release engineering and rugged devops: an intersection?

Post on 15-Apr-2017

RELEASE ENGINEERING & RUGGED DEVOPS: AN INTERSECTION?

J. PAUL REED

RELEASE ENGINEERING APPROACHES

DEVOPS CONNECT AT RSA CONFERENCE

J. PAUL REED

• @jpaulreed on

• Host of The Ship Show, @shipshowpodcast on

• Principal Consultant, Release Engineering Approaches

• 15+ years build/release engineering experience

• Today: “A DevOps Consultant™”

@jpaulreed #RuggedDevOps

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

I Don’t Know.

But there do seem to be some similarities…

RELENG & SECURITY PEOPLE ARE REALLY GOOD AT EXPLAINING WHAT WE DO AND WHY IT’S IMPORTANT

“Please explain to me: what exactly is SecOps?”

“What specific things should we do to get that ‘DevOps culture?’”

Okay, so maybe our explanations need some work…

RELENG AND SECURITY ARE OFTEN IGNORED IN THE VALUE STREAM

[Image labelled “DevOps” and “Sec”: @hijinksensue, via @petecheslock]

EVERYONE ASSUMES RELEASE ENGINEERING AND SECURITY “JUST HAPPEN”

Totally nailing those non-functional requirements!

NO ONE SEEMS TO CARE WHAT WE DO… UNTIL THEY DO

And then they really, really care.

WE HAVE A BIT OF A NEGATIVE REPUTATION

“But you’re welcome to keep asking us…”

FUNDAMENTAL SHIFT FROM DOING THE THING™ TO BUILDING THINGS THAT DO THE THING™

Individuals performing release-critical tasks does not scale.

RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST

• We look… “a little off” to developers & the business™.

• We both can often be found shoveling DevOps Unicorn poop.

• Including our work in project plans/scoping/requirements: maybe?

• But when “it” breaks, suddenly: all eyes on us. Really angry eyes.

• We have a reputation for “No.”

• The nature of our roles is undergoing a fundamental shift.

• The industry is starting to “get it.”

How does Release Engineering impact / relate to / converge with Security?

Software Supply Chains

#ItsProbablyFine

[Chart, via Josh Corman (@joshcorman): “w/many eyeballs, all bugs are???” Struts CVEs plotted by year (2005 to 2014) against CVSS score (1.0 to 10.0); annotation: “Latent 7-11 yrs”]

One vulnerable library in your product is a security problem.

Multiple copies of a vulnerable library in your product is a release engineering problem. — @jpaulreed

One vulnerable library in your product is a security problem.

Multiple versions of a vulnerable library in your product is a release engineering problem. — @jpaulreed

Looked like a security problem…

CONTINUOUS DELIVERY IMPACTS US BOTH

• Ability to ship quickly

• Increased shipping frequency

• Continuous Delivery brings (sometimes unwanted) visibility

• Offers the most promise for sustainably integrating our work

A FEW OTHER AREAS RELENG TOUCHES

• “Old-fashioned” software delivery mechanisms

• Artifact management

• The bold new world of containers

• Every versioning bikeshed ever

Because you thought versioning was a solved problem…

RELEASE ENGINEERING AND RUGGED DEVOPS: HOW DO THEY INTERSECT?

Let’s Find Out.

J. PAUL REED

WWW.JPAULREED.COM @JPAULREED

WWW.RELEASE-APPROACHES.COM SIMPLY SHIP. EVERY TIME.

PHOTO CREDITS

• Slide 1: https://www.flickr.com/photos/midendian/257795245/

• Slide 3, 33: https://www.flickr.com/photos/midendian/454934149/

• Slide 5: https://www.flickr.com/photos/midendian/170775641/

• Slide 6, 7: https://www.facebook.com/disturbreality/videos/793643314013081/

• Slide 11: http://www.slideshare.net/petecheslock/do-datx-2015#5

• Slide 13: http://pak101.com/funnypictures/Animals/2011/2/7/donkey_in_air_wjhgb.jpg

• Slide 15: https://twitter.com/staypuft/status/702360332807839744

• Slide 17: https://twitter.com/jpaulreed/status/515558395878055936

• Slide 19: http://www.gulfsouthsolar.com/wp-content/uploads/Behind_curtain.jpg

• Slide 22: https://www.flickr.com/photos/halonfury/9939424685/

• Slide 23: http://www.nytimes.com/2012/08/22/realestate/commercial/a-650-million-expansion-of-port-newark-spurs-interest-in-its-environs.html

• Slide 26: http://www.slideshare.net/joshcorman/continuous-acceleration-devopsdaysaustin2015corman#37

• Slide 29: http://dealbook.nytimes.com/2012/08/02/knight-capital-says-trading-mishap-cost-it-440-million/

• Slide 32: https://twitter.com/bdha/status/672497700508594176

• Slide 35: https://www.flickr.com/photos/midendian/257796960/
