Second day to the rescue.
1 – Quality for DevOps Teams [Rik Marselis]
Quality Engineering is about team members and their stakeholders taking joint responsibility to continuously deliver systems with the right quality at the right moment.
Shift left – secure quality as soon as possible
- Left: unit tests, pair programming, e2e tests.
- Discovery by the client sits at the far right and is expensive.
Types of code coverage
- Line coverage (100% code coverage does not say much)
- Statement coverage
- Decision coverage and Branch coverage
How to prepare e2e tests?
- Start from the end – What do I need to do to achieve the desired outcome?
2 – Your Journey to Delivering Secure Code Fast
DevSecOps
- Developers need to know security to prevent very expensive security fixes.
Pitfall 1 – security as afterthought
- It is very expensive and has limited coverage.
Pitfall 2 – all the tools in one shot
- All tools = crazy amount of noise
- Rather start small with just a few tools and expand once you are mature enough.
Pitfall 3 – integration of security tools with the issue tracker.
We need to automate the integration between security findings and our backlog.
- Only high and critical issues
- Developers do not need to log into specific security systems
- We need to mitigate false positives – how to keep the noise low
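The three bullets above describe one filter between scanner output and the backlog. As an added illustration (not code from the talk or from any named tool), this script takes constructed findings in a minimal normalised shape, drops anything below high, suppresses reviewed false positives via a fingerprint allowlist, and deduplicates repeated reports so developers only see tickets worth acting on; the finding shape, the fingerprint scheme and the allowlist are assumptions.

```python
import hashlib

# Constructed sample findings, normalised to one minimal shape (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
    {"rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},  # reported twice
    {"rule": "hardcoded-secret", "severity": "high", "file": "tests/fixtures.py", "line": 7},  # known FP
    {"rule": "weak-regex", "severity": "medium", "file": "app/util.py", "line": 3},  # below threshold
    {"rule": "xxe", "severity": "high", "file": "app/parse.py", "line": 10},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable id for a finding so reruns and multiple tools do not open duplicate tickets.
    Assumption: rule + file + line is stable enough; real tools often hash a code snippet."""
    key = f"{finding['rule']}|{finding['file']}|{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


# Reviewed false positives, keyed by fingerprint with the triage reason recorded (constructed).
ALLOWLIST = {fingerprint(SAMPLE_FINDINGS[2]): "test fixture, not a production credential"}


def triage(findings, allowlist=ALLOWLIST, min_severity="high"):
    """Return backlog items: severity >= min_severity, not allowlisted, deduplicated."""
    threshold = SEVERITY_RANK[min_severity]
    seen, items = set(), []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # keep low-value noise out of the backlog
        fp = fingerprint(f)
        if fp in allowlist or fp in seen:
            continue  # reviewed false positive, or already queued
        seen.add(fp)
        items.append({
            "fingerprint": fp,
            "title": f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}",
        })
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS):
        print(item["fingerprint"], item["title"])
```

The allowlist should live in version control next to the code so a suppression is reviewed like any other change and can be revisited.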
Pitfall 4 – one security pipeline for a company
- Teams have different maturity, cycles and expectations – it doesn't work
Pitfall 5 – missing git security posture
- Do you control who can change your code?
Pitfall 6 – security as mandatory approver for MR
Pitfall 7 – we do not do threat modeling
Pitfall 8 – compliance security trainings
- Does not really help; security champions are way better
3 – Profiling your Java Application [Victor Rentea]
How to measure the time spent in a method?
- Micrometer and its aspects (@Timed)
- Can automatically introspect framework internals
- This data is regularly polled/pushed to other tools like Prometheus
- We can display the data in Grafana charts
How to monitor the performance of distributed systems?
Zipkin – request tracing tool for distributed systems
- Regularly captures stack traces of all running threads (every second)
- Records internal JVM events about locks, files, sockets
- Heavily optimized for extra-low overhead (<2%) – usable in prod
- Free since Java 11
4 – Pepperoni, Puppets and Priorities (SLAs, SLOs and SLIs) [Matt Simons]
Customers don’t care how proud you are of your SW.
The real question:
Is your SW the right amount of bad?
Dynamics of Quality
Not having features makes some users unhappy
Not having reliability makes all users unhappy
The bucket exercise
Would your customer have put a token into the Quality bucket or the Features bucket in recent days/weeks/months? Prioritize based on that.
Context
If other parties had my context, they would be better at their jobs.
- that's what DevOps is about
This leads to Captain DevOps.
At this moment it might be too much for one developer, unless you are a genius. The same was true for Development and Operations before. As we move forward, it is probable that all tooling gets easier and better and we will be able to accomplish more as individuals.
- It is possible by vertical product integration
Shaping
T-shaped software engineers were previously specialized in one single technology in depth while having a basic understanding of many others.
We are converging on times where everything will be so optimized and tooled that we will be shaped in terms of business value and understanding of the product.
- Devs -> DevOps -> DevSecOps -> ???
Summary
I was glad that I had a chance to see the sessions and fill my head with new ideas. I always complain after each conference I attend, but the more time passes, the more I appreciate them. I would say that https://devternity.com/ would be a better pick in terms of price/quality/time consumption, but in case you are familiar with the ideas from the „Big and Popular“ guys, DevDays may serve you better.
The next one for me must be in person. Online is nice, but real people who throw candies at you are always sweeter.
See you next time!