This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
Research mentioned in the talk: https://www.agilealliance.org/resources/experience-reports/empowerment-of-security-engineers-through-security-chartering-in-visma/
And this book ( Chapter 9 ) : https://www.igi-global.com/book/balancing-agile-disciplined-engineering-management/244366
( I do not make any money on the book and I'm sorry for the price, not my choice )
I see 37 watching live! Post comments and questions here for @espen.johansen.
Short background on Visma. 13.000 employees, 6000 devs. 40 acquisitions a year, we make software and buy companies that make software.
Interesting talk. ..I need to get the slides and review..this again.. agree so much on empowering and sharing the same intelligence!
Here you go @troy.grandison https://github.com/devopsenterprise/2021-virtual-europe/raw/main/Johansen_Espen_Slides.pdf
Great talk @espen.johansen I'm interested to hear (I might have missed it) how you align all of Visma and subsidiaries on a Security mandate? Do you centralise or is it departmentalised/region
We empower the Local Legal Units in the strategy. ( The companies, but have chosen to group a small team of experts in the middle ( Hub and Spoke structure )
@espen.johansen so you talked about sharing information that you have. Our team struggles with organizing that information and often leads to duplicate info. Do you have any suggestions on how to centralize shared information?
Yes! We have a Security Engineer Guild structure for that purpose 🙂 We orchestrated the startup and now it is mostly "self managed" but with some contrib from the central team
Thank you, @espen.johansen! Coming up in a few minutes: @shilpama and @krishnakanth_bn
So sorry, we have the wrong talk playing – stay tuned while we fix things backstage.
That said, I was seeing the correct talk on Track 2. The schedule is not ordered by Track number
The correct talk, Mission Live Enterprise : Distributed Agile and DevSecOps Automation at Scale Through Platform Approach, will start momentarily. Apologies for the delay!!
I'm so sorry for the inconvenience, everyone. We will be showing the session with @shilpama and @krishnakanth_bn at a later time, we will make an announcement very soon. Thank you all for your patience!
Nicely recreated the live conference experience where you end up in the wrong room than you expected :rolling_on_the_floor_laughing:
We will be showing Mission Live Enterprise : Distributed Agile and DevSecOps Automation at Scale Through Platform Approach with @shilpama and @krishnakanth_bn at 3:50p BST today here in Track 2 during the break. Our apologies for the shuffle!
Hello to the 45 people watching track 2! The speaker is available here for comments and questions.
How big a software engineering organization do you have, and how big a share of the engineers are in the platform team?
Hi @markus.lauttia , we are ccs 300 people strong with most of the people being engineers... And our platform team counts around 8 people
Hey @erik.sackman, they also operate the platform... in fact, when operating the platform, the team identifies things that should be automated and that goes directly to their backlog.
yep, in fact we have 12 of them... with 2 more in onboarding process currently
with not everybody in the company working as a part of the team
GCP, AWS etc offer something like this already - Kubernetes clusters, logging, monitoring, security capability, with self-service portal. What does your platform team do differently?
there are cases when it makes more sense to do the job outside the team
but roughly put you would say that you have one team of 8 engineers supporting 100 or so engineers in the stream-aligned teams?
Hi @david.read, the thing is that we still work with clients that are relying on internal on-premise cloud installations. With our runtime infrastructure as similar as theirs, it's easier to manage risks coming from differences in infrastructure.
@markus.lauttia yes, we currently have such setup 🙂
how do you overcome bottlenecks when introducing platform teams (i.e. you introduce more dependencies)
Not yet sold the idea and got approval for it, so for now it's only conceptual for me. But for me the platform team should not be in the way of the dev team. It brings tools to reduce cognitive load by simplifying things, it can bring knowledge and momentarily integrate someone in the dev team to tackle specific questions and get a better sense of the team's need, but the dev team shouldn't rely on the platform team to complete some of their actions
outside of the concept of platform by itself, for what we have done to date, like a jenkins sharedlib easing the integration of the various tools and reducing greatly the work to build a pipeline, is available as inner source, so any team using it can submit PRs to enrich, modify it... To avoid us becoming a bottleneck for some requested functionalities which anyway dev team needing it knows probably better than us
for example, stream aligned team cannot access the k8s platform directly but must go through the platform team
Hi @erik.sackman, you're right, we try to design all changes so they are as frictionless as possible.... self-service is crucial here, we want to eliminate such situations and have stream-aligned teams to be as autonomous as possible...
and do you supply your clients with an exit strategy when they have "lock-in" on your platform?
Right now, I think that we have automated much of stuff that needs to happen for initial setup... we have a selfservice platform that can provision namespaces and project resources on its own
:)) It's not a lock-in on our platform. This is a platform that we use internally. And when we help them build their platform, they are engaged from the beginning and we reach decisions together.
ok, so it's either included in the services your provide, or it's knowledge you take with you on consultancy efforts when building a platform for your client
@ikrnic How do you sync with the complete ecosystem of tools/technologies which are integrated and the platform that you have built
Yes, many times part of our job is not only to deliver software components but also to consult and help our clients build their own platform... this usually includes client education, knowledge sharing and helping them with specific tasks... so we share more than we lock-in 😄
Hi @manash_hazarika we invest efforts to look out what's happening out there and we decide on the direction via Community of Practice. We need all POVs for this
She's saying we need more security folks to secure all the things that the software devs are making. Can anyone summarize the other points?
Basically, we need to be judicious in how we spread responsibility in order to not overload others (DevOps folx) but be cognizant that some things require specialists. It's a fine line... but we need to move fast because the security skills aren't growing as fast as the dev talent and demand (that 1:17 ratio)
Got it, makes sense. So devs need security skills (what you call 'devsecops' roles?), and we also need security specialists who sit in security teams. And the ratio you quote is the number of developers to security specialists?
I'd be really curious to hear what team structures you've seen working - most places I've worked have had separate security and they've struggled to keep up, as a devops-centric person boosting security into the discussion and automation is critical to what I do, but... bundling them together as a single team doesn't feel quite right either
How are some ways that you have seen developers effectively improve in their security skills? I have trouble growing and learning for things actually useful for development based on what my security team tells or doesn't tell me.
Now there's talk of Dev, Ops and Security teams. Previously there was talk about DevOpsSec roles too. I'd love a diagram to see what is good and bad in team structure.
My takeaway from the last two slides is that it's highly contextual and probably will change. Yeah, I like that slide, might steal that for some team structure discussions myself
Thanks for the informative session @akoran - loved the energy and the content.
Thank you, Amelie! And NOW, we welcome @shilpama and @krishnakanth_bn!!
Thank you so much @shilpama @krishnakanth_bn for allowing us to air your talk now — we’ll push a change so that it shows up in the schedule in just a couple of moments. cc @alex
I have some slides with the venn diagrams with better explanations as well - i will post them
thanks, we only have the PDF without notes https://github.com/devopsenterprise/2021-virtual-europe/blob/main/Ame%CC%81lie%20Erin%20Koran%20-%20Koran_BeyondFirefightersvsSafetyMatches_SLIDES.pdf
Yeah, I have a separate deck specifically on the DevSecOps diagrams as to team strengths and structures and where they come from and where they go to - I think my single slide was a tiny amalgamation
it's a "pattern" diagram of where orgs find themselves now versus their desired state and it's more 'self-recognition'
Here are my DevSecOps patterns, which are larger and expanded versions of the Venn Diagrams on organizational moves.
@shilpama @krishnakanth_bn You’re now in the schedule — thanks for accommodating this!
@shilpama @krishnakanth_bn Your submission generated so much interest among the programming committee — can you share some details on how you’re funded? It’s so impressive you did this for non-revenue generating applications! How did you justify modernizing certain categories of apps where justification for funding might be difficult? And thank you so much for sharing your story!
Live enterprise is our Organization level initiative, there are 6 weekly SPRINT plan review with CXO. The organization was aligned for the digitization as part of Live enterprise.