automation to help developers do what you want them to do anyway. And every bucket has to be filled with some kind of solution. And none of these are endorsements, right? I just took simple names, the first icon I could find. But like in the bottom row, there's FindBugs. There's IDE plugins for IntelliJ that will actually pop up red on something that's a known vulnerability. There's an open source FindBugs. At the build layer, everybody and their brother, you know, Black Duck, the artifact guys, Nexus and JFrog, and, you know, Docker has cut into theirs and Twistlock will do it. And then, you know, a lot of people do it.
So you need one of those, right? And then there's a whole bunch of tools in between the build and test, you know, Veracode, Fortify, Gauntlt was a really cool open source project by one of the founders of Rugged DevOps, James Wickett, Aqua Sec, Twistlock, Dome9, Evident.io, which will do a real-time investigation of bad hygiene and policy in your Amazon. Right? I don't care. I'm just saying, and I'm building actually a maturity capability matrix right now. Like, and I'm working, I'm doing consulting and I'm like saying, like, you don't have one of these. That means that you're, you know, a medium to low performance organization. And so one of the things, the new company that I went to and they, it's an 8(a) woman-owned and she's got the, Karen, who's my boss, has actually got a lot of contracts with DoD, the OPM and all this stuff. So we've been actually working with like, you know, slam right in, like, hey, John, this is what we need. Okay, you know, DevOps or DevSecOps in a regulated environment, like, I don't wanna go through all this, but like, it gets really serious. Not only fill in a box, but like fill in the box. And this is actually from Gartner, you know, usually Gartner, another subject that I've got two really good friends at Gartner, everybody else I dislike. And they mean that they're usually full of crap except those two guys. Although this guy who's been doing the DevSecOps stuff is he's pretty spot on. And this is a really cool chart and I once spent, how much time do I get? Yeah, don't worry. You know, he did this thing, it's really good. It's another, you know, I'm doing a capabilities thing that's kind of a pivot on this. But I like this, right? Like, you know, you have open source governance in design, in the IDE, in the repository, in the CI, post deployment. Do you have open source software allowances? Do you do SAST or DAST, right? Static application testing, dynamic application testing. Are you doing interactive?
Are you doing RASP, right? Like, these are the things like, you know, what are you doing and what is your architecture and what are your known capabilities and how do you match to... And this is kind of like, these, the full circles I would say, he doesn't say this in his report, would be must haves. The kind of half and quarter circles would be nice to haves or should haves. You know, and the ones that, you know, kind of NA would be basically, in a sense. I mean, some of the products aren't even, there aren't even solutions there for some of the boxes, but would be nice to haves. And that's red, yellow, green for me. Red means you don't have a must have. Yellow means you don't have a should have. And green means I don't give a shit. So I say, and I was gonna ping, I was actually in all honesty, I thought I was gonna be a little more nervous because I finished this, I took an old presentation and rewrote it and I wrote most of it on the plane ride here, but I mean, I had all the data, so I'm not faking it. But as I was thinking about the Goldilocks zone, I thought about Martin and I'm gonna ping him and I'm like, dude, the real Goldilocks zone is DevSecOps. Like, that's the play. So here's the thing, like, think about the Equifax thing. I don't know if they had Palo Alto or they had these billion, not billion, multi-million dollar boxes that do prevention. They had, all these companies have that. But they don't get a zero-day vulnerability through that. Static firewalls don't protect you from that kid who tailgates into your building. I mean, the Goldilocks zone for the real, and by the way, the Israeli intelligence is not going after your a hundred million dollar company. Right? If it was going after your a hundred million dollar company, there's some freaking kid that was two blocks away from you who finds out that you're running a stupid, you know, a Java or open source vulnerability thing and he pwns you and now he's got all your data. 
Right, so the Goldilocks zone has to be that the hygiene, it's one of the reasons that Fannie Mae was able to react so incredibly fast is she was a developer managing a Java developer for years and they asked if she wanted mine going to app sec. I was choked about dev ops, early days of dev ops, here's my joke. It was three developers had to do a startup. The one who drew the short straw had to do operations. Right, and then what did that developer do? Treated operations like a developer discipline. This is actually what this woman did at Fannie Mae. She's like, okay, security, got it, okay. Developers should own it. Okay, what do I gotta do to help secure developers have a seamless control and ownership of this thing? And that's the Goldilocks zone. It was the Goldilocks zone for dev to ops and dev to QA and I think it's the Goldilocks zone for security. So in the back of the book, we have something for the DevOps Handbook. So one of the things, when I left Docker, since about five months ago, I really wondered about consulting and I'd been fortunate enough to work with a lot of groups that had done some really, really cool stuff. So I was advisor, consultant, whatever. And I took, I decided when I was gonna leave, I'm gonna take all the things from the smartest people I did. So in other words, I didn't invent anything. And I'm gonna use that as a practice. And so far in five months it's been incredibly successful. So I go in and I use the known capabilities both for DevOps and DevSecOps. Okay, yeah. Shows me about seven, but why does mine never match yours? I'm gonna, someday I'll figure that out. And then I do kind of value stream mapping and it's interesting. And then I do this thing called Toyota Kata. And we do it on value stream by value stream and value stream and we help the companies kind of create a systemic rhythm of improvement. Nothing can get elastic, but I barf. When I try to have this conversation like yeah, yeah, yeah, yeah, yeah.
But can you install the Atlassian suite for us? No, like that's not gonna create systemic improvement. Sorry. Putting in Jenkins or Chef or Puppet or Docker. Not gonna create systemic improvement. All right, the divine in the what? Four minutes I have left. How do you do that? God, I'm sorry. That was funny. So a few years ago, I had the opportunity to sit in and give a presentation to a CEO. We're pretty big companies, a weird set of circumstances. And I walked in with like 15 slides. And about the second slide, I got the T, I said, in fact, it was actually in the kind of green room to meet the CEO. And he's like, you get like five minutes, eight minutes if you stretch it. Like if you're gonna talk, I didn't talk to Jamie Dimon, you know, or Jay Brown says, but you're gonna talk to Jamie Dimon, you got eight minutes. Better get your point in five minutes. And I realized I have another presentation where I'm like a kid with spaghetti all over my face. So like, I don't know shit about DevOps because he's right, I couldn't explain DevOps in two slides. And I spent all year trying to think, could I do that? And I don't even think I can anyway. But I would say the conclusion I did after a year of thinking about this really hard, which is DevOps is a set of practices and patterns that turn human capital into high-performance organizations. Drop the mic. And there's my son. He's speaking, Laura. Daniel, say hi to everybody. He's speaking on a really cool statistical analysis and MP3 files and like cool stuff. So back to the Bryson quote, the divine and felonious nature of cybersecurity. So I was thinking about that kid. And I think of that kid that this guy that was actually making fun of us all about how stupid we were for holding the door open for him. And I thought about that, you know, that that kid never worked in a company for 15 years.
Because if you're two cubes away from me and you're two paces away from me and I don't hold the door for you, I'm not saying you, but you're like, what an asshole, John. And over years, there's Diane Vaughan who did like a lot of the Challenger analysis. She calls it the normalization of deviance. You just get, he doesn't know that we just like get tired of getting yelled at and beat up. And every year that, you know, the cyber people are gonna stage this, are you this year, never let anybody in the room. You know, you have to make them badge in, right? But then we just, so you have our tailgating policies. And so, imagine, if I'm telling you that this is what I think DevOps is, I also think this is what I call DevSecOps. It's a set of practices and patterns that turn human capital into high-performance organizations. I would tell you, you can ignore everything I've said and get this one right and you win, win, win, win, win. Susie, it's raining. She's pregnant. She's holding 10 boxes, four boxes. She's coming to the door and she's two paces behind you. And you let the door close. Now you wait, because you're a gentleman and she comes in and you're like, oh God, don't get so beat up. But like, I was told I had to do it this way. And she walks up and he says, just remember the Toyota guy who comes up and thanks the person when they pull the andon cord. She comes up to you and says, I want to thank you because you just made our organization safer. And I'll cliche it, we might not get Equifax this year. Not easy, but that's why we always boast about culture, culture, culture, culture, culture. Because if this kid who steals your data, sells it for a million, you know, hundreds of thousand dollars, tells you that the biggest breach that you have is letting people kind of tailgate your door. You know, you've got to change the mentality and it's culture and it's behavior. I can't do the bonus material, but it's been cool. It's Docker stuff and immutability and stuff, but sorry.
Hey, thank you very much for letting me kind of just talk off the rails.