"If we can transform how security operates and get ahead of attackers by attacking ourselves and making ourselves more Rugged, we can get ahead of being susceptible to these things."
Shannon Lietz is on a mission. As leader of the DevSecOps initiative at Intuit and a core member of DevSecOps.org, her passion is to create an environment of collaboration and shared vision in an industry on the cusp of a new methodology for building software. Her history as an enterprise-level security practitioner gives her a unique perspective on the role DevOps and security will play as the automated software supply chain evolves.
In this “Innovator’s Journey” profile, we speak with Shannon about where she finds her inspiration, the process of discovery in her journey and what she hopes to leave as her legacy for the coming generation of software developers and security practitioners.
Mark Miller: What's your background? How did you get started, in general, with technology?
Shannon Lietz: I was a curious kid, like most. It was a great opportunity for me when my father brought home a computer to understand how to program.
Mark Miller: When was that?
Shannon Lietz: I was ten years old. Yeah, my first computer, right? We had a modem, and I was on the BBS boards, and I could barely spell and read. It was one of those great opportunities to learn how to enhance yourself. I got really excited about BASIC and trying to make the computer be able to print things out.
Then I started to get really excited about it (the computer) when I realized that I could turn my chess game into a program. Basically I had a computerized chess game when I was nine, and I loved playing against it, but it really wore out after a while, and so I realized I could create a chess program through this BASIC interface. I started writing one when I was around 10, and it became something really interesting for me. I think it was a good outlet as a child.
Mark Miller: That started at ten years old. What's the path? What path did you take...
Shannon Lietz: What path do you go from there all the way through? We also had computer class in many of the schools that I attended, which was really a fortunate opportunity because many schools didn't have them at that time.
I remember my elementary school, they had one computer and they actually taught a lot of folks to go through the process of programming when I was in my early years. Then in high school, we also had a computer lab, and again, it was really early times. I remember the first languages: BASIC was how they taught programming language. Then Pascal became the next language I worked on.
You can imagine, this is early, early days for me. The thing that was really exciting for me was to learn how these things worked. But then I got ultra-curious and at the time, there wasn't a lot about security in the industry. Things like logging onto your computer, you basically turned on your computer and it started up and there wasn't a log-on screen until way later. I remember going to my computer lab at college and being able to log onto the mainframe there. Passwords were really primitive. There wasn't a validation policy for them.
You go through this path of figuring out that you're curious about these things, and that it doesn't quite make sense. You're entering information into this system. I'm very curious about things I probably shouldn't have been curious about, and created all kinds of programs to figure out how to penetrate the programs that I was actually writing.
Basically, how could I test my logic flaws? Got really excited about how assembly language worked and started to read books. My father, at the time, had all kinds of books laying around that had information about computers and so it became just a quest for me.
Mark Miller: How old were you at that time?
Shannon Lietz: Around fifteen. Honestly, everybody has their dark moment that turns them into somebody who either is doing something good or bad, and I want to say that around the age of fifteen, I had one of those moments and really understood what it meant to be responsible and to have responsible use of computers and that they were actually susceptible to more damage than I actually understood at the time.
One of my first jobs was working for a bank as a security analyst working on computers. I had a work permit, and I got dropped off at work every day during school time. After school that was what I did. I still was an athlete, I was a sports enthusiast, but I basically ended up with all these responsibilities of learning how to deal with computers and, in a bank, making things safe.
These were really, really early times. Most of the connections within the banks at that time were all dial-up modem, modem banks, there was war-driving happening at the time, so figuring out how to discover those issues and learning how to deal with those things was really a great opportunity for me.
Later years for me, going through college, realizing that I really enjoyed computers, but it wasn't necessarily something I had an ambition for, I ended up doing a degree in biomechanics and then later attending law school. So I kind of have a really odd path, but ultimately all during that time I was really interested in computers, kept coming back to it, kept getting a job doing computer things.
Programming. So I've had a long history of programming. Worked for one of the early internet companies, City Quick, which was basically a dot com company for LA.com, and got an opportunity to learn how to do HTML and web programming. At that time there was definitely theft and abuse of services when they were easy to violate. It was really a quick introduction to the security community, and just fighting off attackers for LA.com and all of the abuses that were taking place with services we were providing gave me a great opportunity.
Mark Miller: Where did you find the connection or the movement into DevOps?
Shannon Lietz: Great question. So this was so early on. DevOps wasn't even a glimmer. I had come up through the ranks working for telcos/hosting companies for many of those years, so after law school basically just getting a job working in a hosting company. I worked for Exodus at the time. And met a man, Dr. Bill Hancock, that I ended up working for for many years. Dr. Bill was just an amazing individual. He would tell stories about security, and he made it really powerful, and the imagery that you got about attackers and understanding that environment was truly inspirational for me and really drove me into the heart of being a security practitioner.
At the time, working for Exodus, we were starting to embark on the journey with cloud, and at the time it was called utility computing. We were working with virtualization, things like VMware were really sparsely used, but truly important.
Utility computing was an early virtualization effort to take a rack full of computers with a utility for setting up interfaces to compute storage and network within that rack of equipment. If you can imagine, we were basically trying to set up things before customers needed them and make it so a customer could completely configure that rack of equipment to their specification using a software interface.
Mark Miller: That's pre-DevOps, it sounds like.
Shannon Lietz: Really pre-DevOps. This was around 2001. Hosting had gone from racks of equipment and being able to power on things as customers came in with their demand to a state of computing where we needed to have things ready before customers even showed up.
I think that it was culminated by the fact that Agile had just become a thing. It really had become this notion that you could work faster, that you could experiment through things and go through the process of bringing an idea to life in a faster way. The old ability of trying to do traditional software development really was starting to come to a head. The invention of internet and internet-type computing and websites and all those things coming together created this interesting ecosystem and philosophy about how you could deliver more value as you got more customer information.
It was a unique experience for me to be at the heart of that. Utility computing then quickly became more of a tool for a DevOps community, so this was even pre-Etsy and some of the things they were learning. I worked my way through the process of understanding that we could operate better.
Exodus got bought by Savvis after it got bought by Cable and Wireless, so we went through this transformation. I went through many mergers and acquisitions many, many times through that transition of these telcos/hosting companies working for Dr. Bill.
During that process, Dr. Bill had me work on a lot of initiatives that required interesting ways to think about security. Being innovative, being inventive, trying to build security into the computing platforms as they were being invented, and partnering early in the process, so building security in instead of bolting it on was very much a fabric of how he believed things needed to happen.
As part of that process of figuring out what things needed to happen thereafter, I believe DevOps came into being when I went to work for myself. That was the timeframe where I had been working more partnering. I had come up with security innovations. I had gone through the process of getting those to be part of the services that we were selling.
Savvis was selling managed security services during the period that I worked there. We helped to invent things like managed code reviews, so basically give us your code, and those things became formalized later into the life cycle of many of the vendors of today. I remember inventing things that did not exist at the time to help companies to be able to do better security faster, and to make it so that their teams could offload some of the responsibilities of testing their code but at scale. That was a really unique experience.
Then DevOps started to become a thing, but it was the thing that was practiced by very few people.
Mark Miller: Do you remember when you first heard about it?
Shannon Lietz: Yeah, I remember it was summer in the 2005-2006 time frame. I remember reading a book by Gene [Kim], "Visible Ops." I remember hearing some of those things and thinking, "That's exactly what needs to happen!" I've been a long-time fan of Gene and his work and really trying to bring some of those principles to the companies that I've worked for.
I worked for myself during that period, and I had done a lot of contract opportunities within that time frame that DevOps started to be inspired. During that time frame, I remember trying to invoke customer empathy towards solving a problem better. Some of the companies that I worked for had things like mainframes installed, so trying to figure out how to help them to make decisions faster, because truly they needed innovation in their environment to reduce cost on certain things, to make them more efficient.
PCI was also in that intersection. PCI had dictated an operating model that was inconsistent with DevOps as well. So you had frictions that were starting to emerge where companies were thinking about, how do I do Agile, how do I do Scrum? DevOps was starting to become a thing because you had sysops trying to work with developers. Then you have PCI which was dictating an operating model, and a lot of constraints around the security that was being implemented.
For me, that was a great intersection because I saw all these different frictions and changes happening, and I love change. It's like a moth to a flame. I really feel like that's what drives me to think about how to help people to take advantage of new and interesting ways of thinking about problems.
That was early on, and Gene started to do a few more things. I was tracking a lot of his discussions. I was a fan of Josh Corman early on as well because Gene Kim and Josh started to partner, and I've attended a lot of the things that they've talked about.
I remember somewhere in the 2006 time frame meeting up with Gene in Los Angeles and talking to him about what he was working on. Fast forward then there was what Josh was working on around DevOps, and then the notion of Rugged and Security and some of those things were starting to become part of the fabric of what they were thinking. Not having bolt-on security, having built-in security, security testing that was more advanced.
Years had transpired and somewhere in the 2010 time frame, I had heard about Rugged. I'd heard about Rugged software. As I had gone through my journey, I left working for myself and started working for Sony in 2009. As part of my journey, that was a great time for me. Sony was really doing DevOps in 2009.
Mark Miller: Without a roadmap.
Shannon Lietz: Without a roadmap, exactly. We had a few really, really inspired development leaders who were trying to pull people closer together, getting them to collaborate, really taking on the challenge of Agile and Scrum and Scrum of Scrums, and pulling together this fabric of a community of people trying to do the right thing for our company and building things in before they became a later down the line gating process.
It took a while for me to internalize and understand what they were trying to accomplish because running a PCI-based operating model against a DevOps program was not just challenging, but truly added some frictions. Trying to figure out how to turn a control in PCI which dictated how it needed to operate into something that could actually be utilized with DevOps and Agile, the security testing methodology of Agile, threat modeling with Agile, all those things were really complicated to implement during that time frame for me.
Just thinking about how could I make threat modeling a little bit easier to invoke in an Agile process. Part of my transformation was realizing that threat modeling had to be done by a security professional at the time because it was complicated. You had to have all this experience about attacks. You had to have all this information at your disposal to really get a good threat model. You also had to have the context of the workload that was being built at the time it was being built.
All of these things were constraints that came together, and you realized, "Wow, we are not going to be able to do this threat model thing very well as a company if we can't get the right people in the room working on the right things." Then simply trying to hire for security talent has always been traditionally difficult, because how do you take an individual and get them the experience of knowing how things get hacked into at a very detailed level, and then up-level them so they can share that knowledge and take what they know every day, all of their discipline, all of their competency, being able to track what's happening in the community, and be able to take the context of a workload and make it so they could successfully do that role inside of an Agile Scrum team.
Mark Miller: If you're talking to the next generation coming up, that wants to do technology, is security a place to start?
Shannon Lietz: I tend to believe that there are three avenues. We have interns that come to work for Intuit. Some inadvertently talk about how you get there. We have an intern program, and generally when an intern comes in, I don't immediately start them on security.
The first thing that we actually do with an intern that comes into our security program is we have them develop code. We ask them to work on our security portal, to start to understand what it means to communicate about security, to start to enrich what they understand about the security domain, to give them a little bit of a peek into what it means to try and get security defects resolved.
Mark Miller: Should security be part of a developer's education? And I don't mean that as a rhetorical question, it's a real one, because it's not so far.
Shannon Lietz: I do believe that developers should get some level of security training, and I believe that a full stack engineer comes out of being good at developing code, understanding how to create operational rigor, and then also understanding that the environment in which you're actually deploying your software into, it's a very hostile environment, and to think that it's actually not is really detrimental as a constraint to your software.
A developer does need to understand their constraints, one of those being security, and then truly how do they get the security feedback loop in place to be able to support making decisions earlier on in the development life cycle?
So I'm not sure that the current security training that I've seen actually creates or produces the level of knowledge that a developer needs to be able to be successful at that yet.
Mark Miller: What are you most proud of that you've accomplished so far?
Shannon Lietz: In the last couple of years, I think I'm truly proud of the fact that we're starting to evolve a security team's mindset to share and collaborate in a meaningful way. That means that not only are we doing that inside of our company, but we're starting to figure out how to tell that story outside of the company.
Writing the DevSecOps manifesto, for me, was truly an inspiration and a point in my career where I felt like I was giving something back to the community.
I really am proud of the fact that if I can help make a difference, that my children's information and their lives will be different, and so I really take that to heart. So trying to figure out how to collaborate, get good at open source, bring back my development skills. You lose things over time, figuring out how to bring those back and be able to help folks inside of our company, I think is truly special, and I feel very fortunate to work for the company I do right now.
Mark Miller: Your passion that I've seen is around DevSecOps. Is that really where you want to be and where you're headed?
Shannon Lietz: When I started thinking about the problem back a while, I realized that if we could transform how security operates and get ahead of attackers by attacking ourselves and making ourselves more Rugged, that as a target we could get ahead of being susceptible to these things.
Ultimately, DevSecOps is a means to being more Rugged and having Rugged software. I'm truly inspired by that vision and that mission.
The way that I look at this is that DevSecOps is really a means to getting Rugged and creating Rugged software for our company. But more importantly, being able to pave the path for other companies to either leverage what we've done or be able to experiment and build on or create their own path, but ultimately in service to creating more resilient, Rugged workflows that can help to solve really important problems for people.
Mark Miller: If you could create a new superhero, what would it be?
Shannon Lietz: I think that superheroes in the future, if I wanted to have a superhero character, it would be to be able to help people transform their thinking about learning. One of the challenges that I see is that you give someone something to learn, and they feel like until they understand it perfectly, they can't do something with it, and if I could do anything it would be to spark their ability to move past the blocks in their head, to be way more innovative and creative.
I would really want the gift of being able to unblock people.