The OWASP Podcast Series

When Derek Weeks and I started All Day DevOps in 2016, we were unsure as to whether anyone would be interested.It's now four years later. Last week we had close to 37,000 people register for the event. We're still trying to wrap our head around the scale of something that generates a world wide audience in the tens of thousands for a 24 hour conference. One of the things that has grown organically from All Day DevOps is a concept called "Viewing Parties". It's an idea the community has created, not something planned by us. Over 170 organizations, meetups or user groups around the world setup a large screen and invited colleagues and friends over to share in the DevOps journeys that were being told throughout the day. Last year, we heard through the grapevine that State Farm had over 600 people show up to participate at their viewing party in Dallas. That's 600 people internally at State Farm. When I heard about it, I knew I had to speak with Kevin ODell, Technology Director and DevOps Advocate at State Farm, the person who coordinated the event. Our initial conversation was a fascinating view into how he pulled off such a large event, internally. We kept in touch throughout the year, leading up to 2019 All Day DevOps. Keeping track of the registrations for Kevin, he soon came to realize what he had created was now a viral event at State Farm. For 2019, State Farm had 4000 of their 6000 developers confirmed to attend All Day DevOps. To me, that's just remarkable. While at the DevOps Enterprise Summit last month, Kevin and I sat down to talk about how he created such an incredible event, the process for getting business buy-in, and how he measures the value of letting 4000 developers collectively watch videos for the day. Even if I wasn't one of the co-founders of All Day DevOps, I'd find this a fascinating story. Stay with us and I think you'll be impressed, too.

Shortly after watching the documentary, Code Rush, I met with Tara Hernandez, the hockey stick carrying lead of the Netscape project that was being documented. We sat down at the Jenkins World Conference in San Francisco to talk about the effect that project had on her career, what she has been doing since with her position at google, and what she hopes to be working on in the coming years. We started our conversation by exploring the relationship between the Netscape project in 1998 and the current state of DevOps. Would DevOps have made a difference... the answer might surprise you.

Edwards Deming went to post-war Japan in the late 1940s to help with the census. While there, he built relationships with some of the main manufacturers in the region, helping them understand the value of building quality into a product as part of the production process, thus lowering time to market, eliminating rework and saving company resources. In his 1982 book, "Out of the Crisis", Deming explained in detail why Japan was ahead of the American manufacturing industry and what to do about. His "14 Points on Quality Management" helped revitalize American industry. Unknowingly, he laid the foundation for DevOps 40 years later. Eli Goldratt published "The Goal" in 1984, focusing on the "Theory of Constraints", the idea that a process can only go as fast as it's slowest part. In fictionalized novel form, Goldratt was able to reach a wide audience who would utilize the theory to help find bottlenecks, or constrainsts, within production that were holding back the entire system. Once again, the theories espoused in The Goal were a precursor to the DevOps movement 40 years later. In January 2013, 40 years after Deming and Goldratt reshaped the manufacturing processes in American, Gene Kim published "The Phoexnix Project". He used the same format as Goldratt, telling the story in a fictional novel format with characters who were easily identifiable within the software manufacturing process, from a manager's point of view. The Phoenix Project is now one of the most important books in the industry, and is used as a starting point for companies interested in participating in a DevOps transformation. It's now six years later, 2019. Gene's new book, The Unicorn Project, will be released at the upcoming DevOps Enterprise Summit in Las Vegas on October 28. This new book has an interesting premise: What was going on with the software development team in the Phoenix Project as the management team was flailing to get the project back on track. It's a novel approach to have parallel timelines in separate books, looking at the same project. In this broadcast, Gene and I talk about how the Unicorn Project aligns with the Phoenix Project, the overlap in storylines, and why he chose to speak for software developers in this iteration of the story. Do a quick review of the Phoenix Project, which is probably already on your bookshelf, and then listen in as we discuss using Deming, Goldratt and Kim as the foundation of the principles of the DevOps movement.

Sacha Labourey, CEO of CloudBees, discusses the growth of DevOps, cultural transformation in companies, All Day DevOps events, and the importance of high-level champions in driving DevOps success. The podcast also touches on enhancing security measures in the IT industry, industry consolidation, and future visions within the DevOps space.

I was affected by it. You were affected by it. We were all affected by the Equifax breach in September 2017. The truly interesting thing about it is, Equifax wasn't the only company hit by the struts 2 vulnerability that day. Many other companies were hit by it within that time period, but Equifax became the poster child for the main stream media. It was just too easy of a target because of consumer visibility. In the two years since the breach, Equifax has been working hard to restore its reputation, not just with consumer protection, but with the companies that depend upon credit data to make real business choices. I wanted to find out what Equifax is doing behind the scenes not just reputation wise, but technology wise when it comes to protecting data. Was it status quo as soon as the buzz died down? Did they pay their fine and go back to business as usual? Or are they making changes under the hood that will make a difference in how financial data is handled and what can be done with it. I met with Sean Davis, Chief Transformation Evangelist at Equifax, while at Jenkins World in August. It had been two years since the breach, and I wanted to hear what was happening internally, what changes have been made and why we should begin to trust Equifax again. I have to say I was surprised. When I sat down with Sean, I thought there would be hesitancy, some caution as to what could and couldn't be talked about. To my surprise, it was a transparent discussion. I asked him questions I wanted to know as a consumer, as well as the technical queries about what's going on under the hood at Equifax, what changes have been made to make my data more secure. Is it time to trust Equifax again? I'll let you decide.

OWASP supports a global conference in North America each year, bringing together the projects, teams and chapters who make this one of the largest security tribes in the world. In this episode of the DevSecOps Podcast Series, I speak with Ben Pick one of the organizers of the conference about what's important about this type of gathering and what you can expect when attending. https://dc.globalappsec.org/

The 2019 State of the Software Supply Chain Report was released on June 25th. The report is an analysis of the answers from over 5500 participants, allowing data researchers the ability to extrapolate what the most productive enterprises are doing when it comes to managing the software supply chain, and how that compares to less efficient development practices. The purpose of the analysis was to objectively examine and empirically document, release patterns and hygiene practices across 36,000 open source project teams and 3.7 million open source releases. In this conversation I speak with Derek Weeks, Project Lead for the report, and Stephen Magil, who along with Gene Kim, acted as research partners on the report. If you've been looking for verified research that can be used to help justify a DevOps initiative, or to validate the value of DevOps projects within your company, you'll want to stay with us.

Let's not talk around the subject here... women are under represented when it comes to speaking or participating in tech conferences. It's a male dominated culture. When I saw Lani Rosales had published, "The Ultimate list of Austin women who can speak at your tech event" in response to the complaint that there are no women speakers available in the tech industry, I called her right away. As co-founder of the world's largest DevOps conference, All Day DevOps, and as one of the core organizers of the global DevSecOps Days series of events, I wanted to hear how the list came together, her motiviation for creating the list and how the tech community has responded to an overt call for women speakers. One of the most surprising topics during our conversation was the continual reference to "the vanity of diversity". Lani is opposed to replacing males speakers just for the sake of having a token female speaker or panelists. As she says it, "Let's not remove male speakers, let's add female speakers." When she said that, it resonated with me. That's how true diversity works: add women, don't subtract men. Lani's vision is to make attendees, all attendees, feel welcome, represented and given the feeling that their way of thinking is welcome in the room, in the conference, and in the community. That's the true reason for diversity, and that's what we'll be talking about today. The Ultimate List of Austin Women Who Can Speak at Your Tech Event https://theamericangenius.com/tech-news/austin-women/

I produced my first concert at the San Anselmo Playhouse in 1979. It was the first in a series of events that has lasted 40 years. I have produced more than 300 events and participated in many hundreds more as a speaker and participant. As the producer of this many events, I have an internal map of what to do to make an event successful, the steps to create and manage the logistics of an event, and how to promote them. All Day DevOps, a live online conference I co-founded with Derek Weeks, has over 30,000 registrations yearly. This type of involvement gives me a unique perspective into why an event is successful. In the past few years, I've been sketching out a "How To.." manual on producing successful events. When the book "Building Internal Conferences" came across my radar, my first thought was "Good! Something I won't have to do." After looking through the book, I called authors Matthew Skelton and Victoria Morgan-Smith to trade stories on tips and tricks for managing successful events. You might ask yourself at this point, "Why is this being covered on a tech podcast?" With so much to choose from when it comes to webinars, meetups, user groups and conferences, many companies are choosing to host their own event internally, or participate as supporters of a regional event. Industry conferences such as DevOps Days, DevSecOps Days, and SharePoint Saturday are run by local teams who are engaged in community development and education. This episode of the DevSecOps Podcast focuses on helping you as an event organizer avoid the "Epic Failures" that would stop your event from being a success. Where to find the book: https://confluxdigital.net/conflux-books/book-internal-tech-conferences

In April 2019, I was invited to host a panel at the International Conference on Cyber Engagement in Washington DC, to discuss "Securing the Software Supply Chain". On the panel were four of the top voices in software supply chain management: - Edna Conway, Chief Security Officer, Global Value Chain, at CISCO - Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence - Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security - Dr. Suzanne Schwartz, Associate Director for Science & Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration This episode of the DevSecOps Podcast is the full session from the conference. It is an extended session, running an hour and a half, significantly longer that our usual broadcast. I think you'll find it worth the time. Thank you to the ICCE for allowing rebroadcast of the panel. Pull up a chair, sit back, and listen in as we discuss Securing the Software Supply Chain.