Excited to speaking later today- 150 CDT for Flying an Air Force Cyber Weapon System to DevSecOps

Welcome to our presentation! We will show you how our Continuous Quality Assurance approach has enabled us to open up new cloud-based business opportunities for Siemens Digital Building. @klaus.baumgartner and I look forward to your questions.

🎉We now welcome @klaus.baumgartner and @peter.fassbinder presenting: Unlocking New Cloud-based Business Opportunities in an Industrial Company With a Novel Continuous Quality Assurance Approach:tada:

What the metrics used to decide the quality of artifacts? Software and non software

Software quality is driven mainly by tests and PO feedback, the quality of the non-software artifacts is mainly the question whether it requris an update and whether this has been completed BEFORE the fast deployments.

I guess how is your approach different than conventional model where reqs are finalised and then developed and then tested using CI/CD approach. In other words what was done differently....Sorry for a long question

In the convential approach typically the focus is only on the CI/CD pipeline and the software. We integrated a second stream taking care of the non-software artifacts (regulatory required documents, patent clearing, risk assessments, export control documents, etc.) and ensuring, that those are always awailable in an upo-to-date state when a deployement is made.

👍...So all the non soft artifacts were updated before development of the software began, right? So in other words you guys treated documentation etc as 1st class citizens

Not all, depending on the type (for type 1-2 yes, for type 3 and 4 no - those can only be upadte in parallel to the development sprint)

But your conclusion is correct: we elevated "documentation" (of all sorts) to the same level as functional user stories

Did you ever find situations where you did the development and realized you missed non-software artifacts? How did you handle that?

In addition to what Peter wrote: the difference is also that we broke those non-sw-artefacts down and evaluate and attched them - only if applicable - to the individual features. With that we were able to shift-left also those elements...

@jlutz777 this was the case earlier: the software was ready, but we could no deploy because of ...

Good talk .. Thanks @peter.fassbinder

In the past many (most) of these non-sw-artefacts were done and chacked only after the sw-development, so the deployment had to wait for those

Thanks @peter.fassbinder and @klaus.baumgartner, good talk!

📣 Let's welcome @cheburge presenting: Embedding Security: How We Use Automation to Reduce Time and Effort for Cisco Developers to Secure their Products 📣

Hello, looking forward to everyones questions.

Love the way you start with - Developer Experience

It is the actual name of our team.

Is it serving the whole enterprise?

curious how big your Developer Experience team is vs the size of your org?

For your DevEx team, are each of the specialists full-time on the team, or just have a part-time responsibility?

@topo.pal Cisco is defined into many orgs and business units and then product teams. We service a number of the products with-in our “Cloud & Compute” BU. We supports about 1000 developers.

@graham_mcgregor & @brian_t_marshall As mentioned we support a range of services and products. So we have 13 FTEs supporting those teams.

That 13 includes network engineers, data center, etc.

So its a very small team when considering the range of things we support.

🐢

Do you use a tool to generate the SBOM? (maybe you're still getting to that)

I used to use that analogy when I was working on networking overlays and underlays. I felt it was apt in this case as well.

@mikayla.m.rettig Getting there… 😛

I'll be patient!

TL;DW - Tools from a company called Anchore, but details are coming.

Thanks for those massive images slackbot.

@cheburge, were there a wide variety of different container registries that you guys had to wrangle as a first step? Apologies if I missed that part of your preso.

@david.sanda - We do support and use a number of different sources. We haven’t really had any issues with referencing or using multiple but we do have contents thats available in Docker Hub, private Docker registry, artifactory, and harbor. As mentioned none of the Anchore tools has had problems with any of those. We have had issues with availability of registries that were supported by other internal teams.

Roughly how many containers are being scanned? i.e what sort of scale is this running at?

I assume you aren't remediating all vulnerabilities, what criteria are you using to prioritize remediations? CWE? CVSS?

@cncook001 - We have about 2300 images that presently being continually evaluated (released artifacts). As for transit development artifacts its a few 1000 over the course of a day. We have some jobs that can generate 100+ unique images and scan requests per build.

@jonathon.sturdevant - Cisco has an internal team that determines severity based upon a number of factors. Minerva pulls data from one of their internal tools for that information.

@cncook001 - Further our anchore deployment today is deployed on relatively small internal k8s cluster we use for developer services. We can, and have in the past, easily scaled our Anchore Enterprise deployment by just scaling up our pods at different levels. I suspect we could easily support a lot more than current without much effort at all.

good talk @cheburge - lots of practical examples!

Thanks @cheburge!

are folks using any tools for gathering and centralizing policy metadata to help with automation of policy governance?

@cheburge great presentation! thank you

@cheburge What types of ares will you look at for Risk Assessment?

Thanks

Another great talk today @cheburge. Minerva looks like a useful tool. Would Cisco make it available to the community or is it too proprietary?

@kim.weins Cisco recently acquired Kenna Security (https://www.kennasecurity.com) and we want to enable it as a source of data for Minerva.

@glenn.wilson - I’m afraid its too proprietary in that a lot of what it does is pull data from various Cisco internal feeds to help perform risk analysis and present data to our engineers. Its mostly just a series of ingest scripts that load data into elastic search. We then have various dashboards as well other automation that runs regularly to create the tickets etc based upon all the data thats been loaded.

Our team depends on it heavily but it was never really designed around the idea of being something that would function/work for others outside of Cisco I’m afraid.

Thanks all.

🌟 Let's say 'hello' to @bcannon and @halfmoondad who will be presenting Aflac DevOps Journey of Journeys 🌟

Hi all. Welcome. Looking forward to answering any questions you have.

Great to be here!

Good afternoon Brett, I wanted to be sure to catch your talk

@jarrowood great to have you listen in Joe!

Most companies bring in Devops with the intention of reducing time to mkt or implement MVPs ...so there alway seems to be some business goals, Can you give an exmaple of where u have seen Devops for the sake of Devops.

The DevOps for DevOps sake antipattern rears its head when teams have maturity goals and/or use checklists to track who has adopted what practice or tool. This misses the point, as you say of adopting DevOps ways of working to achieve measurable goals and business objectives.

I saw OKRs earlier results slides... were you able to align outcomes dojo's with OKRs?

To some degree, yes. The outcome goals were measurable and enablers of broader OKR's of fast flow of delivery of capabilities toward bigger business OKRs

I am a former Aflac agent and down times were no joke when working with the systems which were a headache for all involved. Good to see things have gotten significantly better!

Our goal is for each team to understand their metrics and work to continuously improve those metrics, making it part of their culture and team DNA. We’ve worked hard to stay away from DevOps for DevOps sake. Each team is on their own journey

We have made the maturity model mistake but have found a way to measure progress of adoption vs judge with Maturity scoring. It's the score that drives the competitive anti-pattern and perceived negative as no team wants judged.

What level are the senior leaders on the enablement council at? Is it VPs? Directors? Managers? Senior Devs?

We have found that it is better to have leaders ask their teams, do they know their metrics, do they have a backlog of continuous improvement items, what is their biggest impediment, how can I as a leader help, etc. This has a direct impact on metrics of business value improve across each team. Not perfect in any case, but as the title says, this is a journey!

The enablement council is CIO staff, nearly all VPs.

If we can only get leaders to believe that Metrics are for teams not for Leaders to push. Only teams can improve metrics

That is difficult Steve. It requires some unlearning of what has been done for decades. But it is critical

Steve, not only the metrics that leaders push, but also changing the mindset of leaders to think differently, even outside of just the metrics. We have spent a lot of time working with leaders to think differently to enable their teams.

Thanks John....if leaders believe metrics are for teams but teams then embrace transparency in all we do then both parties would be happy and live in harmony. Teams share and bring transparency for leaders then leaders trust thru that transparency.

Thank you!

I really enjoyed the talk. Thank you for sharing your journey!

Thanks, Joe!

Thanks all for listening

Well done guys

Thank you Gentlemen

And thanks to all that listened in

Nice job AFLAC........even though the duck kills me from the "Nationwide is on your side" team

✨ Introducing @tiny.mpetersii, here to present: Employing DevSecOps for Air Force Cyberweapons ✨

Thanks, Steve.

Afternoon all, here to chat, I brought other experts with me @bbutler and @jsorrell

LETS GOOOOO @tiny.mpetersii!

There it is!!!

hhaahhaha “simplified”

Have to love the acquisition chart....

I love it when people show the DoD LCMS on a slide

Paperwork over working product.

I am totally geeking out of over this presentation. @tiny.mpetersii

Unfortunately the CDRL aspect still focuses on the same aspect. Gov rep: Tell me about your installation plan, by the way, the Defense Instruction Document was written in 1984. Me: But it's a container-based system. Gov: Need the full doc, all 30 pages, every time Me: every 24 secs?

AFDCGS CM Lead "Give me you Software installation Document". Here "Type Run "XXX". Oh, "That's not acceptable".

gosh the olden days of dragging someone in to meet in-person

What tool did you use to create your documentation?

Wow - 90% of ATO issues closed.

Imaging that.

I think that is such a value add, checking out other teams and seeing what they do . what a good and bad looks like

AFDCGS Horror stories - I have this one line code fix that closes a CAT 1 security issue. It is in a containerized package. Reply: "What's a container. Give us your CCB package 56 slides, TCTO, and required documentation" BTW. your late for your CCB submission, see you in two weeks."

Bureaucracy ❤️ 😄

Reminds me of a quote from the Nick Challain missive. You wouldn't put people in a cockpit without flight training, but you put them in charge of a technical team without training.

Make sure you stick around for Flow Engineering and the ‘how’ of DevOps! https://sched.co/mGT9

I am glad to not hear anything about CMMC

Oh, that is great you went to the We Work environment. Would love to know more about that.

WHOO HOO!

Great job.

Very nice @tiny.mpetersii, that was great

I got my money's worth right there .

Thanks

Thanks @tiny.mpetersii, you're one of the few speakers who have touched upon AI/ML in DevOps.

👍 great presentation

Hi folks! @abd3721 and I are here and excited to hear any questions, shared personal experiences, or feedback about our presentation coming up! 🙌

🔆 Introducing our next speakers, and future IT Revolution authors, @steveelsewhere and @abd3721 here to present: Flow Engineering – Learning to Lead from the Inside Out 🔆

Which tool are you using for thie collaborative mapping, Miro ?

Which tool are you using for thie collaborative mapping, Miro ?

"Learn By Doing" - Cal Poly motto

“We must not sacrifice quality for speed” - absolutely 💯

Even better the 2nd time @steve773 @abd3721!

Are these slides available?

This is the OODA loop 🙂

@steveelsewhere - Love the content, awesome

it is an experience ... i've seen it first hand

By increasing flow you increase engagement and happiness. Awesome!

hmm, sounds like Kim works at my company 🙂

@steveelsewhere Nice how you bring visibility to 1st class VS's (Platform VS's including Infrastructure)

Wow, this is very exciting! Do either of you help organizations go through this process, @steveelsewhere & @abd3721?

Go to the gemba - best way to gain understanding

One difficulty that happens in this scenario is when the infra team serves not just one business unit but a dozen or more. This can lead to the situation where multiple teams' highest priority issue doesn't even make the the infra team's top 5. How would you approach this?

Enabling flow is a team sport!

I see this happening when managers are working make their work centers faster when they are not the constraint, it just builds WIP at the real constraint...

“Other”. This is great, @abd3721!!! We fear others.

This is so much bigger than FLOW!!! Such a great blueprint for inclusivity on your way to FLOW. Awesome.

This is a great presentation. Thinking about perceptions, about teams collaborating, finding consensus and so on - has anyone else found during the pandemic that it has been hard to get Teams to empathise with each other? Because of the endless video calls, because of the stress and distraction of the pandemic, that sort of thing

one of the foundation items I have to cover with onboarding a new DevOps engineer to the team is to remind them that we are responsible for the whole value stream, not just a work center.

This is literally talking about something that is happening to my org in another slack channel right now...

@steveelsewhere, do you have books that you'd recommend for understanding flow engineering better?

THIS! "Psychological alignment & shared goals" @abd3721

this talk is so great. thank you @abd3721 and @steveelsewhere

Ohhhh! New Book 🎉

Look forward to this book!!

Nice! Looking forward to the book!

Books books books!

Super excited for this book!!

Excellent talk!!

https://inside-out.work is the site, please do check it out and join us on the journey!

maybe new IT Rev BookClub item?

great talk. My brain is full! 🙂

Thank you!

Well, that was the best talk of the day so far, thanks guys. Got a lot from that. Looking forward to the book!

Wonderful talk @steveelsewhere and @abd3721 . I enjoyed this one immensely

I'm so happy to not be the only book-junkie!

Thanks @steveelsewhere & @abd3721 great talk

The story was beautiful and the talk !!

That was great!

nice job!

Thank you! very well done

Great talk---

@abd3721 It occurs to me that we heard very similar themes in talk from Target, Team of Teams, etc. Great talk!!! cc @steveelsewhere

Thank you so much everyone for being here, it’s an absolute dream!

Stay in touch with us at https://inside-out.workhttps://inside-out.work

Great stuff! Thanks for the talk on flow engineering.

Reminder: The plenary sessions are starting again in 5 minutes. Start making your way back to your browser and join us in #ask-the-speaker-plenary to interact live with the speakers and other attendees. https://devopsenterprise.slack.com/files/UATE4LJ94/F01D34MC2KS/image.png