Refactr CEO: Coronavirus Crisis Is Rapidly Accelerating Shift To DevSecOps

As the last recession spawned DevOps, the current one, caused by a coronavirus pandemic, appears to be fast-tracking adoption of platforms that integrate security into the agile development pipeline, says Mike Fraser, founder of the Seattle-based startup.


DevOps, in many ways, was born out of the last global recession.

In 2009, as the economy was reeling, enterprises looked to increase efficiencies through greater automation and agility, and shift capital expenses to operational ones, helping consolidate the agile infrastructure movement and kick off a swift and ceaseless climb in cloud adoption.

In a similar way, the COVID-19 crisis, and the massive economic disruption caused by the current pandemic, is accelerating the shift to DevSecOps—the next phase of agile computing that brings security automation into the mix, said Michael Fraser, founder and CEO of Seattle-based Refactr.


“I think this was the change that was needed for the industry to look at itself,” Fraser told CRN. “It’s not just an interesting conversation from the customer standpoint. This is the time that people start thinking about things differently, trying to fundamentally change things that they weren’t doing before.”


Refactr, like many budding startups, has seen in recent months a “game-changing” surge in interest for its visual DevSecOps platform: the company’s sales pipeline has quadrupled, revenue is up three-fold, and VC firms have come knocking.

To keep up with that demand, including a prestigious engagement with the U.S. Air Force, the startup founded in 2017 has more than doubled its workforce—from 5 to 12 employees. While it’s still small, the future looks much brighter than it did just at the start of the year.

“COVID has pushed companies out of being complacent,” Fraser said. “Where everybody was at in February, now it’s a different world we live in. They are looking for ways to help their customers and partners do more with the existing talent they have.”

The last major event before the novel coronavirus put the kibosh on all public gatherings was RSA, the industry’s premier security conference held in San Francisco in late February.

“Generally speaking, the consensus there was security needs to shift left,” Fraser said of his takeaway from meetings with representatives of cybersecurity vendors—meaning security tools need to be introduced earlier in the development process.

At the time, that was more of a vague notion, one often slowed by cybersecurity and DevOps teams not cooperating with each other, or even knowing much about how the other operated. The security-as-code methodology can be difficult to implement, as it requires not only adoption of a technological toolkit, but a change in culture, and the cybersecurity industry hasn’t done a great job delivering solutions that help bridge those gaps, Fraser said.

But a month after RSA the world changed. Suddenly, organizations grappling with unforeseen and unprecedented workforce disruptions were trying to figure out on the fly how to add security and compliance into the development pipeline through a DevSecOps approach.

“Vendors are starting to realize they have to make changes to make their products easily adoptable, not just in public clouds,” Fraser said. “With all IT systems now being accelerated to software-defined, IT-as-Code, COVID has been a major catalyst pushing adoption forward.”

Fraser has seen that shift across industries, including through the project with the Air Force, a service of which he’s a veteran. In March, after Refactr demonstrated its integrated automation and security platform to the CTO of Level Up Platform One, an Air Force software development organization, it won a $50,000 Air Force AFWERX Small Business Innovation Research Phase 1 contract.

Since then, Refactr has been busy preparing to apply for the second phase of the contract program that makes innovative technology available to any other DoD entities, such as the Army and Navy. That phase awards small businesses $750,000, as well as an additional fund match for venture capital raised, for building requested new features both for government and commercial use.

Throughout that process, Fraser hasn’t seen a single military official in person, as DoD divisions, like commercial businesses, have stood up chat solutions for remote collaboration and looked to “get more automation to more people,” he said.

To make the most of the tremendous disruption, Refactr is releasing updates to its DevSecOps platform that enables cybersecurity-focused MSPs, enterprises and vendors to collaborate and visually design complex service environments and secure automation through a CI/CD pipeline. Refactr Platform also incorporates an Ansible-as-a-Service approach to configuration management.

The platform integrates with popular DevOps solutions, such as AWS CloudFormation, HashiCorp Terraform, Git repositories and Kubernetes APIs, as well as security ones from Fortinet, Check Point, Tufin and the Center for Internet Security.

But the coronavirus crisis is driving a new wave of not only customer adoption, but technology alliances, Fraser said.

“The amount of vendor interest has increased exponentially,” Fraser said. “We went from working with a handful [of cybersecurity vendors] to more than 10 that want to get embedded into the platform.”

The latest release adds several open source security and compliance tools to prioritize the work of security teams and help them collaborate better in the DevOps framework.

Among the additions is the Center for Internet Security’s CIS-CAT compliance assessment tool that can be introduced directly into pipelines for remote scanning and reporting functionality; support for OpenSCAP, an open source compliance assessment tool; and Kubectl to control Kubernetes clusters.

There's also a greater emphasis on hybrid environments.

“Some of the stuff we have coming is to run automation wherever you want so you’re not beholden to a cloud,” Fraser said.

The updated platform includes a beta release of self-hosted runner agents to automate pipelines and tools on private infrastructure as well as public cloud.

Fraser noted that it’s not just customers, technology vendors and managed services providers taking notice of the emergence of DevSecOps.

“On the VC front, they’re looking at this space not just up-and-coming, but something they need to take seriously that’s going to change the landscape of IT as a whole,” Fraser said.

Investors understand that enterprises are aiming to future-proof their technology, he said, thinking “now is the time to do it because we don’t ever know when things will go back.”