Transcript of a Briefings Direct discussion on the relationship between DevOps and security and exploring the impact of security on compliance, risk, and auditing.
DevOps and Security, a Match Made in Heaven
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing.
Sponsor: HP Enterprise
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm
Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing sponsored discussion on IT innovation and how it’s making an impact on
people’s lives.
Our next DevOps thought leadership discussion explores the impact on security
and how those investing in DevOps models can expect to improve their security,
compliance, and risk-mitigation efforts. To help us better understand the
relationship between DevOps and security, we're joined by two panelists.
Please join me in welcoming Gene Kim, DevOps researcher and author focused on IT operations, information security and transformation. His most recent book is 'The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called 'The DevOps Cookbook'. Welcome, Gene.
Gene Kim: Dana, great to be here. Thank you.
Gardner: We're also here with Ashish Kuthiala, Senior Director of Marketing and Strategy for
HP DevOps. Welcome back, Ashish.
Ashish Kuthiala: Thank you very much, Dana. Glad to be here.
Gardner: Ashish, let me start with you. Coordinating and fostering increased collaboration between development, the testers, and IT operations has a lot of benefits. We've been talking about that in a number of these discussions, but what about security specifically? How is DevOps engendering safer code and an ability to work towards an iterative, continuous approach to improved security?
Kuthiala: Dana, I look at security as no different than any other testing that you do on your code. Anything that you catch early on in the process, fixing it and closing the vulnerabilities, is much simpler, much easier, and much cheaper than when the end product is in the hands of the users.

At that point, it could be in the hands of thousands of users, deployed in thousands of environments, and it's really very expensive. Even if you want to fix it there, if some trouble happens, there is a security breach, you're not just dealing with the code vulnerability but you are also dealing with loss of brand, loss of revenue, and loss of reputation in the marketplace.
Gene has done a lot of study on security and DevOps. I would love to hear his point of view on
that.
Promise is phenomenal
Kim: You're so right. The promise of DevOps for advancing the information security objective is phenomenal, but unfortunately, the way most information security practitioners react to DevOps is one of moral outrage and fear. The fear being verbalized is that Dev and Ops are deploying more quickly than ever, and the outcomes haven't been so great. If you're doing one release a year, what will happen if they are doing 10 deploys a day?
We can understand why they might be just terrified of this. Yet, what Ashish described is that DevOps represents the ideal integration of testing into the daily work of Dev and Ops. We have testing happening all the time.

Developers own the responsibilities of building and running the test. It’s happening after every code commit, and these are exactly the same sort of behaviors and cultural norms that we want in information security. After all, security is just another aspect of quality.
We're seeing many, many examples of how organizations are creating what some people are calling DevOps(Sec), DevOps plus security. One of my favorite examples is Capital One, which calls DevOps in their organization DevOps(Sec). Basically, information security is being integrated into every stage of the software development lifecycle. This is actually what every information security practitioner has wanted for the last two decades.
Gardner: Ashish.
Kuthiala: Gene, that brings up an interesting thought. As we look at Dev and Ops teams coming together without security, increasingly we talk about how people need to have generally more skills across the spectrum. Developers need to understand production systems and to be able to support their code in production. But what you just described, does that mean that’s how the developers and planners start to become security specialists or think like that? What have you seen?
Kim: Let's talk about the numbers for a second. I love this ratio of 100 to 10 to 1. For every 100 developers, we have 10 operations people and you have one security person. So there's no way you're going to get the adequate coverage, right? There are not enough security people around. If we can't embed Ops people into these project or service teams, then we have to train developers to care and know when to seek help from the Ops experts.
We have a similar challenge in information security -- how we train, whether it's about secure coding, regular compliance, or how we create evidence that controls exist and are effective. It is not going to be security doing the work. Instead, security needs to be training Dev and Ops on how to do things securely.
Kuthiala: Are there patterns that they should be looking at in security? Are there any known patterns out there or are there some being developed? What have you seen with the customers that you work with?
Kim: In the deployment pipeline, instead of having just unit tests being run after every code
commit, you actually run static code analysis tools. That way you know that it's functionally
correct, and the developers are getting fast feedback and then they’re writing things that are
potentially more secure than they would have otherwise.
And then alongside that in production, there are the monitoring tools. You're running things like
the dynamic security testing. Now, you can actually see how it’s behaving in the production
environment. In my mind, that's the ideal embodiment of how information security work should
be integrated into the daily work of dev, test, and operations.
Seems contradictory
Kuthiala: It seems a little contradictory in nature. I know DevOps is all about going a little
faster, but actually, you’re adding more functionality right up front and slowing this down. Is it a
classic case of going slower to go faster? Walk before you can run, until you get to crawl? From
my point of view, it slows you down here, but towards the end, you speed up more. Are you able
to do this?
Kim: I would claim the opposite. We're getting the best of all worlds, because the security
testing is now automated. It’s being done on demand by the developers, as opposed to your
opening a ticket, "Gene, can you scan my application?" And I'll get back to you in about six
weeks.
That’s being done automatically as part of my daily work. My claim would be not only is it faster, but we'll get better coverage than we had before. The fearful infosec person would ask how we can do this for highly regulated environments, where there are a lot of compliance regimes in place.
If you were to count the number of controls that are continuously operating, not only do you
have orders and managing more controls, but they are actually operating all the time as opposed
to testing once a year.
Kuthiala: From what I've observed with my customers, I have two kind of separate questions here. First, if you look at some of the highly regulated industries, for example, the pharmaceutical industry, it's not just internal compliances and regulations. It's part of security, but they often have to go to the outside agencies for almost physical paperwork kind of regulatory compliance checks.

As they're trying to go towards DevOps and speed this up, they are saying, "How do we handle that portion of the compliance checks and the security checks, because they are manual checks. They're not automated. How do we deal with external agencies and incorporate this in?" What have you seen work really well?
Kim: Last year, at the DevOps Enterprise Summit, we had one bank, and it was a smaller bank. This year, we have five including some of the most well-known banks in the industry. We had manufacturing. I think we had coverage of almost every major industry vertical, the majority of which are heavily regulated. They are all able to demonstrate that not only can you be compliant with all the relevant laws, contractual obligations, and regulations, but you can significantly decrease the amount of work.
One of my favorite examples came from Salesforce. Selling to the Federal government, they had to comply with FedRAMP. One of the things that they got agreement on from security, compliance groups, and change management was that all infrastructure changes made through the automation tools could be considered a standard change.

In other words, they wouldn’t require review and approval, but all changes that were done manually would still require approvals, which would often take weeks. This really shows that we can create this fast path not just for the people doing the work, but also, this makes some work significantly easier for security and compliance as well.
Human error
Kuthiala: And you're taking on the human error possibility in there. People can be on
vacation, slowing things down. People can be sick. People may not be in their jobs anymore.
Automation is a key answer to this, as you said.
Gardner: One of the things we've been grappling with in the industry is how to get DevOps accelerated into cultures and organizations. What about security as a point on the arrow here? If we see and recognize that security can benefit from DevOps and we want to instantiate DevOps models faster, wouldn’t the security people be a good place to be on the evangelistic side of DevOps?
Kim: That’s a great observation, Dana. In fact, I think part of the method behind the madness is
that the goal of the DevOps Enterprise Summit was to prove points. We had 50 speakers all from
large, complex organizations. The goal was to get coverage of the industry verticals.
I also helped co-host a one-day DevOps Security Conference at the RSA Conference, and this was very much from a security perspective. It was amazing to find those champions in the security community who are driving DevOps objectives. They have to figure out how security fits into the DevOps ecosystem, because we need them to show that the water is not only just safe, but the water is great.
Kuthiala: This brings up a question, Gene. For any new project that kicks off, it’s a new
company. You can really define the architecture from scratch, thus enabling you a lot of practices
you need to put in place, whether it's independent deliverables and faster deliverables, all acting
independent of each other.
But for the bigger companies and enterprise software that’s being released -- we've discussed this
in our past talks -- you need to look at the architecture underneath it and see how we can
modernize this to do this.
So, when you start to address security, how do you go about approaching that, because you know
you're dealing with a large base of code that’s very monolithic? It can take thousands of people
to release something out to the customers. Now, you're trying to incorporate security into this
with any new features and functions you add.
I can see how you can start to incorporate security and the expertise into it and scan it right from
the development cycle. How do you deal with that big component of the architecture that's already
there? Any best practices?
Kim: One of the people who has best articulated the philosophy is Gary Gruver. He said
something that, for me, was very memorable. If you don't have automated testing, and I think his
context was very much like unit testing, automated regression testing, you have a fundamentally
broken cost model, and it becomes too expensive. You get to a point where it becomes too
expensive to add features.
That's not even counting security testing. You get to a point where not only is it too expensive,
but it becomes too risky to change code. So, just as marketing is too important to leave to the
marketing people, and quality is too important to leave to the QA people, so, too, security is too
important to leave just to the security people.
We have to fully empower developers to get feedback on their work and have them fully
responsible for not just the features, but the non-functional requirements, testability,
deployability, manageability, and security.
A better way
Gardner: Assume that those listening and reading here today are completely swayed by our
view of things and they do want to have DevOps with security ingrained. Are there not also
concurrent developments around big data and analytics that give them a better way to do this,
once they've decided to do it?
It seems to me that there is an awful lot of data available within systems, whether it's log files or
configuration databases. Starting to harness that affordably, and then applying that back to those
automation capabilities is going to be a very powerful synergistic value. How does it work when
we apply big data to DevOps and security, Ashish?
Kuthiala: Good question, Dana. You're absolutely right, with data sources now becoming easy to
bring together into one repository at an affordable cost. We're starting to
build analytics on top of that, and this is being applied in a number of areas.
The best example I can talk about is how HP has been working on IP creation in the area of
testing using big data analytics. So, if we have to go faster and we have to release software every
hour or two, versus every six to eight months, you need to test it as fast as well. You can no
longer afford to go and run your 20,000 tests based on this one-line change of code.
You have to be able to figure out what modules are affected, which ones are not, and which ones
are likely to break. We're starting to do some intelligent testing inside of our labs and we're
finding that we're about 80 to 85 percent accurate in predicting what to test and not to test and
what features are reflected or not.
Similarly, using the big data analytics and the security expertise that Gene talked about, you need
to start digging through and analyzing exactly the same way as we run any test. What security
vulnerabilities do you want to test, and which functions of the code? And it's just a best practice
moving forward that you start to incorporate the big data analytics into your security testing.
Gardner: Gene.
Kim: You were implying something that I just want to make explicit. One of the most
provocative notions that Ashish and I talked about was to think about all the telemetry and all the
data that the build mechanisms create. You start putting in all the results of testing, and suddenly
we have a much better basis of where we apply our testing effort.
If we actually need to deploy faster, even if we completely automate our tests, and even if we
parallelize them and run them across thousands of servers, and if that takes days, we may be able
to use data to tell us where to surgically apply testing so we make an informed decision on whether
to deploy or not. That's an awesome potential.
Gardner: Speaking of awesome potentials, when we compress the feedback loops using this
data, when development and operations are collaborating and communicating very well, it seems
to me that we're also moving from a reactive stance on security issues closer to a proactive stance,
certainly with as little time as possible.
One of the notions about security is that you can't prevent people from getting in, but you can
limit the damage they can do when they do get in. It seems to me that if you close a loop between
development, operations, and test, you can get the right remediation out into operations and
production much quicker. Therefore you can almost behave like we have seen with anti-malware
software, where the cycle between the inception of a problem, the creation of the patch, and then
deployment of the patch was very, very short.
Is that vision pie in the sky, or is that something we could get to when DevOps and security
come together, Gene?
Key to prevention
Kim: You're right on. The way an auditor would talk about it is that there are things that we
can do to prevent: that's code review, that's automated code testing and scanning.
Making libraries available so that developers are choosing things and deploying them in a
secured state are all preventive controls. If we can make sure that we have the best situational
awareness we can of the production environment, those are what allow quicker detection and
recovery.
The better we are at that, the better we are at effectively mitigating risk.
Kuthiala: Gene, as you were talking, I was thinking. We have this notion of rolling back code
when something breaks in production, and that’s a very common kind of procedure. You go back
into the lab, fix what didn’t work, and then you roll it back into production. If it works, it's fine.
Otherwise, you roll it back and do it over again.
But with the advent of DevOps and those who are doing this successfully, there are no rollbacks.
They roll forward. You just go forward, because with the discipline of DevOps, if done well, you
can quickly put a patch into production within hours, versus months, days, and weeks.
And similarly, as you talked about with security, once a vulnerability is out there you
want to go fix it, you want to issue the patch. Between DevOps and security, there are a lot of
similarities.
Gardner: Before we close out, is there anything for the future? We've heard a lot about the
Internet of Things (IoT), a lot more devices, device types, networks, extended networks, and
variable networks. Is there a benefit with DevOps and security as a tag team, as we look to an
increased era of complexity around the IoT sensors and plethora of disparate networks? Ashish?
Kuthiala: The more you talk about IoT, the more holes are open for hackers to get in. I'll give
you a classic example. I've been looking forward to the day where my phone is all I carry. I don't
have to open my car with my keys, or I can pay for things with it, and we have been getting
towards that vision, but a lot of my friends who are in high-tech are actually skeptical.
What happens if you lose your phone? Somebody has access to it. You know the counter
argument against that: you can switch off your phone and wipe the data, etc. But I think as IoT
grows in number, more holes open up. So, it becomes even more important to incorporate your
security planning cycles right into the planning and dev cycles.
Gardner: Particularly if you're in an industry where you expect to have an Internet of Things
ramp-up, getting automation in place, thinking about DevOps, and thinking about security as an
integral part of DevOps certainly makes a great deal of sense to me. Gene.
Kim: Absolutely, you said it better than I ever could. Yes.
Gardner: We'll have to leave it there. We've been discussing the relationship between DevOps
and security and exploring the impact of security on things like compliance, risk, and auditing,
and I would like to thank our guests for a very intriguing discussion.
We've been here with Gene Kim, DevOps Researcher and Author focused on IT operations,
information security and transformation. His most recent book is 'The Phoenix Project: A Novel
about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called
'The DevOps Cookbook'. Thanks so much, Gene.
Kim: Thank you so much.
Gardner: And we have been here with Ashish Kuthiala, Senior Director of Marketing and
Strategy for HP DevOps. Thank you, Ashish.
Kuthiala: Thank you very much, Dana.
Gardner: And I'd like to extend a big thank you to our audience as well for joining for this
DevOps and security discussion.
I'm Dana Gardner, principal analyst at Interarbor Solutions, your host for this ongoing series of
HP sponsored discussions. Thanks again for listening and come back next time.
Sponsor: HP Enterprise
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing. Copyright Interarbor
Solutions, LLC, 2005-2015. All rights reserved.