Deploying the Swift Method to Modernize a Singapore Government Legacy System - Good description of what it feels like to be stuck in the legacy trap: “The [Singapore] government agency in this case study faced a similar issue with a legacy system that supported critical business processes, integrated with other business-critical applications, and was developed and maintained by third-party vendors. Over time, the codebase had become highly coupled within different business domains and contexts, making it difficult for developers to work on. This situation led to product development squads being slowed down by dependencies on the support team for this legacy system. The development squads also lacked confidence to make changes to this system themselves—given the low automated test coverage—and faced uncertainty about what they would be able to deliver for their own work streams independently.” You can see the original talk this is based on here.
Only 22% of software developers say they have a clear understanding of what they need to do to comply with security policy, that is, to make sure the applications they're writing for their organization are good in a security sense.
Now, it'd be easy to say the developers are just dopes and they don't know what they're up to. But I think what this is indicating is that figuring out how to practically do security policy at the software layer is difficult.
And that's where this concept of “shift left” comes in.
The idea of shift left comes from the Extreme Programming and agile world, where you bring unit testing closer to developers, and then from DevOps, where you do the same with automation and configuration, and even releasing and managing software.
You're bringing all of that “left” in the application lifecycle, close to when the app code is being written.
That kind of literally makes sense. But nowadays, when you start hearing about shift left for security, that shouldn’t mean having the developers take on even more responsibilities.
If only 22% of them even know what they should be doing, you should probably not ask them to do security things. My colleague Darran recently called this “shift left and leave.” Instead, I think you need to “shift left and stay.”
What shift left means in a security and compliance context nowadays is moving your security and compliance activities closer to that part of the application lifecycle, where the coding is actually done.
What this often means is automating a lot of the checks, and also enforcing a lot of the compliance requirements you have. You do this with things like default templates, and by setting things up so your developers can take full advantage of how cloud native architectures let you split up and divide things. Darran and I discussed what that means in our talk today.
There's another thing that Richard Seroter mentioned recently, which is the idea of “shifting down”: if you have the opportunity to just build something like security and compliance into the platform, removing it from anyone's concern, you should definitely focus on that. As analogies, think about very basic layers like file services, networking, even the way that UIs are rendered on screens. All of these have been “shifted down” into the stacks that app developers use. This was not always the case!
So if you're thinking about shifting security left, which people sometimes talk about as “DevSecOps” or even “secure software supply chains,” don't assume that means having your developers do a lot of work. Remember: only about 22% of them really know what that means!
Instead, think about how you can go back into the application lifecycle and add security earlier. There are a lot of new capabilities you'll have if you're using cloud native architectures, platforms, and thinking.
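To make the “automate the checks, enforce compliance through default templates, and build it into the platform” idea concrete, here is an added example (mine, not from the talk or from any product named in this newsletter). It models a platform-side check that fills in secure defaults on a deployment manifest before checking it, so a developer who relies on the template passes without doing any security work, while one who explicitly opts out, or pulls an unpinned image from outside the (hypothetical) internal registry, is flagged. The policy values, the registry prefix `registry.example.internal/`, and the sample manifest are all constructed for the example.

```python
import json

# Secure defaults a platform team might bake into its deployment templates
# (constructed for this example; not a real product's policy).
SECURE_DEFAULTS = {
    "runAsNonRoot": True,
    "privileged": False,
    "allowPrivilegeEscalation": False,
}

# Hypothetical internal registry prefix; images from anywhere else are flagged.
ALLOWED_IMAGE_PREFIXES = ("registry.example.internal/",)


def apply_defaults(container):
    """Return a copy of a container spec with any missing securityContext
    fields filled from SECURE_DEFAULTS. Explicitly set values are kept, so a
    developer who opts out of a default is still caught by check_container."""
    merged = dict(container)
    sctx = dict(merged.get("securityContext") or {})
    for key, value in SECURE_DEFAULTS.items():
        sctx.setdefault(key, value)
    merged["securityContext"] = sctx
    return merged


def check_container(container):
    """Return a list of policy findings for one container spec (empty = OK)."""
    findings = []
    sctx = container.get("securityContext", {})
    if sctx.get("privileged"):
        findings.append("privileged container")
    if not sctx.get("runAsNonRoot"):
        findings.append("container may run as root")
    if sctx.get("allowPrivilegeEscalation"):
        findings.append("privilege escalation allowed")
    image = container.get("image", "")
    if not image.startswith(ALLOWED_IMAGE_PREFIXES):
        findings.append(f"image not from an approved registry: {image}")
    # Look at the last path segment so a registry port (host:5000/img) does
    # not count as a tag.
    last_segment = image.rsplit("/", 1)[-1]
    if ":" not in last_segment or last_segment.endswith(":latest"):
        findings.append("image tag missing or 'latest'; pin a version")
    return findings


def check_manifest(manifest_json):
    """Parse a JSON manifest, apply the platform defaults to every container,
    and return {container_name: [findings]}. An empty list means compliant."""
    manifest = json.loads(manifest_json)
    results = {}
    for container in manifest["spec"]["containers"]:
        merged = apply_defaults(container)
        results[merged["name"]] = check_container(merged)
    return results


# Constructed sample manifest: "api" relies entirely on the platform defaults;
# "debug" opts out of them and pulls an unpinned image from an external registry.
SAMPLE_MANIFEST = json.dumps({
    "kind": "Deployment",
    "spec": {
        "containers": [
            {"name": "api", "image": "registry.example.internal/payments-api:1.4.2"},
            {
                "name": "debug",
                "image": "docker.io/library/busybox:latest",
                "securityContext": {"privileged": True, "runAsNonRoot": False},
            },
        ]
    },
})

if __name__ == "__main__":
    for name, findings in check_manifest(SAMPLE_MANIFEST).items():
        print(("OK  " if not findings else "FAIL"), name, findings)
```

The point of `apply_defaults` running before `check_container` is the “shift left and stay” part: the secure posture is the template's job, not the developer's, and the check only has to catch deliberate deviations, which is also where the review conversation is actually worth having.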
In the face of volatility, CFOs—and their organizations—adapt- Belt-tightening watch. Lots of micromanagement and management by finance metrics ahead: “In the year ahead, CFOs plan to increase their focus on operational value drivers, management of KPIs, cash management, and capital structure. Other priorities have decreased in importance since Q3 2022.”
IBM takes on AWS, Google, and Microsoft with Watsonx - If it works, lets enterprises build up huge, custom-trained models, and has enough governance controls, it'd be a big deal for IBM. The key thing learned from ChatGPT is that it has to be super easy and frictionless to get started with. That's difficult for enterprise software makers, and it's also hindered by governance, access control, and pricing per seat and data access. To be valuable to individuals, a company will need to put as much of its data into its models as possible. If you're just querying your own email and files, it won't be impressive enough to show long-term value to individuals. And if you restrict the model to just a handful of people (as is done with most corporate data), then it also will be hard to show long-term value. This will freak out security people and lawyers. Back in the 2000s, when file sharing in enterprises (like SharePoint and intranet search) became popular, there was a wave of people freaking out that documents previously hidden in plain sight were now findable.
Beware the Digital Whiteboard - The assertion: writing with whiteboarding/sticky notes is not good, and can lead to leaky abstractions. Seems more like a “right tool for the job” thing, plus the usual garbage in, garbage out, regardless of the tool used to process the garbage.
Talks I’ll be giving, places I’ll be, things I’ll be doing, etc.
July 19th Improving FinTech with cloud native think, speaking. July 19th Stop Tech Debt and Start Using Faster, More Secure Paths to Production. August 21st to 24th SpringOne & VMware Explore US, in Las Vegas. Sep 6th to 7th DevOpsDays Des Moines, speaking. Sep 13th stackconf, Berlin. Sep 14th to 15th SREday, London, speaking. Sep 18th to 19th SHIFT in Zadar, speaking. Oct 3rd Enterprise DevOps Techron, Utrecht, speaking.
I’m writing the MC script for our upcoming SpringOne conference keynote session, it’s part of VMware Explore this year. And I’ll be co-MC’ing it as well. Writing a script like this is fun, and unique, sort of. You have tiny slices of time between talks where you follow a pretty basic format: (1) wow, how about that!, and, (2) here’s what’s coming next! There’s the opportunity to throw in a couple of fun easter eggs (I snuck two into last year’s SpringOne MC script). And then at the end, of course, you tell people when and where the free drinks and snacks party is.
I don’t write scripts much, at all, so doing that in the past few years has been something new to learn. Also, for the last SpringOne I worked on our CEO’s talk, which was especially educational. It’s interesting to put yourself in the head of someone else by learning their presentation style, mixing it in with what you know they like talking about and that they can talk about well, putting in the company strategy and then adding your own perspective and, like, “spin” on it. Then you see (as with the CEO and the two MCs) them present it, and you close out a very educational feedback loop.
Anyhow! You should come to SpringOne this year to see it all gel together :)
Our final talk in our software stuff for financial organizations is coming up tomorrow. Above is a little anecdote that Darran made to me as we were working on it. If you’re into security, compliance, that kind of thing, check out the third part of our series: “How Cloud Native Improves & Ensures Security, Governance, and Trust in Finance.”
Recently, I've been complaining that I can't use ChatGPT to summarize things anymore because it won't pull from URLs. This was what I used ChatGPT for the most when it first came out. It was amazing! It's good for more than just summarizing. I'd also use it to see if I wanted to spend the time to actually read the article in more detail; the ChatGPT summaries are a little shallow, of course, but they'd be good at telling me if it'd be worth reading more. Second, if you use the same chat session for multiple summarization requests, you can keep a log of things you've looked at and ask things like “make a list of things I summarized today” or “what are some common themes,” etc.
Anyhow, this stopped working several months ago.
But now you can do it again! If you have plugins, enable Link Reader, and then it'll work again.
Instead of creating a new chat window for each article, I create one chat window every day or so where I just keep getting summaries. I'll rename the chat something like "20230710 tl;dr" with the theory that I'll go back and look at these someday.
Here's the prompt I've been starting the chats with: "When I paste a link here, retrieve the text of the article and summarize the article in detail using bullet points. Simplify and clarify the writing. Output in rendered markdown. Start by listing the title of the article and make the title of the article a link to the URL. Then write a paragraph summarizing the most interesting/novel points, and then make a bullet point summary of the article."
With that, I can just copy-paste a URL in there and get summaries.
Headstone: “Ran out of Takes.”
We think of the hype cycle more in terms of time and maturity of new tech. A neglected point of it is that most new technology comes with unrealistic hopes and dreams, like 20x reality. That is: most new tech will be a lot less groundbreaking than you think. Thus, when the new tech fails to deliver on its promises, the new tech isn't so much a “failure” as your early calibration of its outcomes was.
Pulling On Threads - I forgot about the “bring your whole self” thing.
Unleash developer productivity with generative AI, McKinsey survey - Their survey says it’s good in four areas: Expediting manual and repetitive work, Jump-starting the first draft of new code, Accelerating updates to existing code, Increasing developers' ability to tackle new challenges.
Adopt Platform Engineering to Scale Application Security Practices - “Gartner Survey Data Reveals a Missed Opportunity - Platform teams focus on improving developer experience, developer productivity, software quality and delivery speed. According to Gartner’s 2022 Software Engineering Leaders Role Survey, only 25% of respondents cited “reduced security risks’’ as one of the top three goals for platform engineering and only 6% ranked it as the topmost goal.” // Here we are, about to finally have a moment that’s just focused on making appdev better, and of course security has to come in and try to grab all the attention. This already happened with Kubernetes in the past few years. And: maybe it was a good idea to keep all this stuff separated in its own team so that each team can focus.
Steve McQueen by John Dominis - That guy made being cool look easy.
Island Series: 6 Pack - These look like more amazing notebooks from a boutique shop.
Threads, The Fastest Growing Product Since ChatGPT - ‘Threads, it hit 30 million sign-ups in less than 24 hours, which would be 60x faster than the 60 days it took ChatGPT to hit 30 million (as I hit send, I'm seeing rumors it's passed 50 million, but nothing's been confirmed yet)’ // This characterization is a little unfair. If Threads had just been a feature added to the Instagram app, no one would be calling those sign-ups. A sign-up should imply that people wanted something so bad that they put up with the friction of creating a new account. But, whatever: the point is still valid. // Also, this is a take on Threads with a positive tone instead of the usual shit-all-over-it mission.
ChatGPT web traffic falls 10%, analytics show - Indeed. I think I've found the limitations. The main one is the limit on the text you can feed it. If I could build up my own training data, that'd be something! The Link Reader plugin solves the summarizing-web-pages problem that I was having. What needs to happen now is just to get it integrated into enterprise software, and all the data ownership and privacy stuff that goes with that. That'll take at least six months, if not a year, to get through the security, legal, etc. people. So, check back in 2025?
Scratch Pad: Fireworks, Bootlegs, Spock - “I remain convinced that most categories of online services are akin either to hair salons, to grocery stores, or to movie theaters.”
Porter’s Five Forces and the social web - There’s something interesting to do here in applying Porter to contemporary tech.
Talks I’ll be giving, places I’ll be, things I’ll be doing, etc.
July 11th How Cloud Native Improves & Ensures Security, Governance, and Trust in Finance, online talk. July 19th Stop Tech Debt and Start Using Faster, More Secure Paths to Production. August 21st to 24th SpringOne & VMware Explore US, in Las Vegas. Sep 6th to 7th DevOpsDays Des Moines, speaking. Sep 13th stackconf, Berlin. Sep 14th to 15th SREday, London, speaking. Sep 18th to 19th SHIFT in Zadar, speaking. Oct 3rd Enterprise DevOps Techron, Utrecht, speaking.
See y’all next time!