Beyond the DevOps Handbook - What about DevSecOps - Snykcon 2020

talks 2 min read

Five years after the DevOps Handbook, the most surprising and rewarding thing is seeing how practices pioneered by tech giants – Facebook, Amazon, Netflix, Google – are being embraced by every organization regardless of size or industry. Banks now talk about chaos engineering as critical infrastructure. The seniority of people speaking at DevOps Enterprise Summit shows that devops matters to people who matter.

The devsecops label caused controversy early on. John Willis describes the turning point: at RSA, when they called the pre-conference track “devsecops,” a wave of security people showed up. When asked why, they said “we feel like we’re invited.” Sometimes you need a name to create belonging. The interesting evolution is that large banks now call it “the devsecops pipeline” – meaning they have already combined everything. Mission almost accomplished.

On the security practices side, one of the best pieces of advice comes from Jeremy Long (OWASP Dependency Check): just keep your dependencies up to date. The PrimeFaces vulnerability proved it – the CVE that was exploited for bitcoin mining had been fixed two and a half years earlier. Staying current is not easy, though, because updating dependencies often breaks things, and that raises the question of trust. In promise theory, you decide your own fate – you cannot fully rely on others. External dependencies, services, and libraries all require you to have an alternative path when they fail.

John Willis pushed the concept of a DevOps Automated Reference Architecture – creating digital evidence of everything that happens during builds, moving from subjective change records to digitally signed attestation. This shortens the feedback loop between real risks and the 1990s-era controls that companies still cling to. The vision: risk controls should be part of ideation flow, not static spreadsheet definitions that add six weeks to every production deployment.
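As an added illustration of the attestation idea (not code from the talk or from any reference architecture it describes): a build step records digests of its inputs and outputs and signs that record, and a deploy gate checks both the signature and the artifact digest instead of a hand-written change record. The builder name, file contents and signing key are constructed, and an HMAC stands in for a real asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed sample build: inputs (source, lockfile) and the produced artifact.
# A real pipeline would read these from the workspace; here they are inline bytes.
BUILD_INPUTS = {
    "src/app.py": b"print('hello')\n",
    "requirements.lock": b"requests==2.31.0\n",
}
BUILD_OUTPUT = {"dist/app.tar.gz": b"\x1f\x8b constructed artifact bytes"}

# Hypothetical key held by the build system; stand-in for the private key of
# a real asymmetric signature scheme (the deploy gate would then hold only the public key).
SIGNING_KEY = b"hypothetical-build-system-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(statement: dict) -> bytes:
    # Canonical encoding so the same facts always produce the same signed bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def make_attestation(inputs, outputs, builder="ci-runner-01"):
    """Record what went into the build and what came out, as digests, then sign it."""
    statement = {
        "builder": builder,
        "inputs": {name: sha256(b) for name, b in sorted(inputs.items())},
        "outputs": {name: sha256(b) for name, b in sorted(outputs.items())},
    }
    signature = hmac.new(SIGNING_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": signature}


def verify_attestation(attestation, artifact_name, artifact_bytes) -> bool:
    """Deploy gate: the signature must check out and the artifact digest must match."""
    expected = hmac.new(SIGNING_KEY, canonical(attestation["statement"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return False  # statement was altered after signing, or signed by someone else
    recorded = attestation["statement"]["outputs"].get(artifact_name)
    return recorded == sha256(artifact_bytes)  # artifact swapped or not from this build


if __name__ == "__main__":
    att = make_attestation(BUILD_INPUTS, BUILD_OUTPUT)
    print(json.dumps(att, indent=2))
    print("deploy ok:", verify_attestation(att, "dist/app.tar.gz", BUILD_OUTPUT["dist/app.tar.gz"]))
```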

Watch on YouTube – available on the jedi4ever channel

This summary was generated using AI based on the auto-generated transcript.