Category: Organizations

DevOps = Libertarianism = DevOps = …

We are both very interested in DevOps and good development culture, and more recently, freedom and Libertarian principles.

We found some interesting similarities between the two. Both focus on individual responsibility and accountability, both have been compared to “self-organizing anarchy” or “chaos that works.” Both favor empowered, informed distributed decision-making over centralized decision-making – essentially, both advocate for moving the authority to make decisions as close to the data, as close to the situation, as possible.

An Introduction to DevOps

There is no perfect definition of DevOps, and there are a lot of debates about what is and what is not DevOps. However, here’s a definition that covers the major elements and purposes:

“DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.” – AWS

DevOps is a reaction to what came before it. In Big Design Up Front software development, every requirement and element of software was designed, then it was all built, then it was all tested, then someone else had to run it, in a one-way process that was brittle, slow, and had massive gaps in communication – and led to a lot of software failure. There were a lot of fingers being pointed. Central planners created plans, others had to live with them, even if they made no sense. Everybody had good intentions (mostly?), but they weren’t a team, they didn’t communicate, and they all worked towards their own goals that were not always the same.

In a DevOps model, there is shared understanding and two-way communication in a community of people tasked with the fruition of a shared goal: building working software. They each have some amount of the responsibility to design, create, validate, secure, and run that software.

DevOps seeks to maximize the ability of the team to execute on their goals in the way they see fit.

DevOps incorporates manufacturing cultural and process revolutions that occurred in the 1980s: a focus on products being produced that deliver value, rather than making individual steps in the journey efficient. Instead of localized success, the focus was shared, whole-team success, with success being defined as delivering a valuable product.

The end result is the removal of huge pain points in the software delivery process, leading to a massive improvement in software delivery efficiency. Many companies that build software are attempting to convert their processes and teams to DevOps, with some big successes, and also many lessons learned along the way.

“Culture change is hard.”
– everyone who’s ever done it, or lived through it

There are a lot of tools, technology, and architecture that make all of this easier to do now as compared to 20 years ago when we started doing software development. However, Josh’s first software project way back in the day was made up of 4 people who were empowered to make their own implementation decisions, and they had shared responsibility from design to running the software – so software development was really fast and efficient. This model pre-dates the technology innovations that have helped DevOps explode, but it worked even then.

An Introduction to Libertarianism

There are many definitions of Libertarianism (the first of many similarities to DevOps…), but here’s one that’s pretty solid:

“As Libertarians, we seek a world of liberty: a world in which all individuals are sovereign over their own lives and are not forced to sacrifice their values for the benefit of others.

We believe that respect for individual rights is the essential precondition for a free and prosperous world, that force and fraud must be banished from human relationships, and that only through freedom can peace and prosperity be realized.

Consequently, we defend each person’s right to engage in any activity that is peaceful and honest, and welcome the diversity that freedom brings. The world we seek to build is one where individuals are free to follow their own dreams in their own ways, without interference from government or any authoritarian power.”

Libertarian Party

Libertarianism has a lot of deep roots. The US Libertarian Party is pretty new as US political parties go, created only in 1971. It was created as people reacted to the government increasing its control over people’s lives, and out of the desire to remove that control. Libertarians are opposed to legal restrictions on marriage, legal restrictions on who can associate, legal restrictions on drug usage, and legal restrictions on individual property.

A tongue-in-cheek-but-not-really summary of Libertarianism is, “my political philosophy can be summarized thusly: I want gay married couples to be able to protect their marijuana plants with machine guns they bought with Bitcoin.” This is another, funny variation:
Is that too much to ask for? : Anarcho_Capitalism

The basic idea is that individuals are better at deciding about their lives than the government – that centralized control is not the optimal way to decide how people should behave, and, given this, the government causes more problems than it solves.

Examples of this include legalized slavery, legally requiring racist or discriminatory behavior, prohibitions on moral behavior such as drug use or usage of restricted medicines, wars of imperialism, police brutality, and putting businesses and their staff out of business with taxation. Generally, the government gets in people’s lives and makes a mess of things.

Said differently, Libertarians believe that governmental control backed by the threat of violence is fundamentally immoral. If you don’t pay your taxes or avoid smoking the wrong plant, the government will attempt to take you away from your family, life, and friends, and throw you in jail. If you resist going to jail, they can and may well shoot you. This is morally repugnant.

Libertarianism values individual consent over societal control.

Wouldn’t it be nice not to have to pay all of the taxes that fund foreign wars? To choose NOT to give the money that you earn for something that you don’t believe in? Think about what you could do with all that money. Wouldn’t it be nice not to fund corporate bailouts? That’s also a whole lot of money. And…that’s just the taxes you pay from your paycheck. Imagine if there were fewer restrictions (created by bureaucrats and lawyers) on every single product you buy – how many legal loopholes have to be navigated to set up those restrictions, and to maintain them. Guess who pays for all of that navigation? Spoiler alert, it’s you. Have you ever looked up what the price of a bottle of fine scotch would be if there were no taxes? Talk about depressing…

There is no perfect Libertarian system in place, but Libertarians have been working for years to legalize drugs, improve property rights, reduce government control, and reduce policing policies that harm individuals.

Similarities

Both philosophies believe that there is no perfect environment, and there is no control structure perfect and wise and knowledgeable enough to control things from afar. For a removed human control structure to work, people in control have to consistently and constantly behave selflessly and efficiently on behalf of everyone they represent, which…isn’t a thing humans are capable of. The expectation of that sets even the best people up for failure. There is no perfect world, but both systems believe that the right answer comes from individuals with the ability to choose for themselves, and communities who voluntarily agree to move towards a shared purpose.

Both systems believe that control should be pushed down to the individual.

Both systems arose from a struggle with the people in control, who want to tell people what to do and how to do it in ways that don’t make a lot of sense. Both systems struggle with the fight to separate from those control structures, and to give people the freedom to make choices.

Both systems struggle with getting people to trust that their model works, because it requires trust, and it also seems impossible.

However, the old systems don’t work, and both movements are growing as more people see that and yearn for something different.

Both systems have realized that while rules and laws don’t actually control behavior, clarity and freedom do help people make good decisions.

DevOps is the acknowledgement that centralized planning and control removes the agility and freedom to make good decisions as situations change, and that centralized control slows things down and gets in the way.

Libertarianism is the acknowledgement that centralized (government) control removes the flexibility and freedom of the individual to live their life and find their own joy and happiness, and that centralized government is a cure worse than the disease.

Differences

There are some critical differences between these two cultural phenomena. Government typically is more overbearing and uses fear much more than practitioners of Big Design Up Front software design. The government will tell you that you need them to be safe, that you need to be controlled because you can’t possibly control yourself – much like an awful, abusive, codependent ex. Government will tell you that they need to drop bombs on people in foreign countries, because violence to others…somehow, keeps you safe. Government will tell you that only they can keep you safe, and if you take measures to defend yourself, you’ll only hurt yourself – but if the government threatens or does violence to you, it’s for your own protection.

…JKLOL, it’s just more similarity.

Culture change is hard.

With DevOps, you affect how people do their jobs. You give responsibility to some people, and take it from others, moving it in general towards the people who are most affected, who are most directly involved in the subject at hand. Some people don’t like having less responsibility, not realizing that the end goal of any leader (and we all should be leaders) is to make yourself redundant, and then take up more valuable pursuits.

With Libertarianism, you affect how people live their lives. You give responsibility to people for how they live their individual lives, by giving them freedom to live as they see fit. You take responsibility away from centralized planners and government agents, who…again, generally, really don’t like having their power taken away.

So, basically, Libertarianism is DevOps writ large, with similar benefits and efficiencies, and similar challenges to overcome. Only…with higher stakes.

A Culture Change Example: Security

DevOps

One of the major concerns about DevOps involves security. If everyone is doing DevOps and design, development, testing, and running is flowing fast and efficiently, then the next bottleneck is often IT Security teams. No one told them the software would be built and delivered 100x faster, and that technology would move at about that rate as well, and that all of their security tests and processes would have to keep up.

However, some teams figured out that if they apply DevOps principles and processes to security, then delivered software can be even more secure, even while moving 100x faster. This revolution, adding security into the DevOps processes or maybe DevOps’ing security, is called “DevSecOps.” It involves even more culture change and even more trust, because security is not something to mess around with. But, for those that could navigate the cultural, process, and tool changes to get there, software was delivered faster, with less effort, and changes were released faster, while finding and fixing security problems equivalently fast. Turns out, doing things this way made security easier and more effective too.

Libertarianism

One of the major concerns about Libertarianism is, “if my abusive ex the government doesn’t protect me, who will?” This matters way more than IT security, because if someone steals your credit card number from a website, you can sort that out – but if you expect the police to come when someone’s robbing you, and they don’t, you could experience serious harm to property and self/family.

An unfortunate reality is that in most situations, the police merely arrive to take a report and perhaps do some investigating after the fact. They have no obligation or duty to protect you.

On the other hand, the criminals that people typically worry about the government keeping them safe from aren’t even in the same ballpark as the governments who kill their own people. For some ballpark numbers, approximately 20,000 people are murdered by individual criminals in the US per year. Author R.J. Rummel asserted in a 1997 book that government murdered 169,202,000 people in the 20th century – or an average of 169,202 people per year. Lest you say, “yeah but some of those people died as a result of war,” that number excludes wars. That’s just governments murdering their own people. From R.J. Rummel’s book, “this democide murdered 6 times more people than died in combat in all the foreign and internal wars of the century. Finally, given popular estimates of the dead in a major nuclear war, this total democide is as though such a war did occur, but with its dead spread over a century.”

We would also like to point out that most of this governmental murder occurred in states where the government had a massive monopoly on violence: heavily armed police vs. disarmed citizens. Somethin’ to think about as the current US government massively up-arms its police and passes laws to disarm its citizens.

Also check out The Monopoly on Violence, a fantastic documentary on this subject and also Libertarianism as a whole.

A wonderful thing about personal responsibility is if you have the freedom to defend yourself, you are always on the scene when you need defending. The cops may be ten minutes away, but you are always right there.

Security really matters. It can be kind of scary. But pretending that false security is real security, and choosing to abdicate all of your responsibility for your own security, is not the right answer – and it can be shattered when reality arrives.

Toward a more perfect culture

There is no perfect culture. There is only the path by which we pursue perfection, built on personal choice and continually striving to learn and implement better.

There is no perfect DevOps implementation, only people attempting to work together in a clearer, more transparent, agile way, with responsibility for success and decision making pushed to the same shoulders. Or…said another way…there is only the path by which we pursue perfection, built on personal choice and continually striving to learn and implement better… TADA!

There has not been a perfectly Libertarian society, once we realized that tribes could conquer each other. However, the cultural change that made DevOps successful can be applied to the larger culture: reduce centralized planning and control (and the expense thereof), eliminate centralized controls and monopolies on things societies need, and push freedom and responsibility onto the people who can accept it. Reducing laws that restrict important freedoms, such as decriminalizing drug use, and removing restrictions on marriages between consenting adults are examples of baby steps.

Conclusion

Both systems are “self-organized anarchy” and “chaos that works.” Both systems emphasize that the “best decisions are made on the ground,” and therefore we should “move the decision closest to the data.” Both systems emphasize freedom, and individual and community responsibility. We know freedom leads to massive innovation and adaptability and success, and we know centralized control leads to brittle, slow-changing, miserable culture.

There are no perfect systems of software development, or government. We know what doesn’t work (centralized control that requires perfect wisdom and selflessness), and we have some ideas about what does work. We know that the ability of people to choose their own adventure is hugely important, and that it seems to align with the things we’ve learned while trying to understand how to be a person, and a Christian. Seeing patterns like this, especially seeing the model seem to work on a smaller but still important scale, gives us hope that maybe it can work on a larger scale too.

We will continue to consider how these cultural movements compare, and attempt to apply lessons from one system to the other. We’ll keep you posted.

On Bullies

First, some history (and context!) from Laine…

I was overweight as a kid. Actually, I was overweight until I was in my mid-twenties, and then again for a while after I had my kids. But as a kid, in the 90s, it was an offense punishable by social ostracization. I was picked on throughout elementary school, to the point where I started calling myself fat so that other people wouldn’t do it first.

I moved at the end of 6th grade, to a much larger school. They mostly didn’t bully me for being overweight, but they did bully me for making out with my (female) best friend – which I did not, not that that matters aside from pissing me off even MORE about the sheer unfairness of it. I moved again at the end of 8th grade, to a smaller school, and found friends, and slipped into blessed nerd + “I’m in the school musical every year” semi-obscurity.

I dealt with one bully as a young adult, after I started my first job. I can see, looking back on it, that he probably felt threatened because, a) I was good at my job, b) I was on “his” project, and c) he perhaps felt like I was overstepping.

And then…no bullies. For a long time.

And then…more bullies showed up.

We’ve written about pieces of what happened at the church we were both members of. We have not written about what happened where we were formerly employed, out of (probably legitimate) fear of retaliation of some kind. But…suffice it to say that we’ve both run into a lot of bullies over the past few years. People we worked with, people we trusted. People we loved.

We try to explain a lot of patterns here. Patterns about fear and faith and hope and love, and how all of that comes together and applies to being a person. Patterns about how all of that scales to relationships (especially with God), and how it scales to and for organizations. A lot of these patterns, we figured out because…we lived them. We ran into really scared people trying to control what we did – and getting very very angry when we said no. That’s it. Just… no. We didn’t say, “you have to do what I say,” or “I’m going to make your life miserable for trying to tell me what to do.” Mostly we said, “please stop hurting us,” and “why are you trying to make me do something that I am sure is wrong?” and then eventually, just… no.

Sometimes “no” is a revolutionary act.

Decisions must be made…

Laine initially drafted this post in September of 2020. That’s actually the opposite of our usual process, typically we talk about things until it seems draft-able, then Josh does the initial draft. But this post began because Laine ran into a (comparatively mild) bully at work. And it brought back a lot of feelings about the other bullies we’ve recently run into, and a lot of sheer…exhaustion.

And then the election happened, and that brought with it more related feelings, and more exhaustion. And both the minor work bully and the election brought with them some clarity around what happens with bullies.

Bully (n): someone who does willful, targeted damage to other people in an effort to control them.

Because…bullies seem to win. The world actually seems to be structured for bullies – and for the control of other people. If you choose not to control other people, if you don’t play that game, if you flat-out refuse to play that game, then…you are an outlier. You stand out. You seem to invite bullies to take shots at you. But…that isn’t quite what happens.

Simply by existing, by living your life without controlling other people, you show the people around you that they too could choose not to control. You demonstrate, clearly, that another choice, a different choice, exists. This has the effect of forcing the bullies around you to choose if they will continue to bully – because some people behave this way because they don’t know another choice exists.

Bullies also force you to make a choice. Bullies force you to choose if you’re going to a) hide who you are in order to avoid the damage they might do, or b) very deliberately NOT hide, but instead choose that any damage is worth being yourself. As best as we’ve been able to figure out, bullies bully because they’re afraid they’re going to lose something that they think keeps them safe. Bullies need to control what they think keeps them safe so much that the people “in the way” become…dispensable.

So…if you’re the target of a bully, if you feel like your very existence invites bullies to take shots at you, then…that means that you’ve stumbled into the thing that they’re trying to hide away from the world – the thing they’re afraid they’ll lose. And it means that they don’t much like the fact that people exist who can’t be controlled into supporting their fears, and it means that they’re afraid that perhaps none of it was necessary at all.

It’s not your fault.

We’re going to say that one more time. It’s not. your. fault. We are emphasizing this because, again, it took us a long time to understand and accept it.

Mostly, with this post, we wanted to make something very clear – adult bullies exist. They exist anywhere that people exist, because people get scared, and sometimes those scared people end up with some kind of authority – real or imagined – over you and your life. This can be your boss, or your religious leader, or your government, or your significant other. Sometimes these people get SO scared that they forget entirely that you’re a person, and they just…want you to stop whatever you’re doing that seems to be a threat to them.

Regardless of what they say, it isn’t your fault. Bullies will tell you that it is, because they’re trying to convince you to change, and to hide, so that they feel more safe. You don’t have to do that. It’s scary not to, but…it is your choice. You can say no, and you can choose to be who you really are even if the bullies of the world don’t like it.

Sometimes “no” is a revolutionary act.

You won’t be alone.

The more we sort of…lean into this plan, the “be you and have fun” plan, the more we find other people who have figured this out. These people are some of the most truly supportive relationships that we have. So…while saying no to the bullies in your life, and choosing to be yourself, seems scary and like you’ll definitely be alone… you won’t. You will find your tribe, your people, your chosen family, and you will thrive. It’s worth it.

….aaand we’re back!

It’s been a long time since we blogged.

We’ve missed it. A lot. But…like our blog says, life is simple, not easy, and we’ve found that sometimes soul repair takes a lot of resources.

One thing we say in our talks is that transformational change starts with changes that individual people make in or for themselves. We think that’s probably always true, that large-scale change typically starts with individuals, and, meta, we’ve spent the time that we weren’t blogging working through a lot of stuff – stuff inside of our own souls and lives that needed to be processed, changed, and understood.

One major example of that is that we both got divorced. We each had to work through a lot – like a lot – of related feelings. Damage and scars, and…well, basically all of the feels. 

This is an accurate representation of what that process looked like:

Having a lot of feelings, thanks Mean Girls!

We both came to points in our marriages where they were too broken to proceed. Divorce is complicated, and figuring out life going forward is a lot of work.

But we’ve done a lot of that work (probably not all of it, wince), and, as often happens, it’s turned out better than either of us thought possible. We expect that we’ll probably write more on the topic of divorce, but if you have any questions about the process or just want someone to talk to, feel free to reach out – our contact info is all over the place. I (Josh) didn’t even see it as an option for a long time, and only when Laine decided to do it did I even realize that I didn’t have to be stuck forever.

We’re both still processing a lot of what happened there, but it seems relevant given the other cultural things we’ve experienced. We wrote and delivered a new talk called Not a Cultural Fit, and we each drew on our marriages to see and explain and double-check as valid the patterns that we discuss in that talk. In the end…sometimes people just don’t fit, and trying to grimly power through only makes everyone miserable. You can find a new job, and you can find someone, or some organization, who actually likes you instead of tolerates you. (oof)

Our plan for the blog is to get back in the swing of making content regularly, continuing with our opinions on stuff, and also things, and the observations that we have. Basically, we’re going to pivot again and always toward our favorite piece of advice, for everyone:

Be you, and have fun.

If you’ve stuck it out, waiting for us to come back, we really really appreciate it. If you’re new, hi! Either way…

BOOM, baby. We’re back. (The Emperor’s New Groove)

Tech Leader Summit and ArchConf 2019

Before we start the actual post, today is the blog’s 1st birthday! <3 (Our first post.) Thanks to anyone who has been reading, or anyone who will read in the future. We blog because we love it, and we appreciate…well, everything related to it.


Last month, we spoke at Tech Leader Summit and ArchConf, which are conferences from the No Fluff Just Stuff tour. We also spoke this summer at UberConf, which is on the same tour. We had an AMAZING time, and we wanted to record and share some of it for posterity.

Building Alliances – or, Why Security is Awesome

Time to Go Fast

We work with a lot of people who are implementing Continuous Delivery. We see that when various bumps and boulders get out of the way of delivering software stably and rapidly, there’s a strong push to go very very fast. When this happens, there are often barricades put up in the name of security – because traditionally speed and security have been considered enemies. Traditional enterprise IT security would say, you can’t possibly go fast in a safe way, 

Disorganized Religion

A long time ago (comparatively, time moves very oddly these days…), I (Laine) wrote this post about my experience thus far with the first church I’d ever regularly attended. Coming to Christianity as an adult has been…an experience. Especially as a strong, capable, independent, female (I wish it didn’t matter, but I’m not convinced it doesn’t) adult who is as committed to God as I know how to be.

See, the thing is, I came to Christianity as an adult – I did not come to faith as an adult. My faith is independent of any church, and my relationship with God is the oldest, strongest relationship I have.

Applications are Gold

We’ve talked previously about how developers drive organizational success: they deliver the applications by which companies deliver their competitive advantages. Because they are a way for companies to deliver products to customers, those delivered applications are critically valuable. Application development is a lot like extracting gold – it creates value out of raw resources.

Gold, wealth, needs to have some amount of protection.

What Happened at Capital One?

There have been many words written about the Capital One breach – but a lot of them didn’t explain what actually happened. We care a lot about security in general, and cloud security in specific, so Josh set out to find some words that did explain what happened:

The Krebs article might be the best for this. However, as far as we could tell, no one’s tackled it from a “what can enterprises learn from this?” standpoint, and…that’s what we really care about.

TL;DR: The Event

A hacker named Erratic, who was a former AWS employee, took the following actions:

  1. Owned the Web Application Firewall (WAF) on Capital One’s Amazon Web Services (AWS) Virtual Private Cloud (VPC)
  2. Used the credentials of the WAF to connect to other AWS resources in the VPC, including their storage objects (S3 Object Stores)
  3. Synced (copied) the object store to her own storage

“With this one trick, you can get 100M Credit Card Numbers! The secret THEY don’t want you to know!”
– Best ClickBait Ad Ever

ELI5: The Event

So…there’s a lot about the mechanics of this that’s unclear. But we can explain what seems to be widely accepted as fact. First, some definitions:

  • A Web Application Firewall (WAF) is basically an entry point into a system – it isn’t intended to be entry, though, it’s intended to be a layer of defense.
  • AWS is Amazon’s public cloud.
  • A virtual private cloud (VPC) is a cordoned-off part of a cloud – so, it was an area of AWS that was specifically for Capital One.

So…

  1. Somehow the hacker Erratic was able to log in to one of Capital One’s WAFs.
  2. From there, she got to their storage objects that represented information about people – specifically, people who had used the business credit card application…application. Overloaded words are the best!
  3. Finally, she copied those storage objects that represented people to her own area of AWS – like copying a file from someone else’s Google Drive into your Google Drive.

Questions Outstanding

…there are a lot.

It’s not clear how Erratic did #1, logging in to the WAF. The most likely answer is that the username/password was something not complicated enough – like maybe the default of admin/admin. But there are also other possibilities, and if Capital One has disclosed this piece, we couldn’t find it.

There are a few ways step #2 could have happened – the WAF could have already had access to all of the storage objects, or Erratic could have given the WAF direct access to the storage objects. The J Cole Morrison article above explained one possible scenario: Amazon IAM could have been used to take advantage of the fact that she was already in the WAF and then extended the default trust of “well, you’re in the WAF, so okay” – security people call this a “pivot”.

Step #3 is basically…copy/paste. There are probably some interesting nuances here, like…if she didn’t give the WAF authority to read the objects, why did the WAF have the authority? What business use case would require giving an access point read access to an entire store of customer data? Also she would have had to have given something access to write to her own AWS space, at least temporarily.
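The question above (why would an access point hold read access to an entire store of customer data?) can be checked mechanically before an incident. The following is an added example, not code from the original post, Capital One, or AWS: a small Python audit that flags IAM policy statements granting S3 read or list on whole buckets or on every bucket. The role names, bucket names, and policy documents are constructed for illustration.

```python
import fnmatch

# S3 actions that let a principal enumerate or read stored data.
S3_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _covers(pattern, action):
    """True if an IAM action pattern (may use * and ?) covers the action.
    IAM action names are matched case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_scope(resource):
    """Classify how much S3 data a Resource entry reaches."""
    if resource == "*":
        return "any-bucket"
    if not resource.startswith(S3_ARN_PREFIX):
        return None  # not an S3 resource
    bucket, _, key = resource[len(S3_ARN_PREFIX):].partition("/")
    if "*" in bucket or "?" in bucket:
        return "any-bucket"
    if key in ("", "*"):
        return "whole-bucket"
    return "prefix"  # limited to a key prefix or a single object


def audit_policy(role_name, policy):
    """Return findings for Allow statements that grant S3 read/list broadly.
    Explicit Deny statements and conditions are not evaluated here, so a
    finding means 'review this', not 'this is exploitable'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            # Allow + NotAction/NotResource grants everything except the list.
            findings.append({"role": role_name, "sid": sid,
                             "scope": "manual-review", "resource": None,
                             "actions": []})
            continue
        patterns = _as_list(stmt.get("Action"))
        read = sorted(a for a in S3_READ_ACTIONS
                      if any(_covers(p, a) for p in patterns))
        if not read:
            continue
        for res in _as_list(stmt.get("Resource")):
            scope = resource_scope(res)
            if scope in ("any-bucket", "whole-bucket"):
                findings.append({"role": role_name, "sid": sid, "scope": scope,
                                 "resource": res, "actions": read})
    return findings


# --- Constructed sample policies (not taken from any real account) ---
WAF_ROLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Sid": "S3Everything", "Effect": "Allow",
     "Action": "s3:*", "Resource": "*"},
]}

WAF_ROLE_BUCKET = {"Version": "2012-10-17", "Statement": {
    "Sid": "ReadApplications", "Effect": "Allow", "Action": ["S3:Get*"],
    "Resource": ["arn:aws:s3:::example-card-applications/*"],
}}

WAF_ROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WriteOwnLogs", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-waf-logs/waf/*"},
    {"Sid": "ReadRuleset", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-waf-config/rules/*"},
]}

if __name__ == "__main__":
    for name, doc in [("waf-broad", WAF_ROLE_BROAD),
                      ("waf-bucket", WAF_ROLE_BUCKET),
                      ("waf-scoped", WAF_ROLE_SCOPED)]:
        results = audit_policy(name, doc)
        print(name, "->", results if results else "no broad S3 read grants")
```

Only the scoped role passes cleanly: it can write its own logs and read its own ruleset prefix, which is all a WAF plausibly needs from S3.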

The Pain: $100M-$150M

The Capital One press release stated that this incident will “generate incremental costs of approximately $100 to $150 million in 2019.” Capital One was one of the earliest companies to go to AWS/the cloud, and they made a lot of noise about it – here, and here. Explaining technology success is one of our favorite things, but there are trade-offs if you could otherwise manage to keep your backing infrastructure a secret.

This has led to egg on AWS’s and Capital One’s faces, which is unfortunate, because this really doesn’t have much to specifically do with AWS or clouds in general….

…or does it?
– Not Intended to be ClickBait

Clouds in General

This isn’t the first AWS data breach (see end of the blog for a list of others). The list is not small, unfortunately.

Please raise your hand if you are sure you haven’t been hacked?

We’re gonna say this is partially because AWS is the biggest, been around the longest, and had to figure out hyperscale stuffs without anyone to copy from because they were the first.

But still… yikes.

A big part of this is that Amazon makes things super easy. So easy a caveman could do it, right? And…that’s the trick. It’s super easy to type in a credit card (or even an AWS gift card, I (Josh) have one they gave out at a trade show) and spin up some storage and compute. Unfortunately, it isn’t super easy to spin up security tailored to clouds.

We used to have to wait for infrastructure teams in our data centers to (hopefully) handle the security for us. They’d put your request in a queue, and get to it a week later…then they’d ask the storage admins and VM admins for some data and some compute, and that request would go into a queue…and then, several steps later, the firewall admins would get involved…but doggone it, eventually the pros would secure things like they were trained.

VM-based infrastructure has been around a long time, and the kinks have been worked out. Cloud infrastructure is newer, and exponentially faster to use – that’s one of the biggest appeals. Unfortunately, because it’s newer and because it’s so fast, kinks still exist – and one of the biggest is how to make it secure without slowing down the people using it.

Clouds are not all insecure, the sky is not falling – but they do require more deliberate attention to security than perhaps we’re used to in most of IT.

Takeaways and Recommendations

With Infrastructure as a Service that’s as fast and easy as cloud-based, it’s clear that there are often times when the right security-aware folks are not involved. It’s extremely easy to get going with platforms like these, which is…kind of the point. Simply put, you can get insecure systems faster and easier than you can get secure systems – for now, anyway. The industry knows this, and is trying to make it better.

Until security catches up to the speed of IaaS, companies need people who can secure their systems to be involved in setting up new platforms, and setting up best practices for their use. The balance point of that is not removing too much of the speed and agility gains of advances like IaaS because of security – ideally security should be something that everyone agrees is worth the trade.

So…after all of that, here are some recommendations:

  1. Single layers of security are not enough. You need Defense in Depth, and vital areas like customer data need to be strongly protected regardless of the platform trying to access them.
  2. Security practices and implementations should be transparent, at least within a company, and questions should be welcomed and encouraged. Open culture helps with security, too.
  3. Security should be automated as much as possible, and that automation should also be transparent (infrastructure as code).
  4. Enterprises need to choose platforms that are secure, that have people dedicated to the security of that platform as their job.
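An added example, not from the original post and not Capital One's configuration: one way to automate the open question from step #3 (why would a WAF role be able to read an entire data store?) as a transparent, repeatable check, in the spirit of recommendations 1 and 3. The policy JSON, the role and the bucket name are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: policy attached to a hypothetical WAF instance role.
WAF_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:Get*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "logs:PutLogEvents",
   "Resource": "arn:aws:logs:*:*:log-group:/waf/*"},
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-waf-config/*"}
 ]}
""")

# S3 actions that enumerate or read stored data.
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")

def as_list(value):
    """IAM allows a single string/object or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants(pattern, action):
    """IAM action names are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def unscoped(resource):
    """True when the resource is every resource or every bucket."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")

def audit_policy(policy):
    """Return Allow statements that give S3 data access without naming a bucket.

    This is a lint, not a policy evaluator: Deny statements, conditions and
    permission boundaries are not considered.
    """
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Allow-everything-except is broad by construction; review by hand.
            findings.append({"statement": index, "reason": "NotAction/NotResource"})
            continue
        actions = sorted(a for a in DATA_ACTIONS
                         if any(grants(p, a) for p in as_list(stmt.get("Action"))))
        resources = [r for r in as_list(stmt.get("Resource")) if unscoped(r)]
        if actions and resources:
            findings.append({"statement": index, "reason": "broad S3 read",
                             "actions": actions, "resources": resources})
    return findings
```

Calling `audit_policy(WAF_ROLE_POLICY)` flags only the first statement; the logging statement and the read scoped to a single named bucket pass.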

Other AWS Data Breaches

We’re on Hiatus for a bit – but for a REALLY GOOD REASON.


We really love this blog. We started it almost exactly 6 months ago and it means a ton to both of us. We started with two posts a week – and then Josh started a new job. We downshifted to one post a week – and then Laine got a new job. We’ve managed to keep on keepin’ on at one post a week since then, which… well, we really love this blog.

One of the first things we ever did that made us sit up and realize that maybe we made a seriously effective team was give a nerd presentation – we talked about feature toggles as an architectural concept. A few months after that, we went to UberConf in Denver. That was Laine’s first IT conference, and we had a blast. That’s a pretty good “God does stuff everywhere” story, which we should probably tell at some point…

After that conference, as we adjusted back to normal life, we talked about how seriously amazingly cool it would be to give nerd presentations at a nerd conference of that level – national, and with nerd-famous people like Mark Richards and Neal Ford. (Josh definitely fanboy’d when Mark Richards included him in a demo in a presentation.) We also befriended one of the speakers on the tour, who lives nowhere near us. We filed away the plan to some day speak at national nerd conferences in general, and at UberConf specifically, in the “haha, sure, that might happen some day” file.

We called this a goal, but…it was a dream. It was a dream in the way that little kids gleefully dream about being an astronaut when they grow up.

Laine was off work for 6 months. Again, another story for another time. But while she was off work, we started to apply to speak at conferences. Josh’s new job was friendly to the idea, Laine had no job, it was something to think about, so…we sort of figured why not.

We applied to speak at O’Reilly’s Open Source & Software Convention (OSCON), which was having a themed Inner Source day this year. Once Laine understood what on Earth “inner source” meant, we were sort of like, “hey it is us and one of the things we love the most!!” We submitted two talks.

We also started conversations about getting onto a No Fluff Just Stuff stop, semi-local – NFJS organizes UberConf along with a lot of other regional conferences, all throughout the year. The other major conference they organize is ArchConf, in December – which was also on our Nerd/Astronaut Dreams Bucket List.

And then, on a Friday afternoon, we found out the following:

  1. One of our talks was accepted for OSCON.
  2. One of the speakers for UberConf had to drop out, there were some spots open, and we could have them if we wanted.
  3. We were also officially in for Tech Leader Summit and ArchConf.

God does weird, wonderful, lavish, unexpectedly awesome stuff

…you mentioned a hiatus?

Yes! We did.

OSCON and UberConf are the same week, the week of July 15th. We got lucky (jklol pretty sure it was God doing more awesome stuff) and our talk at OSCON is that Tuesday, and our talks (4!!) at UberConf are Wednesday and Friday. So…we decided to do both conferences.

J: Should we do both?
L: Are we really crazy enough to try that? :thinking:
Us: Yep!!

We’re getting ready for those talks now. We are both extremely dedicated, prolific workers, but even we have limits. We have several posts in varying stages of done, but the kinds of things we write require focus and attention and time and soul – and we pretty much only know how to make any content we produce in that same way.

“A man’s got to know his limitations.” – Harry Callahan, Magnum Force

We will be back. We have so many thoughts and feels and did we mention we love this blog?

Logistics

These are the descriptions and scheduling of our talks:

Please come say hello if you’ll be at either OSCON or UberConf. (If you are not attending and would like to, we have discount codes!) We love these topics, we love talking about them, and we are so stupid excited to be doing this.

Also, we will have stickers. We bought binders for them and everything. 

Developers Drive Organizational Success


Developers are a huge part of organizational success. Way back in 2013, Stephen O’Grady said that developers are “kingmakers” – so this idea is not new.

As a society, we’re increasingly connected – to each other, and to the businesses we choose. Those connections, and those businesses, run on software. We’ve moved to hitting a website or using an app to do business instead of picking up the phone – and even if we call a company, the person we’re talking to is definitely using software on our behalf.

Pikachu, I choose YOU.

We said that we’re more connected to the businesses we choose – and we do have significantly more choice about which businesses we use. The business’s software is part of how we make that choice – if it’s engaging and easy to understand and use, then working with the business as a customer is easier. If working with a company is easier, we’re more likely to go back. If, on the other hand, the website or app doesn’t work, or it’s confusing, we’re more likely to use one of the many alternatives that the internet allows for. Basically…

Customer service is characterized, facilitated, and proven by a company’s software.

Software driving a business’s success is also not a new idea – in fact, it’s the core concept behind the ideas of digital transformation and digital disruption. If we accept that it’s true, the next thing to consider is how to make software successful.

Software’s success is determined by how well it’s designed, built, and maintained. Great software can’t be built by mediocre developers using mediocre architecture, running on and designed for mediocre platforms. So…that means that businesses really need to know, “how do we enable our people to create amazing and engaging software?”

Software drives a business’s success – and software’s success is driven by how well it’s designed, built, and maintained.

How to Enable Developers – Technology

Enabling via Architecture

What do developers need to be successful? Well…they need several things, but first they need to understand the rules of the software they’re building: what is it intended to do? How does it communicate with other software? What APIs and services are available? Where is data permanently stored? What languages can it be written in?

These questions are all architecture. The answers should be clear and consistent, and they should allow for flexibility in implementation. They should also allow for development speed and developer familiarity – usually by using modern, standard technology with lots of community support.

Open source technology is usually the best for enabling happy developers. The communities around open source development are strong, and they’re full of skilled, passionate people who love the technology they’re contributing to – and they contribute to technology that they would love to use. Spring (Java framework), NodeJS (JavaScript run time environment), Ruby (general purpose, object-oriented programming language, like C++ and Java), MongoDB (document database), and Kafka (pub/sub messaging) are all examples of great open source architecture ingredients that developers actually like to use.

Enabling via Tools

Developers need to know what tools are at their disposal to develop, test, and run their software. They also need those tools to be kept up to date – via updates, or via new tools that accomplish what they need better, faster, or less painfully.

They need an IDE they understand – and enjoy using (we like IntelliJ, but nerd tools are something like holy flame wars, so…you do you. Laine quite happily made entire web pages in Notepad++ as a teenager, soooo…). Think about your office, or the primary tool you use to do your job – that’s an IDE for a developer. It needs to be comfortable.

They need code repositories (Git-based, Bitbucket is great), and security scanning (SonarQube, and a dependency scanner), and test automation, ideally built in as early in the process of development as possible. They need fast build tools so they aren’t forced to stop everything and wait in order to even see if a change works (Maven, or Gradle), and automation where and how it makes sense, for builds, or deployment, or…whatever (Jenkins, or Ansible).

They need a good platform on which to run their software, ideally one that gives them the ability to self-serve…well, servers, so they don’t have to wait a week or a month or even a day to move forward once their code is ready (OpenShift).

Enabling Developers – Culture

Enabling via Processes

Confusing release processes, slow purchase processes, unclear approval processes for free tools – these are all processes that choke innovation, and worse, choke a developer’s ability to even execute. To enable developers, a business actually wants them to have some freedom to stretch out – to use their skills, and to discover new skills.

Independent of IT processes, there are also HR processes – like rules that dictate many hours must be worked, or rules that don’t “count” any work done from anywhere other than on site. IT is an art, not a formula – IT brains are constantly designing and adapting and connecting information – and then refining those designs, adaptations, and connections. Expecting, and behaving as though, X developers = Y lines of code, and Y lines of code = Z business priorities delivered causes pain and actually slows developers down.

IT is an art, not a formula.

So…there are bad processes that, if stopped or lessened or sometimes just explained, will enable developers. There are also good processes – giving them a comfortable means to communicate with each other (Slack! <3), or encouraging easy ways to learn and grow and try things without repercussions.

Enabling via Support

Application developers need support – people backing them up and fighting for them, and supporting the tools they need to do their jobs in the least painful way possible. They need Architects setting architecture standards, and making sure that people talk to each other and agree about how all of the software into, out of, and within a company will interact. They need Platform Architects (sometimes called Enterprise Architects or Infrastructure Architects) setting up their platforms and making sure their apps run, and giving them access to get clear, fast feedback about their applications from those platforms.

They need people who will cut through any cultural red tape to get them the information and tools and good processes that they need. They need HR managers who support their career and their personal and professional growth. They need technical leadership who teach and advocate – new architecture patterns, how to actually use new tools, what works and definitely does NOT work between teams and in other companies. They need people explaining how to use the tools provided and giving them permission to adapt the “how” in such a way that the tool is not onerous.

They also need each other – people who are native speakers of their language, who are trying to accomplish roughly the same things in the same ways with the same barriers.

Teams Drive Organizational Success

Developers drive organizational success, but they need teams around them – supporting them, and fighting for the processes and tools that will help them be successful.

A healthy ecosystem is vitally important to developer success.

So…it isn’t actually just developers who drive organizational success – it’s teams. Teams centered around development, and enabling that development, but…definitely teams.

Successful businesses have successful software. Successful software is made by enabled developers. However, the truth of the matter is that because we are all so connected, no one exists in a vacuum. Developers need architects, and infrastructure people, and leadership (HR and technical, along with vision setters and vision communicators), and cutters of red tape, and purchasers of tools, and each other to truly be successful.