2021-05-19
@markosrendell @leanne.bridges Love the analogy that risk and control functions are similar to guardians of teenagers. How do we keep safe while allowing freedom and accountability? Brilliant.
Hello beautiful people - for some reason the talk description didn't come through - here are the slides already, to get a feel for it - https://docs.google.com/presentation/d/1KSikHfZzt2di0l0V_3w9YakfyMFbwIxw966J_BEck6A/edit#slide=id.g6c44896cdf_1_3
I'm describing how we are all evolving into a team-centric view and try to explain how this doesn't come overnight and is rooted in past and future collaboration styles
Now that DevOps has been adopted widely, and much of the friction between development and operations has been reduced, organizations and their technical leadership want to learn how to address the next layer of friction, security. Or as it's now being called, DevSecOps.
Much like the Agile development models that preceded DevOps, integrating security into the development process is necessary for the faster creation of innovative and safe applications. Establishing a DevSecOps culture amounts to overcoming the friction between the silos within your organization, and the rest is engineering.
Creating a DevSecOps culture requires the right technology, delivery processes, governance models, and cultural empowerment. By continuously assessing each of these pillars, your organization can establish a proactive DevSecOps culture.
Looking forward to hearing from @patrick.debois256, coming up next!
> Dev(Sec)Ops - everything you do to overcome the silos - all the rest is engineering
do you agree ^^ ?
I recently listened to one of your DoD talks that focused on building trust
YAS! "Empower the team"
Command & Control - is that linked to the war metaphors in business?
I've learned that associated too, though I know little about who Taylor was. <knowledge gap>
https://www.slideshare.net/npflaeging/special-edition-paper-organize-for-complexity-part-iii is the best concise intro to Taylorism I've seen
I found the discussion of Taylorism (and the potted bio of FWT himself) in 'Team of Teams' really interesting - how such reductionist methods just don't apply in today's VUCA world.
Glad you're using Laloux @patrick.debois256 - it featured in the Scrum Squads documentary and I mentioned it in the book too, he's crystal clear in the model
I love that book (he's also a fellow Belgian) - I know many don't like it as it feels like one model is better than another. I just see it as a different thinking evolution
one claim might be they are fit for different environments
Everyone needs to stop being proprietary! ain't nobody got time for that! Well ok everything but the HumanDebt TM term
@jtf and different problem spaces - It's important to judge your company culture to understand how new ideas land
I think it is useful to consider the information flow ala Westrum in the different organization types.
the different models have different natural flows. the power centric red model matches and tends to give rise to pathological. the strongly hierarchical orange tends towards bureaucratic.
Reinventing Organizations: A Guide to Creating Organizations Inspired by the Next Stage of Human Consciousness https://www.goodreads.com/book/show/20787425-reinventing-organizations
love the discussion on evolution rather than one better than another
I've always been super confused with the "Container-Driven Collaboration" since that is somehow using technology, very different from all the other examples :thinking_face:
But I am fairly ignorant on the topic, have not spent a large amount of time to think about this in depth
Then I'm even more confused, maybe I'll need to dive into the book. @patrick.debois256 do you have some enlightenment on this one maybe?
Container driven collaboration hints at a few things: • we believe in a tangible thing to be discussed • it is a clearly defined thing. The danger of it is that you focus on what you are delivering, not how and with who. It stems from a belief we can write down all specs and we're good
So it's using a tangible clearly known thing (like a container spec file) to then collaborate on that boundary?
"Hmm which am I? Devops with expiry date! Oh no!!"
Which one of these have all the DevOps engineers?
Yes, it's important to get them all on the same team under one manager :rolling_on_the_floor_laughing:
It always boils down to trust - and at the group level, psychological safety!
"the first thing to build is trust" < early agile quote
decisions on outsourcing work impact the trust a team has with the organization
It's always about the people and work put in to develop the trust relationship and overcome the friction
what I meant was that people are watching build vs buy/outsource decisions a company makes, and they become skeptical if they don't feel the org has confidence in them to build it
Lately through Covid, I've noticed it's harder for me to trust people I haven't met in person and I tend to rely on those I've spent time with. It's encouraging to hear that a good way to build trust is to answer calls. I hadn't thought about that.
I started a new job in April 2020 - still haven't ever met 80%+ of my colleagues…
I think developing trust and other similar things while fully remote is an area needing experimentation and development.
Looking at the pre covid all remote companies, they still advocate coming together several times a year to 'rehumanise' too
@patrick.debois256 - one of the tricky parts for my teams has been how to add DAST to our pipelines. It's powerful security but extremely slow to run. Any thoughts or ideas?
Not necessarily an objection, but any best practices on how often to run DAST and any ways to speed it up
Can you decouple it from the deployment pipeline and run it asynchronously?
OK, no worries! Thanks for a great talk today - really enjoy how you weave all these great books together.
I think that is very specific to your own risk profile for what you're scanning in the end. Some things you can cope with not scanning every release, other systems are so critical you definitely take a hit in speed to be more sure :thinking_face:
yes - that is indeed what longer feedback does - much like unit test and integration test can have a different cycle
Thanks @nickeggleston and @philipp.boeschen650! Appreciate your thoughts - will go back and muddle over it
https://www.youtube.com/watch?v=po712VIZZ7M Actually touches on some of this a bit
@bernard.voos I don't want to hijack this thread but have you looked into IAST? Let me know if you want to talk
Hi @robertso! Yes we are already using IAST and it's super valuable, but I think we need a balance of IAST and DAST to layer our security.
Ok great to hear, if you're looking at a way to intelligently decide when to run what AST tools then you might be interested in Intelligent Orchestration. This is a new product we launched this year and is designed to solve the problem you're referring to. When should I run DAST, IAST, SCA and what do I do with the results?
It works with our own tools but it's an open platform so can work with any vendors' tools which have APIs or other integration points
https://www.synopsys.com/software-integrity/polaris/intelligent-orchestration.html
@patrick.debois256 are you listening to the talk as you respond to questions? How easy/difficult do you find this medium for getting all the questions queued for response?
Listening to the talk works great to understand how people's questions progress. It's torture at the same time listening to myself - euhs - struggling with words etc..
Nobody likes it, Patrick, but you sound great
I totally agree... Hearing myself is a huge distraction and the inner critic starts commenting...
I'm definitely not looking forward to hearing myself in 5 minutes
"It's good for business" is rarely a personal motivation - absolutely!
Command and control is like sand - the harder you squeeze the more it slips out of your grip :thumbsup:
I need a Star Wars emoji for an appropriate response
I'd love to hear your feedback to make this talk better - was it what you expected or did you miss something?
Personally, I like to hear stories from your experience that underscore each point - both the positive and negative... but something about the detailed real life story is captivating
fair point - stories can indeed be powerful - they also tend to expand in time
Would love to hear more on your view of psychological safety and its importance here
@patrick.debois256 I would love to know about experiences where organisations have all combinations of the DevOps team patterns, and how we can recognise it and understand if there is a natural evolution & devsecops maturity path in transitioning from one state to another. Is there an optimal devsecops team pattern/model to aspire to?
Something I've been thinking about lately: How do I as an engineer grow in my knowledge of security areas? I'm not getting much training from my security team and I haven't got my head around how I should be continually growing. I can scan code or put WAFs in place, but it feels so narrow that I don't feel like I'm actually fully using my skills.
separate training (the education part) suffers from the silos - you'd have to escape your siloed education program
One way a lot of security engineers learn is by hacking deliberately vulnerable apps. As a developer you can understand the underlying causes in code and it is fun to hack around.
There's a security company that does that and has various "ranges" or scenarios to attack, and I think they open it up for "free" occasionally. Now, if I could just remember the name...
there are many deliberately vuln environments and apps you can find on GitHub. Bunch of them have docker images so you can pull, run and start attacking.
@nickeggleston think you mean Secure Code Warriors? @dacahill7 Snyk also produces a lot of material around developer education. Check out this e-book for example that looks at Serverless Security: https://go.snyk.io/oreilly-serverless-security.html Happy to DM you some more if you want
A few interesting vulnerable apps here - https://github.com/appsecco
Love the line about the paradox of command & control culture! Trying to grasp sand and it flows through your fingers. Very zen!
That pendulum swing at the end of autonomy is interesting to me - back towards controlling
Me too! Do we need to dip back into control in order to maintain the balance?
If so, we will have no trouble doing this !
I think Aristotle has it right - we need Structure and Clarity which is easy to conflate
Autonomy, requires Psychological Safety. And requires leaders to keep it in place.
Reminds me of @esh's "better testing, worse quality"
Excellent talk @patrick.debois256 - I found it really insightful, especially how you brought every aspect together
Thanks @patrick.debois256. I wish the talk could be longer
Thanks Patrick! I'm going to be rewatching this later.
Keynote/plenary stuff
I'd like to pivot off of Daniel's question as well. As someone passionate about security, how do I help others better understand that security involves everyone at every level? Getting your tech team thinking about security is the easy half of this problem as they are deeply involved in this world already; but "traditionally" less tech-savvy teams like say marketing, sales, support often have a harder time understanding the real nitty gritty of why certain protocols exist. Why is my dog's name and DoB a bad password? Why should I care about the hashing algorithm we use? Attackers know that these are the weaker points and just a surface-level protection against phishing is starting to not be enough
My take is that you hit it with the word care - there might be different motivations to care about security. Part of being an employee is having obligations to keep things secure - but you should translate it into their daily life, about what they care about. Like sales: we don't want to leak information to competitors, lose subscribers when people feel their privacy is violated
When building up that care, is there a way you avoid using "Security" as a bludgeon? One example is in the Phoenix Project where the security director can halt any process by talking about how important security is. What are some ways you have seen security implemented effectively and gently while still keeping the importance?
The problem is not that security says no - if we trust them we want them to say no. What we are hinting at is that if we externalize the basic knowledge & judgement we can distribute the situation assessment, allowing us not to be blocked all the time. Much like Ops still has a place as the experts, or the UX or the project manager - they all have deep expertise. I agree that as people get better they often feel less need to ask for advice. And that reflex of asking advice needs to be enforced by the rules of engagement - everyone that will have impact needs to be solicited in case of doubt (by exception). That is the aim of the trust building
Thank you so much, Patrick! Next up, we welcome @praz, @akash676 and @ramesh.karra!
Awesome session @patrick.debois256 - tough act to follow.
Books mentioned by Patrick: Tyranny of Metrics; Threat Modeling; Secure By Design; Trust: Building Trust at Work; Reinventing Organizations; Turn the Ship Around!; IT Revolution books
This one is my favorite - https://www.thinbook.com/the-thin-book-of-trust
Were you able to have the same app work for children and college students and teachers? Or were there different applications? It sounds like the user experiences for the students of all ages would be important and maybe have different problems to solve.
We have multiple apps for students: 1. Early learn app K3 in collab with Disney 2. K5-K12 app. For parents we have a partner app. But no apps for schools/colleges. We are however working with Google Classroom to give content to schools and colleges via the Google Classroom platform
We use MongoDB as our DB. For analytics we use Redshift and BQ depending on different use cases. However, we have realized over time that certain transaction data had to be moved to a relational DB. So parts of it are now being moved to PostgreSQL
In this pipeline design, did you start with this model at the beginning of 2020 or did you have to cut out inefficient steps as you went?
We kept the design as is. Reduced the threshold for alarms for disk space, CPU for the Jenkins.
We tried to stay as close to what engineers expected from before the lockdown, since now all support and interactions were going to be remote.
By having build status go to Slack, do you feel like you avoided alert fatigue?
Slack channel for build status updates acted more of a shared workspace for the DevOps team working from different parts of the country.
Having each status there allowed for further discussion if required.
We did not have to switch between apps to know if something went wrong. Also, because we had alerts come on a certain channel where multiple people were there, we never missed something that was critical. Threaded discussions meant we had the context
Interesting. We have tried both having alerts in the channel and outside the channel and both cases have resulted in them being ignored. Now, new managers are wanting to move alerts again and I'm trying to think about how best to help.
This is a great question for a BoF session. Even I would like to hear from the other experts on what they say.
@ramesh.karra @praz - what underlying tool do you use for your pipeline creation?
Folks we are hanging out here and in slack till later, in case any questions come up. Cheers.
signing off here - feel free to reach out to me on the twitters or via email - https://twitter.com/patrickdebois - have a great rest of the conference
In a few minutes, we'll have @dubravko joining us from Continental Tires!
Ah...yes, we use Grafana. The Data Scientists are free to use anything else and are focusing on R, Dash, Streamlit and similar
Hi @dubravko, is this Lab something custom-built or something like the Databricks UI?
Only: after some experimenting we chose to use the EKS Kubernetes service
the frontend some slides ago looked quite cool :)
@dmitry.luchnik, thanks. It is, I really like it too. It is an interface which is used by Tires, ContiTech and Automotive alike and helps us a lot.
that would be my next question - thank you for this comparison π btw, have you looked into databricks offering?
We did the Databricks comparison in 2018. Maybe we can redo this...good point.
Currently many Data Scientists come up with new requests. MLFlow, KubeFlow, Sagemaker, you name it...
can we follow up the discussion in gather when the presentation is finished?
I still have some trouble accessing Gather but I will give it another try...our security is...outdated...in handling PC configurations
would like to join you, are you planning to be there in 30 mins?
Thank you so much, Dubro! We now warmly welcome, @thomas.jachmann from Siemens Healthineers!
hello everybody. Welcome to my talk. Looking forward to answer your questions and hear your thoughts
DevOps thinking can also be applied to cyberphysical systems, not only software.
@philipday but difficult to reach in such a complex environment. It has its worth as a north star but is dangerous as a KPI (you will see later in the talk)
Intriguing! KPIs are dangerous generally, if used as targets. IMHO they're great for teams to use internally, but dangerous for any form of upward or outward reporting.
or IT infrastructure changes we were looking for a long time until we found them
We use this in some work I do on service design, great to see it here!
I captured the screen with this one it, to show my management I am not the only one who talks about it
The brilliant John Willis talks about the cynefin framework in his podcast with Dr. Mik Kersten https://projecttoproduct.org/podcast/john-willis/
it is not only a matter of scaling speed but also costs, which become significant now
Embrace the change, important to uncover all of the bad things that are hidden
"Not something you can predefine, it is more about the journey"
@thomas.jachmann would you say that KPIs on this slide could be interchanged with OKRs?
you only can improve what you measure, otherwise you will not see in a complex environment if it improves or creates side effects that are not desired
thanks for joining my talk. I will stick around until the next talk starts in case there are any questions. Feedback is as well appreciated
my pleasure. I cannot say that prerecording this was a great experience (i love the interaction on a conference as a speaker with the audience). But the possibility to discuss in parallel is really awesome
I particularly liked the incorporation of potential new people into the process to speed it along.
@james.simon1165: we find a lot of topics much earlier now through these measures. We still find too many in V&V, but that is our next step of Shift left to get subsystem validation into the daily feedback cycle
@james.simon1165: especially hitting the system in system integrations is now much smoother and we still uncover topics there that require an analysis and further auto tests, but we were able to reduce system integration times already (and took out quite a bit of the drama)
@philipday: I agree with you. I should have used the term "measurement" instead of KPI, because that is what I mean. For me KPI has become a synonym, because it has neither the religious touch nor the academic touch in our organization. But I see where you are coming from - KPI has in a lot of minds a very specific meaning and also a bad reputation, because it is often misused