release engineering and rugged devops: an intersection?
TRANSCRIPT
RELEASE ENGINEERING & RUGGED DEVOPS:
AN INTERSECTION?
J. PAUL REED, RELEASE ENGINEERING APPROACHES
DEVOPS CONNECT AT RSA CONFERENCE
J. PAUL REED
• @jpaulreed on
• Host of The Ship Show, @shipshowpodcast on
• Principal Consultant, Release Engineering Approaches
• 15+ years build/release engineering experience
• Today: “A DevOps Consultant™”
@jpaulreed #RuggedDevOps
RELEASE ENGINEERING AND RUGGED DEVOPS:
HOW DO THEY INTERSECT?
I Don’t Know.
But there do seem to be some similarities…
RELENG & SECURITY PEOPLE ARE REALLY GOOD AT EXPLAINING WHAT WE DO AND WHY IT’S IMPORTANT
“Please explain to me: what exactly is SecOps?”
“What specific things should we do to get that ‘DevOps culture?’”
Okay, so maybe our explanations need some work…
RELENG AND SECURITY ARE OFTEN IGNORED IN THE VALUE STREAM
[Image labelled “DevOps” and “Sec”: @hijinksensue (via @petecheslock)]
EVERYONE ASSUMES RELEASE ENGINEERING AND SECURITY “JUST HAPPEN”
Totally nailing those non-functional requirements!
NO ONE SEEMS TO CARE WHAT WE DO… UNTIL THEY DO
And then they really, really care.
WE HAVE A BIT OF A NEGATIVE REPUTATION
“But you’re welcome to keep asking us…”
FUNDAMENTAL SHIFT FROM DOING THE THING™ TO BUILDING THINGS THAT DO THE THING™
Individuals performing release-critical tasks does not scale.
RELEASE ENGINEERING / SECURITY OPERATIONS SIMILARITY CHECKLIST
• We look… “a little off” to developers & the business™.
• We both can often be found shoveling DevOps Unicorn poop.
• Including our work in project plans/scoping/requirements: maybe?
• But when “it” breaks, suddenly: all eyes on us. Really angry eyes.
• We have a reputation for “No.”
• The nature of our roles is undergoing a fundamental shift.
• The industry is starting to “get it.”
How does Release Engineering impact/relate to/converge with Security?
Software Supply Chains
#ItsProbablyFine
[Chart via Josh Corman (@joshcorman): “w/many eyeballs, all bugs are???” Struts CVEs plotted by year (2005 to 2014) against CVSS score (1.0 to 10.0); annotation: “Latent 7-11 yrs”]
One vulnerable library in your product
is a security problem.
Multiple copies of a vulnerable library in your product
is a release engineering problem. — @jpaulreed
One vulnerable library in your product
is a security problem.
Multiple versions of a vulnerable library in your product
is a release engineering problem. — @jpaulreed
Looked like a security problem…
CONTINUOUS DELIVERY IMPACTS US BOTH
• Ability to ship quickly
• Increased shipping frequency
• Continuous Delivery brings (sometimes unwanted) visibility
• Offers the most promise for sustainably integrating our work
A FEW OTHER AREAS RELENG TOUCHES
• “Old-fashioned” software delivery mechanisms
• Artifact management
• The bold new world of containers
• Every versioning bikeshed ever
Because you thought versioning was a solved problem…
RELEASE ENGINEERING AND RUGGED DEVOPS:
HOW DO THEY INTERSECT?
Let’s Find Out.
J. PAUL REED
WWW.JPAULREED.COM @JPAULREED
WWW.RELEASE-APPROACHES.COM SIMPLY SHIP. EVERY TIME.
PHOTO CREDITS
• Slide 1: https://www.flickr.com/photos/midendian/257795245/
• Slide 3, 33: https://www.flickr.com/photos/midendian/454934149/
• Slide 5: https://www.flickr.com/photos/midendian/170775641/
• Slide 6, 7: https://www.facebook.com/disturbreality/videos/793643314013081/
• Slide 11: http://www.slideshare.net/petecheslock/do-datx-2015#5
• Slide 13: http://pak101.com/funnypictures/Animals/2011/2/7/donkey_in_air_wjhgb.jpg
• Slide 15: https://twitter.com/staypuft/status/702360332807839744
• Slide 17: https://twitter.com/jpaulreed/status/515558395878055936
• Slide 19: http://www.gulfsouthsolar.com/wp-content/uploads/Behind_curtain.jpg
• Slide 22: https://www.flickr.com/photos/halonfury/9939424685/
• Slide 23: http://www.nytimes.com/2012/08/22/realestate/commercial/a-650-million-expansion-of-port-newark-spurs-interest-in-its-environs.html
• Slide 26: http://www.slideshare.net/joshcorman/continuous-acceleration-devopsdaysaustin2015corman#37
• Slide 29: http://dealbook.nytimes.com/2012/08/02/knight-capital-says-trading-mishap-cost-it-440-million/
• Slide 32: https://twitter.com/bdha/status/672497700508594176
• Slide 35: https://www.flickr.com/photos/midendian/257796960/