Switching employers is usually a difficult transition filled with complex emotions, fear, and anxiety. I haven't had any of these feelings as I start my journey at Sonatype. The timing is right, the culture is right, the tools are right, and I have a ton of technique to bring to the table. Joining Sonatype isn't like jumping into the unknown. It's a sort of homecoming.
DevOps Is Everywhere
Over the past few years I have met many of the talented people from Sonatype as I travelled the world sharing stories about how adding security controls into DevOps practices isn't as difficult as it may seem. At that time "DevSecOps" was a term that wasn't widely known. That has changed.
In every city I've been in, I've heard stories of success, stories of epic failures, and realized that DevSecOps is everywhere. I've been asked for advice and brainstormed solutions. Eventually I realized I was making a difference. The work experience I acquired both at startups and Fortune 10 organizations provided the stories, and Sonatype provided the microphone.
Those who have seen my presentations know that I have pretty strong opinions about introducing automated security controls into DevOps practices. When I talked about The Four Horsemen of the DevSecOpalypse at All Day DevOps last year, I said that the quickest bang for the buck was open source software management.
Looking at the 2019 State of the Software Supply Chain Report confirmed that sentiment. The data is astounding. 85% of applications are composed of open source software. If they are web applications then the composition rises to 97%!
Think about that for a second. These numbers tell me that developers custom code just 3-13% of any application, on average. This code tends to be the first priority for many organizations when they introduce security controls. Unfortunately, it's not the best place to focus if you want to operate at the speed of DevSecOps.
The open source and supply chain problem facing the industry is one of the major reasons why I joined Sonatype. It's an area I believe I can make an impact in as I evangelize DevSecOps around the world.
The Incredible Future
Successful rollouts of DevSecOps practices focus on Culture, Technique, and then Tools. Starting a conversation about DevSecOps begins with tool selection but expands to these crucial areas. I can, and will, go on here at length.
I'm freak'n incredibly excited to use a product suite I believe in, and work with a team I resonate with, because DevSecOps's true potential, and its deep implementation, is just starting.
Connect with me next week at Jenkins World. I'll be revealing a brand new, detailed DevSecOps reference architecture project, and can't wait to discuss it with all of you. The reference architecture will be a helpful resource and ultimate roadmap for your organization to adopt DevSecOps or mature your practices.