This document provides an overview of a presentation given by Joshua Corman and Gene Kim on the topics of security, DevOps, and Rugged DevOps. Some key points:
- Joshua Corman is the director of security intelligence at Akamai Technologies and Gene Kim is a researcher and author known for his work on IT performance and DevOps.
- They discuss how traditional security models are no longer effective due to increasing development speeds and how Rugged DevOps combines principles of DevOps and security.
- Rugged DevOps focuses on operational discipline, situational awareness, and countermeasures to provide security in a way that does not hinder development workflows and speeds.
- The presentation
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...Gene Kim
In this presentation, I describe why we've decided to pre-record our talks for DevOps Enterprise Summit, and some of the top lessons learned for any speaker who needs to record their presentations.
I cover microphones, standing up, elevating your camera, adjusting your lighting, picking a good background, and record!
To learn more about the awesome DevOps Enterprise Summit programming here: https://itrevolution.com/london-virtual-what-to-expect/
The Unicorn Project and The Five Ideals (Updated Dec 2019)Gene Kim
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience ReportGene Kim
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
The Unicorn Project and The Five Ideals (older: see notes for newer version)Gene Kim
Updated version here (Dec 2019): https://www.slideshare.net/realgenekim/the-unicorn-project-and-the-five-ideals-updated-dec-2019
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
Speaker Recording Tips For Virtual DevOps Enterprise (And Why We're Pre-Recor...Gene Kim
In this presentation, I describe why we've decided to pre-record our talks for DevOps Enterprise Summit, and some of the top lessons learned for any speaker who needs to record their presentations.
I cover microphones, standing up, elevating your camera, adjusting your lighting, picking a good background, and record!
To learn more about the awesome DevOps Enterprise Summit programming here: https://itrevolution.com/london-virtual-what-to-expect/
The Unicorn Project and The Five Ideals (Updated Dec 2019)Gene Kim
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience ReportGene Kim
Talk video: https://www.youtube.com/watch?v=5mbp3SEha38&t=1652s
Blog post: https://itrevolution.com/love-letter-to-clojure-part-1
I will explain how learning the Clojure programming language three years ago changed my life. It led to a series of revelations about all the invisible structures that are required to enable developers to be productive. These concepts show up all over The Unicorn Project, but most prominently in the First Ideal of Locality and Simplicity, and how it can lead to the Second Ideal of Focus, Flow, and Joy.
Without doubt, Clojure was one of the most difficult things I’ve learned professionally, but it has also been one of the most rewarding. It brought the joy of programming back into my life. For the first time in my career, as I’m nearing fifty years old, I’m finally able to write programs that do what I want them to do, and am able to build upon them for years without them collapsing like a house of cards, as has been my normal experience.
The famous French philosopher Claude Lévi-Strauss would say of certain tools, “Is it good to think with?” For reasons that I will try to explain in this post, Clojure embraces a set of design principles and sensibilities that were new to me: functional programming, immutability, an astonishingly strong sense of conservative minimalism (e.g., hardly any breaking changes in ten years!), and much more…
Clojure introduced to me a far better set of tools to think with and to also build with. It’s also led to a set of aha moments that explain why for decades my code would eventually fall apart, becoming more and more difficult to change, as if collapsing under its own weight. Learning Clojure taught me how to prevent myself from constantly self-sabotaging my code in this way.
The Unicorn Project and The Five Ideals (older: see notes for newer version)Gene Kim
Updated version here (Dec 2019): https://www.slideshare.net/realgenekim/the-unicorn-project-and-the-five-ideals-updated-dec-2019
It is impossible to overstate how much I’ve learned since co-authoring The Phoenix Project, DevOps Handbook, and Accelerate. I’m so excited that after years of work, The Unicorn Project will be published later this year.
This book is my attempt to frame what I’ve learned studying technology leaders adopting DevOps principles and patterns in large, complex organizations, often having to fight deeply entrenched orthodoxies. And yet, despite huge obstacles, they create incredibly effective and innovative teams that create beacons of greatness that inspire us all.
In this book, we follow a senior lead developer and architect as she is exiled to the Phoenix Project, to the horror of her friends and colleagues, as punishment for contributing to a payroll outage. She tries to survive in what feels like a heartless and uncaring bureaucracy, forced to work within a system where no one can get anything done without endless committees, paperwork, change requests, and approvals. Decades of technical debt make even small changes difficult or impossible, often causing catastrophic outcomes and fear of punishment.
I get tremendous delight and gratification that this book is not about the bridge crew of the Starship Enterprise -- instead, it is about redshirt engineers, which as it turns out, whose heroic work matters most to the long-term survival of almost every organization.
In my previous books, I’ve focused on principles and practices (e.g., Three Ways, Four Types of Work). However, I’ve always wanted to describe the spectrum of cultural, experiential and value decisions we make that either enable greatness, or create chronic suffering and underperformance. They are currently as follows:
• The First Ideal — Locality and Simplicity
• The Second Ideal — Focus, Flow and Joy
• The Third Ideal — Improvement of Daily Work
• The Fourth Ideal — Psychological Safety
• The Fifth Ideal — Customer Focus
In this talk, I’ll share with you my goals and aspirations for The Unicorn Project, describe in detail the Five Ideals, along with my favorite case studies of both ideal and non-ideal, and why I believe more than ever that DevOps will be one of the most potent economic forces for decades to come.
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesGene Kim
GenOrganizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. The deployment of doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align to the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for the Ernst & Young Americas Certification Services, James oversees all of the audits against common industry standards, and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients, such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and how to communicate to pass an audit.
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsGene Kim
This presentation describes my interpretation of the Why and How of DevOps, and the key findings from my 15 year study of high-performing IT organizations, and how they simultaneously deliver stellar service levels and rapid implementation of new features into the production environment.
Organizations employing DevOps practices such as Google, Amazon, Facebook, Etsy and Twitter are routinely deploying code into production hundreds, or even thousands, of times per day, while providing world-class availability, reliability and security. In contrast, most organizations struggle to do releases more every nine months.
He will present how these high-performing organizations achieve this fast flow of work through Product Management and Development, through QA and Infosec, and into IT Operations. By doing so, other organizations can now replicate the extraordinary culture and outcomes enabling their organization to win in the marketplace.
2012 Velocity London: DevOps Patterns DistilledGene Kim
2012 Velocity London,
Presentation by Patrick Debois (@patrickdebois), Damon Edwards (@damonedwards), Gene Kim (@realgenekim), John Willis (@botchagalupe)
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesGene Kim
GenOrganizations and development teams are moving beyond waterfall models to those embracing a continuous delivery/DevOps-style set of processes. The deployment of doing tens, hundreds, or even thousands of deploys per day as 'normal' does not align to the SDLC, separation of duties, and common controls expected by auditors.
In this presentation, we will describe what auditors look for in a compliance audit, how to develop alternate control procedures that fulfill those reporting requirements, how to avoid “red flags” that indicate inadequate controls, and real world case studies and reporting artifacts.
Gene Kim has been studying high performing IT organizations since 1999 and helped develop the SOX scoping guidelines with the Institute of Internal Auditors in 2005. James DeLuccia IV is the leader for the Ernst & Young Americas Certification Services, James oversees all of the audits against common industry standards, and champions several global program implementation roll-outs. Developing and 'translating' the control environment behaviors of clients, such as Google, Amazon, Workday, and others is difficult. This discussion will bridge the needs of auditors with the community of developers by sharing examples, discussing the assurance expectations, and how to communicate to pass an audit.
Why Everyone Needs DevOps Now: 15 Year Study Of High Performing Technology OrgsGene Kim
This presentation describes my interpretation of the Why and How of DevOps, and the key findings from my 15 year study of high-performing IT organizations, and how they simultaneously deliver stellar service levels and rapid implementation of new features into the production environment.
Organizations employing DevOps practices such as Google, Amazon, Facebook, Etsy and Twitter are routinely deploying code into production hundreds, or even thousands, of times per day, while providing world-class availability, reliability and security. In contrast, most organizations struggle to do releases more every nine months.
He will present how these high-performing organizations achieve this fast flow of work through Product Management and Development, through QA and Infosec, and into IT Operations. By doing so, other organizations can now replicate the extraordinary culture and outcomes enabling their organization to win in the marketplace.
2012 Velocity London: DevOps Patterns DistilledGene Kim
2012 Velocity London,
Presentation by Patrick Debois (@patrickdebois), Damon Edwards (@damonedwards), Gene Kim (@realgenekim), John Willis (@botchagalupe)
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Elevating Tactical DDD Patterns Through Object Calisthenics
Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed
1. Security is Dead.
Long Live Rugged DevOps:
IT at Ludicrous Speed…
Joshua Corman & Gene Kim
Session ID: CLD-106
Session Classification: Intermediate
2. About Joshua Corman
Director of Security Intelligence for Akamai Technologies
Former Research Director, Enterprise Security [The 451 Group]
Former Principal Security Strategist [IBM ISS]
Industry:
Expert Faculty: The Institute for Applied Network Security (IANS)
2009 NetworkWorld Top 10 Tech People to Know
Co-Founder of “Rugged Software” www.ruggedsoftware.org
BLOG: www.cognitivedissidents.com
Things I’ve been researching:
Compliance vs Security
Disruptive Security for Disruptive Innovations
Chaotic Actors
Espionage
Security Metrics
2
3. About Gene Kim
Researcher, Author
Industry:
Invented and founded Tripwire, CTO (1997-2010)
Co-author: “Visible Ops Handbook”(2006), “Visible Ops Security” (2008)
Co-author: “When IT Fails: The Novel,” “The DevOps Cookbook” (Coming
May 2012)
Things I’ve been researching:
Benchmarked 1300+ IT organizations to test effectiveness of IT controls vs.
IT performance
DevOps, Rugged DevOps
Scoping PCI Cardholder Data Environment (#FAIL)
3
4. Agenda
Problem statement
What is DevOps?
What is Rugged?
What is Rugged DevOps?
Things you can do right away
4
5. Potentially Unfamiliar Words You Will See
Kanban
Andon cord
Sprints
Rugged
DevOps
Bottleneck
Systems thinking
Controls reliance
5
21. High Performing IT Organizations
High performers maintain a posture of compliance
Fewest number of repeat audit findings
One-third amount of audit preparation effort
High performers find and fix security breaches faster
5 times more likely to detect breaches by automated control
5 times less likely to have breaches result in a loss event
When high performers implement changes…
14 times more changes
One-half the change failure rate
One-quarter the first fix failure rate
10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
One-third the amount of unplanned work
8 times more projects and IT services
6 times more applications
Source: IT Process Institute, 2008
Source: IT Process Institute, 2008
22. 2007: Three Controls Predict 60% Of
Performance
To what extent does an organization define,
monitor and enforce the following?
Standardized configuration strategy
Process discipline
Controlled access to production systems
Source: IT Process Institute, 2008
56. DevOps: It’s A Real Movement
I would never do another startup that didn’t
employ DevOps like principles
It’s not just startups – it’s happening in the
enterprise and in public sector, too
I believe working in DevOps environments will
be a necessary skillset 5 years from now
58. The Prescriptive DevOps Cookbook
“DevOps Cookbook” Authors
Patrick DeBois, Mike Orzen,
John Willis
Goals
Codify how to start and finish
DevOps transformations
How does Development, IT
Operations and Infosec
become dependable partners
Describe in detail how to
replicate the transformations
describe in “When IT Fails: The
Novel”
59. Arc 1: Decrease Cycle Time Of Releases
Create determinism in the release process
Move packaging responsibility to development
Release early and often
Decrease cycle time
Reduce deployment times from 6 hours to 45 minutes
Refactor deployment process that had 1300+ steps spanning 4
weeks
Never again “fix forward,” instead “roll back,” escalating any
deviation from plan to Dev
Ensure environments are properly built before deployment begins
Control code and environments down the preproduction runways
Hold Dev, QA, Int, and Staging owners accountable for integrity
60. Arc 2: Increase Production Resilience
To preserve and increase throughput, elevate preventive
projects and maintenance tasks
Document all work, changes and outcomes so that it is
repeatable
Protect the flow of planned work (e.g., tickets bouncing
around for weeks, causing features to slip into next sprint)
Ops builds Agile standardized deployment stories
Maintains adequate situational awareness so that incidents
could be quickly detected and corrected
Standardize unplanned work and escalations
Continually seek to eradicate unplanned work and increase
throughput
61. Arc 3: Remove Complexity, Attack Surface And
Waste
Elective complexity adds to technical debt
Infosec (and everyone) wins when we take work
out of the system
Understand where controls reliance is placed
and what matters to the business
61
62. Meeting The DevOps Leadership Team
Typically led by Dev, QA, IT Operations and
Product Management
Our ultimate goal is to add value at every step in
the flow of work
See the end-to-end value flow
Shorten and amplify feedback loops
Help break silos (e.g., server, networking, database)
63. Definition: Agile Sprints
The basic unit of development in Agile Scrums,
typically between one week and one month
At the end of each sprint, team should have
potentially deliverable product
Aha Moment: shipping product implies not just code –
it’s the environment, too!
63
64. Help Dev And Ops Build Code And
Environments
Dev and Ops work together in Sprint 0 and 1 to
create code and environments
Create environment that Dev deploys into
Create downstream environments: QA, Staging,
Production
Create testable migration procedures from Dev all the
way to production
Integrate Infosec and QA into daily sprint
activities
66. Integrate Ops Into Dev
Embed Ops person into Dev structure
Describes non-functional requirements, use cases
and stories from Ops
Responsible for improving “quality at the source”
(e.g., reducing technical debt, fix known problems,
etc.)
Has special responsibility for pulling the Andon cord
67. Integrate Dev Into Ops
MobBrowser case study: “Waking up developers
at 3am is a great feedback loop: defects get
fixed very quickly”
Goal is to get Dev closer to the customer
Infosec can help determine when it’s too close (and
when SOD is a requirement)
68. Keep Shrinking Batch Sizes
Waterfall projects often have cycle time of one
year
Sprints have cycle time of 1 or 2 weeks
When IT Operations work is sufficiently fast and
cheap, we may decide to decouple deployments
from sprint boundaries (e.g., Kanbans)
70. IT Operations Increases Process Rigor
Standardize deployment
Standardize unplanned work: make it repeatable
Modify first response: ensure constrained
resources have all data at hand to diagnose
Elevate preventive activities to reduce incidents
71. Help Development…
Help them see downstream effects
Unplanned work comes at the expense of planned
work
Technical debt retards feature throughput
Environment matters as much as the code
Allocate time for fault modeling, asking “what
could go wrong?” and implementing
countermeasures
72. Help QA…
Ensure test plans cover not only code
functionality, but also:
Suitability of the environment the code runs in
The end-to-end deployment process
Help find variance…
Functionality, performance, configuration
Duration, wait time and handoff errors, rework, …
73. Help IT Operations…
“The best way to avoid failure is
to fail constantly”
Harden the production
environment
Have scheduled drills to “crash
the data center”
Create your “chaos monkeys” to
introduce faults into the system
(e.g., randomly kill processes,
take out servers, etc.)
Rehearse and improve
responding to unplanned work
NetFlix: Hardened AWS service
StackOverflow
Amazon firedrills (Jesse Allspaw)
The Monkey (Mac)
79. Case Studies And Early Indicators
Almost every major Internet online services
company
VERACODE Rapid SaaS Fix Blog Post
http://www.veracode.com/blog/2012/01/vulnerability-
response-done-right/
Pervasive Monitoring
Analytics at LinkedIn viewed by CEO daily:
LinkedIn Engineering: “The Birth Of inGraphs: Eric
The Intern”
81. Things To Put Into Practice Tomorrow
Identify your Dev/Ops/QA/PM counterparts
Discuss your mutual interdependence and shared
objectives
Harden and instrument the production builds
Integrate automated security testing into the build
and deploy mechanisms
Create your Evil/Hostile/Fuzzy Chaos Monkey
Cover your untested branches
Enforce the 20% allocation of Dev cycles to non-
functional requirement
82. Resources
From the IT Process Institute
www.itpi.org
Both Visible Ops Handbooks
ITPI IT Controls Performance Study
Rugged Software by Corman, et al:
http://ruggedsoftware.org
“Continuous Delivery: Reliable Software
Releases through Build, Test, and
Deployment Automation” by Humble,
Farley
Follow us…
@JoshCorman, @RealGeneKim
mailto:genek@realgenekim.me
http://realgenekim.me/blog
83. Interested In “The DevOps Cookbook?”
Give Gene your business card, and get exclusive
access to the first 100 pages of "When IT Fails:
The Novel" and "The DevOps Cookbook" for free
We’ll send it to you as soon as it’s ready!
86. Common Traits of High Performers
Culture of…
Change management
Integration of IT operations/security via problem/change management
Processes that serve both organizational needs and business objectives
Highest rate of effective change
Causality
Highest service levels (MTTR, MTBF)
Highest first fix rate (unneeded rework)
Compliance and continual reduction of
operational variance
Production configurations
Highest level of pre-production staffing
Effective pre-production controls
Effective pairing of preventive and detective controls
Source: IT Process Institute
87. Visible Ops: Playbook of High Performers
The IT Process Institute has been
studying high-performing
organizations since 1999
What is common to all the high
performers?
What is different between them and
average and low performers?
How did they become great?
Answers have been codified in the
Visible Ops Methodology
The “Visible Ops Handbook” is
available from the ITPI
www.ITPI.org
89. A Reframed IT Operations Problem Statement
Increase flow from Dev to Production
Increase throughput
Decrease WIP
Our goal is to create a system of operations that allows
Planned work to quickly move to production
Ensure service is quickly restored when things go wrong
Information security built in every stage of Development, Project
Management, and IT Operations
How does this relate to Visible Ops?
We focused much on “unplanned work”
What’s happening to all the planned work?
At any given time, what should IT Ops be working on?
Now we are focusing on the flow of planned work
92. By The Visible Ops Team:
Gene Kim, Kevin Behr, George Spafford
93. The Theory of Constraints Approach To Visible
Ops
Dr. Goldratt wrote The Goal in
1984, describing Alex’s
challenge to fix his plant’s cost
and due date issues within 90
days
Some tenets that went against
common wisdom:
Every flow of work has a
constraint/bottleneck
Any improvement not made at the
bottleneck is merely an illusion
Fallacy of cost accounting as
operational management tool
94. Interested?
If you’re interested in When IT Fails: The Novel or
The DevOps Cookbook, signup for the list at
http://whenitfails.org
Or:
# mail genek@realgenekim.me
Subject: [ slides | research | list ]
Editor's Notes
Tell story of Amazon, Netflix: they care about, availability, securityIt’s not a push, it’s a pull – they’re looking for our help (#1 concern: fear of disintermediation and being marginalized)
At RSA 2009, Josh Corman, Jeff Williams, and David Rice were chatting at the Greylock cocktail party.
So software not only need
…fast, and…
…agile, but it also needs to be…
…rugged. Capable of withstanding…
…the harshest conditions…
…and most unfriendly environments…
[ text ] My personal goal is to prescriptively define 1) what does Dev need to do to become a reliable partner, 2) what does IT Operations need to do to become a realiable partner, and then 3) how do they work together to deliver unbelievable value to the business.Of course, the goal is more than happy coexistence. It’s to replicate the Etsy and LinkedIn stories:Increase the rate of features that we can put into production, while simultaneously maintaining the reliability, stability, security and survivability of the production environment.
[ picture of stock graph ]There are two main characters: Steve the hard-driving CEO, of a $4B/yr manufacturing/retailing company. In an emergency board meeting, the board conveys two messages:You’ve promised us two projects for over years, to close the gap with the competition. It’s now a year late, $10MM over budget. Your competition is Best Buy, and you’re Circuit City. Hold your CIO accountable. Our job is to hire great CEOs, and fire the ones who can’t deliver. If you can’t fix this, we’ll find one who can.
This story is about how Bill, the thoughtful and methodical VP IT Operations, who saves some of the largest problems of the company. It’s a story about a Visible Ops and DevOps style transformation. It’s how Bill saves the company, helping it achieves their project goals, operational goals, security and compliance goals.And Steve the CEO realizes that Bill, the lowly VP of IT Operations, is the person who saved the company.
[ picture of When IT Fails ]But how do we make this an issue that CEOs actually care about, instead of strictly a grass-roots movement?For five years, I’ve been working on a book called “When IT Fails: The Novel.” Which I think can help.The goal of the book is to help bridge the dysfunctional marriage that often exists between the CIO and the CEO.When I told the CIO of Columbia Sportswear about it, he said, “When you finish that book, not only will everyone on my team need to read this, but my boss will need to read this, and my bosses boss will need to read this.”I was so moved by it, that it was one of the main reasons I wrote Tripwire – make completion of the book my sole focus.