Velocity NY Speaker Preview: Ty Sbano

Photo by Billy Onjea, Courtesy of StockSnap.io

— This is Part 4 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.

For a long time, the relationship between security professionals and developers was pretty contentious and maybe even a little adversarial.

Developers would spend a bunch of time writing code before pushing it to a staging area only to have security tell them it can’t be deployed. Both parties had the best interest of their organization in mind, but there had to be a better way for them to get along.

Security expert Ty Sbano says the onset of Continuous Integration/Continuous Delivery (CI/CD) and the DevOps revolution has changed that relationship for the better, at least in his experience.

“Security needs to be empowering the business,” Sbano said. “DevOpsSec is one of the patterns that enables the automation and the transparency to give businesses what they deserve and need. That’s the ability to quickly deliver better service to our customers.”

Sbano will be presenting “Security with the Speed of Continuous Delivery” alongside Tapabrata Pal Oct. 12 at Velocity NY. In the talk, they’ll tackle how security fits into the CD cycle and share experiences from their time within Financial Services.

The old method of infosec was certifying every piece of code before deployment, or creating “security gates,” as Sbano put it. Having hard security gates with sign-off for all code is just not realistic in a CI/CD cycle, but he said the dissipation of gates is a good thing.

Sbano’s point is that if a bug is released in a software update now, it might only be out there for a few days, maybe even a few hours. Before, a security vulnerability might not be caught for 18 months, which would obviously be a much bigger problem.

And Sbano said security through CI/CD and DevOps can strengthen the cohesiveness of the infosec and development teams.

“If we’re continuously identifying bugs through automation and manual security techniques, we can move forward quickly by addressing technical debt through the speed enabled by Continuous Delivery,” Sbano said. “Because of our partnership with development and architecture, we’re fixing bugs at a faster rate because we have the opportunity and the resources. That’s created a better partnership to achieve high-quality code. If there is ever a show-stopping vulnerability, DevOps enables us to roll back or remediate quickly. Everyone wins together.”

Focus on the problem, then find the tools

Even though Sbano and Pal will be sharing their experiences from Capital One and other past roles, Sbano was quick to point out that this talk won’t be specifically about the tools they used. It’s more about the ideas that got their security and development teams working in concert and efficiently deploying new software and updates.

“I’m going to be vendor agnostic,” Sbano said. “The goal is really around education. What are you going to do with static analysis? What are you going to do with that manual penetration testing? How do you wrap all that stuff together?”

Sbano also said he and Pal won’t be looking to “change anyone’s mind” on security’s role in CI/CD or persuade them to adopt their line of thinking. The main goal of the presentation is to share their experiences: What’s worked, what’s failed and what they did to pivot after failing.

Security is cool — seriously

Now that the relationship between developers and infosec is strengthening through CI/CD, Sbano said security doesn’t have to be viewed as an albatross for companies to carry.

“There are really good models and examples when it comes to training and the mindset of security in your organization,” Sbano said. “Security is becoming pretty cool. People are thinking more about it.”

Part of people thinking more about it has been the rise in security-focused talks at conferences such as Velocity, Sbano said. While the conference has historically focused on web performance and development practices, the community has embraced infosec’s role in efficient web development and innovation.

“Velocity is highly regarded,” Sbano said. “It’s my first time going a little out of the security world to speak at a conference, but a lot of people have told me that Velocity is a great place to do it, and I’m excited.”

— Attend this session and many more at Velocity NY. Use this coupon code — RAGNAR20 — for 20 percent off your pass.

Contact us anytime on Twitter, Facebook or LinkedIn and let us know if you’re attending Velocity. We’re always happy to meet up and chat.


Velocity NY Speaker Preview: Blackrock 3 Partners

Photo by Anthony Delanoix, Courtesy of StockSnap.io

— This is Part 3 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.

“It was impossible to get regular work done because we were running around putting out fires all day.”

Does that sound familiar?

When it comes to your website, app, API, SaaS product or infrastructure, a minor problem can turn into a major crisis very quickly, and that can hurt your reputation with customers and cost you time and money.

That’s why Blackrock 3 Partners, a team made up of firefighters and technology professionals, are coming to Velocity NY to teach you the finer points of incident management.

In their tutorial, Incident Management for DevOps, Rob Schnepp, Ron Vidal and Chris Hawley will demonstrate the parallels between putting out a five-alarm fire in an apartment building and responding to a data breach.

“There’s a lot of interest in how the fire service does business because we look organized and it works,” said Schnepp. “But there’s a mystique about it because not everyone understands how organized and structured it really is.”

Blackrock 3 uses terms like “Peacetime vs. Wartime” communication and operations, “war games in production” and other phrases traditionally used by the military.

That’s not because a crashed server is equivalent to a person being seriously injured in battle, but because handling adverse conditions is a skill that can be learned, practiced and fine-tuned.

The team at Blackrock 3 stresses that software companies can create an ecosystem to respond to emergencies, minimize impact and learn from those experiences. That includes setting strategies for immediate response, practicing how to start correcting problems in the middle of the crisis and designating an “incident commander.”

In order to do that, Blackrock 3 often goes to their “war games in production” strategy with their clients, which can be surprising to some.

“There are times where we go in to work with a company and plan to break stuff on purpose,” said Vidal. “Sometimes people are taken aback by that at first, but how else can you prepare for the randomness of the world unless you really have to solve a problem under some level of pressure?”

After an incident has been controlled and resolved, Blackrock 3 puts a heavy focus on thorough after-action reviews, commonly known as “post mortems.” Emergency services have a structured plan for post mortems, too, which is another practice Blackrock 3 is bringing to its partners.

“Post mortems almost always focus on the technology aspect of a problem,” said Schnepp. “They rarely evaluate the human response and how to make that better.”

Blackrock 3 suggests striving for honest, blame-free after action reviews that analyze people’s thought process and logic during a crisis and how future training can improve responses moving forward.

While people normally wouldn’t think the fire department or other emergency services have much in common with technology companies on the surface, Schnepp and Vidal said startup founders, CTOs and everyone they’ve worked with “gets it” from the beginning.

“The same management tactics people use on oil spills can work in the tech business,” said Schnepp. “It’s not a magical formula, but the results are magical.”

Check out Blackrock 3’s Book

The team’s vast experience responding to a wide range of catastrophic events not only led them to form Blackrock 3, but also to author their recent book, Incident Management for Operations, published by O’Reilly Media.

— Attend Blackrock 3 Partners’ tutorial and much more at Velocity NY. Use this coupon code — RAGNAR20 — for 20 percent off your pass.


Discounted Ticket to Velocity NY + A Free Load Impact Shirt

While conferences and events are one of the most fun parts of our job, we know buying passes for dozens of events each year can be costly.


Velocity NY: A Gratuitously Early Preview

Velocity NY is 75 days away, and we’re already super excited to meet the attendees, presenters and sponsors.

So, here’s a gratuitously early preview of a few presentations that are sure to be awesome.

HTTP/2 vs. HTTP/1.1: A Performance Analysis

HTTP/2 is on its way, and developers, ops, testers, QA and (of course) DevOps need to be ready for it.

This presentation focuses on the results of a study by Load Impact founder Ragnar Lönn alongside curl and libcurl founder Daniel Stenberg.

The Swedish duo’s study measures the performance impact of HTTP/2 and how user experience will differ between the two protocols.

And as a special treat for the audience, Lönn and Stenberg will be unveiling a free tool that shows how any existing website will behave on HTTP/2.

The Chronicles of the Lion

While this presentation is the early front-runner for our favorite title of a talk, the substance is pretty great, too.

ING, the largest retail bank in the Netherlands, recently pivoted its development strategy to the DevOps methodology — and now they’re onto another step in evolving their software strategy — citing the popular Spotify model.

Presenters Ingrid Algra and Jan-Joust Bouwman are two IT leaders at ING who are helping implement the change in the massive bank.

Perhaps the best part of the presentation is that ING’s transition to this development strategy only started in April, so the findings will be fresh. Also, it’s important to consider they likely submitted this abstract to Velocity before making the change — which is a pretty confident move considering gigantic organizational changes are never easy!

Canary in the Coal Mine: Introducing a Deployment Process to the Enterprise

While DevOps and Continuous Delivery have been around for a while, many larger, more traditional companies are just now changing their software development strategy.

It’s been said many times that all companies are basically becoming software companies, and transitioning to agile and DevOps is the next wave of that evolution.

In this talk, Daniel Lockhart of Verizon Digital Media Services will lay out the old way of software deployment and describe the challenges he faced when implementing new processes at Verizon.


Velocity 2015 in Santa Clara: Highlights

(Photo Courtesy of O'Reilly Conferences Flickr)

We love what we do, and there’s nothing better than engaging with hundreds of like-minded people at a conference.

Velocity 2015, in beautiful Santa Clara, Calif., served as another reminder that not only are we in the right business, but we’re in a competitive space surrounded by brilliant professionals who genuinely care about making the Internet a better place for everyone.

After a weekend to think about all the great stuff we saw, here are a few highlights.

Securing Organizations through Bad Behavior

Speaker: Laura Bell, CEO of SafeStack

Overview: This talk challenged the audience to think like a hacker with bad intentions. What better way to secure your organization than to think about what you would want to steal, whether that’s money, information, etc.?

We highly recommend you watch this presentation because not only is it incredibly thoughtful and informative, but we think you’ll really enjoy Laura’s style and delivery.

Putting Web Performance Best Practices Together

Speaker: Chris Love of Love2Dev

Overview: In this 90-minute session, Chris covered the best practices in web performance optimization for single-page applications, which included info from his appropriately named book.

The presentation held the attention of a packed ballroom that seated at least 300 people, and even included a large group of standing-room-only spectators.

Chris also provided one of Velocity’s most impactful visual highlights — a slide claiming "the web is obese" with some interesting statistics on the average website. Although, there might be something else in the picture that grabbed people’s attention.

DevOps Kung Fu for Everyone

Speaker: Adam Jacob, CTO of Chef

Overview: While Chef was at the forefront of the DevOps movement, Adam’s presentation was about how the methodology doesn’t really “belong” to anyone in particular. In fact, plenty of companies are now moving to DevOps, and it’s fair to say no two processes look the same.

Here’s Adam giving this presentation at ChefCon earlier this year. The information is great, and it’s definitely worth watching for a well-placed Dave Chappelle/Wu Tang Clan reference in the middle.

API Marketing

Speaker: Vanessa Meyer, Marketing Director at Load Impact

Overview: And last, but certainly not least, Load Impact’s Vanessa Meyer owned the main stage and talked about using APIs as a marketing tactic.

Vanessa taught attendees how in some cases an API is a company’s core product, and in other cases a company’s API can be used as an effective growth hacking tool.

Check out the presentation below, and feel free to leave comments if you want to chat about it.
