Friday Summary, August 1, 2014: Productivity Metrics edition
By Adrian Lane
I read Jim Bird’s blog consistently because he talks about stuff that interests me. He has a ton of experience and his posts are thought-provoking. And every couple months I totally disagree with him, which makes reading his stuff all the more fun. This week is one of those times, with “Devops isn’t killing developers – but it is killing development and developer productivity.” I think Jim flat-out misses the mark on this one.
- The metrics we use to measure productivity are broken. Always have been – stuff like number of lines of code and velocity. Software development metrics have always been crap. Do you really believe more code is better? Isn’t the goal to deliver quality products which include robustness, satisfaction of requirements, security, and so on? Measurements like velocity are made-up and irrelevant to our real needs. They don’t actually tell us what productivity is – all they do is provide a trending indicator which sometimes tells us a change we made to the process is having an effect. If we had something better we would use it, but most development metrics are surrogates for real measures because we don’t have any good yardsticks for producing quality code.
- Which leads to the second point: DevOps spotlights just how broken these metrics are. It is specious to consider developer productivity as going down when the focus of developers and IT has changed to include test orchestration, deployment, and systems management. Developers scripting Chef, Puppet, Bamboo, or whatever are still working productively. Orchestration scripts are code – they are not wasting time handling operations. Writing test scripts is still work (which developers typically don’t like) and part of the job. The goal is to automate tasks so you don’t need to manually repeat them over and over.
- DevOps is not the same thing as Continuous Deployment. Continuous Deployment is part of it, but not the whole enchilada.
- DevOps allows developers to be more responsive to customer requests – not because they are chained to a pager answering support calls, but because automation and the infrastructure-first approach enable them to be. Sure, you can screw up priorities and clog the swim lanes with the wrong tasks, but that is a management issue – not a DevOps problem.
- I agree that not all developers like having to assume more programmatic orchestration of IT operations, and they aren’t necessarily good at it. But the key shift to take note of is that IT staff had better learn to program, or they will have a tough time finding work. The key to DevOps is automation, which means code and scripts… which is why IT needs more developer-centric skills.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian and Mort talk Big Data with George Hulme.
- Mort quoted in Communicating at the speed of DevOps.
- Dave Lewis: Digital Supply Chain (In)Security.
Favorite Securosis Posts
- Gunnar: The Identity Cheese Shop. Direct from the ivory tower of identity architecture.
- David Mortman: Big Brother’s Price Tag.
- Adrian Lane: The DevOps-y Future of Security Engineering.
- Mike Rothman: Recruiting Across the Spectrum. Yup, this is mine. But I wanted to highlight it again because I think it’s an important discussion to have. We will need to start thinking unconventionally if security is going to scale to meet demand.
Other Securosis Posts
- Incite 7/30/2014: Free Fall.
- All Good Things.
- The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper].
Favorite Outside Posts
- David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. Stateful firewalls break multi-homed BGP if you don’t architect correctly….
- Dave Lewis: Canadian intelligence sweeps often intercept private data, spy document reveals.
- Adrian Lane: Banks Gain Scale with Cloud Issuance & Host Card Emulation. Kaushik Roy clearly articulates some of the issues around HCE and secure elements that have slowed mobile payments and mobile identity for the last few years. And I agree with his thrust that HCE will win out as banks adopt it to reduce fraud and have a viable roadmap for coming EMV standards.
- Mike Rothman: Symantec Endpoint Protection 0day. The guys at Offensive Security found a little issue with SYMC’s endpoint agent, allowing for privilege escalation. Though we shouldn’t beat up on Symantec too badly – it could have been anyone’s agent. These tools are supposed to reduce attack surface, right?
Research Reports and Presentations
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
Top News and Posts
- 0-days found in Symantec Endpoint Protection.
- Android “FakeID” security hole causes a pre-BlackHat stir.
- Google’s Android Has a Fake-ID Problem.
- CIA Admits Guilt, Apologizes for Accessing Senate Computers.
- Improving Malware Detection in Firefox.
- Vormetric And Rackspace Partner To Offer Encryption Services On Rackspace Cloud.
- Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System via Krebs.
- Digital Supply Chain Security: Partner Networks.
- Russia wants Apple and SAP’s source code over spying concerns.
- Incident Response Metrics.
- Breach index: Encryption used in 23 percent of Q2 incidents.