DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

DOWNLOAD

GitLab Commit Preview - Measuring success with DevOps Analytics

GitGuardian developer advocate Mackenzie talks with Chris Riley from Splunk about his upcoming talk at the GitLab Commit conference. They touch on what DevOps analytics is, how it can be impactful for the entire team, and some of the key points his presentation will cover. The presentation is on day 1 of GitLab Commit, August 3rd; make sure you don't miss it. Register for free here: https://gitlabcommitvirtual2021.com/

Video Transcript

Mackenzie: Okay, so I'm here with Chris Riley, and we're talking about GitLab Commit, which is a conference that, of course, is coming up on August the 3rd and 4th. Now, Chris is a DevOps and tech advocate who works for Splunk. Splunk not only is one of my favorite companies, you're also a partner of my favorite Formula One team, McLaren, so it's great to have you on here. Chris, you have a talk coming up, "Measuring the Success of Your DevOps with Pipeline Analytics." What's that talk going to be about, and who do you reckon is going to benefit from coming in and hearing this?

Chris: Yeah, well, I like that you brought up McLaren, because it's actually part of the narrative that I use: it's hard to go fast if you don't have the safety equipment to allow you to go fast, right? Then it's just terrifying. And I think that if you quantify most of the DevOps conversations you've had, a lot of times what you talk about is velocity. It's just go fast, go fast, go fast. Now, the thing with velocity, and I agree that that's the outcome, higher quality faster, is that I've seen it not sustain well. So a lot of organizations will build for velocity without thinking of, like, how do we make sure that we maintain this, and how do we know if we're doing a good job or not? A lot of times they'll do it as an afterthought, and then it's too little, too late. And so pipeline analytics is a tool that is not complicated, it's a practice that is not complicated, but you do it today, because without doing it today you don't have a baseline to really measure your entire delivery chain, from the point a feature is defined to the point that feature is running in production; thus you have no way of measuring success. And like I said, it's not tremendously difficult. In terms of who should be interested: everybody in the engineering org, because there is data that can be surfaced that helps you optimize, measure, and understand better how you do what you do.

Mackenzie: So I mean, a lot of, I think, what I'm hearing in here is that these DevOps pipelines are set up with the best intentions and are working well, but there's this missing component with maintenance, because we don't have visibility over kind of the analytics and what's working well. Is that kind of along the lines?

Chris: Yeah. And then of course there's another, you know, cliché. The thing with these clichés is it gets really old when you hear them, but they tend to be correct, which is: you can't measure what you can't see. And it's always boggled my mind why organizations haven't thought about this. The tools in your toolchain produce data; get that data, visualize it in a meaningful way. Now, the meaningful way is the hard part. So even though I could tell you that every engineering team should be investing in pipeline analytics, deciding what to measure is difficult, and deciding what to focus on. Like, do you focus on the compliance and security lens, by trying to spot secrets, for example? Or do you focus on the release velocity lens, say, how fast is our engineering team going, and how does that release cadence relate to bugs or rollbacks, things of that sort?

Mackenzie: Yeah, I do like the secrets you threw in there, because I'm all about that. But do you feel that sometimes one of the missing areas of DevOps is that there's this missing understanding throughout the whole team? Because a lot of what I'm passionate about at the moment is DevSecOps and shifting left and bringing everybody in, involved in security and everyone involved in operations, but I mean there can just be this big black box of mystery sometimes. Does providing analytics help everyone kind of get that visibility and get on board with what we're all trying to achieve?

Chris: Yeah, absolutely. So I like the DevSecOps lens as well, and I think when you start to think about the two first use cases in DevSecOps, which is build more secure applications and secure the software factory, and secure the software factory, as you know, is like what's all over the news right now: delivery chain attacks are scary and they're becoming more prevalent. And so for both of those, how does the security team have confidence that you're actually doing it? They don't speak the same language. So developers think, hey, I'm really good at my visibility silo, I have amazing Prometheus and Grafana dashboards, I understand them, I can open them up, understand them. The security professional can't understand them. So what happens? They stop you eventually. They say, okay, we've got to stop everything, we just need to know: are you doing vulnerability scans? How are you managing your secrets? Do you even know how you're managing secrets? Which is what a lot of organizations don't even know. And so that becomes very problematic. And any developer who hears the term shift left [laughs], like, "You're just giving me more work." That shift left, the customer of shift left, is the delivery chain, not the developer. So it doesn't necessarily mean that everything should be thrown in their lap without enabling them; they have to be enabled. And the thing is, developers don't like to get interrupted. One of the big metrics that I'm very fond of is this metric of unplanned work: how much time, it's a measure of time, that the developer is spending on stuff that is not building new functionality. Well, developers are part of the problem, because by creating these visibility silos that you mentioned, they contribute to their own unplanned work, because somebody will come knocking on the door due to them speaking a completely different language, and that's their responsibility. And so part of pipeline analytics is creating that unified understanding, so that I, as a security professional, can open up a dashboard, know what's going on, without interrupting you.

Mackenzie: That sounds absolutely fascinating. Well, Chris, I don't want to give too much of the presentation away, but I think it's going to be a really fundamental one for everyone to understand, and what I love about it so much is that, as you said before, this isn't overly complicated, but it can be quite powerful in its delivery and what it does. So Chris's presentation on DevOps success, pipeline analytics, is on Tuesday the 3rd of August, so make sure that you're registered for GitLab Commit and have that one marked down in your calendar. It's going to be an awesome presentation. Chris, I'd like to thank you so much for your time here today, and I can't wait to see the presentation.

Chris: Yeah, thanks for inviting me, Kenzie.

Mackenzie: Awesome, thanks.