Software Supply Chains [#Log4Shell]

Our scheduled topic was supply chains generally, but the Log4Shell vulnerability dominated the discussion. We dove into the challenge of patching and fixing a library that is literally in nearly every device or service for years and years.

That led us to supply chains in the context of software, and specifically Java Log4j. This is a critical topic and our conversation about it was very thoughtful. We really covered the angles of what it takes to produce and maintain a supply chain for software. Then we discussed alternatives and things to consider when you building anything: software products or physical products in which embedded systems and components impact your designs.


Broader Impacts of AWS Outage

We discussed the Amazon outage of December 7. Instead of simply blaming Amazon, we went looking for how the outage impacted people globally. We considered how hyper scalars are being treated and how these outages can be avoided or understood. We focused on who is impacted and what companies who are building on top of Cloud providers can do going forward.

We really took a classic Cloud 2030 approach for a very important and timely topic. Enjoy our discussion about the business impacts, understanding of the market and forward looking approach.


What is Platform Engineering?

What is platform engineering? And why is it necessary and how to make it work compared to DevOps.

In this conversation, we really hit on the challenges of creating automation teams for building automation in scalable ways. Frustratingly, we never really came up with a particularly good answer to “what is a platform team” and why you should care. Strangely, your organization is probably building one.


A Path for Cloud Standardization?

We discuss standards, de facto standards, and cloud standards. It comes down to how we are creating repeatable results for the cloud marketplace.

Ideally, we’re creating marketplaces where standards can be shared. We’d consider Amazon as the primary example, but we also talk about hardware and Kubernetes which have their own marketplaces.

Ultimately, we asked if we are creating standardized cloud infrastructure? The short answer is no.


Securing Software Supply Chains

Today we talked about supply chains, but mainly security and the security aspects of supply chains because we have a very serious challenges here.

We have made software and on boarding software for developers so easy, but haven’t put the same efforts in how to manage production systems! The team really talked about what it takes to build production systems that respect security, supply chains, dependency graphs, and inclusion in a way that cross teams.

It’s an incredibly important topic, and it is the foundation of any successful supply chain hardening effort.


Serverless At The Edge

Serverless at the edge, part one. This is a dynamic and engaged conversation with key questions like:

What is serverless?
Do we need serverless?
How is edge serverless different than cloud serverless?

We see edge environments as collecting data from sensors that needs to be heterogeneous, multi vendor, dynamic and centralized. But where centralized?

I think that the serverless aspect of this really drives home the idea that we need to be able to make small, quick, easy updates into an edge environment into a sensor environment. But how we accomplish that is still to be defined.


Ops Research and Mapping

We explored Operations Value mapping. This lead to an a very interesting discussions of complexity budgets and how to measure complexity budgets. This includes managing supply chain, and value pipelines, and system coupling.

Complexity budgets could be a very powerful measuring tool for understanding operations value In an organization. Overall, this helps you explain the cost of complexity to organizational leadership.


Can we Secure SaaS? RE: facebook & Twitch

During this 20 minute check-in we dive security and SaaS infrastructure.

Can we protect the secrets that people are trusting to SaaS providers to store for us? The topic was inspired by the Twitch leak where a lot of sensitive information was exposed exposed to the public. That comes on the heels of all sorts of other leaks, compromises and down time on systems.

Overall, it seems like bad news is coming faster and faster for operators. The fundamental question is NOT can we trust a SaaS provider to secure information. We know the answer is NO. But what to do about it?

Photo by Joy Marino from Pexels [ID 3054158]

You need an IaC Pipeline! [KubeCon & VMworld retro]

We talk about Infrastructure as Code through a Kubernetes filter. We started with a check in on KubeCon and VMworld, both of which had just ended. Both of those shows are very relevant in our IaC discussion and considerations because we dig into how we build on those platforms.

Ultimately, that lead to the idea of pipelines and processes for building sustainable automation and operations. That got into very interesting places!

Photo by Evan Velez Saxer from Pexels [ID 7417579]