The next meeting of Austin’s cloud computing trailblazers is next Tuesday, Sep. 21. Event details and signup are here. Some gentlemen from Opscode will be talking about cloud security, and then we’ll have our usual unconference-style discussions. If you haven’t, join the group mailing list! It’s free, you get fed, and you get to talk with other people actually working with cloud technologies.
Monthly Archives: September 2010
DevOps “From the Trenches” Report – HomeAway
We were out at HomeAway for a technical discussion, and DevOps reared its head as it does so frequently nowadays. In the context of talking about their preparation to scale up for their big Chevy Chase Super Bowl commercial, they were doing all kinds of stuff. One of the things they noted was that the traditional dev and ops headbutting changed due to the long hours of work they had to put in together. They tried going off and doing “their parts” separately – ops doing network, servers, load balancers, and hosting and developers doing coding, caching, tuning, and testing – but the time pressure, importance, and complexity of the project forced them together into a room, and once they started to collaborate they just stayed there, working in close proximity, for the duration. When asked about the big takeaways from the entire project, the developers noted that “Learning how everything interacts has changed how we build things” – for example, doing “pull the plug” fault testing has made for more resilient architectures and higher confidence and quality of life for both the dev and ops teams! They didn’t describe it as “DevOps,” but that’s what it boils down to.
The more I talk to other successful Austin tech companies – HomeAway, BazaarVoice, Pervasive – the more that I hear DevOps concepts mentioned as keys to their success – and they didn’t do them because they “wanted to do this cool DevOps thing,” but they did what was needed to succeed and it turns out that a part of that is bringing development and operational concerns together into a whole. It reminds me of the story behind the Visible Ops book, where the authors researched what high performing IT shops had in common and then realized those successful behaviors all mapped to certain ITIL areas (mainly change management). That is a compelling validation of its efficacy.
Anyway, I urged them to consider doing that presentation in public venues; it really was a great story and hit on many of the best practices that have been emerging from the ops and performance world over the last few years. They must be doing something right because they’re growing like gangbusters – if you want to take a vacation and rent someone else’s house/condo instead of going to a hotel, go try out homeaway.com!
DevOps Cafe Podcast
Damon Edwards and John Willis run the DevOps Cafe Podcast. It’s a great listen, and they have a lot of people on talking about exciting advances in the ops world (including Allspaw, John Kim, kaChing, Shopzilla). And for this last one, they interviewed me! Apparently we’re on the cutting edge of doing DevOps in a traditional type organization as opposed to a lil’ Web startup.
So if you want to hear me natter on about DevOps and the lessons I’ve learned over my career that have brought me to it for 40 minutes or so, here you go.
Application Security Conference in Austin, TX
I thought I would take this opportunity to invite the agile admin readers to LASCON. LASCON (Lonestar Application Security Conference) is happening in Austin, TX on October 29th, 2010. The conference is sponsored by OWASP (the Open Web App Security Project) and is an entire day of quality content on web app security. We’ll be there!
The speaker list is still in the works, but so far we have two presentations from this year’s BlackHat conference, several published authors, and the Director for Software Assurance in the National Cyber Security Division of the Department of Homeland Security just to name a few, and that’s only the preliminary round of acceptances.
Do you remember a few years ago when there was a worm going around MySpace that infected user profile pages at the rate of over one million in 20 hours? Yeah, the author of that worm is speaking at the conference. How can you beat that?
I have been planning this conference for a few months and am pretty excited about it. If you can make it to Austin on October 29th, we would love to meet you at LASCON.
DevOps and Security
I remember some complaints about DevOps from a couple folks (most notably Rational Survivability) saying “what about security! And networking! They’re excluded from DevOps!” Well, I think that in the agile collaboration world, people are only excluded to the extent that they refuse to work with the agile paradigm. Ops used to be “excluded” from agile, not because the devs hated them, but because the ops folks themselves didn’t willingly go collaborate with the devs and understand their process and work in that way. As an ops person, it was hard to go through the process of letting go of my niche of expertise and my comfortable waterfall process, but once I got closer to the devs, understood what they did, and refactored my work to happen in an agile manner, I was as welcome as anyone to the collaborative party, and voila – DevOps.
Frankly, the security and network arenas are less incorporated into the agile team because they don’t understand how to be (or in many cases, don’t want to be). I’ve done security work and work with a lot of InfoSec folks – we host the Austin OWASP chapter here at NI – and the average security person’s approach embodies most of what agile was created to remove from the development process. As with any technical niche there’s a lot of elitism and authoritarianism that doesn’t mesh well with agile.
But this week, I saw a great presentation at the Austin OWASP chapter by Andre Gironda (aka “dre”) called Application Assessments Reloaded that covered a lot of ground, but part of it was the first coherent statement I’ve seen about what agile security would look like. I especially like his term for the security person on the agile team – the “Security Buddy!” Who can not like their security buddy? They can hate the hell out of their “InfoSec Compliance Officer,” though.
Anyway, he has a bunch of controversial thoughts (he’s known for that) but the real breakthroughs are acknowledging the agile process, embedding a security “buddy” on the team, and leveraging existing unit test frameworks and QA behavior to perform security testing as well. I think it’s a great presentation, go check it out!