If the only reason you have a WAF is for compliance, then it’s time to replace it with something that provides compliance AND actually adds security value.

Breakups are hard, but now is the time to break up with your WAF. Photo by Charlie Foster on Unsplash

In the land of web application security, there are a few not-so well kept secrets, but arguably none bigger than this:

The WAF survived not by being excellent, but by being mandated.

The WAF is antiquated technology that was initially created to help stem the rise of application security vulnerabilities. Application vulnerabilities were overwhelming organizations with their frequency of discovery. …


DevSecOps Chronicles

Software development has gotten tricky. If you have been in the DevOps game for the last few years — and let’s be real here, who isn’t these days? — then you have no doubt noticed that there is a drumbeat of “shift left” echoing across your brainpan. You can’t escape it at conferences or blogs or the numerous podcasts. We know now to write tests before writing code — boom, we shifted left! We added acceptance testing in our CI system — notch one up for a shift-left win.

Yet, with all this shifting left, it may be hard to…


We get personal on DevSecOps over at devops.com

Photo by Sergei Solo on Unsplash

Recently I sat down with Alan Shimel of DevOps.com and discussed security, DevOps, and how it all fits together. It was a fun conversation and I always enjoy talking with Alan and the fine folks over at DevOps.com. The entire conversation and transcript are available online, but there were a couple points that really stood out to me.

First, we discussed the major shift that security needs to make to join DevOps through DevSecOps (or whatever you want to call it). Security needs to never say “no” again. Every organization with high-performing DevSecOps teams has gone through…


Software development has gotten tricky. If you have been in the DevOps game in the past few years, then you have noticed a drum beat of “shift left” echoing across your brainpan. You can’t escape it — it’s at conferences, in blogs, and on numerous podcasts. We know now to write tests before writing code — boom, we shifted left! We added acceptance testing in our CI system — notch one up for another shift-left win.

Yet, with all this shifting left, there is a whisper in the wind (it may be hard to hear), but it is not a…


Lessons Learned in Product Development

Security products are notorious for being hard to install and slow to get usage in production. There is one corner of the security market where this is doubly true: the web application firewall (WAF). One of the secrets of the WAF industry is that once the deal has closed and the product is sold, it takes months to get installed and — worse yet — it often goes unused. Due to all the problems they create, WAFs get placed in monitoring mode (sometimes called passive mode). …


The 2018 DevSecOps Community Report is out and for those following the growth of DevOps and its subsequent drive into the security community, under the moniker of DevSecOps, the results won’t be surprising. In fact, I set out to write some hot-takes from the report that would really dig into an existential evaluation of security in a DevOps world, but in the end, the takeaways from the report are far more pedestrian. Don’t read that as not meaningful — in fact I think the survey results are very meaningful and informative for our path forward.

Signal Sciences was excited to…


Generated from: dev.to/rly

Ah, the WAF. You might know it by its street name: the web application firewall. It’s a long-standing technology that has been handed down from generation to generation, from datacenter to cloud to serverless. Rarely effective, largely disliked.

In the land of web application security, there are a few not-so-well-kept secrets, arguably none bigger than this:

The WAF survived not by being excellent, but by being mandated.

The WAF is an antiquated technology that was created to help stem the rise of application security vulnerabilities, which had been overwhelming organizations with their frequency of discovery. …


Last month in San Francisco, the DevOps tribe gathered under the umbrella of DevOps Enterprise Summit (DOES). This conference brought together practitioners from Disney, United Health Group, CapitalOne and even some three-letter government entities. These practitioners came together to discuss how to do DevOps in the enterprise. The conference featured speakers like Gene Kim, John Allspaw, John Willis, Damon Edwards, j:hand and many more.

A New Journey Begins

Where does security fit in? DevOps in the enterprise is basically doing “DevOps at Scale.” This means that you can’t wave your hands at real problems like security or regulatory compliance. I gave a 5-minute lightning…


DevOps school is now in session over at Lynda.com and LinkedIn Learning. Photo by Redd Angelo on Unsplash

Over the last 12 months, I (James Wickett) have been working on a really exciting project to help make DevOps training and educational resources accessible to online learners. Along with Ernest Mueller and Karthik Gaekwad, we have been building up the DevOps library over at LinkedIn Learning and Lynda.com. So far we have four DevOps courses ready for you to watch right now and several more in the pipeline that should release in early 2018.

In these courses we lay the groundwork of DevOps and show how to gain value from the DevOps movement in your organization. We tackle concepts like…


Those new to the Go language (sometimes called Golang) are often excited about the simplicity, speed, and portability of the language. Go also has a wonderful ecosystem of tooling for testing and helpers for working on web applications and APIs. In this post, we look at a few.

Keep Go development moving with hot-reloading using Fresh. Photo by Anthony Legrand on Unsplash

Along with Ernest Mueller I have recorded a few courses over at Lynda.com and LinkedIn Learning on DevOps, Continuous Delivery and Infrastructure as Code. In those courses Ernest and I take an approach of covering theory and philosophy and then follow it up with real world experiences, code samples, and tooling. …

James Wickett

Head of Research at Signal Sciences, creator of gauntlt, and author of DevOps courses at Lynda.com / LinkedIn Learning
