Imagine a world with no perimeter firewalls (Photo Courtesy of StockSnap.io)
— This is Part 5 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
O’Reilly Media prides itself on organizing conferences that feature interesting speakers with a wide range of expertise and the ability to look beyond the status quo.
Evan Gilman, an operations engineer at PagerDuty, the downtime-fighting operations performance software, is redefining the norm when it comes to network architecture in his Velocity NY session, Perimeter-less networks: The Death of the LAN.
“I’ve found that people hold on to private address space and centralized security management quite strongly — almost with a death grip,” Gilman said. “My goal is to show attendees that it’s OK to let go of your private address space.”
For years, there was a sense of security behind private networks, VPN tunnels and perimeter firewalls, but Gilman says those days are long gone now that the best and brightest companies are operating in the cloud.
So, Gilman urges companies to tear down the firewalls and private networks, and as the title of his talk suggests, he thinks companies should be employing a “perimeter-less” approach.
What Inspired This Idea?
In Gilman’s previous work as a network engineer, he gained a lot of experience working with large, publicly addressable networks. He formed “kind of a distaste” for private networks in that time, and that’s when he started to expand on his ideas for how any business could operate on a public network.
When Gilman got to PagerDuty, he had the freedom to explore his ideas and execute his plan to completion. He described it as “a breath of fresh air.”
“I have the opportunity to remove private address space,” Gilman said. “And I also have the opportunity to take that one step further and get rid of perimeter firewalls and the things that typically become choke points or single points of failure inside of a network infrastructure.”
Gilman said one of the many things he’s enjoyed about working at PagerDuty has been the freedom to tackle this project.
“We can take this publicly addressable network and make it even better,” Gilman said. “We can remove all the topology. We can do point-to-point everywhere. So, the needs of the PagerDuty infrastructure were the impetus for our [network] design and the talk, as well.”
Gilman said the talk is going to give some real insight into how he and PagerDuty have taken on this architecture pivot, and he’s ready to be met with some hesitance.
“I tell people what we’re doing with our current architecture, and they’re usually very surprised,” Gilman said. “Well, we’ve found a lot of success with this, and we think there is a lot less complexity in this model than the other models that people are kind of married to.”
Gilman’s session is on the final day of Velocity, and he’s hoping to inspire a few people before they head back home from the conference.
“Hopefully I can drum up some excitement about this,” Gilman said. “I think it’s the future, and it makes a lot more sense than what most companies are doing now.”
Our event might even have these sweet balloons (Photo Courtesy of StockSnap.io)
We’ve told you all about our upcoming appearance at Velocity NY. Now we’re adding a post-Velocity event to our social calendar, and you’re invited!
We’ll provide the free pizza and craft beer — and you can come enjoy a night of networking and intelligent conversation on HTTP/2 and web performance.
The main event of the evening will be Load Impact founder Ragnar Lonn showing off HTTP/2 vs. HTTP/1.1: A Performance Analysis, an innovative application that helps web developers understand how their websites will perform on HTTP/2.
HTTP/2 vs. HTTP/1.1 gives you real insight into your website's performance
As for the event, here’s a quick rundown of the meetup’s agenda:
6:15 pm: Guests Arrive — Pizza and Beer!
6:30 pm: Introduction and The Future of Web Performance with Robin Gustafsson
6:45 pm: HTTP/2 vs. HTTP/1.1: A Performance Analysis with Ragnar Lonn
7:10 pm: Networking, and time to finish the leftover pizza and beer!
The meetup will be hosted by our friends at Betterment, the innovative investment platform built for the connected generation.
Each talk will be followed with a brief Q-and-A, and both presenters will be available after their talks to chat with guests.
If you want to get an earlier look at HTTP/2 vs. HTTP/1.1, check us out at Velocity NY, where Ragnar and HTTP/2 contributor Daniel Stenberg will be unveiling the findings from their study on the new protocol that promises better web performance. Register for Velocity NY with the promo code RAGNAR20 to get 20% off your pass.
— This is Part 4 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
For a long time, the relationship between security professionals and developers was pretty contentious and maybe even a little adversarial.
Developers would spend a bunch of time writing code before pushing it to a staging area only to have security tell them it can’t be deployed. Both parties had the best interest of their organization in mind, but there had to be a better way for them to get along.
Security expert Ty Sbano says the onset of the Continuous Integration/Continuous Delivery (CI/CD) and the DevOps revolution has changed that relationship for the better — at least in his experience.
“Security needs to be empowering the business,” Sbano said. “DevOpsSec is one of the patterns that enables the automation and the transparency to give businesses what they deserve and need. That’s the ability to quickly deliver better service to our customers.”
Sbano will be presenting “Security with the Speed of Continuous Delivery” alongside Tapabrata Pal Oct. 12 at Velocity NY, in which they’ll tackle how security fits into the CD cycle and share experiences from their time within Financial Services.
The old infosec model was to certify every piece of code before deployment, creating “security gates,” as Sbano put it. Hard security gates with sign-off for all code are just not realistic in a CI/CD cycle, but he said the dissipation of gates is a good thing.
Sbano’s point is that if a bug ships in a software update now, it might only be out there for a few days, maybe even a few hours. Before, a security vulnerability might not be caught for 18 months, which would obviously be a much bigger problem.
And Sbano said security through CI/CD and DevOps can strengthen the cohesiveness of the infosec and development teams.
“If we’re continuously identifying bugs through automation and manual security techniques, we can move forward quickly by addressing technical debt through the speed enabled by Continuous Delivery,” Sbano said. “Because of our partnership with development and architecture, we’re fixing bugs at a faster rate because we have the opportunity and the resources. That’s created a better partnership to achieve high-quality code. If there is ever a show-stopping vulnerability, DevOps enables us to roll back or remediate quickly. Everyone wins together.”
Focus on the problem, then find the tools
Even though Sbano and Pal will be sharing their experiences from Capital One and other past roles, Sbano was quick to point out that this talk won’t be specifically about the tools they used. It’s more about the ideas that got their security and development teams working in concert and efficiently deploying new software and updates.
“I’m going to be vendor agnostic,” Sbano said. “The goal is really around education. What are you going to do with static analysis? What are you going to do with that manual penetration testing? How do you wrap all that stuff together?”
Sbano also said he and Pal won’t be looking to “change anyone’s mind” on security’s role in CI/CD or persuade them to adopt their line of thinking. The main goal of the presentation is to share their experiences: What’s worked, what’s failed and what they did to pivot after failing.
Security is cool — seriously
Now that the relationship between developers and infosec is strengthening through CI/CD, Sbano said security doesn’t have to be viewed as an albatross for companies to carry.
“There are really good models and examples when it comes to training and the mindset of security in your organization,” Sbano said. “Security is becoming pretty cool. People are thinking more about it.”
One sign that people are thinking more about it has been the rise in security-focused talks at conferences such as Velocity, Sbano said. While the conference has historically focused on web performance and development practices, the community has embraced infosec’s role in efficient web development and innovation.
“Velocity is highly regarded,” Sbano said. “It’s my first time going a little out of the security world to speak at a conference, but a lot of people have told me that Velocity is a great place to do it, and I’m excited.”
If you’re not yet familiar with HTTP/2, it’s the updated version of HTTP, the protocol that delivers websites to us over the Internet. Simply put, HTTP/2 was designed to help websites load faster by opening a bigger line of communication between browsers and servers. Check out this great article from Engadget for a little more background.
— This is Part 3 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
“It was impossible to get regular work done because we were running around putting out fires all day.”
Does that sound familiar?
When it comes to your website, app, API, SaaS product or infrastructure, a minor problem can turn into a major crisis very quickly, and that can hurt your reputation with customers and cost you time and money.
That’s why Blackrock 3 Partners, a team made up of firefighters and technology professionals, is coming to Velocity NY to teach you the finer points of incident management.
In their tutorial, Incident Management for DevOps, Rob Schnepp, Ron Vidal and Chris Hawley will demonstrate the parallels between putting out a five-alarm fire in an apartment building and responding to a data breach.
“There’s a lot of interest in how the fire service does business because we look organized and it works,” said Schnepp. “But there’s a mystique about it because not everyone understands how organized and structured it really is.”
Blackrock 3 uses terms like “Peacetime vs. Wartime” communication and operations, “war games in production” and other phrases traditionally used by the military.
That’s not because a crashed server is equivalent to a person being seriously injured in battle; it’s because handling adverse conditions is a skill that can be learned, practiced and fine-tuned.
The team at Blackrock 3 stresses that software companies can create an ecosystem to respond to emergencies, minimize impact and learn from those experiences. That includes setting strategies for immediate response, practicing how to start correcting problems in the middle of the crisis and designating an “incident commander.”
In order to do that, Blackrock 3 often goes to their “war games in production” strategy with their clients, which can be surprising to some.
“There are times where we go in to work with a company and plan to break stuff on purpose,” said Vidal. “Sometimes people are taken aback by that at first, but how else can you prepare for the randomness of the world unless you really have to solve a problem under some level of pressure?”
After an incident has been controlled and resolved, Blackrock 3 puts a heavy focus on thorough after-action reviews, commonly known as “post mortems.” Emergency services have a structured plan for post mortems as well, which is another practice Blackrock 3 is bringing to its partners.
“Post mortems almost always focus on the technology aspect of a problem,” said Schnepp. “They rarely evaluate the human response and how to make that better.”
Blackrock 3 suggests striving for honest, blame-free after-action reviews that analyze people’s thought processes and logic during a crisis and how future training can improve responses moving forward.
While on the surface people normally wouldn’t think the fire department or other emergency services have much in common with technology companies, Schnepp and Vidal said startup founders, CTOs and everyone they’ve worked with “gets it” from the beginning.
“The same management tactics people use on oil spills can work in the tech business,” said Schnepp. “It’s not a magical formula, but the results are magical.”
Check out Blackrock 3’s Book
The team’s vast experience responding to a wide range of catastrophic events not only led them to forming Blackrock 3, but they recently authored the book, Incident Management for Operations, published by O’Reilly Media.
While conferences and events are one of the most fun parts of our job, we know buying passes for dozens of events each year can be costly.
— This is Part 2 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
As we approach Velocity NY, we've been thinking about our last Velocity experience in Santa Clara, Calif. earlier this year.
— This is Part 1 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
Bryan Liles of DigitalOcean isn’t looking to solve the diversity and inclusion problem in tech, but he knows he can leave the industry better than he found it.
Bryan’s Velocity keynote, The Darker Side of Tech, will explore the cognitive biases that prevent people from trying new software or new development processes and hiring from a more diverse pool of employees and executives.
“People’s biases are not allowing them to see the problems they are causing,” Bryan said. “It’s not just about diversity — it’s about inclusion.”
The problem of inclusion in tech (and many other industries) is systemic in the United States. It started with hundreds of years of people not getting opportunities based on race, religion and economic standing.
Bryan’s presentation at Velocity will relate operating system bias to racial bias — not something people might expect — but it makes perfect sense after brief examination.
As an example of how bias can hinder technical progress, Bryan will point to the genesis of Linux and how decision-makers’ bias blinded them to something amazing for years. While its beginnings are traced back to 1991, it took nearly two decades for many mainstream companies to understand the power and security of Linux and implement it.
As Jeffrey Hammond of Forrester Research said in 2010, “Linux has crossed the chasm into mainstream adoption.”
But why did it take so long for people to see the light on Linux, and how will Bryan compare that to inclusion in tech?
“People only know what they know, and we’re missing out on extremely smart people when our biases get in the way,” Bryan said.
So, it doesn’t matter whether we’re talking about adopting Linux or hiring someone from an “urban” area with a “black” or “ethnic” name. Either way, decision-makers hurt their company by not giving every option and candidate a fair chance to succeed, even if they don’t know they’re doing it.
One of the barriers Bryan has encountered when giving this kind of presentation is that it can make people uncomfortable, which is somewhat understandable. However, he knows that’s not a good reason to shy away from talking about it. Bryan has seen plenty of people shuffle for the door when he’s started to make points about inclusion in previous talks, and that doesn’t help anybody.
“Whenever I’m saying this, I’m not saying that you personally are a racist,” Bryan said. “I’m saying the people who benefit from this aren’t doing enough to make it better.”
One of the promising things we’re seeing is that technology has become more available to a wider demographic, and Bryan noted that can help break down some of the barriers people face in entering the tech industry.
Even then, it’s important to consider that schools like Stanford, MIT and Carnegie Mellon are incredibly expensive and still aren’t reasonably available for everyone. So, the deep roots of the problem will take time to remove.
Bryan is adamant that a couple of keynotes and editorials aren’t going to fix the problem, but again, he doesn’t want us to “solve” anything right now.
“All we need to think about is a bunch of little wins,” he said. “If we can make it better for this guy, or this girl, and they can pay it forward, we’ll be better off than we once were, and that’s all I’m trying to do.”
“I just want to leave the things I touched better off than how I found them.”