I’ve joined Heroku as their Director of Security.
I started as a Heroku skeptic. The first iterations of Platform-as-a-Service left me deeply underwhelmed. “Deploying web apps is hard,” I said, “there’s no way you can just abstract it away like that.”
I was wrong. Over the last few years I’ve gone from being a Heroku skeptic, to a user, to a fan, and now — an employee. Perhaps at some later point I’ll write a bit about how my thoughts evolved, but for now I’ll leave it at this: Heroku’s vision of a world where developers are empowered to deliver apps is one I support. Strongly.
What does “Director of Security” even mean?
The web’s a scary place, and developing secure web apps is a lot harder than it needs to be. My job, in a nutshell, is to make writing secure apps easier. I’d like to do for security what Heroku already does for deployment. I want to help developers focus on delivering their apps, and free them up from worrying about all the things that might go wrong. I think we can provide some seriously great tools that’ll make everyone’s lives easier.
Obviously my primary focus is going to be on providing those tools to Heroku users, but hopefully I’ll be able to find some ways to deliver this stuff as open source, standards, and communities. If I do my job right, I should be able to help everyone developing web apps, regardless of where they run.
I have my own ideas about what this means, but I’m sure some of you do, too. If you want to give me suggestions, I’m all ears: email@example.com.
What does this mean for Revsys?
As you can imagine, leaving the company I co-own was a hard decision. It’s made easier by the fact that Revsys is doing wonderfully. We’ve made some great hires over the last few years, and I’m confident that Frank, Jeff, Jacob, and Flavio — and whoever Revsys hires next! — will continue to kick some serious butt.
I’m not completely cutting ties with Revsys; I’ll be staying on in my role as co-owner. I obviously won’t have any day-to-day responsibilities, but I will be around for “moral support.”
At this point, my only worry is that Revsys will do too well in the coming years, exposing that I was dragging us down all along.
What does this mean for Django?
Not much, really. As I’ve done since the day Django became open source, I’ll continue to not allow my employer to have any control over what I do to Django.
Of course, the opposite isn’t true. I’m not just going to “let” the Django community influence my work at Heroku; I’m counting on it! All the skills that got me this job are ones I’ve learned from the Django community. I plan to keep listening and learning from the community; I hope to let your priorities influence mine. In other words, I’m now your man on the inside.
One of the very first things that impressed me about Heroku was its willingness to listen to and be influenced by the open source communities that drive the apps people run here. They’ve been listening to what the Python and Django communities need for quite some time, so that’s a trend that’ll continue (and accelerate) with me here now.
I’ll probably even get a smidgen of work time to work on Django. Sweet.
Doesn’t this mean you have to learn Ruby?
Believe it or not, I already know some Ruby. I even kinda like it. Don’t tell anyone, okay?
But seriously: Heroku’s as much of a polyglot on the inside as they are from the outside. Heroku uses Heroku to build Heroku, so since Heroku supports basically anything, Heroku’s implemented using basically everything. Heroku has a culture of small apps, implemented in many languages, knit together with APIs. When you deploy, your app touches bits written in Python, Ruby, Bash, Erlang, Go, and probably a few others I haven’t discovered yet.I’m a bit of a language nerd, so I’m kinda excited about getting to learn about and play with so many different cool things.
Though of course when it’s my choice, I’ll still use Python.
Are you moving?
Nope, I’ll be working remotely. I’m staying in Lawrence so I can keep playing with tractors and chainsaws.