From YouTube: State of DevSecOps: The Seventh Deadly Disease -featuring John Willis (Red Hat) aka @botchagalupe
Description
State of DevSecOps: The Seventh Deadly Disease
Speaker: John Willis (Red Hat) aka @botchagalupe
https://commons.openshift.org/sig/DevSecOps.html
The OpenShift Commons Gathering was held on Jan 29th, 2020 in London, UK, and featured guest speakers from local customers and users. The OpenShift Commons Gatherings brought together 300+ experts from all over the world to discuss container technologies, best practices for cloud native application developers and the open source software projects that underpin the OpenShift/Kubernetes ecosystem.
https://commons.openshift.org/gatherings/London_2020.html
Hey, good morning, all. Yeah, so this is a little bit of a departure, but I'll explain that. I called it the seventh deadly disease; it's in something I've been into the last couple of years called the seven deadly diseases of DevOps. My name is John Willis. I'm new to Red Hat; I'm part of what we call a Global Transformation Office with Andrew Shafer, one of the founders of Puppet Labs. Andrew and I, with another person, created the first DevOps Day in the US. I was the only American at the first DevOps Day. Again, he was Puppet Labs.

I'll give my background in a minute, and then Kevin Behr, who is the co-author of the Phoenix Project, and Jabe Bloom, who is working with Kevin, four years of PhD and a gazillion things. Anyway, so just very quickly, who I am, just so they sort of... you know, why am I up here, but we won't over-rotate on it. 40 years, I'm pretty old. I've done 11 startups, and with one of them the first private cloud; this is pre-OpenStack, Kubernetes, OpenStack.

My brain says OpenStack when I used to say OpenShift. And just terrible, no network. I worked on the first; it was Eucalyptus, if you remember Ubuntu Enterprise Cloud; it was terrible. I was the seventh person at Chef, helped build that sort of technical system. I sold a company to Dell that you've never heard of. I sold a company to Docker that you'd never heard of. I'm really good at building companies that people never heard of, but it was a software-defined networking tool.

So I spent like two and a half years, two years, in what Solomon called the eye of the hurricane at Docker, and then for three years I was doing this seven deadly diseases stuff. October I came on board at Red Hat. Ten, eleven startups; again, I'm old, four decades of technology. I started my career as an IBM mainframe developer. I've written twelve books, and I am considered one of the sort of progenitors of the DevOps movement. Anyway, they're good. Oh yeah, a couple of shameless plugs. I did, out of all the books...

This is an audio-only. If you're into like lean and resilience and those things, and how... in fact, oops, me and Gene did an audio-only book. One Audible credit, y'all, just one Audible credit. I've got two kids in college. So I'm gonna come back to this. So Gene Kim, if you don't know, the author of the Phoenix Project; I've been fortunate to know him as a good friend and a collaborator now almost 10 years, and he wrote the Phoenix Project. Every year he invites about 40 of us up to Portland to work on this sort of study group thing, and we produce usually ebooks, you know, 50, 70 pages; there's about 30 of them out there for the last seven years. It's the great IT Revolution forum papers, like brilliant papers from lots of really big companies. So this year I decided to sort of do one on something I've been thinking about, which is automated governance, and like I said, I'll come back to it, but there's a Creative Commons book in the end.

I'll talk about like what this is. So that's, if you're on IT Revolution... and again, you find me, jwillis at Red Hat, like I'll give you any two resources indeed. But so one of the things I talk about, the deadly diseases too. So what happened was I left Docker. I'd been sort of... I spent a good part of my career in operations, transitions, back edge, where the technology was so terrible that you could never really transition anybody, and then for about, you know, a little short of 15 years, I went into vendor land, you know, the sort of Chef and Canonical, and then I was leaving Docker. I noticed that ship was sort of sinking a little earlier than most people. Anyway, trust me, like I lost a lot of money on that deal, but anyway, so like if you're like, hey, why are you making fun of Docker, like talk to me on the break. So I thought...

Okay, like I've been hanging out with all these people who had been doing sort of DevOps and part of Gene Kim's DevOps Enterprise Summit, which is only enterprises, you know, and working with, I mean, all the toolkits, and I wrote the DevOps Handbook, and I'm like, okay, I'm going to go out of the vendor world, be completely independent and really sort of change the world, and I had all these notions of these tools that we use for, like, lean value stream mapping.

All these things, right, I've got lots of presentations on this stuff, and I found the first bank, Bank X. It was a capital markets company I went to, and I kept finding that all these sort of prescriptive notions of how to get... all I really wanted was truth. Like I just wanted to find out exactly how you were operating, and the minute I did a value stream mapping thing, I lost the whole layer of truth, right. So I literally... I didn't have a name for it, and it was a terrible business moniker. They couldn't sell it anyway, but only about three banks bought into it, but they were the biggest banks in the world, right. So you know, I didn't... you know, four hundred, five hundred people over a month period, just finding out these incredible sort of cracks in the armor of like how do you really operate, and I came up with this, and I have full presentations.

I only have probably 20 minutes total, which is really impossible for me to do, but these sort of seven models, and I call them the seven deadly diseases because it's clever; it gets you selected for keynotes because it's a cool title, seven's a cool number. But they were patterns that just absolutely repeated over and over and over. Now, for the purposes of this presentation, I really wanted to focus in on sort of the last deadly disease, which is really sort of compliance and security theater. In other words, hey CIO, your audits are fill-in-the-blank, right; they're terrible, they don't match reality. They don't... like I haven't been to a bank, capital markets or insurance company where, when I talk to people about how they're doing things and how their audits are, it's like clearly disconnected, right. And it was interesting, because all this funneled into it. Again, there are longer versions of this.

But Eli Goldratt, he had this great audio series about twenty years after he wrote The Goal, which again, if you've done an industrial engineering degree, you probably were forced to read this book, and if you read the Phoenix Project you're like, oh my god, it's the same story, but only a stack and a systems programmer. But he had this thing about complexity and how certain scientists, particularly physics, think about complexity and enduring anything. He asked this question, and he has a slide deck that goes with it. He says, which system is more complex, A or B? And sort of a social scientist, or a novice... I'm not a physicist and not even going to try to behave like one, I act like one on TV, but most people would probably fall into it's system B, and he would say that a physicist or somebody who looks at complex systems would say it's system A, because it has more degrees of freedom.

Right, like this one is already starting to try to tell you a story, right; that one, there's no story, yeah. And this is why... oh, and I never... I always run out of time. My dad was like this. Like, you know, he didn't really do anything. He'd say, you know what, son, veterinarians are the smartest people; the stars can't tell them what's wrong with them. You know, you know. I had to get that one in. Was that hot, too? I'm here every Tuesday night, tip your waiters. But here's the thing, right. So when I go into a company and I'm trying to look for these patterns, right, most people want to tell me the positive. Somebody wants... you're positive. It goes, oh my goodness, this guy's going to get me fired. But also it's like, you know, it's like, it's fine, John. Yes, you know, they're trying to describe the already-abstraction layer. That's taking me to a place where it's not fine, sir. You know that, like it really is on fire. How do I get there? Alright?

So let's go into security. Like, so you know, I wouldn't torture you. Say how many of you couldn't tell me what this is. It's hard to read, even if I said that it's the vulnerability that took Equifax down, right. It's the Struts 2 Jakarta one, that you could literally send in, depending on whether the Tomcat server was hosted... literally that command was running and you could do, you know. That's just an example, echo bin, but I've been echo, but it could have been like whatever, right. And so it was funny, though, as this came out, you know, after they realized, you know, eight months later, that they had the vulnerability, and it lost tons of money. And again, I'm not sure... Equifax, like most people know, was the most costly breach in the history of all systems.

This is what we do, right. We tend to sort of abstract everything, and you know, and the thing was that, you know, and you hear this a lot, right, like I'll give you another example of one more recently. But so there's this brilliant paper, and normally this group doesn't do a lot of brilliant work, but this is a really good one: the end of 2018, right, yes, 2018, yeah. The US Congress did sort of a retrospective of that breach, and it's brilliant. I mean, it really is brilliant. I mean they...

She said, well, I didn't think of it, and like again, like you say, well, I got fired, but the real answer was they sort of created it in our organizational structure. They gave that answer before they even started; in her head was, and it could've been anybody, that it was: I need to think about what my boss, the legal and the legal implications of this. She wasn't thinking about IT. So there was a number of people who do forensics on airplane crashes; like they don't look for pilot error. They look for all the things that possibly went wrong, right. So again, threading on how do you get to this truth, but sort of just digging and digging and digging, and don't accept first-order, second-order, third-order answers from people. Again, most people know the Capital One breach, right. It was, you know, I think, summer last year, and again here the answer was: it was basically an inside attack from an ex-Amazon person who, like this, you know, we got it.

It's good, we'll just make sure this doesn't happen again. But the truth of the matter is anybody in the room could have done this with two connects, and I'm oversimplifying. But basically what happened was somebody who's in like hurry-up mode had to get something in, had to basically break process. They didn't have extra seats; they put up their own WAF, an open-source WAF, and they took the defaults, and the default had bypass on. And so, if you know what that is, it's basically a bypass to, guess what, the Amazon metadata server, and they happened to pick an EC2 group that was, oh, we'll use the one we used last time. It happened to be authorized, and for a couple of weeks anybody in this room could have basically dumped all the VPC and WAF stuff with, that's one command, from outside in, right.

So, like, there's a contrast between the difference, and then there's a whole lot of things that led up to why that happened, right, and so really what this was, what they call server-side request forgery. The point being, you have to sort of dig a little deeper in sort of the forensics or whatever to sort of get to the bottom.

I talked about that. Beyond the Goal is probably one of the things we cover pretty heavily in that audiobook, where we look at some of the people who actually go out and do forensics on airplane crashes or catastrophes in hospitals, where they use systems thinking to figure out how to really get to the bottom of how things really work or don't work. And so I've got a longer version. It is because I do want to get to the part when we get back to this automated governance.

But what I find when I do these interviews with all these companies and just get to talk to everybody, right, I would say like, let me talk to the edge, the people who put their fingers on the keyboard, and really sort of listen to the executives, but really find out what people... like they're out of their mind. They have no idea that we have to do this and this and this, right, because of their incredibly terrible decisions. But you know, so, especially the enterprise, right, like this is the thing I don't like... like, god bless anybody who's doing a greenfield startup, and like I've done plenty of those and lost a ton of money, I made some money. Like I'm really interested in the ugliest of the ugliest of the ugliest enterprises, the ones that basically have spreadsheets of policy that are basically, hold on to your seat, four hundred columns long, right, that somehow have... and by the way, 90% were written in the 90s, right, like you know. Like I love this one; I mean I have to steal it a lot of times. The one I like, my favorite all-time one, right, is having to write a business continuity description for storing data on S3.

Alright. So if you know, sort of, data at rest in S3 is like 30-something nines. That means that every molecule in the universe except one would be destroyed and then the data is lost. But every time, because of some NFR, it is sitting in stone. It's in a policy that nobody can have a minimal discussion about, like, why can't we get rid of this? How many people copy and paste like monster clips into forms to get application approval? Raise your hand if you've ever done that. Come on, everybody else is lying, lying.

You know, I told you, right. Look, it's a thing, right, like how do we sort of look at cloud native and ITIL, right; they're like, they're like ships going... pulling apart. I mean they are, I mean, you know, I mean again, I'm not an anti-ITIL thing, right, like it's brick-and-mortar, but like it's not even talking about service mesh, and you know, no discovery, and you know, I mean, API extensibility. Could be these operators, like, let's talk about serverless. I mean, like, there's like no glue between what most institutions have in their sort of four hundred column spreadsheet and what actually is. There's like the... the ITIL people are on the sixth floor, the cognitive people are on the seventh floor, right, and you know, so the DevOps are on the eighth floor, and they all use different elevators and they don't talk to each other and they all use overloaded terms, and that's the reality of most large banks.

You know, the risk, right. We're still myopic about perimeter-based, even if our certs have expired for eighteen months. I'll talk about subjective governance models, you know, low attestation, you know. I think, like, I always dig, like, sort of Twistlock, Aqua, I know, quiz over source. Those are like, will wake you up; go look at their reference descriptions and you're like, oh my god.

I've got a lot of new problems, because configuration in this world is a new attack vector. There are so many ways you can get yourself in trouble by missing a comma or taking a default configuration, and we go on and on about sort of Docker, Kubernetes, and oh yeah, there's another whole thing running at you, which is like your SaaSes, ServiceNow configuration, those things, well sourced, but there are attack vectors that are new misconfigurations in things like ServiceNow or some sort of dot-com.

Our new scary attack vectors: configuration blind spots and inconsistency. Like, it is unfathomable to be walking into a larger operation and not have a consistent definition for some form of infrastructure as code: Chef, Puppet, Ansible, whatever. Like, that not being sort of DNA-based in today's world. It's just, you know, organizations in some cases are still waiting like six weeks to get a server, and that's a VM. Okay, didn't we solve that problem? Yeah, I swear I will retire when somebody says, I need like a... I need sort of a compute instance in a cluster for our Kubernetes, and it takes four weeks. I'm done, I'm out of here. Like, I have to find a new line of work. So the opportunities, again, I'm going to assert a zero trust for risk beyond... I mean, shift-left security, DataOps. I'm gonna be talking a lot about DataOps later this year, like, how do you do attestation models for data? DataOps is sort of adding supply chain and movement of data, very interesting subject. We could sort of move data anywhere, but by the way, all the major breaches that I've studied, it wasn't like, you know, Struts 2 or some vulnerability in Node, I mean it was, but what was it? It was the data, and the data didn't have any provenance half the time. It's developers who are copying data at will to different places and forgetting to clean them up, or half anonymizing it, or no, no attestation for how the data got there.

You know, consistency. I talked about this again. I go on and on about sort of date-driven versus velocity, and the hijinks that come out of people's mouths when they try to tell me they're velocity-based and I'm like, no, no, you're date-based. The starting point... so, like your face, like don't, like, please don't go there. So the deadliest is easily... finish. They talk about security compliance theater; there's a boilerplate. There's, you know, one reason I'm involved with this, with Diane, who does wonderful work, is I've got a SIG called DevSecOps. I'll put this on the left side. Let's... so join the party, if you will. You know, you know, review boards, I just say, like, your suck factor of your company is a multiple of how many review boards you have to go through to get your sort of project appointed. The ARB, the ex-ARB, the PRB, like, and one company, an XML board review. They had literally created... an application was so agreeing with their job scheduler; like they literally, for major changes, had to get not only build all the other review boards, and for some use it... On the eighth day God said, like, all review boards will be on Wednesday, right. So that one really is fear policy theater. I'll get back to this.

So one of the things that I started thinking about two years ago, I was in two steps: DevSecOps. I'm like, yet there's a lot of pieces here. What about identity? I don't know, somebody else's job. Like, I have to say, like, what could I get my teeth around? And sort of, DevSecOps, solve all the problems. What was one that would really sort of, I think, have some teeth? And I started... I actually started out with a large bank that was sort of doing this as a gating system. They were defining these sort of gates, if you will, or we call control points, that said that, like, in order to get auto-approve you had to evidence these twelve or fifteen or twenty control points, and the ones that you would obviously think about in a DevOps discussion: like, it had to come from source control, it had to be appearing on a pull request, it had to have a green build, it had to have a green vulnerability scan, right, on and on and on, right. And so I thought about, like, what auditors do, right. Auditors sort of come in and look at the change record, and they follow this subjective discussion of, like, people sign off. Bob says, yeah, when I make this change on this, like, two and a half billion dollar budget IT system. Let's think about that. Bob is gonna make a change on a two and a half billion dollar a year IT infrastructure, and he's gonna describe it in a change record, and then Sue is gonna look at it on the board, you know, about, gee, give me like two more sentences on that S3 thing, and then Joe is gonna go, not on my system; tell Bob he needs to put another paragraph in about this. Then the auditor comes in and says, Sue, Bob, okay, yeah, give me screen prints; I don't trust any of you, right, and like, 2020, screen prints for it. It's right. Look at the people laughing; they're the ones like, no, this is true, right.

And so then I said, okay, like, if these banks are building these sort of models for sort of gating, shouldn't those be attestations? So change the model from a subjective discussion to an objective model. Could we actually build evidence in the pipeline that meets our sort of GRC, governance, risk, compliance, our risk policy? And so I... back to this book. I invited to last year's Gene Kim sort of pajama party, we call it: Nike, Capital One, Marriott, Sam Guckenheimer at Microsoft, PNC, and Mike Nygard over at Sabre, and for two half days we said three things we'd try to look at. One was: could we increase the efficacy of an audit? Actually, the first thing first, which was: could we turn a 30-day audit into a half-day audit? Look, could we do that? Like, I mean, not like solve the world, but could we write a reference architecture where we can actually create a reasonable discussion, to like everybody in this room, to say, okay, I think that makes sense. Second, could we increase the efficacy of an audit from nonsense, you know, 20%, to maybe 90% efficacy? And a third, which is the sort of dying sort of, you know, kitten, if you will, of DevOps, which is going to see... I always say get rid of the change advisory board. Like, oh, I gotta know how to eat the dummy to get it right, like so.

Could we actually, between those companies, like, sit down and write? And we did, and when you sort of created... you know, again, it's... you know, if you go to itrevolution.com you'll see a second call: forum papers. I'll have this up, a reference to it, on the SIG shortly, and it's a Creative Commons. It shows you what we did.

We had to come up with, like, our... we weren't trying to do another PowerPoint slide to show you how the pipeline looks, like the 480th version. We were sitting back and thinking, like, we don't care what it looks like, everybody else. What are the sort of boundaries if you were thinking about attestations? And as long as the discussion here, we described why we did this. It matches most of what you see. The biggest difference, probably, most, is the difference between build and package, because in today's world the packages are, you know, either sort of a JAR file or a WAR file or a container image, right, like, you know. So there's this sort of new world that deserves its own sort of boundary marker for attestations, and then we had sort of control points. Was the terminology very well described? We did our disclaimers, all that stuff. It really... my only credit was getting really, really smart people from big companies in a room.

One of these... one of the companies was on the left and has actually implemented this using this whole term, and so we found that, like, once you get this thing kind of running, you start seeing, like, here's that idea. Like you look, you finally can see over one fence and you see the next fence down the road you didn't see. So really cool things just pop up. One is now they're able to create these sort of YAML files for policy people, so the policy... So what you have now is, you know, that in most organizations you have this... so again, another subject of discussion about policy. Somebody understands policy, to somebody who understands IT, to somebody who can implement it, to this. So the idea is, what if we could create sort of a YAML framework for policy people to inject that automatically into the pipeline? None of this is seamless; it's all embryonic, but like that. That idea that we could cut out that sort of multi-step, and then the other thing is, you know, targeting sort of Big Five auditors, like, could there be a template that a Big Five auditor says, a PCI DSS template, yeah, use this one. Again, all these are like open discussions, and I think this is a really... the coolest thing, and which is one of the things we found with implementing this at a large bank, was when you go through this...

There's a lot of things, like, I'll have an argument with, like, an old lean IT or, you know, David J. Anderson, who, if any, Kanban, like, you're like, lean manufacturing does not map to IT, and I'm like, baloney; like, from commit to deploy I can map it brilliantly, but what he means is all the way from ideation, and they're right, to the point. What we have found is you can build attestation models in ideation. Now this gets really brilliant, and if you want to talk to me on a break, if this is a subject you're interested in, it solves that 1990s 400-column spreadsheet problem, and I'm writing DynamoDB apps on Amazon today. How do I make that happen without having committees and boards? I'll leave that as a cliffhanger.

If you want to talk to me on a break, I can give you more, because I got like one more slide. So today, I just think about the octopus. We don't even know what's out there. So the consulting company, they've been working on the implementation of that reference architecture at PNC Bank, and literally last week, one of these, we tried to use Grafeas, and it really didn't work, right. I talked to the Google people to see if they can, like, change the model; it didn't work for what we needed. That now is in a chain of events, and by the way, never use the word blockchain; just make it look like blockchain, just don't call it that. So they actually wrote sort of a nice abstraction, which is sort of a forked Grafeas, but not quite, but it says like last week, right. So I mean, an advantage is like... I was advisory for them, I fed on this. They would work on the implementation. Now they have actually a malleable model for attestation.

Some open source. I also mentioned my good friend Nick Lippis, who runs ONUG. If you haven't heard of it, it's one of the largest regional network user groups. It's mostly large banks out of New York; they've been doing this for years. If you look at the board advisors, it's just insane CISOs and network architecture. But what I found is we started this working group, hopefully in May; this will all be open in Creative Commons as well. We're gonna sort of drive a whole cloud-specific discussion, and even though I was sort of saying I don't want this to be cloud, what I found was... so this is not open yet, but like once I found, like, these, you know, the cloud security, the VP of cloud security from a really large bank, was like, yeah, this is great, love your model, John, but like what about trust models? What about, yes, service... so it's, you know, secrets management as a part of this, or regional standards, you know, some of the language of multi-cloud provenance and localization. Anyway, so it's been fun for me, just sort of sitting in that and listening to these sort of CISOs talk about, like, I like this model, but can we add these kinds of things. So this will all be public, and anyway, so you know, follow me at the sort of the DevSecOps SIG, the Google Group, and I'm jwillis at Red Hat. Thank you so much for...
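As an added example (not from the talk, the reference architecture, or any bank's implementation), here is a small Python model of the control-point idea the talk describes: each pipeline stage records evidence, a policy written in data rather than a spreadsheet names the control points needed for auto-approval, and the attestations are hash-chained so an auditor can check that nothing was edited after the fact. The stage names, policy fields and sample evidence are all constructed for illustration.

```python
"""Pipeline attestation evaluator (added example, not from the talk).

Each pipeline stage records evidence for a control point; a policy (what a
policy person would write instead of a 400-column spreadsheet) lists the
control points an artifact must evidence for auto-approval; attestations are
hash-chained so an auditor can check nothing was edited afterwards.
Stage names, policy fields and sample evidence are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # digest that the first attestation chains from

# Constructed policy: control point -> evidence field and the value required.
POLICY = {
    "source_control": {"field": "pull_request", "require": "approved"},
    "build":          {"field": "build_status", "require": "green"},
    "vuln_scan":      {"field": "scan_status",  "require": "green"},
    "package_signed": {"field": "signature",    "require": "valid"},
}


def attestation_digest(prev_digest, stage, evidence):
    """SHA-256 over the previous digest, the stage name and the evidence."""
    payload = json.dumps(
        {"prev": prev_digest, "stage": stage, "evidence": evidence},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class AttestationChain:
    """Append-only list of attestations; each entry commits to the one before."""
    entries: list = field(default_factory=list)

    def record(self, stage, evidence):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = attestation_digest(prev, stage, evidence)
        self.entries.append(
            {"stage": stage, "evidence": dict(evidence), "prev": prev, "digest": digest}
        )
        return digest

    def verify(self):
        """True only if every link still matches what was recorded."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if attestation_digest(prev, entry["stage"], entry["evidence"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def evaluate(chain, policy):
    """Return (approved, missing). A broken chain is never approved: the
    auditor gets 'chain_integrity' because the evidence cannot be trusted."""
    if not chain.verify():
        return False, ["chain_integrity"]
    evidence = {}
    for entry in chain.entries:
        evidence.update(entry["evidence"])  # later stages may refine earlier fields
    missing = [
        name for name, rule in policy.items()
        if evidence.get(rule["field"]) != rule["require"]
    ]
    return not missing, missing


def sample_chain(scan_status="green"):
    """Constructed run of a four-stage pipeline; the scan result is a parameter."""
    chain = AttestationChain()
    chain.record("source_control", {"pull_request": "approved", "commit": "abc123"})
    chain.record("build", {"build_status": "green", "artifact": "app-1.0.jar"})
    chain.record("vuln_scan", {"scan_status": scan_status})
    chain.record("package", {"signature": "valid"})
    return chain


if __name__ == "__main__":
    print(evaluate(sample_chain(), POLICY))           # (True, [])
    print(evaluate(sample_chain("red"), POLICY))      # (False, ['vuln_scan'])
```

A real deployment would have each stage sign its attestation with its own key rather than only hash-chaining it, so the auditor can also verify who produced each piece of evidence.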