Blog Posts on Davy Hua | Security & Cloud Infrastructure Operations

Enough With the Silence: A Return Post

Sun, 01 Feb 2026 00:00:00 +0000

I’ve been quiet online.

Not because I ran out of opinions.

Mostly because I’ve been doing the work: building infrastructure, hardening systems, and cleaning up the kind of problems that only show up at 3am.

What I’ve Been Doing

The past few years have been spent in the trenches. Running platform teams, navigating SOC 2 audits, and figuring out how to make cloud infrastructure actually work at scale. The unglamorous stuff that doesn’t make for good conference slides but keeps businesses running.

Debunking Common Myths about DevSecOps

Wed, 07 Jun 2023 00:00:00 +0000

Security isn’t a later problem. If you treat it like one, it will show up later, during an incident, when you’re tired, under pressure, and improvising in production.

DevSecOps isn’t magic. It’s just the boring discipline of building security into the work you already do.

Below are six myths that keep teams stuck.

Myth #1: DevSecOps is just adding security to DevOps.

Reality: No. Its security throughout the lifecycle, not a security sticker slapped onto the CI pipeline.

The Commoditization of DevOps

Wed, 17 May 2023 00:00:00 +0000

DevOps is getting commoditized (and it’s our fault)

DevOps didn’t become hard to hire. It became easy to fake.

When everyone can paste the same tooling list into a résumé, DevOps turns into a commodity role: interchangeable, keyword-driven, and detached from the actual job, running systems without drama.

Here’s the fix, from both sides of the table.

The problem: buzzwords beat competence

Most résumés now read like this:

Kubernetes
Terraform
CI/CD
Observability
Zero Trust
Cloud-native

Cool. None of that tells me you can:

Embracing DevSecOps

Thu, 11 May 2023 00:00:00 +0000

DevSecOps isn’t a slogan. It’s guardrails.

If your security strategy is run a scanner and hope, you don’t have DevSecOps.

You have a pipeline that produces findings.

DevSecOps is simpler (and harder) than the conference talk version:

security is part of how you ship
teams share ownership
guardrails make the safe path the easy path

The real problem

Most orgs treat security like a phase:

build fast ✅
ship ✅
panic when prod gets spicy ✅
add a tool ✅

Thats not a security program.

The Importance of The Human Factor in DevOps and Security

Mon, 01 May 2023 00:00:00 +0000

Security doesn’t fail because your scanner missed something.

Security fails because:

someone ignored the alert
someone didn’t know what it meant
someone didn’t feel responsible
or nobody had time to fix it

Tools matter.

But tools don’t own risk. People do.

In DevOps environments, automation helps you move faster.

It also helps you ship vulnerabilities faster.

So if you want “secure delivery,” you need to prioritize the human factor.

1) Train people like you actually expect them to make decisions

“Security awareness training” can’t be a once-a-year checkbox.

As a beginner DevOps engineer, it can be overwhelming

Wed, 19 Apr 2023 00:00:00 +0000

DevOps is overwhelming because the internet won’t shut up.

As a beginner DevOps engineer, you’ll feel like you’re behind.

Because every week there’s:

a new tool
a new “platform”
a new best practice
and a new influencer telling you you’re doing it wrong

Here’s the reality:

You don’t need to know everything. You need a foundation that survives tool churn.

Below is the foundation — in the order I’d learn it.

Why DevOps Needs More Operations and Less Development

Thu, 13 Apr 2023 00:00:00 +0000

DevOps has an identity problem.

Somewhere along the way, “DevOps” got interpreted as:

“Developers doing infra work.”

That’s not DevOps. That’s just… developers doing ops tasks badly, until someone gets paged.

DevOps only works when Operations is strong.

Not glorified. Not “respected” in a company values slide deck.

Funded. Staffed. Given real authority.

Here are the three reasons, in plain operator language.

1) Ops is the foundation

If your operations layer is weak, everything built on top of it is fragile:

DevOps is Hard

Thu, 06 Apr 2023 00:00:00 +0000

Enough with the highlight reels.

DevOps is hard.

Not because you don’t know Terraform. Not because you can’t write YAML. Not because you forgot some Kubernetes flag.

It’s hard because DevOps is a contact sport.

You’re not just shipping code. You’re navigating:

company politics
unclear ownership
fragile systems with tribal knowledge
“priority” whiplash
and the fun little game where uptime is expected and outages are remembered forever

Here’s the part nobody tells you:

Security Challenges in Cloud Native DevOps Environments

Thu, 30 Mar 2023 00:00:00 +0000

Cloud-native security: where things actually go wrong

Cloud-native didnt make security harder.

It made it faster to fail.

Microservices, Kubernetes, CI/CD, managed services, all great.

But they amplify the same old problems:

unclear ownership
bad access discipline
no visibility when it matters
compliance as paperwork

Here are the security failures I see most often in cloud-native DevOps environments, and what to do about them.

1) You don’t know what you have (visibility is missing)

If you can’t answer these in 30 seconds, you’re flying blind:

Cloud Security Compliance

Sat, 25 Mar 2023 00:00:00 +0000

Cloud compliance: stop treating audits like a seasonal panic

Most compliance pain isn’t caused by auditors.

It’s caused by teams trying to reconstruct reality six months later.

Cloud compliance gets easier when you accept one rule:

Audits are evidence problems.

Not policy problems.

Not tool problems.

Evidence problems.

What compliance actually requires

Whether it’s HIPAA, PCI DSS, GDPR, SOC 2, the themes repeat:

control access
protect data
log activity
manage change
prove you did the above

If you can’t prove it, it doesn’t count.

Benefits of Integrating Security and Compliance into DevOps

Wed, 22 Mar 2023 00:00:00 +0000

Shift Left Isn’t a Slogan—It’s a Cost Reduction Strategy

Security at the end of your pipeline is security theater. Compliance as a last gate is expensive rework. Here’s what happens when you integrate both from the start.

The Actual Benefits

1. Find It Early, Fix It Cheap

A vulnerability found in design: hours to fix. In code: days. In production: weeks, incident response, legal review, and customer notifications.

Cost increases 10-100x with each stage shift.

Cloud Security Data Protection

Sat, 18 Mar 2023 00:00:00 +0000

Data Protection: The Five Controls That Actually Work

Encryption isn’t a feature. It’s a baseline. If you’re treating data protection as a checkbox, you’re already behind.

Here are the five controls that separate professionals from pretenders.

1. Encryption (At Rest, In Transit, In Use)

At rest: Disk encryption, database encryption, bucket encryption. If the data sits somewhere, it should be unreadable without the key.

In transit: TLS 1.3 minimum. Not optional. Not “where possible.” Every connection, every time.

Why Cloud Security is Important

Sun, 12 Mar 2023 00:00:00 +0000

Cloud Security Isn’t Optional Infrastructure

You moved to the cloud for speed and cost. But you inherited a new attack surface that’s invisible to traditional security models. Here’s why that matters.

The Five Areas That Actually Matter

Data Protection

Your data sits on someone else’s computers. Encryption isn’t a nice-to-have: it’s the baseline. At rest, in transit, and increasingly, in use. If you don’t control the keys, you don’t control the data.

Not Fully Matching All Requirements Listed in The Job Description

Mon, 06 Mar 2023 00:00:00 +0000

Job descriptions are written by people who’ve never done the job. Remember that.

Most JDs are copy-pasted wish lists, not requirements. When you see “10 years of Kubernetes experience” (Kubernetes has only existed since 2014), you’re looking at HR theater, not actual hiring criteria.

What Actually Matters

The 70% Rule

If you can do 70% of what’s listed today and learn the rest in 90 days, apply. The people who get hired aren’t the ones checking every box: they’re the ones who demonstrate they can close the gap fast.

Your DevOps Journey

Thu, 02 Mar 2023 00:00:00 +0000

The Phantom Obstacles

Everyone wants to talk about the tools. Kubernetes this, Terraform that. Nobody wants to talk about the psychological traps that derail actual DevOps careers. Here are four that trip up smart people.

“DevOps Is Only for Developers”

Wrong.

Coding helps, but it’s not the gate. Some of the best DevOps engineers I know came from tech support, NOC, or sysadmin backgrounds. Why? Because half this job is troubleshooting under pressure, and you don’t learn that from LeetCode.

What is Devops?

Tue, 18 Apr 2017 00:00:00 +0000

Last Updated: February 2026 — Nine years later, the core thesis holds: DevOps isn’t a title, it’s a convergence of skills. But the landscape has shifted. Below the original post, I’ve added a 2026 update on Platform Engineering, AI Operations, and where DevOps is heading.

Enough Already!

Too many non-DevOps talking heads have been chiming in and giving their 2 cents on what exactly DevOps is or isn’t. Let’s get something straight: I don’t consider DevOps as an official title or role. DevOps is a culmination of skills and talents in a singular embodiment; a channel to getting sh!t done. The only reason why us “DevOps” Engineers use or tolerate the term to label what we do simply because it is the easiest way to obtain universal head nods from the people in the room.

Water for DevOps

Sat, 15 Apr 2017 00:00:00 +0000

Last Updated: February 2026 - The Bruce Lee principles still apply, but the context has shifted. Added: AI pragmatism, platform engineering mindset, and why “no way as way” matters more than ever.

For my inaugural post, I’d like to lead off with my philosophies and approaches in DevOps ( What is DevOps? ). Like many of my childhood friends, I idolized Bruce Lee growing up. There is no introduction needed for Bruce as there isn’t anything I can say which hasn’t already been said about the legend. One of his many talents and creations included a guiding set of philosophical principles.