This document provides an overview of a presentation given by Joshua Corman and Gene Kim on the topics of security, DevOps, and Rugged DevOps. Some key points:
- Joshua Corman is the director of security intelligence at Akamai Technologies and Gene Kim is a researcher and author known for his work on IT performance and DevOps.
- They discuss how traditional security models are no longer effective due to increasing development speeds and how Rugged DevOps combines principles of DevOps and security.
- Rugged DevOps focuses on operational discipline, situational awareness, and countermeasures to provide security in a way that does not hinder development workflows and speeds.
- The presentation
Kubernetes has evolved from Borg at Google to provide an open source platform for automating deployment, scaling, and management of containerized applications. The presentation discusses how to use Jenkins, Fabric8, and other tools to achieve continuous integration and delivery (CI/CD) with Kubernetes. It provides examples of configuring Jenkins and Fabric8 to build, test, and deploy container images to a Kubernetes cluster, illustrating an end-to-end CI/CD workflow on Kubernetes.
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor... | Gene Kim
In this presentation, I describe why we've decided to pre-record our talks for DevOps Enterprise Summit, and some of the top lessons learned for any speaker who needs to record their presentations.
I cover microphones, standing up, elevating your camera, adjusting your lighting, picking a good background, and record!
Learn more about the awesome DevOps Enterprise Summit programming here: https://itrevolution.com/london-virtual-what-to-expect/
The Unicorn Project and The Five Ideals (Updated Dec 2019) | Gene Kim
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, whose heroic work, as it turns out, matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report | Gene Kim
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
GitHub Universe: 2019: Exemplars, Laggards, and Hoarders A Data-driven Look a... | Gene Kim
This document discusses a study of the Java Maven ecosystem to analyze relationships between practices and security/update outcomes. It outlines hypotheses that projects releasing frequently and updating dependencies frequently will have better security. Data on 310,888 components was gathered on attributes like release frequency, dependencies, vulnerabilities. Preliminary findings show a correlation between faster updating and better security. The goals of further studies are outlined.
The Unicorn Project and The Five Ideals (older: see notes for newer version) | Gene Kim
Updated version here (Dec 2019): https://www.slideshare.net/realgenekim/the-unicorn-project-and-the-five-ideals-updated-dec-2019
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, whose heroic work, as it turns out, matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
2019 Top Lessons Learned Since the Phoenix Project Was Released | Gene Kim
This document summarizes key lessons from a presentation by Gene Kim on building a world-class engineering culture. Some of the main surprises discussed include: (1) the business value of DevOps is even higher than previously thought, (2) DevOps benefits operations and security as much as development, (3) measuring code deployment lead time is more important than deployments per day, and (4) Conway's Law has implications for organizational structure and architecture. The presentation also discusses how DevOps enables organizations to become dynamic learning organizations.
Keeping The Auditor Away: DevOps Audit Compliance Case Studies | Gene Kim
Organizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. The deployment of doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align to the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for the Ernst & Young Americas Certification Services. James oversees all of the audits against common industry standards, and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients, such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and how to communicate to pass an audit.
2014 State Of DevOps Findings! Velocity Conference | Gene Kim
This document summarizes a presentation given by Nicole Forsgren Velasquez, Jez Humble, Nigel Kersten and Gene Kim on the findings from Puppet Labs' 2014 State of DevOps report. Some key findings include organizations with high performing IT having 30x more frequent deployments and being 8,000x faster. Additional findings showed a correlation between IT performance metrics like deployment frequency and mean time to recover with practices like continuous delivery and version control. High performing organizations also had higher levels of organizational culture, job satisfaction, trust and relationships between teams.
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year? | Gene Kim
This document discusses the benefits of adopting DevOps practices. It notes that wasted IT spending amounts to $2.6 trillion per year and that traditional divisions between development and operations hamper business goals. Adopting DevOps allows for faster delivery of code changes, more reliable systems through better feedback, and an organizational culture of continual learning through experimentation. Companies that have implemented DevOps see benefits like 30x more frequent deployments, 8,000x faster lead times, and higher success rates and availability. The document advocates that all organizations can achieve these gains through DevOps.
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More! | Gene Kim
The document summarizes key findings from a 2012 survey on DevOps practices conducted by Puppet Labs, Gene Kim, and Jez Humble. The survey had over 4000 responses and aimed to understand the link between DevOps behaviors and performance. Key findings included that high performing DevOps teams deployed code much more frequently (30x more), had significantly shorter lead times for changes (8000x shorter), and were more reliable with fewer failed changes and faster mean time to restore service. Technical practices like infrastructure automation and version control correlated strongly with better performance. Organizations that adopted DevOps practices over 12 months prior performed significantly better. The document also discusses challenges in measuring culture and psychographics in DevOps.
The document discusses how to better sell DevOps practices to organizations. It begins by describing the downward spiral of tensions between IT operations and development teams as applications become more fragile and difficult to deploy. It then provides suggestions for framing the problems organizations face in a way that shows how DevOps practices can help address significant business issues. The document concludes by highlighting examples of organizations successfully implementing DevOps and offers additional resources for learning more.
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs | Gene Kim
This presentation describes my interpretation of the Why and How of DevOps, and the key findings from my 15 year study of high-performing IT organizations, and how they simultaneously deliver stellar service levels and rapid implementation of new features into the production environment.
Organizations employing DevOps practices such as Google, Amazon, Facebook, Etsy and Twitter are routinely deploying code into production hundreds, or even thousands, of times per day, while providing world-class availability, reliability and security. In contrast, most organizations struggle to do releases more than every nine months.
He will present how these high-performing organizations achieve this fast flow of work through Product Management and Development, through QA and Infosec, and into IT Operations. By doing so, other organizations can now replicate the extraordinary culture and outcomes enabling their organization to win in the marketplace.
Kevin Behr: Integrating Controls and Process Improvement | Gene Kim
The document discusses integrating controls and process improvement. It notes that human-caused changes are responsible for 78% of system outages. The current approach does little to address this problem. The organization implemented a framework called ITIL and methodology called Visible Ops to better integrate controls and improve processes. This aims to increase operational efficiencies, service levels, and reduce problem resolution times through preventative and detective controls.
2012 Velocity London: DevOps Patterns Distilled | Gene Kim
2012 Velocity London, presentation by Patrick Debois (@patrickdebois), Damon Edwards (@damonedwards), Gene Kim (@realgenekim), John Willis (@botchagalupe)
This document summarizes Gene Kim's presentation on how organizations can adopt a DevOps approach. It outlines three ways to achieve DevOps: (1) use systems thinking to understand workflow and increase flow, (2) amplify feedback loops to improve quality and respond to needs, and (3) foster a culture of continual experimentation and learning. Specific practices are provided for each way, like defining work, embedding dev in ops, and breaking things early. The presentation warns that the status quo leads to a downward spiral but DevOps can help organizations overcome tensions and do more with less effort.
The document is a transcript from a presentation given by Joshua Corman and Gene Kim at a security conference in San Francisco in September 2012. The presentation discusses the problems with current security practices, introduces the concepts of DevOps and Rugged DevOps, and provides three ways ("systems thinking", "amplifying feedback loops", and "culture of continual experimentation") to implement Rugged DevOps practices to improve security. The overall message is that cultural and process changes are needed, not just technical fixes, to build more secure software.
Infosec at Ludicrous Speeds - Rugged DevOps | Gene Kim
The document discusses how information security (infosec) teams can adopt a DevOps approach. It describes five "acts" that outline historical tensions between different IT groups like operations, development, and infosec. It then provides three ways for infosec to integrate with DevOps: using systems thinking to understand workflow; amplifying feedback loops to fix issues faster; and embracing a culture of experimentation. Specific practices are outlined for each way to help infosec contribute to the organizational DevOps journey.
This document summarizes Gene Kim's presentation on how IT failures can cause business failures. Some key points:
- IT is now involved in 95% of capital projects and 50% of capital spending, so IT issues directly impact businesses.
- Companies with IT-related weaknesses saw 8x higher CEO turnover and were less profitable than companies without such issues.
- High performing IT organizations have fewer issues, fix problems faster, implement changes more successfully, and have less unplanned work than average organizations.
- The relationship between IT operations and development can spiral downward if too many fragile applications are deployed without sufficient controls.
- Kim's mission is to help organizations understand why IT fails and fix it by chronicling an IT
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops | Gene Kim
This document summarizes a presentation by Gene Kim on DevOps practices. It discusses how high performing IT organizations excel at areas like security, change management and incident response compared to average organizations. The presentation explores how the relationship between development and operations can become strained, leading to a downward spiral. DevOps principles like automation, collaboration and shared goals between Dev and Ops are presented as a way to break this cycle by increasing speed and reliability. The concept of systems thinking is discussed as important for understanding how work flows through the entire system from business to customer.
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a | Gene Kim
The document discusses a presentation by Gene Kim on DevOps and high performing organizations. Some key points discussed include:
1) High performing IT organizations maintain compliance, find and fix security issues faster, have fewer failed changes and outages, and manage resources more efficiently.
2) DevOps aims to break the "core chronic conflict" in IT between responding quickly to business needs and providing stable services.
3) DevOps is implemented through three "ways" - systems thinking to increase flow and reduce waste, amplifying feedback loops between development and operations, and fostering a culture of experimentation and learning.
4) Transforming organizations use techniques like integrating development and operations teams, implementing continuous delivery pipelines,
The document discusses how the Sarbanes-Oxley Act of 2002 led to disproportionate focus on IT controls in SOX-404 compliance efforts. This created problems and challenges as there was no clear guidance on how to scope IT processes and controls to specific internal control objectives. The document proposes that defining new terms, similar to how terms like "force" and "mass" helped Newton formulate his laws of motion, could help address this problem. It suggests an approach taken in another document could help create equivalence for exceptions in IT controls.
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a | Gene Kim
The document is a presentation about DevOps and achieving high performance in IT organizations. It discusses how DevOps approaches can help organizations break the "core chronic conflict" between responding quickly to business needs while also providing stable, secure services. It presents three "ways" to achieve DevOps: systems thinking, amplifying feedback loops, and developing a culture of continual experimentation and learning. Examples are given of how different teams like operations, development, security can adopt DevOps approaches. The overall message is that DevOps transformation requires cross-functional collaboration and breaking down barriers between teams.
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps | Gene Kim
The document discusses the DevOps approach to improving collaboration between development and operations teams. It describes three ways to implement DevOps: (1) taking a systems thinking approach to optimize the entire system rather than local parts, (2) amplifying feedback loops to improve communication across teams, and (3) fostering a culture of continual learning through experimentation. Specific practices discussed include integrating operations into the development process, conducting joint root cause analyses, and implementing chaos engineering to increase resiliency. The document argues that DevOps can help break the "IT core conflict" and help the business succeed.
Winnipeg ISACA Security is Dead, Rugged DevOps | Gene Kim
This document summarizes a presentation given by Gene Kim on infosec and DevOps. It discusses research that found high performing IT organizations have fewer security issues and implement changes more successfully. The presentation introduces the concepts of Rugged software development and DevOps. It provides an overview of how to implement DevOps through systems thinking, amplifying feedback loops, and developing a culture of experimentation. Key aspects include integrating operations, security and development teams and processes. The goal is to reduce issues and improve flow to help the business.
SecureWorld: Security is Dead, Rugged DevOps 1f | Gene Kim
This document provides an introduction to a presentation by Joshua Corman and Gene Kim on Rugged DevOps. It includes brief biographies of the presenters and outlines some of the key topics to be covered, including how security is evolving from a separate function to an integrated part of rapid software development. The presentation will explore how organizations can adopt practices like DevOps to help break the chronic conflict between rapid innovation and stable operations.
Building Production Ready Search Pipelines with Spark and Milvus | Zilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Keeping The Auditor Away: DevOps Audit Compliance Case Studies (Gene Kim)
Organizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. The deployment of doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align to the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for the Ernst & Young Americas Certification Services, James oversees all of the audits against common industry standards, and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients, such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and how to communicate to pass an audit.
2014 State Of DevOps Findings! Velocity Conference (Gene Kim)
This document summarizes a presentation given by Nicole Forsgren Velasquez, Jez Humble, Nigel Kersten and Gene Kim on the findings from Puppet Labs' 2014 State of DevOps report. Some key findings include organizations with high performing IT having 30x more frequent deployments and being 8,000x faster. Additional findings showed a correlation between IT performance metrics like deployment frequency and mean time to recover with practices like continuous delivery and version control. High performing organizations also had higher levels of organizational culture, job satisfaction, trust and relationships between teams.
DevOps: Who Will Create $2.6 Trillion In Business Value Per Year? (Gene Kim)
This document discusses the benefits of adopting DevOps practices. It notes that wasted IT spending amounts to $2.6 trillion per year and that traditional divisions between development and operations hamper business goals. Adopting DevOps allows for faster delivery of code changes, more reliable systems through better feedback, and an organizational culture of continual learning through experimentation. Companies that have implemented DevOps see benefits like 30x more frequent deployments, 8,000x faster lead times, and higher success rates and availability. The document advocates that all organizations can achieve these gains through DevOps.
2013 Velocity DevOps Metrics -- It's Not Just For WebOps Any More! (Gene Kim)
The document summarizes key findings from a 2012 survey on DevOps practices conducted by Puppet Labs, Gene Kim, and Jez Humble. The survey had over 4000 responses and aimed to understand the link between DevOps behaviors and performance. Key findings included that high performing DevOps teams deployed code much more frequently (30x more), had significantly shorter lead times for changes (8000x shorter), and were more reliable with fewer failed changes and faster mean time to restore service. Technical practices like infrastructure automation and version control correlated strongly with better performance. Organizations that adopted DevOps practices over 12 months prior performed significantly better. The document also discusses challenges in measuring culture and psychographics in DevOps.
The document discusses how to better sell DevOps practices to organizations. It begins by describing the downward spiral of tensions between IT operations and development teams as applications become more fragile and difficult to deploy. It then provides suggestions for framing the problems organizations face in a way that shows how DevOps practices can help address significant business issues. The document concludes by highlighting examples of organizations successfully implementing DevOps and offers additional resources for learning more.
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology Orgs (Gene Kim)
This presentation describes my interpretation of the Why and How of DevOps, and the key findings from my 15 year study of high-performing IT organizations, and how they simultaneously deliver stellar service levels and rapid implementation of new features into the production environment.
Organizations employing DevOps practices such as Google, Amazon, Facebook, Etsy and Twitter are routinely deploying code into production hundreds, or even thousands, of times per day, while providing world-class availability, reliability and security. In contrast, most organizations struggle to do releases more often than every nine months.
He will present how these high-performing organizations achieve this fast flow of work through Product Management and Development, through QA and Infosec, and into IT Operations. By doing so, other organizations can now replicate the extraordinary culture and outcomes enabling their organization to win in the marketplace.
Kevin Behr: Integrating Controls and Process Improvement (Gene Kim)
The document discusses integrating controls and process improvement. It notes that human-caused changes are responsible for 78% of system outages. The current approach does little to address this problem. The organization implemented a framework called ITIL and methodology called Visible Ops to better integrate controls and improve processes. This aims to increase operational efficiencies, service levels, and reduce problem resolution times through preventative and detective controls.
2012 Velocity London: DevOps Patterns Distilled (Gene Kim)
2012 Velocity London,
Presentation by Patrick Debois (@patrickdebois), Damon Edwards (@damonedwards), Gene Kim (@realgenekim), John Willis (@botchagalupe)
This document summarizes Gene Kim's presentation on how organizations can adopt a DevOps approach. It outlines three ways to achieve DevOps: (1) use systems thinking to understand workflow and increase flow, (2) amplify feedback loops to improve quality and respond to needs, and (3) foster a culture of continual experimentation and learning. Specific practices are provided for each way, like defining work, embedding dev in ops, and breaking things early. The presentation warns that the status quo leads to a downward spiral but DevOps can help organizations overcome tensions and do more with less effort.
The document is a transcript from a presentation given by Joshua Corman and Gene Kim at a security conference in San Francisco in September 2012. The presentation discusses the problems with current security practices, introduces the concepts of DevOps and Rugged DevOps, and provides three ways ("systems thinking", "amplifying feedback loops", and "culture of continual experimentation") to implement Rugged DevOps practices to improve security. The overall message is that cultural and process changes are needed, not just technical fixes, to build more secure software.
Infosec at Ludicrous Speeds - Rugged DevOps (Gene Kim)
The document discusses how information security (infosec) teams can adopt a DevOps approach. It describes five "acts" that outline historical tensions between different IT groups like operations, development, and infosec. It then provides three ways for infosec to integrate with DevOps: using systems thinking to understand workflow; amplifying feedback loops to fix issues faster; and embracing a culture of experimentation. Specific practices are outlined for each way to help infosec contribute to the organizational DevOps journey.
This document summarizes Gene Kim's presentation on how IT failures can cause business failures. Some key points:
- IT is now involved in 95% of capital projects and 50% of capital spending, so IT issues directly impact businesses.
- Companies with IT-related weaknesses saw 8x higher CEO turnover and were less profitable than companies without such issues.
- High performing IT organizations have fewer issues, fix problems faster, implement changes more successfully, and have less unplanned work than average organizations.
- The relationship between IT operations and development can spiral downward if too many fragile applications are deployed without sufficient controls.
- Kim's mission is to help organizations understand why IT fails and fix it by chronicling an IT
Kim IT Pro Forum Eugene: IT at Ludicrous Speeds - rugged dev ops (Gene Kim)
This document summarizes a presentation by Gene Kim on DevOps practices. It discusses how high performing IT organizations excel at areas like security, change management and incident response compared to average organizations. The presentation explores how the relationship between development and operations can become strained, leading to a downward spiral. DevOps principles like automation, collaboration and shared goals between Dev and Ops are presented as a way to break this cycle by increasing speed and reliability. The concept of systems thinking is discussed as important for understanding how work flows through the entire system from business to customer.
Kim itSMF New England: ITIL at Ludicrous Speeds - Rugged DevOps 6a (Gene Kim)
The document discusses a presentation by Gene Kim on DevOps and high performing organizations. Some key points discussed include:
1) High performing IT organizations maintain compliance, find and fix security issues faster, have fewer failed changes and outages, and manage resources more efficiently.
2) DevOps aims to break the "core chronic conflict" in IT between responding quickly to business needs and providing stable services.
3) DevOps is implemented through three "ways" - systems thinking to increase flow and reduce waste, amplifying feedback loops between development and operations, and fostering a culture of experimentation and learning.
4) Transforming organizations use techniques like integrating development and operations teams, implementing continuous delivery pipelines,
The document discusses how the Sarbanes-Oxley Act of 2002 led to disproportionate focus on IT controls in SOX-404 compliance efforts. This created problems and challenges as there was no clear guidance on how to scope IT processes and controls to specific internal control objectives. The document proposes that defining new terms, similar to how terms like "force" and "mass" helped Newton formulate his laws of motion, could help address this problem. It suggests an approach taken in another document could help create equivalence for exceptions in IT controls.
SecureWorld Kim - Infosec at Ludicrous Speeds - Rugged DevOps 6a (Gene Kim)
The document is a presentation about DevOps and achieving high performance in IT organizations. It discusses how DevOps approaches can help organizations break the "core chronic conflict" between responding quickly to business needs while also providing stable, secure services. It presents three "ways" to achieve DevOps: systems thinking, amplifying feedback loops, and developing a culture of continual experimentation and learning. Examples are given of how different teams like operations, development, security can adopt DevOps approaches. The overall message is that DevOps transformation requires cross-functional collaboration and breaking down barriers between teams.
ServiceNow ITIL at Ludicrous Speeds - Rugged DevOps (Gene Kim)
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
CAKE: Sharing Slices of Confidential Data on Blockchain (Claudio Di Ciccio)
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
Generating privacy-protected synthetic data using Secludy and Milvus (Zilliz)
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf (Techgropse Pvt.Ltd.)
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed
1. Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed…
Joshua Corman & Gene Kim
Session ID: CLD-106
Session Classification: Intermediate
2. About Joshua Corman
Director of Security Intelligence for Akamai Technologies
Former Research Director, Enterprise Security [The 451 Group]
Former Principal Security Strategist [IBM ISS]
Industry:
Expert Faculty: The Institute for Applied Network Security (IANS)
2009 NetworkWorld Top 10 Tech People to Know
Co-Founder of “Rugged Software” www.ruggedsoftware.org
BLOG: www.cognitivedissidents.com
Things I’ve been researching:
Compliance vs Security
Disruptive Security for Disruptive Innovations
Chaotic Actors
Espionage
Security Metrics
3. About Gene Kim
Researcher, Author
Industry:
Invented and founded Tripwire, CTO (1997-2010)
Co-author: “Visible Ops Handbook” (2006), “Visible Ops Security” (2008)
Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming May 2012)
Things I’ve been researching:
Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs. IT performance
DevOps, Rugged DevOps
Scoping PCI Cardholder Data Environment (#FAIL)
4. Agenda
Problem statement
What is DevOps?
What is Rugged?
What is Rugged DevOps?
Things you can do right away
5. Potentially Unfamiliar Words You Will See
Kanban
Andon cord
Sprints
Rugged
DevOps
Bottleneck
Systems thinking
Controls reliance
21. High Performing IT Organizations
High performers maintain a posture of compliance
Fewest number of repeat audit findings
One-third amount of audit preparation effort
High performers find and fix security breaches faster
5 times more likely to detect breaches by automated control
5 times less likely to have breaches result in a loss event
When high performers implement changes…
14 times more changes
One-half the change failure rate
One-quarter the first fix failure rate
10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
One-third the amount of unplanned work
8 times more projects and IT services
6 times more applications
Source: IT Process Institute, 2008
22. 2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
Standardized configuration strategy
Process discipline
Controlled access to production systems
Source: IT Process Institute, 2008
56. DevOps: It’s A Real Movement
I would never do another startup that didn’t employ DevOps like principles
It’s not just startups – it’s happening in the enterprise and in public sector, too
I believe working in DevOps environments will be a necessary skillset 5 years from now
58. The Prescriptive DevOps Cookbook
“DevOps Cookbook” Authors
Patrick Debois, Mike Orzen, John Willis
Goals
Codify how to start and finish DevOps transformations
How do Development, IT Operations and Infosec become dependable partners
Describe in detail how to replicate the transformations described in “When IT Fails: The Novel”
59. Arc 1: Decrease Cycle Time Of Releases
Create determinism in the release process
Move packaging responsibility to development
Release early and often
Decrease cycle time
Reduce deployment times from 6 hours to 45 minutes
Refactor deployment process that had 1300+ steps spanning 4 weeks
Never again “fix forward,” instead “roll back,” escalating any deviation from plan to Dev
Ensure environments are properly built before deployment begins
Control code and environments down the preproduction runways
Hold Dev, QA, Int, and Staging owners accountable for integrity
60. Arc 2: Increase Production Resilience
To preserve and increase throughput, elevate preventive projects and maintenance tasks
Document all work, changes and outcomes so that it is repeatable
Protect the flow of planned work (e.g., tickets bouncing around for weeks, causing features to slip into next sprint)
Ops builds Agile standardized deployment stories
Maintains adequate situational awareness so that incidents could be quickly detected and corrected
Standardize unplanned work and escalations
Continually seek to eradicate unplanned work and increase throughput
61. Arc 3: Remove Complexity, Attack Surface And Waste
Elective complexity adds to technical debt
Infosec (and everyone) wins when we take work out of the system
Understand where controls reliance is placed and what matters to the business
62. Meeting The DevOps Leadership Team
Typically led by Dev, QA, IT Operations and Product Management
Our ultimate goal is to add value at every step in the flow of work
See the end-to-end value flow
Shorten and amplify feedback loops
Help break silos (e.g., server, networking, database)
63. Definition: Agile Sprints
The basic unit of development in Agile Scrums, typically between one week and one month
At the end of each sprint, team should have potentially deliverable product
Aha Moment: shipping product implies not just code – it’s the environment, too!
64. Help Dev And Ops Build Code And Environments
Dev and Ops work together in Sprint 0 and 1 to create code and environments
Create environment that Dev deploys into
Create downstream environments: QA, Staging, Production
Create testable migration procedures from Dev all the way to production
Integrate Infosec and QA into daily sprint activities
66. Integrate Ops Into Dev
Embed Ops person into Dev structure
Describes non-functional requirements, use cases and stories from Ops
Responsible for improving “quality at the source” (e.g., reducing technical debt, fixing known problems, etc.)
Has special responsibility for pulling the Andon cord
67. Integrate Dev Into Ops
MobBrowser case study: “Waking up developers at 3am is a great feedback loop: defects get fixed very quickly”
Goal is to get Dev closer to the customer
Infosec can help determine when it’s too close (and when SOD is a requirement)
68. Keep Shrinking Batch Sizes
Waterfall projects often have cycle time of one year
Sprints have cycle time of 1 or 2 weeks
When IT Operations work is sufficiently fast and cheap, we may decide to decouple deployments from sprint boundaries (e.g., Kanbans)
70. IT Operations Increases Process Rigor
Standardize deployment
Standardize unplanned work: make it repeatable
Modify first response: ensure constrained resources have all data at hand to diagnose
Elevate preventive activities to reduce incidents
71. Help Development…
Help them see downstream effects
Unplanned work comes at the expense of planned
work
Technical debt retards feature throughput
Environment matters as much as the code
Allocate time for fault modeling, asking “what could go wrong?” and implementing countermeasures
72. Help QA…
Ensure test plans cover not only code functionality, but also:
Suitability of the environment the code runs in
The end-to-end deployment process
Help find variance…
Functionality, performance, configuration
Duration, wait time and handoff errors, rework, …
73. Help IT Operations…
“The best way to avoid failure is to fail constantly”
Harden the production environment
Have scheduled drills to “crash the data center”
Create your “chaos monkeys” to introduce faults into the system (e.g., randomly kill processes, take out servers, etc.)
Rehearse and improve responding to unplanned work
Netflix: Hardened AWS service
StackOverflow
Amazon firedrills (Jesse Allspaw)
The Monkey (Mac)
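An added example (not from the presentation): a minimal fault-injection drill in the spirit of the “chaos monkeys” bullet above. It starts its own stand-in worker processes, kills one at random, and times how long the restart countermeasure takes; `WORKER`, `heal` and `run_drill` are hypothetical names, and the sleeping worker is a constructed stand-in for a real service.

```python
import random
import subprocess
import sys
import time

# Constructed stand-in for a production service (hypothetical, not from the talk).
WORKER = [sys.executable, "-c", "import time; time.sleep(300)"]


def heal(pool):
    """Countermeasure under test: restart dead workers, return how many."""
    restarted = 0
    for i, proc in enumerate(pool):
        if proc.poll() is not None:          # worker has exited
            pool[i] = subprocess.Popen(WORKER)
            restarted += 1
    return restarted


def run_drill(size=3, kills=2, seed=7, budget_s=2.0):
    """Kill random workers this script started; time detection and restart."""
    rng = random.Random(seed)                # seeded so a drill can be replayed
    pool = [subprocess.Popen(WORKER) for _ in range(size)]
    results = []
    try:
        for _ in range(kills):
            victim = rng.choice(pool)
            victim.kill()                    # injected fault
            start = time.monotonic()
            while heal(pool) == 0:           # poll until the fault is noticed
                time.sleep(0.05)
            took = time.monotonic() - start
            alive = sum(p.poll() is None for p in pool)
            results.append({"killed_pid": victim.pid, "recovered_s": took,
                            "alive": alive, "within_budget": took <= budget_s})
    finally:
        for p in pool:                       # always clean up the drill's processes
            p.kill()
            p.wait()
    return results


if __name__ == "__main__":
    for outcome in run_drill():
        print(outcome)
```

Each drill yields a recovery time per injected fault, which is the number to track across rehearsals; a drill that misses its budget is a finding to fix before a real incident does the same test.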
79. Case Studies And Early Indicators
Almost every major Internet online services company
VERACODE Rapid SaaS Fix Blog Post
http://www.veracode.com/blog/2012/01/vulnerability-response-done-right/
Pervasive Monitoring
Analytics at LinkedIn viewed by CEO daily:
LinkedIn Engineering: “The Birth Of inGraphs: Eric The Intern”
81. Things To Put Into Practice Tomorrow
Identify your Dev/Ops/QA/PM counterparts
Discuss your mutual interdependence and shared objectives
Harden and instrument the production builds
Integrate automated security testing into the build and deploy mechanisms
Create your Evil/Hostile/Fuzzy Chaos Monkey
Cover your untested branches
Enforce the 20% allocation of Dev cycles to non-functional requirements
82. Resources
From the IT Process Institute
www.itpi.org
Both Visible Ops Handbooks
ITPI IT Controls Performance Study
Rugged Software by Corman, et al:
http://ruggedsoftware.org
“Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation” by Humble, Farley
Follow us…
@JoshCorman, @RealGeneKim
mailto:genek@realgenekim.me
http://realgenekim.me/blog
83. Interested In “The DevOps Cookbook?”
Give Gene your business card, and get exclusive access to the first 100 pages of "When IT Fails: The Novel" and "The DevOps Cookbook" for free
We’ll send it to you as soon as it’s ready!
86. Common Traits of High Performers
Culture of…
Change management
Integration of IT operations/security via problem/change management
Processes that serve both organizational needs and business objectives
Highest rate of effective change
Causality
Highest service levels (MTTR, MTBF)
Highest first fix rate (unneeded rework)
Compliance and continual reduction of operational variance
Production configurations
Highest level of pre-production staffing
Effective pre-production controls
Effective pairing of preventive and detective controls
Source: IT Process Institute
87. Visible Ops: Playbook of High Performers
The IT Process Institute has been studying high-performing organizations since 1999
What is common to all the high performers?
What is different between them and average and low performers?
How did they become great?
Answers have been codified in the Visible Ops Methodology
The “Visible Ops Handbook” is available from the ITPI
www.ITPI.org
89. A Reframed IT Operations Problem Statement
Increase flow from Dev to Production
Increase throughput
Decrease WIP
Our goal is to create a system of operations that allows
Planned work to quickly move to production
Ensure service is quickly restored when things go wrong
Information security built in every stage of Development, Project Management, and IT Operations
How does this relate to Visible Ops?
We focused much on “unplanned work”
What’s happening to all the planned work?
At any given time, what should IT Ops be working on?
Now we are focusing on the flow of planned work
92. By The Visible Ops Team:
Gene Kim, Kevin Behr, George Spafford
93. The Theory of Constraints Approach To Visible Ops
Dr. Goldratt wrote The Goal in 1984, describing Alex’s challenge to fix his plant’s cost and due date issues within 90 days
Some tenets that went against common wisdom:
Every flow of work has a constraint/bottleneck
Any improvement not made at the bottleneck is merely an illusion
Fallacy of cost accounting as operational management tool
94. Interested?
If you’re interested in When IT Fails: The Novel or The DevOps Cookbook, sign up for the list at http://whenitfails.org
Or:
# mail genek@realgenekim.me
Subject: [ slides | research | list ]
Editor's Notes
Tell story of Amazon, Netflix: they care about availability, security. It’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized)
At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
So software not only needs
…fast, and…
…agile, but it also needs to be…
…rugged. Capable of withstanding…
…the harshest conditions…
…and most unfriendly environments…
[ text ] My personal goal is to prescriptively define 1) what does Dev need to do to become a reliable partner, 2) what does IT Operations need to do to become a reliable partner, and then 3) how do they work together to deliver unbelievable value to the business. Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories: Increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
[ picture of stock graph ] There are two main characters: Steve the hard-driving CEO, of a $4B/yr manufacturing/retailing company. In an emergency board meeting, the board conveys two messages: You’ve promised us two projects for over years, to close the gap with the competition. It’s now a year late, $10MM over budget. Your competition is Best Buy, and you’re Circuit City. Hold your CIO accountable. Our job is to hire great CEOs, and fire the ones who can’t deliver. If you can’t fix this, we’ll find one who can.
This story is about Bill, the thoughtful and methodical VP IT Operations, who solves some of the largest problems of the company. It’s a story about a Visible Ops and DevOps style transformation. It’s how Bill saves the company, helping it achieve its project goals, operational goals, security and compliance goals. And Steve the CEO realizes that Bill, the lowly VP of IT Operations, is the person who saved the company.
[ picture of When IT Fails ] But how do we make this an issue that CEOs actually care about, instead of strictly a grass-roots movement? For five years, I’ve been working on a book called “When IT Fails: The Novel.” Which I think can help. The goal of the book is to help bridge the dysfunctional marriage that often exists between the CIO and the CEO. When I told the CIO of Columbia Sportswear about it, he said, “When you finish that book, not only will everyone on my team need to read this, but my boss will need to read this, and my boss’s boss will need to read this.” I was so moved by it, that it was one of the main reasons I wrote Tripwire – make completion of the book my sole focus.