This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-05-18
Welcome Sonatype's team for our next session's Q&A. Thank you https://doesvirtual.com/sonatype!
are the slides of "DevSecOps Security Champions and How to Implement Them Successfully" on dropbox?
@vladyslav.ukis Yes they will be, if there is something specific you would like to discuss PM me directly and we can discuss.
@vladyslav.ukis I just pinged you with the link in the #faq channel as well.
"Delivery above Security!" love the reactive image to go with it. Security needs to be built into the Software Supply Chain and allows for proactive views into the Product being developed.
Robbie what approaches have you tried for getting interest from pers to step up as security champions from business areas that might have some friction towards security culture. I've found it pretty easy to get interest from tech-savvy devs and those interested in security but struggle to foster interest from areas with less knowledge/interest in security
@lloyd.passingham It has been an interesting journey, providing ownership and guide rails help immensely, but also trying to reduce all risk to 0 is a fool's errand. The way to bring more parts of the business in has worked well by providing visibility into what the issues are and what remediation steps to take. Parts of the business have been hounded historically by a list of vulns/risk, this is off-putting hence the need to contextualise the problem and make it personal.
✨ A warm welcome to @james.hunter & @vkelkar for our next session's Q&A. Thank you https://doesvirtual.com/ibm!
If you're out there live, the speakers are available here for questions and comments!
So true @james.hunter #Flow #Zone #Impact - all awesome but even more so if they have the magic of #psychological-safety too
how do you measure mental health and happiness of a team?
Can you share more about how AI is used in GitLab Ultimate? What benefits are you seeing?
Team happiness and psychological safety are measurable once you understand the components and behaviours going into the healthy dynamic of the team
Mental Health isn't a team aggregated measurement unless we add together the health of the individuals but the more PS there is in a team the more positive effect it has on their personal wellbeing
After asking the teams I then looked at performance metrics but that requires numerous assumptions to draw any conclusion.
More recently I have been looking at analysing comments and text within code using NLP to see if I can identify any trends.
Would love to compare notes on what and how you asked @james.hunter - dropped you a note on LI
IMO that's the most overrated of all human measurements - means nothing really
interesting.. It was mentioned several times in the Accelerate book
so would you measure with surveys or rely on personal connections and "managers' reporting up the chain?
what are some "components and behaviours going into the healthy dynamic of the team"?
Apologies, I missed this @logankd - we measure if they are Flexible, if they have strong emotional bonds, if they Speak Up, if they are Courageous, if they are Resilient, if they are Learning together and on the flip side if they refrain from Impression Management
📣 Welcome @stephen who will be moderating for today's VendorDome Q&A between @brianf, @twalker and Josh Stella!
Thanks for joining the VendorDome! Post your questions here and we'll pose them live!
Hi Vendordome! Where do you see DAST going in the future, specifically scaling it and speeding up the run times?
PS: thank you for helping create and maintain Maven Central, @brianf! cc @arne.brasseur @mitesh
Thanks indeed! we rely on it every day, together with Clojars.
Thanks, life without maven central wouldn't be easy
"we need to protect the car, and also protect the factory" - @brianf
It seems like an impossible task when you look at the number of dependencies some (even mid-sized) projects work with. While tools are definitely getting better, there's no way for tooling to catch all the supply chain vectors. Is this just a question of hardening various security layers?
Definitely. Although, I think we could compare this to a defense-in-depth approach, every security measure helps strengthen the supply-chain but no single measure may be a 100% effective by itself... be it an application firewall blocking suspicious dependencies (outright malware or dependency confusion PoC packages), or just any tooling scanning dependency for vulnerabilities. I've written extensively about these real-world examples.
What kind of security automation has to be applied to a Jenkins Server and Build servers?
What type of security vulnerability detection can you automate for embedded systems?
Thanks for your answers. Really illuminating. Follow-up question, in case there's time: @twalker mentioned that it's important to at least know which vulnerabilities you might have in your chain/stack. I totally agree. Do you see any convergence with the practice of observability in terms of taking a stab at looking into unknown unknowns…maybe observing and querying security-related events in real-time?
Lift and shift = moving from koi pond to acid bath filled with sharks with lasers.
> less than 7 minutes from a service going public to the moment it being scanned for vulnerabilities Can you share a source for that?
Great to hear the mention of Platform One and Iron Bank. We've been working embedded in P1 for a while.
"We want people to be safer and happier" - @brianf cc @jonathansmart1
So happy to have @robert.greville1, @natasha.n.wright and @david.ward for our next session's Q&A. Thank you https://doesvirtual.com/launchdarkly!
LaunchDarkly is super excited to partner with Vodafone's https://www.linkedin.com/in/%F0%9F%A4%96-robert-greville-2206b719?originalSubdomain=uk, https://www.linkedin.com/in/dave-ward-b205742/, and Natasha Wright from Accenture, for their release acceleration journey. If you have any questions about LaunchDarkly feel free to come by our Slack channel! #xpo-launchdarkly
"driving towards the culture of inner sourcing"
@natasha.n.wright did you experiment with any "let's take this small service and only flip that" to break the microlith?
Unfortunately the flip process was too time consuming to run for just one service, so this wasn't ever going to be a scalable approach.
The explanation at the beginning felt like you were explaining my exact current situation. And we have been looking at LD but this talk is showing me even more ways that LD can improve things.
We really hope this has been helpful for you @lyonssr! Do get in touch with any of us if you have any questions following the talk.
this engineering walkthrough is GREAT @natasha.n.wright
are teams able to deploy their own flags? or you let them submit PR but the push to LD is done by platform team?
Teams can handle this themselves, within teams we have custom roles - Release Manager is the person who can deploy to PROD - but this role can be applied to members in teams or in over-arching roles (such as release, scrum etc.)
Trusted individuals - there is no technical barrier to applying a flag other than having the correct permissions.
Gus - We do have some new features that allow for an approvals workflow that limits who can activate flags.
As well as an audit log so that you can see a history of who made what changes
yup...in process of onboarding with you guys already...just interested if they same need on vodafone side. our regulators aren't there yet with trusted individuals unfortunately
one more from me...how do you manage testing when there are multiple active flags?
Hey Gus, I'm sure Rob has some thoughts on this, but this blog post on the topic may be interesting for you as well https://launchdarkly.com/blog/testing-with-feature-flags/
Love the use of being able to toggle flags on/off via Slack! Makes life easier!
Welcome @justin7orbry and @adrian.jones for our next session's Q&A. Thank you https://doesvirtual.com/tasktop!
are the slides from this presentation missing on github or am i overlooking something
@erik.sackman we decided to go without slides for a change. Hope it works. We want to focus on the conversation, not the material
Can I mention the Value Stream Management Consortium (should be ok - Tasktop are a founder member!) https://www.vsmconsortium.org/
I blame starting in manufacturing for my flow journey into digital as well!!
@justin7orbry What's your definition of a value stream? I try and distil it to "Anything that delivers a product or a service"
A common way that I have seen is similar but slightly different - "A value stream is all the work done in order to deliver value to a customer"
Definition of done moved from 'I did my job' to 'our customer realized value'?
"Compressing the time from Idea to cash"
"A system of local optimums is not an optimum system", Eli Goldratt
@justin7orbry How do you overcome the business saying things like "prove it works before I change my business model" ? Thinking specifically here about where you mentioned failing agile transformations due to business goals/measures not changing
you're right @wiskow.sj...inevitably proving is important - proving the importance of focussing on flow, leading to improved delivery. That needs to be proven ...then scaled.
I'm finding lately that there can be a disconnect on the role of management and organisational leads and where they should play. Often I see a strong focus on the tooling instead of the background core business processes and organisation redesign. Then we end up in a half transformed state. Is there a good way to get org leaders to partner on the transformation, offering up organisation redesign along with tool and cultural changes?
That old chestnut "the budgeting beast" that needs changing...for sure
I struggle as a developer, knowing all the things we need to improve on, but the leaders not seeing that we need to invest time into making the improvements (reduce tech debt). They seem to think we need more features, where we really need to clean up and improve what we have
"Improving daily work is as important as daily work" quoting Gene
I think of that often... it's hard to convince others of that. I often promote Gene's books
Very difficult to cook in a dirty kitchen
Our approach to debt was to get the leaders to realize that we need both. Over our sprints we have some portion of time devoted to reducing debt and some portion devoted to delivering new value. The reduction of debt has value somewhere or it wouldn't be in your backlog, you just have to figure out how to quantify that to your leadership.
https://bdfinst.medium.com/5-minute-devops-tech-debt-24f739607f81
it is the job of devs to bring those issues up. I think leadership needs to make the space and time and prioritize them
Might want to intentionally incur debt to be first to market
very true, we need features to get more clients and revenue, but at some point it starts slowing us down so much it feels like we'll crash and burn
A relevant blog - https://blog.tasktop.com/why-we-need-a-shared-understanding-of-technical-debt/
Yes, knowing the difference is key, agree @jonathansmart1!
I actually see reduction in "Flow Time" as a leading indicator of value delivered. Though "Time to Market" is often a lagging one as it is considered for bringing entire new projects or applications to market.
Nested leading indicators! Aging as a leading indicator of Time to Value as a leading indicator of Value as a leading indicator of survival
Yes, agree, and good point that @justin7orbry made on that.
Most delays caused by organizational design, technology is the constraint at the end of the system... this is fabulous!
If you build E2E feature teams who aren't dependent on anyone else....how big is too big? (in terms of people).
@wiskow.sj we tend to ask people to study the effect of the current measures so they can make up their own mind
Great, but I hear the conversation now: Me: So you see? Management: Yes totally Me: So lets change the org this way Management: No, we have to deliver
Fully agree...but I challenge myself sometimes, are we lacking skills to "sell" ??
isn't in the Unicorn Project book where one exec joins the troops in the pub and that exec is used to create advocacy in the senior leadership? something like that
A very very typical situation. So many threads to this challenge, from conflicting incentive structures and bonuses, to lack of data to justify the change - and more. But from what I have seen in my career so far - the most important thing is having someone at the executive level that genuinely cares about how improving how software is built and delivered. Someone that is willing to tackle the 'sacred cows' (like moving to focus on Value instead of just Costs, or breaking down the silos to align business and technology to Products). Someone who is willing to fight to 'move the needle' on the business results, manage the political aspects and break a few eggs on the way - rather than just deliver a pre-defined transformation project. If you or your company can find an executive or senior manager who is genuinely like that - just like in the Unicorn Project - then great things will result.. not just in terms of business results, but also in terms of employee happiness !!
"Transform While You Perform" is the challenge. However, I have not seen transformations running any other way. You need a small group of people in the org at different levels to pull off the transformation. 3-5 key people or so.
@james.simon1165 you need better measures to show that delivery is not efficient
I love this talk of looking at whole systems (and flow). I feel like there are some nice wins on local optimizations in a system, but you start to get real wins when the larger org starts evolving more (though that seems to be a large challenge for many)
Also involves a lot more people. Therefore much harder to do, maybe impossible with the wrong people in the company.
First time I've heard someone at one of these conferences with my accent. But seriously, this is really bold stuff, and getting to the heart of the adoption of methods or models piecemeal rather than good systems thinking. Da iawn Justin!
The bit where he said Taiichi Ohno! I'm catching up on this after the event... @justin7orbry fantastic talk thank you! So much insight. I couldn't make out the name of the John __ person at Cardiff, who was that?
i learned more from John about TPS than any body else regarding lean because it was about TPS not what the lean movement has become
"Value demand" nice one @justin7orbry I'm hearing pull over push
Since @justin7orbry mentioned systems thinking: Can someone recommend a good book which treats systems thinking quantitatively, i.e. includes some math?
Thanks @jonathansmart1. Probably my mistake was only listening to the audio book of "Thinking in systems".
@tim.gould lol .. we do some of it but the things that work and support our principle of the correct work in the correct order not a by the book version ..
Such a key point @justin7orbry just made re changing the system!
I'm amazed at how often the system is not changed, then culture is blamed…
If you want to hear more from @justin7orbry and the remarkable stuff he's doing at Lloyds, do make sure to listen to his illuminating podcast episode with Mik Kersten. Redesigning software systems around flow, respecting laws of physics when accelerating flow, identifying leading indicators, the economies of flow and more https://projecttoproduct.org/podcast/justin-watts/
@justin7orbry thx so much for your insights. I loved your talk. So true. We are working by far too much on solutions which are not based on real problems.
*Overuse of Scrum *DevOps necessary but not sufficient *Doing the wrong things righter Thanks @justin7orbry - fabulous insights
thanks for the great talk and all the Slack conversation
I think the problem with Scrum is that you don't give it an honest try before adapting and the problem with Kanban is that you do parts of it to shirk on the parts of Scrum you didn't understand.
@ferrix points don't make prizes and is done really done and from whose perspective .. ? to work out if scrum is working for you find out how many instances of done are done from the external customer's perspective ..
This! It has been thought through but the thoughts never explained.
Great talk @justin7orbry. It would be great to see how much as a result of e2e/ system thinking and flow improvements, "Compressing the time from Idea to cash" has improved over time.
thanks @sabina.kambersalamanc Loved your talk this morning btw! Perhaps we can compare notes
hi @sabina.kambersalamanc! What Adrian said (loved your talk). Justin talks about how Lloyds reduced customer mortgage application times in this podcast episode. which you may find of interest https://projecttoproduct.org/podcast/justin-watts/
Many thanks for sharing. I will check this out
@sabina.kambersalamanc we are getting there ..we have brilliant pockets ..but so much still to do
Keep going. It sounds like a great journey and one well worth undertaking. I love it
@justin7orbry I tend to ask the question: "When you say Scrum does not work for you, what's the reasoning behind that and how did you try to adapt it to your needs?"
(I really love the few times when I got a mature answer...)
I understood from @justin7orbry that the issue is not scrum per se, but a tendency to over-rely on the processes, ceremonies etc.....as opposed to how work is flowing and delivery of value is being improved.
Yeah, I think we're aligned on that thought. "Ceremonies without understanding are the biggest challenge for agility" is a quote from a wise man observing us do SAFe in 2010.
Loving the dialogue generated by @justin7orbry and @adrian.jones's talk on business value - so many angles to this!
RE: today's talk with Justin and Adrian -
- For all those that are interested in helping their org move from Project to Product - check out the Project to Product podcast, featuring several of the DOES presenters, including Justin, Gene Kim and many more - https://projecttoproduct.org/podcast/
- For all those that are interested in connecting technology and business on the flow of value - check out http://flowframework.org/
RE: 'many more' on Mik + One - goodness me, I had not realised quite how many DOES presenters have shared their insights via this podcast until I wrote these out 🤯 Justin Watts, Gene Kim, Pieter Jordaan, Robin Yeman, Maya Leibman, Ross Clanton, Matthew Skelton, Manuel Pais, Jon Smart, Rene Te-Strote and possibly more from previous years.. It is becoming quite the transformation cultural index!