Mark Miller and Derek Weeks - All Day, Every Day, DevOps

Andre Pino: Welcome to today's episode. Today we're joined by a couple of friends, Mark Miller and Derek Weeks from Sonatype. Mark is the business development and developer evangelist at Sonatype. Derek is the VP and DevOps advocate at Sonatype. Welcome, guys.

Mark Miller: Hi, Andre. Good to talk to you again.

Derek Weeks: Andre, very good to talk to you.

Andre: Great to have you and Happy New Year.

Mark: Thank you. You as well.

Andre: Mark, I'm looking at a picture of you that I have in my notes here, and you don't have your black hat on. I can't believe it.

Mark: That's bad news.

Derek: Who caught him without his hat on?

Mark: It's actually one of the ways that people recognize me at conferences. They're just like, "Go find the guy with the hat." So I'm very surprised you have one of those.

Andre: You'll have to fix that.

Andre: Mark, while I'm talking to you, you've branded yourself as the DevOps connector. What exactly do you mean by that? What is that all about?

Mark: If you read The Tipping Point, you know that one of the things that Malcolm Gladwell talks about are the people that know everybody in the community and can help other people make connections. As an example, if there was somebody, a DevOps or a DevSecOps influencer that you personally would like to get a hold of, Andre, you know that you can call me and say, "Hey, Mark, can you help me connect with this guy?" So in general, what a connector does is build their network as deeply as they can, so they can help the community in those cross-ties and conversations.

Andre: That's awesome. And you do a great job of it, Mark, I must say.

Mark: Thank you.

Andre: The other thing our audience may or may not know is that both of you were founders and leaders of the very successful All Day DevOps event. Can you tell us how that all got started?

Derek: Mark, do you want to tell the story or do you want me to jump in and tell it?

Mark: I'll jump in and correct you as you go along. That's fine.

Derek: Awesome. I always appreciate your color commentary to get me back on track. So it's a pretty exciting project that we embarked upon. In 2016, Mark and I had both been to maybe 40 different DevOps conferences or meet-ups or something like that, out within the community. We were able to meet a ton of great people, like yourself, Andre, Brian Dawson, who we worked with on a number of occasions at CloudBees, folks like Gene Kim and John Willis and Damon Edwards, and also a lot of people that we met at these conferences in the hallways that a lot of us haven't heard of before. But as we traveled out to these different places, we recognized that we were getting a ton of value individually from these meetings. As we were all trying to learn or improve our maturity on our way through our own DevOps transformations, we realized that there were people that weren't getting that same experience, where we might meet one or two people from any given organization, but in the conversations with them we knew that there might be 10 or 20 or 100 other people back in their organizations that didn't have access to it, where we thought about organizations, you know, people in organizations in Kansas where they didn't yet have the DevOps Days conference, or people in the far reaches of the world where DevOps Days hadn't yet gotten to or the meet-ups hadn't yet gotten to. We thought there was enough momentum, really, out there in the industry to reach more people and to do something online as a virtual conference, where anyone could attend, and a real theme behind All Day DevOps was to bring DevOps to the world. So partnering with Mark – Mark and I have worked together for many, many years now, and Mark said, "If we're gonna do this, we're gonna do it big. So let's not just do a small online conference." The first year, we went out with 15 hours of programming across three tracks, 57 sessions, all online, for free. We had 13,000 people attend that first thing, and a matter of 90 days to plan and execute it. I think it caught everyone by surprise, in terms of how many people the concept resonated with, and also, how many people we were able to help. I think when that caught fire, I think everyone was excited to jump in and see what we could do if we had more time to plan it and execute it.

Mark: Derek, can I jump in there for a second?

Derek: Yeah.

Mark: One of the interesting things for me, for what you just described, there's two things. One is you and I, when we first started the concept, we went and said, "Hey, do you think we can get 1,000 to 1,500 people to show up?" That was the really high bar we had set for ourselves. So by the time we got to 10,000, we went, "Whoa. Somebody underestimated what's gonna go on here." The second thing is – and, Andre, I want to throw it back to you, too, because CloudBees jumped in with us at the beginning. There were people that understood intuitively, like you, what we were trying to do, and the support that the community brought to this event is invaluable.

Andre: It was pretty amazing to watch, to be honest with you, to see that first event grow to 13,000. Who could have predicted? But I think that this last event was, what, 30,000-plus.

Mark: Derek, it's yours, go.

Derek: Thirty-three thousand people participated this year, which was I think super-exciting for all of us, because everyone kept asking, "How big do you think this thing could get?" I have no estimate of how many people are in the DevOps community worldwide, but we had a platform that could scale to any level, to millions of people. So we were inviting anyone and everyone to show up and to hear what we did. This year, we expanded it to – a lot of really cool things came out of this year. One is we expanded the event to 24 hours. Mark and I stayed up with our team of people inside Sonatype and outside Sonatype for 24 hours. We ran five tracks at the conference. We had 100 sessions that we did live online for everyone to attend. We registered over 30,000 conversations on the Slack channel, where people were able to interact with us and ask questions of the speakers, anyone that was online that had free access to Slack. The other thing that was really exciting that came out of this year's conference was that there were a lot of groups that said, "Hey, we'd like to do something in our neighborhood. So can we set up these viewing parties?" We made it really easy for people to say, "If you have a URL that people can register, to sign up to attend your live viewing party," I think we called them, this year, “then send us that URL. We'll put it on the site and we'll help get some visibility to it." We ended up with 45 satellite viewing parties in 18 countries. That just blows my mind when we think about how this whole thing came together, and how it came together with supporters like CloudBees as well as we had, I think, more than 250 community groups from around the world that helped us spread the word to all of their members on this free educational opportunity.

Mark: It's interesting on that front, too, Derek, when you're talking about the viewing parties. That's 45 that we knew of. When you and I had dinner with the head of DevOps at Verizon, when we were in San Francisco a couple months ago, he said that he had set up multiple dojos around various Verizon locations, and had set up the big screen so that anybody could walk by during the day and watch. I think that's incredible.

Derek: Yeah. It's amazing when you meet people and they're like, "I know that All Day DevOps thing."

Mark: Yeah. The funny thing that happened to me on that, too, and, Andre, this might resonate with you, is we went to Jenkins World and we said, as people were walking by, "Hey, have you heard of All Day DevOps," and everybody said, "No, not really." Then we'd show them a postcard with that screaming boy in front of the microphone and they'd go, "Oh yeah. I know that." So the branding of it has gone global. There were 250-plus organizations that on their own said, "Hey, how can we support you?" It was truly a globally supported community event.

Andre: Yeah. It was very interesting to watch, to see the growth of it, and also to see how the community has rallied around this as a true industry event, for sure.

Derek: Yeah. The other thing that I'll add here, I mean the numbers are fascinating. The scale of what we did is fascinating, even to those of us that were behind the scenes pulling it off. During the conference, it was hard for me to sit down and watch a lot of the sessions because we had our organizer caps on, but I've gone back and watched a number of the sessions. I still haven't watched all hundred, but I've started watching them and blogging about my notes on the sessions and what was covered there. For those of you listening that don't know, this was all practitioner led conversations. No vendor pitches were allowed as part of the conference. But the quality of the presentations, whether it’s Jez Humble and Damon Edwards, and J. Paul Reed, those guys all gave great presentations during the conference. But there were other people like BJ Schleen from Aetna, or John Jediny from GSA, or Leonel Garciga from the Department of Defense, or the guys from Under Armour that presented on a variety of different topics that we had in the five different tracks. I was just amazed at hearing what some of the people were sharing, and their experiences and their advice. It warmed my heart to hear, oh my gosh, we actually made this possible for other people to hear and experience out there. So it was very cool.

Mark: You know Andre, one of the things that you know well is it's very, very hard to get above the noise. There's so much hype. There's so much of that hype cycle going on right now. One of the things that we were extremely pleased with was that this was not perceived as just an extended webinar. People really saw this as a conference, and talked about it as a conference with their peers. That really, really means to me that we've hit into something that's very useful for people and they're perceiving it in a different way.

Andre: I think that speaks, actually, volumes about the actual content that you were able to pull together, and the value of that content to the various roles that were probably sitting out in the audience.

Derek: It's funny. The community is really forcing us to up our game on All Day DevOps. For those of you that actually worked with the team at All Day DevOps, there's a group of maybe 50 volunteers that contribute any number of hours of time to putting this on, and more so, just a couple of months leading up to it. But there were people making comments in the community, like, "Wow. If I was at a real conference, they would have done this kind of thing or this kind of thing." I was thinking, "Wow. If we were professional conference organizers, we should be doing that." But if people only know how part-time of an effort – like, every one of those 50 people has a day job. This is just something that we – my initial call to you, Andre, I'm like, "Hey, you should come in and help us out with this. I think we can get 1,000 people." We were just doing this small, little thing, and all of a sudden it boomed into 33,000 people. We've touched 40,000 people over the two years of the conference. People actually think that we are professional conference organizers pulling this off. So in a lot of ways, seeing their comments make us think, "Gosh. We have to really up our game to meet the expectation levels of the O'Reillys and DevOps Enterprise Summits that are the really good, in-person DevOps conferences. Also, I'll throw out a plug for all the DevOps Days organizers out there that throw live events together.

Andre: What's your projection for this year?

Derek: Big! I hope that all 33,000 people return next year and invite a couple of friends. I'd love to see how many people we can reach around the world. Again, I don't know how big this community is, but I think there's incredible value in the content that people are sharing and the conversations that people are having, and so I’d really not like to put a limit on it. I think beyond the kind of one-day, 24-hour thing, Mark and I have talked about how we extend the reach of the community across the year, and give it more opportunities to interact, for people to interact and learn from one another. So I think it gets bigger, but I think, as Mark knows, any time I ever put a number on it we quickly surpassed it. So I'm very bad at predictions.

Mark: The other thing that extends this whole idea, Andre, which is exciting for me, is that we are able to help support a community that either can't afford financially to come to a conference or can't get to a conference because of restrictions in travel and distance. We're able to reach those outlying communities that don't usually get this kind of content, live, and are able to actually talk to the practitioners that are doing the work. So as I look to the future of this, I love the idea of building hybrid conferences. Now, the idea that everybody in the world should be able to attend the big level conferences, not necessarily in person, but they should be able to participate live.

Andre: I totally agree with you. I think that's the only way to reach that extended audience that is really interested in the conference topics. Like you said, not everybody has the luxury of traveling. Well, congratulations. I think that, obviously, you've hit on something that's really a great need in the community, and we're looking forward to this year's event for sure. But I'd like to change topics real quick, if I can, to another area that is growing in significance and importance in our industry, and that's DevOps and security. I know it's a topic that's very passionate for both of you. So, Derek, where do you see our industry at today with respect to DevOps and security?

Derek: That's a really good question. I think certainly the interest has grown over the last number of years. Going back three or four years, I think there were very few of us that were talking about it. There were some early thought leaders that were bringing up the concept, but it wasn't a cultural transformation that a lot of organizations had achieved yet or even thought of achieving. But I think it's one of the big milestones that organizations that are progressing in their DevOps maturity are trying to reach. As anything with DevOps, I think the cultural transformations and the organizational transformations are perhaps the toughest parts of achieving DevSecOps or implementing DevSecOps. I don't think there's an endpoint per se, but in terms of improving the maturity where security is really embedded and integrated into a DevOps practice. So there's definitely the cultural side, the maturity side. There's also the tooling side of it and I think people are really looking towards solutions, what solutions are out there in the market, what people have done already. Mark and I are working, you know, in addition to the DevSecOps track that we hosted as part of All Day DevOps, we're really trying to get more of the voices in the DevOps and security community out there and noticed. As I mentioned earlier, there are people like DJ Schleen at Aetna, who is a practitioner and evangelist, people like Shannon Lietz, fairly well known in the DevOps community at Intuit, that are doing really good work. We're engaging with folks like Hasan Yasar at Carnegie Mellon, who are taking the DevSecOps from an academic perspective, bringing their knowledge to life. People in the government like John Jediny, who recently posted the DevSecOps framework for GSA, that also included some maturity model level things. So I think there's a lot of people out there in the community that are doing stuff, and we're trying to help give them a platform or spread knowledge of what they're doing around the community, to talk about the changes that they've implemented within their environment as they've matured their DevOps practices.

Mark: I worked with Alan Shimel on the DevSecOps Day track at RSA 2018 this year, Andre. One of the things that we're doing to expand this network, as Derek described, is we're having the luminaries, the top guys in DevSecOps actually nominate and host a new speaker. So we'll get somebody like John Willis is gonna come, and he's gonna introduce a practitioner that he found, I would say out in the wild, that he found, and say, "You need to hear this story." Shannon Lietz is gonna bring somebody. Damon Edwards is gonna bring somebody. So one of the things that we can do as the connectors, as the people that can actually get the community to grow is introduce new people to the community that the community should hear their story. It's an interesting story. It's a powerful story. And it's things that can be implemented by the people that are listening. We've grown at that conference. We started three years ago and initially – well, four years ago. It's gone from 200 to 400 to 800. I think we're gonna go over 1,000 people in that room this year at RSA. So I am looking at it and I'll say it here. It's January 9th, and I'm gonna say right now that 2018 is gonna be the year of DevSecOps. It's gonna be the year that that message is gonna start to resonate across the community, because it is the major piece that's missing in the DevOps movement. How do you integrate? How do you automate security across the entire pipeline?

Andre: I think you're right. I think we're seeing it as well from where we sit also, because so many organizations were focused from a DevOps standpoint on their continuous delivery process and the automation that was necessary for it, and now they're finding that security is left to a topic at the end of the process, which we all know is never the way to implement anything. So as an industry, I think we have matured to a point where we all recognize that much like quality needs to be built in from the beginning, security also needs to be built in from the beginning.

Mark: That's gonna be the fun part. As an example, Sonatype and CloudBees are critical parts of most pipelines when we're talking about this, but to work together as disparate companies to actually secure that pipeline together, I see that as a fun initiative, but it's gonna be very, very highly-valued.

Derek: No doubt. And your point earlier, Mark, about conferences and the new practitioners that some of these industry luminaries bring to the table I think is a really important one, because most people who attend conferences want to be able to walk away with something actionable. All the stories about the value and benefits of moving to a new environment or a new process are great, but, at the end of the day, people want to be able to go back to their organizations and put something in place that's gonna add value. So I think you're onto something there as well.

Derek: Andre, one of the things that you hit on was, I think, a challenge that a lot of organizations have, and that's the security bolted on to the end of the process. I think when people have been successful at their DevSecOps practices, they've found out how to embed security practices early in the development lifecycle and continuously throughout the development lifecycle. I think there are a number of different stories that come to mind on what organizations have done out there and how they've achieved that. I remember Shannon Lietz at Intuit, who shared a lot of different stories with me over the years, but one where she talked about really embedding security people into the development organization, where security and developers sit side-by-side, where the security team talks about how they, internally, could attack the applications through the code that was being developed at Intuit. They really developed a relationship that was complementary and collaborative. The one thing that I remember stuck in my mind about that conversation, was Shannon said, "Look, do you want your colleague sitting across the table from you to attack your code, or do you want the nation state to do it when it's in production?" It was that kind of – you just have to change your perception on what value can be added here. Another conversation I was having with the CISO at Amdocs and talking about completely different perspectives that DevSecOps practitioners bring. He said, "I'm in the process of evaluating a number of different vendors for DevSecOps solutions I want to bring in." He's the head of security for the organization, and he understood that his customer was the development team. He said if there was a vendor coming in here that couldn't analyze some code or an application or some part of the network and give me information, especially information helpful to the developer, and surface that in under five minutes, then he couldn't work with them, because he knew that the developers were looking for immediate, you know, not only automation of security that gets integrated in, but immediate feedback loops on what was working and what wasn't working. So he set a new bar for the organization and instead of just delivering information about security, he set a five-minute bar and said for the vendors, "If you can't meet it, then we can't talk." He was talking about some vendor that came in and said, "Yeah, we set this up. Let's start analyzing an application and then we can go to lunch, because if we take a long lunch it might be finished by the time we get back." He said, "That just doesn't work for the built-in integrated security that we're looking for." I think it's those kinds of experiences and that kind of guidance of people like Shannon or the CSO that help people understand there is a path, and people are doing this, and we can build DevOps native security practices into what we're all trying to achieve.

Andre: I think you said it earlier. The DevOps cultural transformation needs to be extended to incorporate security into it from a team standpoint and when people sit side-by-side and work together to release quality, secure code, I think magical things are gonna happen.

Andre: You guys also produce the OWASP 24/7 podcast. Tell us about that.

Mark: That is a very well received podcast series. I think I've got 225,000 listens on that. I took over that from Jim Manico about two years ago, two or three years ago. What I tried to do initially is to get more exposure for the OWASP projects like Zap, the stuff that Colin was doing over there with his stuff. There wasn't enough visibility yet, and it's gradually morphed into what we just talked about, that the idea of security is not something that's done standalone. It's an integrated part of the process. So I've gradually morphed the series over into how do you integrate developer and operations into security, because OWASP is security-oriented. The idea now is to get practitioners that are talking about security, that are doing open source security, things like that, to come and give their message to the OWASP community, so that OWASP can see how they can integrate into the rest of the industry.

Andre: That's great.

Andre: Well, Mark and Derek, as always, it's been a pleasure. Thank you so much for joining us today on DevOps Radio.

Mark: You're welcome. It's always fun to talk to you.

Derek: Thanks, Andre. It's a pleasure and we definitely need to catch up on some other stuff soon. So I'll be reaching out to you again.

Andre: You bet. Thanks, guys.