Software rotting - 28 Apr - DeveloperWeek Europe 2022 (Giulio Vian)
"Software rotting or why you need to change your approach to security"
28 April 2022
DeveloperWeek Europe 2022
https://www.developerweek.com/europe/conference/conference-tracks/devops-security/
A new phenomenon stands out in recent years: security must pervade the entire software development lifecycle.
Except it isn't. The current generation of processes and tools lacks crucial features to properly manage modern security risks.
Think of the Log4J event. Were you able to identify all affected components? Were they internally developed, or did you need vendor support? How fast were you able to deliver a fix?
In this talk we'll explore the challenges, what you can do with current tools, and which gaps should be addressed by communities through better practices and new tools.
Evolving Your Distributed Cache In A Continuous Delivery World: Tyler Vangorder (Redis Labs)
1. The document discusses the evolution of caching strategies at Build.com as their systems and traffic grew rapidly over time. They initially used a Java-based distributed cache and later switched to Redis which proved more effective.
2. As Build.com moved to a continuous delivery model with multiple environments, they needed a "shared" cache that both environments could use. They implemented a unified caching model where each version of code has its own bucket in the cache but objects can be promoted from older versions if they are compatible.
3. The key aspects of the unified caching model are using a serialization checksum to detect changes between versions, using a build number as the cache key so each version is separate, and attempting to promote
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale (Agile Testing Alliance)
Avishkar Nikale, Senior Technical Architect at LTI, took a session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019.
Please refer to our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
Is Technical Debt the right metaphor for Continuous Update? (Giulio Vian)
Conf42 DevSecOps 2022 - December 1st 2022
The environmental pressure on software, mainly security, has dramatically changed in a few years. Sticking to the Technical Debt category will crush IT, and the business. So, let's introduce a new term, Technical Inflation, and change how we plan, budget, manage changes and implement automation.
Hardening Your CI/CD Pipelines with GitOps and Continuous Security (Weaveworks)
Join us for a webinar on how to secure your CI/CD pipeline for Kubernetes with GitOps best practices and continuous runtime protection. As modern developers and DevOps teams are embarking on a quest for speed and reliability through automated CI/CD pipelines for Kubernetes, enterprises still need to ensure security and regulatory compliance.
Together with Deepfence, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines, combined with continuous security observability, improve the overall security of your development workflow - from Git to production.
In this webinar we will demonstrate:
Deepfence container scanning
Git-to-Kubernetes using FluxCD
Deepfence continuous runtime security
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security (John Willis)
The document discusses the divine and felonious nature of cyber security and introduces the concept of DevSecOps. It notes that traditional perimeter-based security is no longer sufficient given changes in applications and infrastructure. DevSecOps integrates security practices like training, requirements, threat modeling directly into the development pipeline from the beginning. This helps automate security testing and monitoring throughout the software development lifecycle and supply chain. When done right, DevSecOps helps create a "new Goldilocks zone" where security is no longer a bottleneck to rapid software development and deployment.
This document discusses improvements to agile methodology through continuous integration using dynamic regression, code bisection, and code quality. It proposes mapping source code to test suites and running only relevant tests after code changes to speed up testing. When failures occur, code bisection is used to quickly identify responsible code changes. Code quality is also assessed continuously using tools like Sonar to monitor for issues. The approaches aim to improve agility, reduce bug fixing time, and ensure high code quality.
OSSF 2018 - Brandon Jung of GitLab - Is Your DevOps 'Tool Tax' Weighing You D... (FINOS)
The document discusses how a single application that handles the entire software development lifecycle can help alleviate the "DevOps tool tax" caused by managing and integrating multiple point solutions. It provides an overview of GitLab's Auto DevOps feature which automates the build, test, security, deployment, and monitoring pipelines in a single system. By consolidating tools and processes, Auto DevOps helps reduce integration complexity and accelerate development cycles.
Part 2 improving your software development v1.0 (Jasmine Conseil)
The document discusses improving software development processes through continuous integration using agile tools. It describes how build tools can automate various parts of the software development process, including compiling, testing, packaging, and deploying code. Maven is presented as a common build tool that supports a well-defined development lifecycle. Continuous integration principles are explained, emphasizing how integrating code changes frequently and running automated builds can reduce integration issues. Hudson is introduced as an open-source continuous integration server that supports automation and provides feedback. The JasForge project aims to manage agile tools like Hudson in an integrated platform to control the software development process.
The Anatomy of Continuous Deployment at Scale - 100 deploys a week at Envato ... (John Viner)
The Envato market development team runs a two-sided marketplace platform that powers sites such as themeforest.net and graphicriver.net. This presentation describes how they deploy the application up to 25 times a day while serving up to 200 million requests a week.
Jenkins is an open-source tool for continuous integration that allows developers to integrate code changes frequently from a main branch using an automated build process. It detects errors early, measures code quality, and improves delivery speed. Jenkins supports various source control, build tools, and plugins to customize notifications and reporting. Security features allow restricting access and privileges based on user roles and projects.
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media... (Amine Barrak)
Presentation of the Best Student Paper Award winner at CASCON 2018, entitled: Just-in-time Detection of Protection-Impacting Changes on WordPress and MediaWiki
Link to the paper: https://dl.acm.org/citation.cfm?id=3291310
Cloud continuous integration - A distributed approach using distinct services (André Agostinho)
In cloud computing services, the ability to share and deliver services, scale computing resources and distribute data storage and files requires a deployment process aligned with agility and scalability. Continuous integration can automate the process, reducing operational effort, improving code quality and reducing time to market. This presentation shows a proposal for distributed continuous integration using different cloud computing services, from planning to execution of scenarios.
Help students get familiar with the basic concepts of DevOps processes and technologies and the challenges facing companies who are looking to embrace scalable software deployment.
[This workshop was given to TAU CS students over the years 2015-2016]
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Gerrit is a code review system that tightly integrates with Git. It provides a web-based user interface and API for reviewing changes, managing access control, and integrating with other tools like Jenkins. Key features include fast and easy code reviews, flexible integration options, and tools for managing projects, users, and access control. Gerrit supports code review workflows and allows configuring commit policies and change submission actions.
DevOps aims to bring development and operations teams closer together through automation, shared tools and processes. Automating builds improves consistency, reduces errors and improves productivity. Common issues with builds include them being too long, handling a large volume, or being too complex. Solutions include improving build speed, addressing long/complex builds through techniques like distributed builds, and using build acceleration tools. Automation is a key part of DevOps and enables continuous integration, testing and deployment.
Continuous Integration and development environment approach (Aleksandr Tsertkov)
Continuous integration provides quick feedback on recent code changes through automated builds run regularly from a CI server. Each build has a status of success or failure and publishes artifacts like binaries, test results, and metrics. Peer code review helps improve code quality by having developers systematically review each other's code in small teams using tools like Reviewboard, Crucible, and CodeCollaborator. The engineering environment approach presented utilizes dedicated servers for remote development, with components like Subversion for version control, CruiseControl for continuous integration, and Crucible for peer review to facilitate collaboration.
Keptn is an open-source project that provides tools to enable continuous delivery and automation for modern applications using Kubernetes. It allows developers to focus on code and DevOps teams to focus on tools rather than building custom pipelines. Keptn provides automated multi-stage delivery pipelines, automated quality gates, self-healing deployments, and enables zero-touch toolchain integration and updates. It also supports automated problem remediation in production for continuous operations. Keptn follows cloud-native design principles and provides a common way for organizations to achieve autonomous delivery and operations.
Continuous Integration for Oracle Database Development (Vladimir Bakhov)
The document provides information about continuous integration (CI) for database development projects. It discusses how version control, automated testing, and continuous deployment can be applied to database code and artifacts. Key points include:
- Storing database scripts, structures, and data migrations in version control to allow for automated deployment and rollbacks.
- Maintaining a "trunk" version that serves as the single source of truth for all changes.
- Taking nightly backups of a production-like environment and deploying changes since the last build to test integration.
- Generating deployment scripts by comparing the trunk to the current production version.
- Running automated tests after each deployment to catch errors early.
Finding Bugs, Fixing Bugs, Preventing Bugs - Exploiting Automated Tests to In... (University of Antwerp)
With the rise of agile development, software teams all over the world embrace faster release cycles as *the* way to incorporate customer feedback into product development processes. Yet, faster release cycles imply rethinking the traditional notion of software quality: agile teams must balance reliability (minimize known defects) against agility (maximize ease of change). This talk will explore the state-of-the-art in software test automation and the opportunities this may present for maintaining this balance. We will address questions like: Will our test suite detect critical defects early? If not, how can we improve our test suite? Where should we fix a defect?
(Keynote for the SHIFT 2020 and IWSF 2020 Workshops, October 2020)
Watch the recorded version of this Webinar here:
Curious about Continuous Integration? Tune in!
Continuous Integration (CI), which is a big part of continuous delivery, is the concept of continuously building and testing software using an automated process. We have learned that utilizing CI could help us catch bugs earlier, enable better visibility, reduce repetitive processes, enable the development team to produce deployable products at a moment's notice, and reduce risk overall.
These slides will identify the various levels of continuous integration and delivery with regards to a release maturity of the development team or parent organization.
Keynote VST2020 (Workshop on Validation, Analysis and Evolution of Software ... (University of Antwerp)
A keynote delivered for the 3rd Workshop on
Validation, Analysis and Evolution of Software Tests
February 18, 2020 | co-located with SANER 2020, London, Ontario, Canada.
http://vst2020.scch.at
Abstract - With the rise of agile development, software teams all over the world embrace faster release cycles as *the* way to incorporate customer feedback into product development processes. Yet, faster release cycles imply rethinking the traditional notion of software quality: agile teams must balance reliability (minimize known defects) against agility (maximize ease of change). This talk will explore the state-of-the-art in software test automation and the opportunities this may present for maintaining this balance. We will address questions like: Will our test suite detect critical defects early? If not, how can we improve our test suite? Where should we fix a defect? The research underpinning all of this has been validated under "in vivo" circumstances through the TESTOMAT project, a European project with 34 partners coming from 6 different countries.
Come implementare la governance nella vostra piattaforma e lavorare felici se... (Giulio Vian)
DevOps Conf 2024 - Rome - 10 May 2024
https://devopsconf.dotnetdev.it
The tools we use for development and release are essential to control the processes in use and to guarantee that they meet business, legal and regulatory requirements.
In this session I will show how to move from abstract policies to their implementation on platforms such as Azure DevOps or GitHub, so that you can prevent problems beforehand and verify afterwards that operations were carried out correctly. And become friends with the Head of Risk and Audit.
Is Technical Debt the right metaphor for Continuous Update - AllDayDevOps 2022 (Giulio Vian)
The environmental pressure on software has dramatically changed in a few years, both in quality and quantity. Security is the main force, but other dynamics can be seen, including the adoption of agile, shorter product cycles, and more. As a consequence, software is no longer written once and run many times: it must be updated continuously. If we, as an industry, continue to use the classic category of Technical Debt, IT will be crushed by the forces at hand, pulling the business side along. I propose to introduce a new term for this phenomenon: Technical Inflation. It is not simply to mark the difference but to help discuss and explain to other stakeholders what is happening on the technical side and the effect on the entire business. The new perspective impacts how we plan and budget, how we manage changes and automation, and the need to excel in engineering to save the bottom line.
A map for DevOps on Microsoft Stack - MS DevSummitGiulio Vian
This document provides an overview of DevOps on the Microsoft stack. It discusses three ways of implementing DevOps: 1) Flowing work from idea to production using tools like GitHub, Azure Boards, Azure DevOps Server, and infrastructure as code. 2) Gathering feedback using observability tools like Application Insights and alerting. 3) Fostering communication, documentation, learning and fun through tools like GitHub Pages, Teams, LinkedIn Learning and DevTest Labs. The document recommends resources for learning more about DevOps and the Microsoft stack.
Pipeline your Pipelines - 2020 All Day DevOpsGiulio Vian
Giulio Vian discusses automating build infrastructure by treating it as code that can be versioned, backed up, and rebuilt. This allows building environments to be rebuilt if lost, fixes to be deployed to production, and old versions to be rebuilt. Infrastructure as code uses version control, secrets stores, and pipelines to build runtime, CI/CD, and application infrastructure in a fractal manner.
How to write cloud-agnostic Terraform code - Incontro DevOps Italia 2020Giulio Vian
The document discusses how to write Terraform code that is cloud-agnostic and not specific to a single provider. It recommends abstracting common services like networking and computing blocks, and using variables and modules to deploy resources for multiple platforms. Examples are given using count and conditional deployment based on variables, as well as referencing subnets and regions in a provider-independent way. The document aims to help make Terraform configurations reusable across different cloud providers.
The document lists the top 10 pipeline mistakes, including unsafe secrets, untraceable artifacts, environment-specific deploy packages, lack of testing, use of bleeding edge technology, overly complex builds, flaky builds, overuse of versioning, implicit assumptions, and reliance on dubious plugins. The author provides recommendations to address each mistake, such as using secret stores, adding versioning and links to artifacts, deploying the same packages to all environments, including quality checks, ensuring deployable technology and available agents, splitting processes, enabling reproducible builds, adding version specifications, checking tool requirements, and using autonomous pipelines.
Introduction to Terraform with Azure flavorGiulio Vian
Terraform is a tool for provisioning and managing infrastructure as code. It allows defining and deploying infrastructure through configuration files rather than interactive console tools. The configuration files describe the components needed for an application and their relationships, and Terraform uses this information to provision and update infrastructure safely and efficiently. Terraform works by defining resources such as compute instances, storage, and networking components using a high-level configuration language, and then generates and executes the plans to build, change, and version those resources. It supports a variety of cloud platforms including Azure.
How collaboration works between Dev and Ops - DevOps Agile Testing and Test S...Giulio Vian
This document summarizes tools and techniques for collaboration between Dev and Ops teams, including:
- Shared version control of infrastructure as code, secrets stores, and documentation to provide transparency.
- The use of dashboards, chat, wikis, and monitoring and logging tools to share information across teams.
- Having Dev and Ops use the same environment names and classifications to facilitate coordination between pipelines, dashboards, and other systems.
Usare SQL Server for Linux e Docker per semplificare i processi di testing - ...Giulio Vian
DevOps@Work 2020
Roma, 16 January 2020
https://www.domusdotnet.org/events/
SQL Server per Linux apre un nuovo mondo di possibilità per testare il codice SQL in modi che prima non erano pensabili.
Esploriamo alcune opzioni come:
- Ripristinare il database ad uno stato noto tra un test e l'altro
- Provare più varianti di configurazione
- Eseguire test di integrazione nella pipeline CI
- Test delle migrazioni dello schema
- Attach di grossi database eseguendo i container nel cloud
The document discusses automating build and deployment pipelines using infrastructure as code. It recommends:
1. Treating development environments like production by making them automated, disposable, and recreated from code.
2. Not sharing secrets between environments and making credentials, keys, and other sensitive data unique to each automated environment.
3. Automating the creation of all infrastructure components including VMs, containers, Kubernetes clusters from configuration files to ensure they can be recreated identically on any cloud provider.
Why is DevOps vital for my company’s businessGiulio Vian
The document discusses why DevOps is vital for companies in the modern business landscape. It notes that software is now central to many businesses and products, like cars which contain over 150 million lines of code. DevOps applies lean principles to streamline the process of delivering software by reducing waste and improving feedback loops between development and operations teams. Implementing DevOps through systems thinking, amplifying feedback, and continuous experimentation can lead to benefits like less risk, faster feedback, and increased value delivery and organizational efficiency.
GLV OnAir Ottobre 2019
In questa introduzione a GitHub Actions: vedremo gli elementi base, cosa è possibile fare, cosa invece si rivela complicato o impossibile da fare, come trovare informazioni ed esempi.
Terraform for azure: the good, the bad and the ugly -Giulio Vian
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. The presenter discusses the good, bad, and ugly aspects of using Terraform with Azure. The good includes its simple configuration language and ability to integrate with Azure and automate deployments. The bad includes limitations in its language and some errors being difficult to debug. The ugly involves challenges around managing state files and keeping infrastructure definitions well organized. Overall, Terraform provides benefits but also requires understanding its quirks and handling state carefully.
How we moved our environments to the cloudGiulio Vian
Šibenik, 4 April 2019
http://windays.hr/
In this talk, you will hear about the DevOps journey in our company, from the initial brown-field all-manual state, to our current situation where we migrated (almost) everything to the cloud using automation in a few months. Not a migration but rebuilding the environment using Infrastructure-as-Code tools: Terraform, Powershell, Ansible, TFS/Azure DevOps. In equilibrium between an high-level view and useful practical tips, we will touch on what informed our decisions, in terms of priorities and technologies, some lessons learned, and how the legacy constraints helped or hindered.
Customize Azure DevOps using AggregatorGiulio Vian
Šibenik, 4 April 2019
http://windays.hr/
We will see how to customize Azure DevOps (ex Visual Studio Team Services, ex Team Foundation Server) using a powerful tool like Aggregator.
Version 2 made a simple task adding rules to TFS on-premise, now vervsion 3 offers a full support to Azure DevOps; furthermore rules are more powerful, no more limited to Boards (work items) events, but to new types like Git events.
You can please your _Project Manager_/_Scrum Master_ by automating task creation, or roll-ups; or automatically inject a set of reviewers in a Pull Request.
Even if you will never use Aggregator, you can learn something from its use of Azure and Azure DevOps API and build your own tooling.
Moving a Windows environment to the cloudGiulio Vian
Incontro DevOps Italia 2019
Bologna, 8 March 2019
https://2019.incontrodevops.it/
About the DevOps journey in our company, from the initial brown-field all-manual state, to our current situation where we migrated (almost) everything to the cloud using automation in a few months. Not a migration but rebuilding the environment using Infrastructure-as-Code tools: Terraform, Powershell, Ansible, TFS/Azure DevOps. In equilibrium between an high-level view and useful practical tips, we will touch on what informed our decisions, in terms of priorities and technologies, some lessons learned, and how the legacy constraints helped or hindered.
How's relevant JMeter to me - DevConf (Letterkenny)Giulio Vian
devConf LK 2019
Letterkenny, 23 February 2019
http://bit.ly/devConfLK2019
How do compare Visual Studio Web & Load Test with JMeter? Can I replace one with the other? How hard is this open-source tool? Do I need to install and/or learn Java?
We will answer these questions and more with a practical introduction, exploring:
- Basics of JMeter
- Recording
- Collecting and analyzing results
- Tokens and parametrization
- Scenarios and distributions
- Setting up a test rig
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
Boost Your Savings with These Money Management AppsJhone kinadey
A money management app can transform your financial life by tracking expenses, creating budgets, and setting financial goals. These apps offer features like real-time expense tracking, bill reminders, and personalized insights to help you save and manage money effectively. With a user-friendly interface, they simplify financial planning, making it easier to stay on top of your finances and achieve long-term financial stability.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
Transforming Product Development using OnePlan To Boost Efficiency and Innova...OnePlan Solutions
Ready to overcome challenges and drive innovation in your organization? Join us in our upcoming webinar where we discuss how to combat resource limitations, scope creep, and the difficulties of aligning your projects with strategic goals. Discover how OnePlan can revolutionize your product development processes, helping your team to innovate faster, manage resources more effectively, and deliver exceptional results.
Using Query Store in Azure PostgreSQL to Understand Query PerformanceGrant Fritchey
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...The Third Creative Media
"Navigating Invideo: A Comprehensive Guide" is an essential resource for anyone looking to master Invideo, an AI-powered video creation tool. This guide provides step-by-step instructions, helpful tips, and comparisons with other AI video creators. Whether you're a beginner or an experienced video editor, you'll find valuable insights to enhance your video projects and bring your creative ideas to life.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Software rotting - DevOpsCon Berlin
1. Software rotting
Why you need to change your approach to security…
@giulio_vian
https://www.getlatestversion.eu
http://blog.casavian.eu
https://www.slideshare.net/giuliov
https://github.com/giuliov
Giulio Vian
22 June 2022
8. High-level process
CVE → Security (triggers) → Developer Teams (search) → Developer Teams (fix) → Release Management (deploy)
9. Affected by Vulnerability [search]
- Application stack: container images, virtual machine images, the application itself
- Application itself: application code; libraries (internal, 3rd party); self-contained run-time
(Diagram: layers Image, OS libraries, Run-time, Application; in the self-contained case the run-time is bundled with the application.)
10. Find code, easy? [search]
- Multiple production branches (release/* and hotfix/*)
- Untagged releases
- SCA† tools pipeline-bound
- Rarely built code
- Pipeline does not work anymore
† Software Composition Analysis
13. What’s normal? [fix]
Many teams, many repos. My company has 3,000 repos across 100 teams, storing over 13 million lines of code, and using 2,800 pipelines.
A single vulnerability may affect 10s of teams and 100s of repos.
Image: The Crowd For DMB 1 by Moses
16. Estimate Risk [search]
- Probability of an adverse cyber event: frequency of attack; availability of 0-day exploit
- Cost factors: number of systems to patch; % of components to build and redeploy
- Actuaries already have rich models
Image source: WikiMedia
18. Good SCM Practices [search]
- Standardize SCM to Git
- Single management system with rich API
- Standard naming for production tags (for branches, also)
- Rich metadata via tagging features: repo owners, hotfix pipelines
Image by David Iliff from Wikimedia
19. Breadth of change [fix]
Fix impacting many systems at once: hundreds of concurrent pipelines.
- Can your build & deploy tool auto-scale?
- Can your approval process scale?
- How fast can you rebuild a substantial portion of IT systems?
Image source: public domain
20. Tooling [fix]
- Your SCA may generate code changes, e.g. dependabot
- Build scripts can be massively edited: git-xargs, auto-pr, multi-gitter, …
Image: robotic arm in the Conrad Prebys Center for Chemical Genomics by Josh Baxt
21. Good patching practices [fix]
- Scan all repos often
- Fast-track automated pipelines for all systems
- Thorough automated regression testing
- Expedite approval process
Image source: public domain
22. Bill of Materials on steroids [deploy]
Reverse indexes:
- Library → Binaries [SCA tool]
- O.S. API → Binaries [SAST tool]
- Binary → Pipelines [artifact store]
- Pipeline → Repo(s) [pipeline tool]
(Diagram nodes: Library, Repo, Pipeline, Binaries, Production.)
23. Redeploy. Every. Day. [deploy]
- Simplest pattern
- Once automated patching is in place
- Zero-downtime deploy in place
- Consider pipeline resources
Image: the gerbil wheel pose by dbgg1979
24. Expedite pipelines [deploy]
- Separation of Duties: regulation / audit requirement; slows 0-day patching
- Tightly controlled usage: automated checks; single commit with limited churn; additional approvers for quick turnaround
Image courtesy of SpaceX
34. App Platform shift
(Per platform: support window, patch cadence, and any further figure given on the slide.)
- Chrome: 1 month; patched after 14 days
- Node.JS: 30 months (LTS); patched every 25 days; 6 months
- Go: 6 months; patched every 26 days; two major releases supported
- MongoDB: 30 months; patched every 5 weeks
- .NET: 3 years (LTS); patched every 6 weeks; 18 months
- Java: 3 years (LTS); patched every 12 weeks; 6 months
38. Technical Inflation
Unintended reduction in value of a software product over time, independent of source code changes.
Depreciation does not capture two elements: unintentionality; value can be restored.
Image source: Max Pixel
39. 1974: Continuing Change law
«A[n E-type] system must be continually adapted or it becomes progressively less satisfactory.»
Image source: WikiMedia
40. Executive Summary
- Software decays rapidly, and the decay rate is speeding up.
- Security is the main force, but not the only one.
- We must improve tooling and practices to cope with this increased velocity.
- Technical Inflation helps Management understand what is going on.
Image source: Public Domain
43. References (2/5)
- https://heartbleed.com/
- Why Every Business Is a Software Business, Watts S. Humphrey, Informit, Feb 22, 2002: http://www.informit.com/articles/article.aspx?p=25491
- https://en.wikipedia.org/wiki/Watts_Humphrey
- https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021
- https://www.shopify.com/enterprise/global-ecommerce-statistics
- https://blog.cloudflare.com/popular-domains-year-in-review-2021/
- https://radar.cloudflare.com/year-in-review-2021
- https://snyk.io/blog/net-open-source-security-insights/
- https://www.contrastsecurity.com/the-state-of-the-oss-report-2021
- https://octoverse.github.com/static/github-octoverse-2020-security-report.pdf
…except that the next day, a new vulnerability has reached prime time, and … yes, Joe's app is impacted!
How often has this happened to you?
Is it happening more frequently?
Software is not a problem if not deployed. The most secure computer is off and unplugged.
Who am I?
I work at Unum, a Fortune 500 company, with more than a thousand people in IT.
I have studied DevOps for over 10 years and I speak at international conferences. Awarded by Microsoft as Most Valuable Professional in the Azure DevOps category in the last few years.
If you want to discuss today’s ideas or other DevOps topics you can reach me on Twitter as giulio_vian or email me directly.
While I try to solve a new problem each day, some issues take years to go away.
How do we run the process today?
1. Publication of a CVE triggers the Security team in the organization.
2. The Security team instructs Dev Teams to fix application code as needed.
3. Code must be deployed to Production under Release Management team supervision.
A Release Management role may be required by SOX, Basilea, and similar regulation
Deploy where? Production! We don’t care about the rest (although…), so we need to…
Joe stops and thinks: I need to look at my pom.xml (build.gradle, *.csproj, Makefile, package.json, … you name it) for references to Log4J (or whatever is vulnerable).
Oh, but I use SLF4J which in turn… indirect dependencies! I need a tool just to find all possible references recursively.
Oh oh, our Tomcat configuration is using Log4J! I must check more than my JAR file, says Joe.
…and the next question is…
Here we discuss how to identify:
1. the code that needs to be patched
2. the pipeline that releases that code in Production
and some issues that one may face:
- If more than one branch can reach prod, which one do you choose?
- How do you match the exact version of code?
- Does Software Composition Analysis kick in only through pipelines? Is it triggered by the deploy pipeline?
- The deploy pipeline hasn’t been used in months and doesn’t work anymore (e.g. a token expired, or there is no longer a suitable agent)
…are there tools to support me and detect vulnerabilities in the code I deliver? Yes, there are BLAH
The vulnerability could be a bad code pattern, use of an API, or a vulnerable dependency; in any case we need to find the impacted code.
We must scan all repositories that contain production code. Non-production repositories should be included in the search but listed separately to remove noise.
Some patching can be easily automated, in particular library dependencies listed in project files (e.g. package.json, pom.xml, .csproj, …)
† Lack of blue/green, canary, rolling/progressive deployment
When I’ll be next
We had billions of attacks!? Mostly intercepted email, though; one day one will be successful.
Ok, but what might be the consequences of an attack?
First batch of crucial elements of a solution: the qualities required of Software Configuration Management (SCM).
Moving to Git is a prerequisite because every modern development tool has shifted to it.
What about the rest?
Consolidate all projects into a single SCM platform: GitHub, Azure DevOps, BitBucket, GitLab. The ones listed have rich APIs that enable automation and integration.
Recommend a set of branch names and mandatory tag names to identify code that goes to / matches production. This does not mean that all teams use the same process (e.g. GitFlow), but that they use the same conventions for branch names and, especially, for tags.
Modern systems allow attaching custom properties to Git repositories and pipeline definitions. A Tag/Label/Property can identify a repo as in use, archived, or just holding experimental code. Same for pipelines: there are builds with limited scope (quick CI) and builds that deploy to production; use a Tag/Label/Property to distinguish them.
As mentioned, on a small scale it is easy. Problems arise when you need to manage at scale: more than a few teams, repos, or pipelines.
Consider the scenario where a single vulnerability impacts most of your applications (which is probable when the majority of your code uses the same platform, e.g. Log4J impacting all Java-based applications).
You need to patch lots of repositories and deploy lots of components, each through a separate pipeline.
In such scenario, you need new capabilities:
Global editing tool
Launch most pipelines in parallel (consider batching)
Auto-scale build resources to sustain the spike
Single-approval for the set of pipeline runs
These aren’t offered by current systems.
Can it be automated? <pause> To my knowledge there are some tools that do some of the work, like GitHub dependabot.
It scans sources and proposes changes via a pull-request mechanism.
It does not support all package managers, though, and some features require GitHub.
And clearly we need to input which is the correct version to use. We have seen toolchain attacks where the fix was to roll back, haven’t we?
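The two automation points raised in these notes, bulk editing of dependency declarations in project files (package.json, pom.xml) and the need for a human-chosen target version that may even be a downgrade, as an added example that is not code from the talk or from dependabot. The manifests, package names and versions below are constructed; a real rollout would run pin_manifest over every repository found by the search step and open a pull request per repo.

```python
"""Bulk dependency pinning for project files, as a patching step a team
could run across many repositories (a "global editing tool").

Added example, not code from the talk or from dependabot. It handles the two
manifest shapes mentioned in the notes, package.json and pom.xml, and takes
the target version as input, because the correct version is a human decision
and may be a downgrade (a rollback after a compromised release).
"""
import json
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # keep pom.xml's default namespace on output


def pin_package_json(text, name, target):
    """Set `name` to exactly `target` in dependencies/devDependencies.

    Returns (new_text, changed). Caret/tilde ranges are replaced by an exact
    pin so the lockfile resolves to the version that was actually reviewed.
    """
    data = json.loads(text)
    changed = False
    for section in ("dependencies", "devDependencies"):
        deps = data.get(section, {})
        if name in deps and deps[name] != target:
            deps[name] = target
            changed = True
    return (json.dumps(data, indent=2) + "\n", True) if changed else (text, False)


def pin_pom(text, coordinate, target):
    """Set groupId:artifactId `coordinate` to `target` in a pom.xml.

    Follows a ${property} indirection into <properties>, the usual way a
    logging library version is centralised in Maven builds.
    """
    group, artifact = coordinate.split(":", 1)
    root = ET.fromstring(text)
    ns = {"m": POM_NS}
    props = root.find("m:properties", ns)
    changed = False
    for dep in root.iterfind(".//m:dependency", ns):
        if (dep.findtext("m:groupId", namespaces=ns),
                dep.findtext("m:artifactId", namespaces=ns)) != (group, artifact):
            continue
        node = dep.find("m:version", ns)
        if node is None:
            continue  # version managed by a parent/BOM: out of scope here
        ref = re.fullmatch(r"\$\{(.+)\}", node.text or "")
        if ref and props is not None:
            node = next((p for p in props if p.tag == f"{{{POM_NS}}}{ref.group(1)}"), None)
        if node is not None and node.text != target:
            node.text = target
            changed = True
    return (ET.tostring(root, encoding="unicode") + "\n", True) if changed else (text, False)


def pin_manifest(filename, text, dependency, target):
    """Dispatch on manifest type; unknown manifests are left untouched."""
    if filename.endswith("package.json"):
        return pin_package_json(text, dependency, target)
    if filename.endswith("pom.xml"):
        return pin_pom(text, dependency, target)
    return text, False


# Constructed sample manifests (not from any real project).
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "web-frontend", "dependencies": {"lodash": "^4.17.15", "react": "17.0.2"}},
    indent=2,
)
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${{log4j.version}}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    # Target versions here are constructed inputs, not advisory data.
    new_json, _ = pin_manifest("package.json", SAMPLE_PACKAGE_JSON, "lodash", "4.17.21")
    new_pom, _ = pin_manifest("pom.xml", SAMPLE_POM, "org.apache.logging.log4j:log4j-core", "2.17.1")
    print(new_json)
    print(new_pom)
```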
A crucial pattern to implement is the fast-track (expedite) pipeline.
Every deployable component must have a pipeline that delivers just security fixes with as much regression testing as possible within a limited 2-hour timebox and as few manual steps (e.g. approvals) as possible.
Tip: maybe you need some kind of incremental build to minimize build, test and deploy times.
Current tooling may offer some information, but a well-rounded process needs a lot of cross-reference data.
Dependency management is a weak spot in general; SCA (Software Composition Analysis) can identify vulnerabilities in libraries.
Use of an API may be caught by security scans.
An artifact management tool can track the source (build) of binaries, if properly used.
Pipelines know which repositories they use; what we need here is the ability to call a REST API that tells us the dependency.
If you can use such tools, great. Maybe you need to follow some conventions and write some query tools.
In the worst scenario, you have to build and maintain your own database.
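The "Bill of Materials on steroids" reverse indexes (Library → Binaries → Pipelines → Repos) from slide 22, built as the "own database" these notes describe, as an added example that is not code from the talk. The SCA report, artifact-store and pipeline-tool exports are constructed stand-ins with invented service, pipeline and repository names; the fixed-in version passed to the query is an input, not a statement about any real advisory.

```python
"""Reverse-index query for the "Bill of Materials on steroids" idea.

Added example, not code from the talk. The three inputs are constructed
stand-ins for what an SCA tool, an artifact store and a pipeline tool would
export; the names (services, repos, pipelines) are invented.
"""
from collections import defaultdict

# Constructed SCA report: binary -> [(library coordinate, version)], as an
# SCA tool would list direct *and* transitive dependencies per built artifact.
SCA_REPORT = {
    "orders-svc-1.4.2.jar": [
        ("org.apache.logging.log4j:log4j-core", "2.14.1"),
        ("org.slf4j:slf4j-api", "1.7.32"),
    ],
    "billing-svc-3.0.0.jar": [("org.apache.logging.log4j:log4j-core", "2.17.1")],
    "web-frontend-7.2.0.tgz": [("lodash", "4.17.21")],
    # Base image: the vulnerable library lives in the platform, not the app.
    "tomcat-base:9.0.50": [("org.apache.logging.log4j:log4j-core", "2.13.3")],
    # Deployed binary with no record in the artifact store (untagged release,
    # pipeline deleted): the case the talk warns about.
    "legacy-batch-0.9.jar": [("org.apache.logging.log4j:log4j-core", "2.12.0")],
}

# Constructed artifact-store export: pipeline -> binaries it published.
ARTIFACT_STORE = {
    "pipeline/orders-ci": ["orders-svc-1.4.2.jar"],
    "pipeline/billing-ci": ["billing-svc-3.0.0.jar"],
    "pipeline/frontend-ci": ["web-frontend-7.2.0.tgz"],
    "pipeline/base-images": ["tomcat-base:9.0.50"],
}

# Constructed pipeline-tool export: pipeline -> repositories it checks out.
PIPELINE_REPOS = {
    "pipeline/orders-ci": ["git/orders-svc"],
    "pipeline/billing-ci": ["git/billing-svc"],
    "pipeline/frontend-ci": ["git/web-frontend"],
    "pipeline/base-images": ["git/platform-images", "git/tomcat-config"],
}


def parse_version(text):
    """Dotted numeric version -> comparable tuple ("2.14.1" -> (2, 14, 1)).

    Good enough for plain Maven/npm numbers; a real index needs the
    ecosystem's own comparator (qualifiers, ranges, epochs).
    """
    return tuple(int(part) for part in text.split("."))


class ReverseIndex:
    """Library -> Binaries -> Pipelines -> Repos, built once from the exports."""

    def __init__(self, sca_report, artifact_store, pipeline_repos):
        self.lib_to_binaries = defaultdict(list)
        for binary, libraries in sca_report.items():
            for coordinate, version in libraries:
                self.lib_to_binaries[coordinate].append((binary, version))
        self.binary_to_pipelines = defaultdict(set)
        for pipeline, binaries in artifact_store.items():
            for binary in binaries:
                self.binary_to_pipelines[binary].add(pipeline)
        self.pipeline_to_repos = pipeline_repos

    def impact(self, coordinate, fixed_in):
        """Everything shipping `coordinate` below version `fixed_in`.

        Returns sorted lists so the answer is stable and diff-able; binaries
        with no known pipeline are reported separately as 'orphans', since
        they cannot be fixed by simply re-running a pipeline.
        """
        floor = parse_version(fixed_in)
        binaries = sorted(
            binary for binary, version in self.lib_to_binaries.get(coordinate, [])
            if parse_version(version) < floor
        )
        pipelines, orphans = set(), []
        for binary in binaries:
            owners = self.binary_to_pipelines.get(binary)
            if owners:
                pipelines |= owners
            else:
                orphans.append(binary)
        repos = {repo for p in pipelines for repo in self.pipeline_to_repos.get(p, [])}
        return {
            "binaries": binaries,
            "pipelines": sorted(pipelines),
            "repos": sorted(repos),
            "orphans": orphans,
        }


INDEX = ReverseIndex(SCA_REPORT, ARTIFACT_STORE, PIPELINE_REPOS)

if __name__ == "__main__":
    # Constructed fixed-in version: an input to the query, not advisory data.
    report = INDEX.impact("org.apache.logging.log4j:log4j-core", fixed_in="2.17.1")
    for key, values in report.items():
        print(f"{key:10s} {values}")
```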
Deploy where? Production! We don’t care about the rest (although…), so we need to…
A Release Management role may be required by SOX, Basilea, and similar regulation
But you need speed when it is a 0-day exploit.
For example, you must be able to deploy a patch within hours of its release from a 3rd party (an OSS project or a vendor).
Fast-track (expedite) pipelines are not for normal usage: there should be some kind of trigger, like a new CVE, or a communication from the Security team or upper management.
What is the way to solve this burning problem?
…they are not decreasing, quite the opposite.
Increasing more than linearly!
…display the same pattern, even more.
Why?
Modern app development is not using just a few suppliers like in the past.
A study from Sonatype confirms that we use a lot more libraries, from all kinds of sources, in particular Open Source libraries,
and attacks leverage this trend.
The graphs illustrate the JavaScript scenario, but other languages…
Both graphs illustrate that we, as an industry, aren’t exactly great at reacting and fixing our applications.
The one on the left is data about OSS projects.
The one on the right is more interesting because it is based on telemetry data, a more significant insight into IT organizations.
.NET Core 3.1: 3.1.0 December 3, 2019; 3.1.22 December 14, 2021. Got 22 patch releases in 3 years, i.e. every 45 days / 6 weeks.
Node v14 (Fermium): Active LTS start 2020-10-27, v14.15.0; 2022-02-01, Version 14.19.0. Total 19 releases in 463 days or 66 weeks, i.e. every 24.4 days.
JDK 11: Java SE 11 (LTS) September 25, 2018; 11.0.13+8 (GA), October 19th 2021. Total 13 releases (updates) in 1121 days, i.e. every 12.3 weeks or 86.2 days.
Go 1.16 released 2021-02-16; go1.16.14 released 2022-02-10. Total 14 updates in 360 days, i.e. every 26 days.
go1 (released 2012-03-28) -> go1.17 (released 2021-08-16): 17 major releases in 3429 days or 490 weeks.
MongoDB 5.0: 5.0.0 Jul 13, 2021; 5.0.6 January 31, 2022. Total 6 releases in 203 days or 29 weeks, i.e. every 4.8 weeks.
What is the way to solve this burning problem?
Agile and DevOps focused on value-flow
«An E-program is written to perform some real-world activity; how it should behave is strongly linked to the environment in which it runs, and such a program needs to adapt to varying requirements and circumstances in that environment»
“On understanding laws, evolution, and conservation in the large-program life cycle” Lehman M.M. - Journal of Systems and Software Vol. 1, 1979–1980, pp. 213-221
Today, I hope to convince you that we have serious problems in the way we patch and deploy applications, problems that we must address as an industry. At the core: a perfectly working application today is a huge risk tomorrow.
That’s why I speak of decay and rotting, because it is not a slow process. Wear, erosion, rust… they do not convey the urgency and work required to preserve from decay.
#1 unless you put it in a fridge or in a can, it starts smelling very soon
#2 those other processes require time, while rotting requires quick action to stop it
I am not sure how big an effort it is to fix processes and tools to cope with security-related problems (the ones this audience is acquainted with). Security is the main driver, although not the only one.
To change processes and invest in tools, we have to speak to leadership/executives using a simple but effective vocabulary, so I suggest using the word inflation to convey the idea and start a discussion.
As you may have guessed, this presentation is a bit visionary and high-level; I will talk about industry trends and process, not technology. For those interested in technology details, I recommend the sessions of my friends Michael Kaufmann and Matteo Emili.
Now you have a couple of minutes to switch if you are not interested.