Episode 83: DevOps World 2020 Preview - Maria Schwenger on the Future of AI in DevSecOps

Maria Schwenger of American Family Insurance discusses AI and its application to DevSecOps with Host Brian Dawson.

Brian Dawson: Hello. I'm fortunate enough to be here for another episode of DevOps Radio, sponsored by CloudBees. I'm Brian Dawson. Today, we have another exciting and very interesting guest with us, Maria Schwenger, Head of App Security and Data Protection at American Family Insurance, and also a guest for the upcoming DevOps World event, where she'll be giving a talk in our leadership track on “DevSecOps: An Ideal Use Case for Applying AI.” And I'm excited to pick that apart. Maria and I have spoken for a bit, we're gonna dig in a little bit more. Hello, Maria—how are you?

Maria Schwenger: Hello! I am well.

Brian Dawson: Great, great. To get started, can you give our listeners an overview of what your role is at American Family Insurance and a little bit of background on your career?

Maria Schwenger: So, today, my main role is to transform the application security and data protection space and build a new culture to bring it as close as possible to DevSecOps and to provide the capabilities to allow us to protect the American Family Insurance enterprises to protect our brand, applications, data.

My strategy is to build a culture of close collaboration, less controlling, more enabling our development team to provide high quality, which, in this case, includes security, and to provide a great experience for our clients. I personally am very passionate about modern data and application security, so you will hear me talking about application security frameworks, I present on conferences about this, except DevSecOps and digital transformation, of course. A lot of my colleagues know me for my cloud work. I used to build frameworks, platforms. The new paradigm of APIs, microservices, managing complex SaaS offerings, migrating data from on-premise to cloud.

I'm also known that I was part of IBM Watson, building artificial intelligence, or as we used to call them, cognitive APIs and frameworks as part of IBM Watson developer cloud. And I also started my career into the data space. Currently, I'm known as a leader in data governance. I'm skilled with working with very large database, data source, relational and non-SQL, and adoption of data stores on-cloud. Think about it from loading data, data cleansing, enrichment to efficient storage management and, of course, security.

Brian Dawson: Wow. That is—you know, I think, Maria, you need to find some more to do. That is an impressive background just, you know, all jokes aside, that’s an impressive background, and I wanna dig into it, especially modern DevSecOps and security, the application of AI in insurance and other spaces, because it’s pervasive.

But, before we do, let’s dig in a bit to your talk at DevOps World, and your talk, again, is called “DevSecOps: An Ideal Use Case for Applying AI.” First, let me ask why this talk? Why are you giving it, why is it important?

Maria Schwenger: Well, you might be disappointed, but my session actually is quite academic.

Brian Dawson: Okay. I love academic, by the way, but—

Maria Schwenger: I'm looking to prove that AI is a valuable accelerator for DevSecOps, possibly on the future path to reforming the way DevSecOps works today.

I think that most people would want to see the result of our experiments. I have a special slide when I show what was our target and what we actually achieved. And I also think that a lot of people would want to know what actually is on our interest and how we structured, what was our target when we attempted to apply AI within the DevSecOps space.

Now, to the second—to the first part of your question, actually, why this is important.

Maria Schwenger: Well, you know, think about it this way. The AI today is helping pilots fly planes, helping doctors be better, helping accountants. In the fun side, you know, we have the IBM Watson who won the Jeopardy! We have Go, chess, Texas hold ’em—so, that’s on the entertainment side, right?

But really the artificial intelligence—and I would also talk a little bit machine intelligence in my session—is the next big thing. The next accelerator in our technology, in probably every single space of the technology for the next decade.

Brian Dawson: Wow, wow. So, first, I'm intrigued. 

Now, let me ask—you did introduce machine learning and, you know, the abstract and a lot of sort of your focus that we discussed earlier used the term artificial intelligence. For our listeners and myself, do you have a simple way of explaining the difference between AI or artificial intelligence and ML or machine learning?

Maria Schwenger: Sure. So, let’s talk this way in terms of AI or artificial intelligence. For us, these are systems that allow the machines or the computers to imitate or act with human cognitive processes or perform tasks that usually are done by humans, typical for humans.

Now, we also have another slight deviation here. I mentioned that I'm gonna talk a little bit about machine intelligence.

Maria Schwenger: These are going to be systems that are enabled to learn proactively from certain inputs rather than like they've been programmed previously by linear programming, right?

Maria Schwenger: And after extracting of different amount of data, these inputs in different amounts of data—and here, we are gonna talk about using the machine learning approaches, right? Then we can, this machine intelligence is able to establish its own processes, and it arrives to its own conclusion.

Maria Schwenger: In the short term, machine learning on its side includes predictive analytics, data mining, deep learning, statistical modeling—these are usually the areas which people understood when they say machine learning.

Brian Dawson: Okay, and is it fair to say that, with AI, it’s more about modeling the cognitive processes, as you mention earlier, and machine learning, it is—is it fair to say it’s really driven around the inputs and expected outputs, and you can take a more direct approach to programming or use case based approach to programming machine learning algorithms? I'm sure I'm at least 90 percent off, but maybe you can help correct me.

Maria Schwenger: You're pretty close, but let’s try to put this one into perspective.

Maria Schwenger: So, when you say artificial intelligence, what is the definition of artificial intelligence? Artificial intelligence means senses, right? This is the natural language processing, the speech, the text to speech, speech to text, machine translation. We are talking about computer vision. We are talking about expert systems. We are talking about planning and optimization, we are talking about robotics.

So, the machine learning in this case is just one small portion of the deeper artificial intelligence that we use underneath most of the artificial intelligence approaches.

Brian Dawson: Awesome, thank you. And this is the benefit of my job is a free education from accomplished people like you.

Another theme—and we discovered before the show, but it’s also come up, and you have a very varied background. We can also look at your talk, right, and as you've mentioned, kind of this convergence of AI with other industries and other needs or practices such as DevSecOps.

I suspect that your—you know, that the wide view that you've already expressed and we discovered earlier is informed by that very background. So, I want to start to understand, or can you help me understand how you traveled that path from DBA—or databases, data—to cloud to DevSecOps, marrying DevSecOps with insurance? And you also are, I think, within that, very focused on just transformation, culture, soft skills, and change management. What—how did you travel that path? How did you end up covering all of that ground?

Maria Schwenger: Well, once you're a data person, you're a data person for life. So, that will be my answer. I followed the data in my career. So, I started my career as a database person, database developer, DBA, and I probably spent half of my life shredding data and stuffing it into tables, okay? That was the big relational database management system’s life.

Maria Schwenger: At the same time, as we know, 80 percent of the data in the world is non-structured. So, later on, I started to work on non-structured data. And instead of shredding it and stuffing it into tables—which I was very good at [Laughter]—I started to work on processing directly in structured data. And that also brought me to working in IBM Watson and my—this is where my interest in artificial intelligence actually came, too.

Maria Schwenger: So, follow the data would be my path. Now, talking about DevSecOps and the digital transformation—DevSecOps is just one way for me to bring my data to life, to bring it to people, to bring it in an optimized way, and to protect it.

Brian Dawson: So, tell me how cloud, how it takes you to your work with cloud migration, cloud migration strategy and your work in that space.

Maria Schwenger: So, the economics of cloud are clear, right? A lot of companies finally realize—and we are at the times when everybody migrates to cloud. But cloud is giving us, by its own definition, it’s given us an opportunity to really do a lot with the data, because we have a lot of data, so we can store more data. We can process faster more data. We can run complex machine learning algorithms that before, just because even if you don’t have the proper hardware, you don’t have the ability to run, right?

Maria Schwenger: So, the cloud is giving the data a lot of opportunities to provide the value back to the businesses.

Brian Dawson: Ah, well said. And is there a—so, we did focus on the data. Is it fair to say, though, that also, one of our constraints to date to really pushing the field of artificial intelligence and machine learning for it was also compute constraints, compute resources?

Maria Schwenger: Correct.

Brian Dawson: Is it fair to say that there’s also an intersect there?

Maria Schwenger: Yes. We're talking about compute, we're talking also about networking like—I mean, think about all those big payloads that we can go and load to, let’s say, to Google Cloud or to Amazon AWS, right? So, previously, processing of these big amounts of data with the snap of a finger was not possible.

Brian Dawson: Mm-hmm, mm-hmm. So, I want to stay on this track for a minute, but I'm gonna surprise you with something you probably wouldn’t expect. We're gonna dig into DevSecOps and, you know, the deeper technical aspects and learning of this.

But I first want to, I'm fascinated by this journey that you outlined, right, from a database engineer and beyond. And, you know, you also exist as a very influential female in this space where, unfortunately, the impact, which is numerous, that females have provided to computer science is often under recognized. And unfortunately, in certain spaces, women are underrepresented. Fortunately, AI and machine learning isn’t as much one of those.

But I’d like to ask, you know, what inspired and interested you to pursue computer science or STEM overall, and has there been anything of interest to call out or unique about your journey as a female in these spaces?

Maria Schwenger: So, this is an interesting question, and it’s really surprising to me, but my answer is all about the excitement I have about the women in technology. I think this is an area that traditionally has been underrepresented. And right now, there are so many wonderful women entering this space, developing this space, and excelling in this space, leading in this space.

Maria Schwenger: I have a joke for you. Early in my career, I had one of my colleagues naming me “the screwdriver lady,” because I was working on servers and I had a screwdriver, I was carrying, constantly, a screwdriver in my purse.

Maria Schwenger: One of those fashionable ones that you can change the tops, right?

Maria Schwenger: And I kind of laughed, I didn't take it as an insult, it was just a good joke for me. Because, you know, the same guy, he had a screwdriver, kind of one of those big ones, sticking out of his back pocket of his jeans. But one thing that I'm passionate about, and I try to support as much as I can today, is, like, women in technology movement. Like, Girls Who Code.

Maria Schwenger: So, this is—I think this is very, very important for us to persist having.

Brian Dawson: Yeah, and I think that’s an interesting thing that you bring up there, right, it’s that dichotomy, right? You're doing the same thing as your colleague, but we see, you know, Maria with a screwdriver as an exception—we didn't see your colleague as an exception. And it’s also while—there’s a mix, right? We're bringing this up in the context of, really, let’s skip gender and diversity—there’s a lot of great information that you have to provide us. 

So, I always worry about—look, are we making this an exception when I talk about my race, when I talk about your gender? But here’s—and I'm glad you said what you said. My theory is, is no, you're an exception because you're an exceptional contributor to this space, but we only bring up that you exist as a female in this space so we can make sure that we're clear that this is a space where everybody can succeed. It’s based on merit and what you can do, right? I would like any young listeners that listen to Maria or see Maria or listen to me to understand that you don’t have to fit what may be the predominant image to come participate and contribute to STEM. And so, Maria, I appreciate your success, your existence here, but also, you know, your willingness for me to surprise you and to engage on this topic.

So, alright, let’s get you back to tech. Let’s get you back to tech. DevSecOps—you know, we talked about DevSecOps, you know, the need. Look, you have what I'll just call, summarize as important IP that needs to be secured. And really, would it be fair to say, would you agree that practically every business today has data and intellectual property that needs to be secured?

Maria Schwenger: I’ll say no exception.

Brian Dawson: Okay. [Laughter] Categorically. Right, and so, that—actually, that gets into, you know, so, why is DevSecOps—actually, no, let’s not even go there yet. DevSecOps. Well, we've talked about DevOps. I think it’s pretty well captured in these same companies that we talk about that have data that need to be secured are companies that are adopting DevOps. A common question and point of discussion I’d like your point of view on is—why Sec in the middle of DevOps?

Maria Schwenger: So, that’s a good question, because, from a security perspective, security has been traditionally hard to do, right? In the past, we didn't have the great tools that we have today, but maybe we had a little bit more time. I mean, you know, we had months to patch our servers for example, right? But with the modern DevOps and the adoption of the agile practices, the security started to fall behind.

Maria Schwenger: Many developers felt that the security is no longer an enabler. I have a description of one of my colleagues. He turned to me one day and said, “You know, your security is a stick in the wheels of our team.”

Maria Schwenger: That’s the picture I see when you, you know, I talk about security. And so, of course, I was very disappointed and very unpleasantly surprised. So, even when I introduced myself to my colleagues usually, I would generally say I would like to be this enabler, to feel that the security is an enabler for the developer experience, to help the developer to be more successful and to release a high quality code because the security is part, an integral part of the high quality code.

Maria Schwenger: And so, this is how the DevSecOps term came to life a couple of years ago. You know, it was basically putting the Sec between Dev and Ops, because the security professionals were forced to hurry and to become this integral part of the DevOps culture.

Brian Dawson: So, why—that’s interesting, and I've sort of seen the same thing. Well, first, I actually, I want to underline and then circle. This is my op-ed, my soapbox. I love that you said security is quality, and in fact, enabling developers, right? If you strive to innovate to get code out, hopefully, you strive to get quality code out. And if you strive to get quality code out, then that should also mean security code, right? And to an extent, if we look at the underlying principles of DevOps, it is really about ensuring quality continually through the pipeline, right? But so, I—you know, again, underscore, highlight, make it bold—it is important security is quality.

But there’s an interesting thing you said at the end. You said we had to put the Sec in so security could catch up. I may have misphrased it, right, but it did indicate that we were talking DevOps and then the Sec came along later. Can you talk to us about why that’s the case?

Maria Schwenger: I don't know exactly why the security was left behind. I would assume that when we were working in a traditional waterfall model, there was more time, because everything was sequential. So, we had more time to do security. Into the DevOps cycle, think about that—every sprint, every small iteration needs to consist of the security cycle as well. So, we need to take the security cycle and fit it into each of the sprints that we have.

Maria Schwenger: Right? And then, also, keep in mind the rapid acceleration of security today. Today, we are talking about a modern application security approach. We're talking about things like zero trust. Everything has a code, everything is a service. We have a huge open source field to adopt and to grow upon.

Think about, also, how rapidly the developers are releasing code today, and that’s why the security is behind, because the developers are releasing code much more rapidly today. And at the same time, the attackers are way more sophisticated and much faster than before. I mean, think about it this way—one of the CVEs I was reading about today I think was this year’s CVE, I think, was 5902 or something like that. Since it was announced and until the moment it was exploited was, like, two days.

Maria Schwenger: You know, usually, we have CVEs or CWEs into the security space, not exploited for months or years, right? So, we have a lot of more heat coming to the DevOps team to become DevSecOps teams.

Brian Dawson: Mm-hmm, right. Okay, the business pressure is there. The external landscape has changed, and is it, are businesses realizing, like, we talked about, there’s not a business that doesn’t rely on software and data, so there should be no businesses that are not prioritizing DevSecOps.

Maria Schwenger: That’s correct.

Brian Dawson: Okay. And are we finding that people are getting better at it are kind of the business leaders and the business itself, better supporting and encouraging DevSecOps practices, or is there still—

Maria Schwenger: Well, I would say also that the businesses are actually demanding DevSecOps, because that’s their only way to, for a quick time to market. This is the only way to release rapidly and beat the competition and cut on the cost, right?

Brian Dawson: Okay, right, right. Okay, so that’s interesting. So, now you, yourself, have spent time as a DevSecOps transformation leader, and while I think, as you said, we're getting to a place where businesses are not just requesting or encouraging, they're demanding it, but I assume that the path there hasn’t always been easy. So, what are some of the most common mistakes that you've seen, you know, enterprises or businesses make in their effort to implement a DevSecOps model?

Maria Schwenger: So, maybe this answer is a little bit unexpected, but I will answer this question in terms of the people element.

Brian Dawson: Yes. I'm interested.

Maria Schwenger: The people and the process element, because usually, when you talk about DevSecOps, you talk about automation, acceleration of the business goals. But the DevOps or DevSecOps in this case can never be successful unless we bring the things together in a real human collaboration. The core definition of DevSecOps is to bring all minds together, to accelerate the business based on our agile principles, for example.

To put everything together in one coherent execution—so, having this real collaboration will be the very first best practice I would manage.

Brian Dawson: Awesome, okay. 

So, that’s interesting that you call the first best practice a focus on people. How are organizations doing at focusing on that first? You know, are they getting better at it, are they doing good, or are we still seeing people focus on the technical implementation before the people?

Maria Schwenger: I would love to believe that we—all of the leaders would start with the human element. But there is another controversial point, here—think about it this way. Part of DevOps is aiming automation, automation, automation, and really, this means removing the human element out of the process.

Maria Schwenger: That’s kind of interesting, right? First of all, we are saying, “Oh, we need all the people to come together in one great collaboration” and then we still say, “No, no, no—now, we are gonna remove the human element out of this process. We are gonna completely automate it.”

So, I think that these are two interesting, conflicting parts, maybe, but they're both part of the successful building of DevOps or DevSecOps.

Brian Dawson: Okay, yeah, so what I—you know, in my experience, you have to have both. You can’t kind of partially do one, implement all the technical foundation and be successful, so I'm perfectly aligned with you.

Now, look, to give you a scenario, though, kinda get a little more into the “what,” which you've hit on. I'm a developer. I also act as our team’s build person, I've brought in Jenkins, I've built the pipeline. And you know what? I got my company to buy HP Fortify, and we scan. I also do cyclical code checks, make sure that there’s no vulnerable code. So, I'm done, I'm doing DevSecOps. Is that correct?

Maria Schwenger: Maybe in a limited fashion. I would say that—okay, no offending here, but this is an old understanding of DevSecOps or security application, security in general.

Maria Schwenger: So, today, I think that it’s self-understood that everybody is gonna have some type of application security scanning like SAST, DAST, composition analysis for open source and third party products. So, that’s kind of self-understood, it’s kind of a—yeah, you have it. We need to scan and we need to do remediation. It’s self-understood that you have pen testing.

Maria Schwenger: But there is quite more to the modern application security approach. Because think about it this way—we have a widely increased attack surface due to the new technologies. API, cloud native, containers, Kubernetes—all of this increases the attack surface that we need to protect.

Maria Schwenger: And, you know, we are talking also about configuration management being a problem or being a base for application breaches. We're talking about zero trust in all new implementations. So, there is a lot more to this modern security approach, and some of the enablers that I can mention about that is a lot of automation around the security—so, automated security scanning, proper security tools and processes.

Even every company to roll a company-wide SSDLC, secure software development life cycle processes, the big principle of shift security left and proper exception handling, policy compliance and auditability, production application and protection, end to end application security. So, these are some of the enablers of the modern application security approach.

Brian Dawson: Okay, okay. And it’s interesting that you use the word enablers of the modern security approach, because those areas themselves—and I guess I'll put this somewhat clumsily—are extensions that need their own attention to protection.

Maria Schwenger: Correct. And I told you in the beginning, I'm all about presenting the security or making the security part of DevSecOps being an enabler for a better [Cross talk] and a better quality of the code.

Brian Dawson: Right, right. So, I'm gonna shift, because I know there’s a couple of things I wanna get through. Moving forward a bit—well, first, actually, we stopped at best practice one. Are there any other key best practices that you can share with us that you've picked up as a DevSecOps transformation leader that could help the rest of us get to where we should be in terms of security as an enabler?

Maria Schwenger: So, I'll go with a joke. You know, we talk about DevOps and then we go, we talk about DevOops.

Brian Dawson: [Laughter] Yes.

Maria Schwenger: And joke on the side, one of the main DevOps principles is actually fail fast.

Maria Schwenger: And I would want to say that the DevOops is actually a normal face of the DevSecOps process. We do have a lot of good books, a lot of good knowledge, strong DevOps or DevSecOps community, of course, but we all learn as we go, our environments are quite specific and they vary, and so, the fail fast, take the lesson and run with it is probably also one very important principle.

Maria Schwenger: We already mentioned a little bit about automate everything, you know? And we also mentioned the collaboration. There are probably a lot of other important things, but these are on the top of my list.

Brian Dawson: Those are—well, thank you for sharing those. Now, we're actually in, when we talk DevSecOps and security, considering the times that we're in with COVID-19, the pandemic sort of shaking up other organizations and their priorities—in fact, I think it was the CEO of CloudBees I was talking with who sort of described COVID and the pandemic as our chaos monkey for our businesses, right? This is where we're testing how resilient and sound our businesses are, and some have responded by shifting priorities, speeding up their digital initiatives, becoming hyper focused on what the need of customers are at this time.

In regards to DevSecOps, where do you see the current times pushing evolution of DevSecOps and cyber security?

Maria Schwenger: So, COVID-19 really changed everything—the way we work, the way we shop, the way we dress. And this, speaking up, impacted in a both positive and negative way, unfortunately.

So, the acceleration of the digital transformation, I would say this is good. The businesses have always looked to the digital transformation processes for cost improvements, getting their companies to be more efficient, to have more online presence and engagement with their customers, mobile, online. And with COVID-19 right now, this is not a choice. This is now a matter of survival. It’s a new way that we need to start thinking about our businesses.

Being more efficient in the DevOps area is no longer an option, either. [Laughter] We need to get not only more efficient, but also more secure. We are working from home, most of us. We have seen and had to handle a lot of cases of escalating security issues today, being with Zoom is our main communication and, you know, meeting tools or the escalated number of cyber security attacks lately.

Having cloud applications properly secured has turned out to be a mandate today.

Maria Schwenger: And pay more attention to the application security is even much more highly required than usual. We also already mentioned that the attackers are getting more sophisticated, and that really puts a lot of heat on the DevSecOps teams to come up to par.

Maria Schwenger: That requires much staff, much faster patching, involves more rapid testing, and general awareness.

Brian Dawson: So, it sounds like there may be a silver lining to this or at least, you know, the businesses that have responded in general to these crises and made changes to survive, such as pushing digital transformation will also be the businesses that push DevSecOps to a better place as we move beyond this current crisis. Would you agree?

Maria Schwenger: Absolutely.

Brian Dawson: Yeah, yeah. So, you know, shifting yet again, because I know I'm gonna have to let you go soon, I do want to circle back to the talk that you're gonna be giving at DevOps World. And while we dug in, I'm hoping that you can share a bit—not all of it, don’t give the listeners all the information, we want them to see the talk—but can you share a teaser about what you're gonna cover? I mean, in particular, you talk about many companies are just taking initial steps into DevSecOps and others are questioning the practical value AI could bring. Could you talk a little bit to what the value AI can bring to DevSecOps?

Maria Schwenger: Well, that would be too revealing. 

Brian Dawson: Okay. [Laughter] 

Maria Schwenger: But I will tell you what I would challenge data scientists to understand and to come up with their own opinion about. The question, my problem statement is going to be, “Can AI drive the future of DevOps?”

Maria Schwenger: What is the value of an AI powered DevOps today? What are the best use cases to apply AI and DevOps? And things like can the AI expand the human capabilities, which is the main point, but into the DevSecOps area?

Maria Schwenger: And I'm just going to show very little about our experiment, what was our starting point. We wanted to figure out if AI can really play a crucial role in accelerating the DevOps efficiency, in two main areas. You know, we had some common DevOps metrics and tasks, but can AI give us a different point of view of looking at these traditional metrics and tasks? And then on the other side, can we create new DevOps metrics and tasks based on AI or ML capabilities? And I'll just stop there.

Brian Dawson: Ah, see, you got my brain going. I wanna say yes and I wanna start to share ideas, but I won’t. No, that’s compelling—that was really a teaser. I thought you were gonna give us something to nibble on, but you, actually, what you gave us is for us to ponder it ourselves and then hopefully during the talk—well, actually, not hopefully—during the talk, you'll be there available for Q&A. So, I'll double down on that homework assignment. Listeners—think about that. Go to the DevOps World agenda, identify when Maria’s talk is, and present your thoughts there.

Maria, as we get ready to wrap up, you mentioned DevOops earlier, so I have to ask you about your DevOops. What a DevOops is is, a Dev-O-O-O-P-S. DevOops! And it’s really a time in your career when you ran into a software development technical challenge or just a career faux pas that you learned from and hopefully our listeners can learn from as well—do you have something to share?

Maria Schwenger: Yes. I can share my last big learning, and it’s a good lesson. You know, you're a developer. You naturally have a tendency to build everything yourself. But today, we have a wide open source community, and it’s important for people to adopt this open source way of thinking. You know, somebody comes to an idea, I'm gonna come and help this idea, I'm gonna augment it, somebody else is gonna augment it, we're gonna come up with something much more greater.

Maria Schwenger: And you also have vendors that are on the market for DevSecOps tooling, security tooling, right? And so, my last lesson as a leader was to carefully consider when we should build something custom and when we should just use what is already on the market. It doesn’t matter if this is an open source or a vendor product.

Brian Dawson: So, now, I'm curious, because you left me with a teaser, I'm gonna push you a little harder, Maria, and ask—can you…so, that’s an important point not to discount it. I think that’s very important, and in fact, I wanted to say, if you could just imagine if every time you needed something, you know, span of history, we didn't leverage prior work or prior, we didn't work with others, we’d be in a completely different world. So, I think working together, building upon advancements is important.

But I do want to challenge you to be vulnerable enough to share with us when have you made a big mistake and overcame it?

Maria Schwenger: I would say that that’s more on my personal, not on the professional side.

Maria Schwenger: One thing that I believe it was a mistake from my side is, every time I take something more personally, that’s an oops, right? Because think about it this way—when you are invested into what you are building, it’s your baby, it’s your work, it’s your thoughts, it’s your time. And it’s easy to get, I guess, personally involved. And so, when somebody comes and criticizes this baby of yours, it’s very easy to take it more personally than it’s needed. And being able to step back and laugh it out and say, “Yeah, but you know, that’s life, that’s how life works” I think is a good lifetime lesson.

Brian Dawson: Yeah, I think that’s great. I think, you know, it ties back to your other learning, right? It’s, we have to be able to work together. We have to be able to work together to make advancements. To be able to do that, you have to detach yourself enough to be able to take constructive criticism in pursuit of doing better. So, I love that you shared that personal—I wasn’t sure where it was gonna go. I love that you shared that, because it ties all the way back to what you've talked about with people and culture and DevSecOps and the leveraging of OSS, so thank you for sharing that.

I'm gonna hit you with one more. Now that you've given that to our audience, could you also share a book or other resource such as a podcast or blog that you believe is a must consume, a must-read for the audience?

Maria Schwenger: Well, that’s not fair!

Brian Dawson: [Laughter] 

Maria Schwenger: I mean, how can I go with one?

Brian Dawson: Okay, you can have two if you must.

Maria Schwenger: [Laughter] So, assuming that right now the security and the digital transformation are my part so, selfishly, I will kind of recommend books on the DevSecOps and the digital transformation. So, depending on the maturity level where we are in our DevSecOps development, I think that everybody, it’s a must read, The Phoenix Project. You know, this is the story about IT, the operations, and how a team that is under the pressure to win or to get outsourced finds the right path to so-called DevOps, right?

Maria Schwenger: Another, very good introductory book is going to be Secure DevOps by Julien Vehent, the Mozilla security team.

Maria Schwenger: Which teaches us the techniques to integrate the security directly into our product. I really love this book. This is one of my favorite books. I would assume that everyone has already reviewed the traditional DevOps classics like The DevOps Handbook, the Accelerate book.

But for the leaders, I would probably want to recommend the book called Measure What Matters by John Doerr, because it introduces some of the key concepts about the management in the transformational space, the OKRs, the scalable methodology that allows the leaders to set their goals and to achieve, to work on achieving the transformation at scale.

Brian Dawson: Awesome. Thank you for sharing those. And OKRs, objectives and key results, I'm gonna—as I've been doing, I committed to a contract of some things I was gonna talk about, but then I mostly surprised you with things. I'm gonna surprise you with one more—is there a place that somebody new to and interested in the topic of artificial intelligence and machine learning, is there a book or a site that they could go to to start to get informed?

Maria Schwenger: Okay, so, I'm gonna go on the other side, here. I'm gonna say there’s a lot of reading about it, but my advice about artificial intelligence and machine learning is that reading is okay, but up until you get your hands dirty, you actually try some of the artificial intelligence API that every cloud provider has today, almost, you have to do that. That’s the best learning trajectory to take.

Before, only specific people were able to try that. Now this is available for everybody. That’s a democratization that we really need to appreciate and use.

Brian Dawson: Yeah, that is interesting that you said that. I think it came up on a conversation that I had with ThoughtWorks Chief Strategy Officer Chad Wathington—it’s advanced so much. It used to be inaccessible, and I think a lot of people don’t know that there are fantastic APIs available from the major cloud providers as well as in the open source community. So, I was excited myself, not having spent a lot of time on keyboard recently to be able to spend a weekend and jump in and be able to play around. So, I love that suggestion, and it’s benefited me.

I also, it leads me to want to ask you—do you still put hands on keyboard or do you still metaphorically carry your screwdriver?

Maria Schwenger: Well, I do carry the screwdriver.

Brian Dawson: Okay. [Laughter] 

Maria Schwenger: I just had a case when there was a job written in Scala and a person from my team was having a problem and couldn’t fix it. And so, I said, without any context, you know, I just said, “Well, send me the job, I'll take a look at it.” “Oh, but this job is in Scala.” “Okay. Scala is like easy Java—come on, send it to me.” “No. Are you sure? You can’t do it.” And I smiled, and I said, “Hey—try me.”

Brian Dawson: Right, right. [Laughter] 

Maria Schwenger: And I was able to fix the job and everybody was very surprised. And I don't know why—I don’t believe that anybody thought that I can actually fix it. But all knowledge is all knowledge, you know? You're a programmer all your life, right?

Brian Dawson: Yeah, yeah. I’d say the funny thing is, I am—all this talk about polyglot coders, right? And being able to understand multiple languages is great, but I'll tell you what I'm of the opinion of—knowing the language is not as important as knowing how to identify, attack, and solve problems. The language is just access, and I think in that sense, we all are, but that is actually an awesome story, and I'm sure it—even though it wasn’t your pursuit, I'm sure there are people around you and colleagues that gained that much more respect knowing that you're not sitting there in an ivory tower but you can actually get in and work it out with them, so that's awesome.

You know, I do have to let you go, due to this thing called time, but before I do, do you have any final thoughts to share with the listeners?

Maria Schwenger: Well, of course, I would like to invite everybody to come to the session, to listen to the session. And as any other technological space today, the DevSecOps area is rapidly evolving. And this is one of the reasons why I decided to dedicate my session to this advanced topic using AI to mature the DevSecOps. But this is a way for us—again, we should never stay just from the plain technological side, we should translate the technological achievement in meaning of what that means to the business.

Maria Schwenger: We want to allow the business to get a rapid, but also smart way to release software. And when I say smart, I mean more automated, more secure, less expensive, more efficient. And, of course, I'm excited about that and I would love every single question, and I will try to answer every single question when you guys come to the session.

Brian Dawson: Okay. I may come. I know I had a chance to ask a lot, I'll have to leave some for the audience, but I may come surprise you with some more unplanned questions. So, be prepared. 

And, for those that are listening, which is hopefully—I'm sorry, for those that are listening who are now interested in hearing Maria’s talk since she teased us and didn't give us all of the answers, that talk will be Wednesday, September 23rd, at 9 a.m. PT. If you're interested in attending that talk and other DevOps World sessions, you can visit DevOpsWorld.com and register. The event will be free and there will be tons of valuable information, similar to what Maria has shared with us today.

Maria, thank you for your time. I've really enjoyed it, and I look forward to not only seeing your talk but hopefully getting to talk to you some more in the future.

Maria Schwenger: Thank you very much.

Brian Dawson: Bye

Maria Schwenger: Bye






Brian Dawson

Brian is a DevOps evangelist and practitioner with a focus on agile, continuous integration (CI), continuous delivery (CD) and DevOps practices. He has over 25 years as a software professional in multiple domains including quality assurance, engineering and management, with a focus on optimization of software development. Brian has led an agile transformation consulting practice and helped many organizations implement CI, CD and DevOps.
