Molly Coyne (Sponsorship Director / ITREV)11:05:25

Welcome @sujit.unni for our next session's Q&A. Thank you!

upvotepartyparrot 4
Sujit Unni11:05:05

Good to be here .. great sessions so far

upvotepartyparrot 2
🙌 1
AlignedDev (Omnitech Engineer)12:05:03

I like the idea of starting with low hanging fruit and the CI/CD pipeline and standardizing them

👍 5
Sujit Unni12:05:54

It is the most visible quick win; standardizing directly translates into less chatter in the lifecycle, and things appear to be moving along quicker.

AlignedDev (Omnitech Engineer)12:05:09

I'm thankful for all the tools in Azure DevOps and GitLab that have improved greatly in the last years and are making it a lot easier!

AlignedDev (Omnitech Engineer)12:05:18

what did the SonarQube reports look like when you first turned it on? I'm afraid to even try it (we'd be overwhelmed) with all the code we have from 10+ years


I'm not practicing it daily, more the people in my team, but AFAIK you define somehow your rules, and in such case, or if you know in advance some issues will pop on which you can't do much because of the legacy, I would start with a smaller set of rules, tackling them and progressing your way adding more (but again not a SonarQube black belt)

👍 2
Sujit Unni12:05:59

You can imagine initial redshift 🙂 But after revision of rules, quality profiles, false positives and grace period - we managed to reach Portfolios A level in less than a year. We have a lot of legacy and, as with most tooling, early thought around focusing on what's relevant vs not so much helped

👍 1
AlignedDev (Omnitech Engineer)12:05:08

was there much dev feedback/resistance to turning it on or the other improvements you introduced?

Sujit Unni12:05:52

We have a pretty solid measurement process heavily leveraging automation. There is a daily automated report published calling out, at the team level, how the code being delivered adheres to the process. Our focus was to measure throughput front to back, so dev teams have adopted heavily. The focus is not to measure productivity but throughput: does our tooling allow us to release more features into production, identify the bottlenecks and address them?

Molly Coyne (Sponsorship Director / ITREV)12:05:30

📣Welcome @mlivermore and Rob King for our next session's Q&A. Thank you!

👋 3
💯 1
Andrew Salt - Arbor Education12:05:33

@mlivermore and Rob, can you expand more on how rundeck is being used?

Luke Archer - PagerDuty12:05:35

@mollyc @andrew.salt – Sorry! Matt hasn't been able to make it onto Slack – do you mind DMing me your email address so we can follow up with you?

Molly Coyne (Sponsorship Director / ITREV)13:05:45

Welcome @nurmi and @pvn for our next session's Q&A. Thank you!

Daniel Nurmi13:05:03

Hello and thank you so much for having us!

👋 3
Kim Weins (Anchore)13:05:18

"on or around January 31, 2021, an unknown attacker was able to exploit an error in Codecov's Docker image creation process to tamper with the Codecov script.  This has led to the potential export of information stored in users' continuous integration (CI) environments.  Speaking on condition of anonymity to the news agency, one of the investigators said attackers used automation to collect credentials as well as "raid additional resources," which may have included data hosted on the networks of other software development program vendors, including IBM."

Paul Novarese (Anchore)13:05:29

This is a long piece but it’s the most complete account of the SolarWinds attack that I’ve seen:

Paul Novarese (Anchore)14:05:02

very good brief summary of what a software bill of materials is and why they are important:

Paul Novarese (Anchore)14:05:31

(this is a general overview and not specific to SBOMs for container images in particular)

Kim Weins (Anchore)14:05:34

The latest US Executive Order for Cybersecurity is going to require SBOMs for any software vendors selling to the US government.

⬆️ 1
Molly Coyne (Sponsorship Director / ITREV)14:05:26

Welcome @c.trueman for our next session's Q&A. Thank you!

🙌 1
Brian Koenig14:05:53

Thanks for tuning in to Anchore’s session on keeping attackers out of the DevOps toolchain! To continue discussion with @nurmi and @pvn, visit #xpo-anchore-devsecops

👏 1
Chris Trueman14:05:57

Great to be here. Thank you for having me.

👋 1
👍 1
Gene Kim, ITREV, Program Chair14:05:29

Thank you for presenting on the difficulties of SAP — I remember getting trained on it over 20 years ago. When Change Transport System was a thing. 🙂 @c.trueman

Gene Kim, ITREV, Program Chair14:05:42

I think many orgs struggle with doing DevOps-y like things with SAP, Salesforce, Workday…. Was delighted that SAP is being covered, and there was a talk on DevOps for Salesforce yesterday!

Chris Trueman14:05:46

Not long ago when I asked SAP users how frequently they changed production the answer was (and I'm exaggerating a bit) "Never is too often."

Chris Trueman14:05:18

Now the answer is very different. Everyone is trying to "ship often".

Chris Trueman14:05:47

Oh and CTS is still a thing 🙂

Gene Kim, ITREV, Program Chair14:05:28

Oh, no. Really? I thought it was replaced by something else, a couple of days ago! But at least there is such a solid, opinionated, official way to migrate/deploy!

Gene Kim, ITREV, Program Chair15:05:58

I meant, I thought CTS was deprecated a couple of DECADES ago! 😆 😆 😆

Gene Kim, ITREV, Program Chair14:05:52

Thank you for educating us on SAP, @c.trueman! I think so many technologists, myself included, are way undereducated on SAP, Workday, Salesforce, etc. It’s not even clear how to do things like version control in these critical enterprise applications. I think more people need to know about this so they can make more educated decisions. Thank you!!! cc @mollyc

Chris Trueman14:05:50

Thank you again for letting me share a few thoughts on DevOps for packaged applications. Have a good rest of day one and all.

Siddharth, NatWest Group, DevOps CoE (he/him)20:05:35

Here is the collection of all the reference links that were shared / discussed during the #DOES21 event. Enjoy Reading 🙂