State of DevOps | A Look Ahead at 2023 [On-demand Session]

Join us as we continue our December conversation and discuss our predictions for DevOps and Software Supply Chain Security for the year ahead with community leaders. We will delve into some common and not-so-common opinions and topics you are likely to hear more and more about as the year progresses


“DevOps” has never been more popular than it is today; it seems to be on the top of everyone’s minds and constantly evolving. So what can we expect to see in terms of trends for 2023?

Join us as we continue our December conversation and discuss our predictions for DevOps and Software Supply Chain Security for the year ahead with community leaders. We will delve into some common and not-so-common opinions and topics you are likely to hear more and more about as the year progresses, including:

  • What it looks like to do more with less in 2023
  • How can we make SBOMs useful in 2023?
  • Reducing toolchain complexity
  • Prioritizing developer experience and productivity
  • Rises in distributed engineering teams - what that means for tooling
  • Platform Engineering VS DevOps

Featuring:
Chris Hughes, CISO and Co-Founder at Aquia
Sam Cochran, Principal Engineer, Buildkite
Alison Sickelka, VP Product, Cloudsmith
Moderated by Dan McKinney, Technical Account Manager, Cloudsmith

Transcript:
(00:01) Hello everyone, welcome to Cloudsmith's first monthly webinar of 2023. Thanks for taking the time to join us today for what is sure to be an interesting and hopefully thought-provoking discussion around predictions for DevOps in 2023. So I'm Dan McKinney, I'm a Technical Account Manager at Cloudsmith, I'm based in Belfast in the UK and I will be your host for this webinar. I'll do my very best to keep things moving along and at a pace that suits us all. We've assembled a great panel for this

(00:57) discussion, but before we get started let's go through a few housekeeping notes. So we will be randomly drawing a prize pack at the end of the webinar, so be sure to watch right to the end for a chance to win. I will let people know who the winners are when we close things up. We're also streaming live on Twitter, YouTube and LinkedIn and we really, really want to hear from you, so please do tweet or post your questions wherever you're streaming, or right here in the chat, and Hillary is

(01:30) working very hard behind the scenes checking all those platforms for questions, so please post in. Participation is what we want, it's really great. So again, our topic today is predictions for DevOps in 2023. Now the caveat here is that predictions are exactly that: if we had a magic crystal ball with all the answers we probably wouldn't be here. However, that's also what makes them fun and interesting things to discuss and debate. So some of the topics that we will discuss include what it looks like to do more with less

(02:08) in 2023, so reducing toolchain complexity, and how can we make SBOMs more useful and actionable in 2023. We'll also talk a bit about how we should prioritize developer experience and improve productivity with that, and also the rise in distributed engineering teams: how does that impact, and what does that mean for, tooling and toolchains. And a favourite one of mine, platform engineering versus DevOps. So I'll also add that this list is not exhaustive and this is meant to be an open discussion, so we may veer off the

(02:54) path a little as we get into some things, and as I said earlier please do post your questions or talking points and we'll try to address those also if we can. So I'm very excited to be joined today by representatives from ourselves at Cloudsmith and also from two other organizations, Buildkite and Aquia. So this is the perfect time for me to bring our guests onto the stage. So hi everybody, hello. So yes, joining us today we have Alison, our VP of Product at Cloudsmith, Sam Cochran, Principal Engineer at Buildkite,

(03:35) and Chris Hughes, co-founder at Aquia. So I'm glad to see everybody has joined. I just wanted to say originally Mel from Buildkite was scheduled to join us, but unfortunately she's sick, so we wish her a very, very speedy recovery indeed and hopefully she can join us for another webinar in the future. However, Sam has graciously agreed to step in, so thank you very much indeed Sam, we really appreciate that. So if I could just ask everybody to give a quick introduction about yourselves and your

(04:05) organizations, that would be great. I'll randomly choose somebody to kick things off, so let's start with Chris. Yeah, I'll jump in first. Chris Hughes here, CISO and co-founder at a company named Aquia. We're a cybersecurity services company working in the U.S. with public sector and Department of Defense agencies as well as commercial companies. But before that I've been in the sector, in cyber I should say, for about 15 plus years. Started off in the military, have been a federal employee with a couple of different

(04:34) agencies doing cloud and DevSecOps and cybersecurity, and yeah, just happy to be here and chat with you all. Awesome, thank you very much Chris. Alison, I'll throw it over to you. Yeah, hi, I'm Alison, I work at Cloudsmith. You got to watch a wonderful introductory video of that organization before the webinar started, but Cloudsmith is a universal artifact management solution, so one place to centralize all your software artifacts that you use throughout your software supply chain. You said that so much better than I

(05:07) could have, Alison, to be honest, so thanks very much. And finally, you know, last but not least, Sam, please. Hi, good morning from Melbourne, Australia. I'm Sam, I'm a Principal Engineer at Buildkite. I've been here nearly the whole journey, in various bits and pieces. We started off as a CI/CD provider, we have a tool for creating CI/CD pipelines, and we're working on some new products including things like Test Analytics, visibility into your test suite, the application of what you're building.

(05:37) Awesome, thank you very much Sam. I'm a big fan actually, I wrote a lot of the documentation at Cloudsmith for using Cloudsmith and Buildkite, so I found it great, so yes, thank you. I've read some of that documentation, it's fantastic. Oh brilliant, awesome, I'll meet up with you and thank you in person for that at some point. But yes, well look, thank you everyone, those introductions are very helpful. So look, I know time is short, so let's just jump in with the first topic. I'll just

(06:03) throw this one out there for the floor, so whoever wants to pick it up first can go. I'll probably pick these at random as well, but let's start with the one I mentioned earlier. So coming into 2023 I think that we are finding, and certainly the discussions that I have with some of our users at Cloudsmith is that there is a drive to reduce toolchain complexity. So there's multiple reasons for this, but I just wanted to sort of take the temperature of the room and get feelings on that. So

(06:32) yes, reducing toolchain complexity in 2023, I'd like to start with that. Who wants to go first on that one? Yeah, I'll jump in there. I'll say I definitely agree with that. You know, leading and working with various teams in DevSecOps environments, we're looking to shift security left and bring all these great capabilities around SAST, DAST and SCA and secret scanning and SBOM and so on, but it becomes quite a bit to manage, especially if you have disparate tooling in that toolchain and everything is

(06:59) producing findings in different formats and schemas and so on. So bringing all that together in terms of tooling and output and artifacts is really important, and it's causing a lot of cognitive overload on security teams, so I definitely think it's going to be a key area. Hmm, yeah, I would second that. You know, for Cloudsmith, when we talk to our customers they're really interested in being able to centralize how they're managing the software artifacts, and not to jump ahead to some

(07:26) of the other topics that we have, but you know, part of that's trying to figure out how to do more with less in 2023 and really streamline your operations, and so I think there's a cost pressure and a bandwidth pressure to also streamline that toolchain and reduce complexity and that cognitive overload for your DevOps teams. Mm-hmm, yeah. The prolific number of products on the market, I think, embody a lot of this. I went to KubeCon last year and it was interesting seeing a

(07:58) physical expression of the CNCF landscape in all of the booths around me. Like, it gets a bit overwhelming, the idea of the number of products, the number of things you have to care about. There was this Cambrian explosion of tools and capabilities and things to worry about during software development, and how can we help teams not have to worry about so many of those things, like to pull the abstraction layer of where you're providing value up higher. Yeah, actually Sam, I too was at KubeCon last

(08:24) year, KubeCon in Detroit, was that? Yeah, yeah, I was. Yeah, I was amazed at the number of booths, and I think some of that is being away from in-person conferences for quite a while, but I was stunned. And certainly in my role as a Technical Account Manager I spend a lot of time talking to users, customers of Cloudsmith, and there is definitely an overwhelming drive to streamline things, to work more efficiently, and also of course, I mean, to reduce total cost of ownership. It's a big concern, and the landscape's always shifting, but it

(09:02) is, it's definitely a thread that I find increasingly across more and more conversations that I have now, is things have got a little bit unwieldy and people want to work more efficiently. And look, even internally we've done the same in Cloudsmith, so we have slimmed down toolchains and tried to work smarter with better tools rather than a larger amount. I think some of that's very interesting, like the way, you know, everyone runs applications in containers or some sort of, nobody cares about hosts anymore, like

(09:38) that abstraction layer has been dragged up, right, and I feel like the same is going to come through in DevOps and dev toolchains. People are going to care less about where things are run or how they're run, or they don't want to understand the interoperation of each of the tools within a toolchain or a pipeline, they're more interested in seeing the value out of that thing at the layer above. And so I think this idea of simplifying the offerings that we have and capabilities

(10:01) that we have, yeah, it's got to be the thing this year, I reckon. Absolutely. Well actually, Chris, this is probably a good thing to flow to you. So I mean, just before I started this webinar I came off a call with another user and their big focus, you know, is getting away from managing their sort of on-prem instances, getting away from hosts, getting away from applications that they are running in-house and managing themselves. So they're very much looking at sort of cloud native transformations for

(10:35) lots of the toolchain, and I think that very much plays into this topic. You know, they're looking to consolidate but also to not have to, well, own isn't the right word, it's still their tool, but just not have that management and cognitive and operational overhead. And I know, Chris, cloud native application development is one of your fortes, so you must hear similar to this quite a bit. Yeah, we've seen quite a push where I am in the United States with both

(11:07) federal agencies, Department of Defense and the commercial sectors in terms of cloud adoption. It's for the reasons you're talking about: organizations are increasingly realizing that managing underlying compute and networking and hosting and so on is not the core competency. They want to focus on their core competency, which is delivering value to their stakeholders and business customers, for example. That's kind of the allure of the cloud native paradigm and the shared responsibility model, for

(11:29) example, and they can lean into those cloud service providers, whether you're talking IaaS, PaaS or SaaS, and you kind of offload some of that responsibility, that administrative overhead and so on, to the CSP, which is a major improvement in terms of the burden and overhead that they have to manage on their end. Yeah, that's absolutely true. Alison, any final thoughts on that topic before I, because I know we're going to revisit this when we talk about reducing toolchain complexity, we

(11:59) may be bold, but anyway. Yeah, no, I think it's interesting, the point Chris made there about organizations wanting to focus on their core competencies. You know, we're just reaching the end of January and I've heard that from several customers already this year, that as they're looking at reducing that toolchain complexity, a big part of that is they want to make sure that everything that their developers are doing is value add to what their company is trying to accomplish, and they don't want those

(12:24) engineers being system admins or spending time maintaining systems or processes that don't ultimately benefit those organizations or contribute to their core competency. And I actually think that is sort of interesting as you lead into the platform engineering side of the conversation too. You know, some of that's in that same space of saying we want to make sure that our developers, that their time and energy is focused on advancing our business and our core competencies. Yeah, absolutely. I noticed an interesting

(12:52) comment in the chat just from Neil, that cloud hosting takes a lot off sysadmins' plates and is quicker to change instances with less downtime. And I totally agree with that. As someone who in a former role was an old-school sysadmin with on-premise servers and racks and things like that, to watch the evolution to where we are now, it's fascinating actually. I know it's not a role that I do anymore, but I actually agree with Neil that it frees people up to focus on core competencies. I think I said a line

(13:26) in an Aquino talk a year or so ago that said, you know, if the application that you're looking at isn't core to your own sort of product, if it's not something that you're going to sort of acquire and build in, then just buy it as a service. You know, don't try and build it yourself, don't try and run it yourself in-house, but just buy it as a service. And that was advice that I think is still standing today. So okay, awesome, well in that case then

(13:56) let's just change it up a bit, because Alison, you mentioned something there that I would love to touch upon. So it's a little bit of a side path here, but this is something that people say, actually people said to me at KubeCon in Detroit. So I was seeing everywhere platform engineering, platform engineering was everywhere. I even got refused a ticket to a platform engineering party on one of the nights, which I was incredibly upset about. But basically, platform engineering versus DevOps, it's 2023,

(14:27) we're moving forward, so is platform engineering just an evolution of DevOps, or is it a rebranding of DevOps? What do people think of that? So that's an interesting one, because I've read a little bit about this the last couple of days and there seems to be all kinds of opinions on this. So I suppose I'll throw that one to Sam, just to kick us off, for a bit of fun. All right, I was thinking about this over the past couple of days as well, because it's turned around a lot, but

(14:59) forming an actual opinion, because you can call it any way you want to call it, right. But to me, I think you still sort of practice DevOps on a platform, right. Like it feels to me like it's about shifting that bar up, shifting up that abstraction layer. So you see tools like Spotify introducing stuff like Backstage and providing centralized places for developers to go and use standard patterns, which means that there's less complexity in the toolchain because it's already chosen for you, and

(15:30) right, because the security can be prevented, like you can have a set of tools that is known to be up to date and to not have to have the right vulnerability checking in place and all those sorts of things. So like, if you can engineer a platform that is safe for developers to then go and build your core business value on top of, and share as much of it as possible, like that feels like the inflection is it's dragging that abstraction layer up, letting your developers focus on the things that are actually valuable, being

(15:52) sure that you've got a good security story and all the right pieces in place below as a centralized effort. Yeah, and then like how much of that can you get away with not having to do yourself, like how much exactly, imaginary, can you find great tools, hopefully like the ones that we're talking about here, to plug in there and provide that value and know that it's secure by default and all those things. Absolutely. To be honest, I think it was a bit of an unfair question to just throw

(16:19) at you like that, I do now, and I'll put my hand up and admit that it was a little bit of an unfair question, because it is, it isn't, it is, well it is like you said. I wonder, yeah, Chris, any thoughts on that before I pose my little twist on that question, I suppose? No, actually I can take on it a lot. I think you opened a can of worms, I've seen like a lot of heated debate, you know, is this the new age of DevOps or is it different than DevOps? I think

(16:47) they're complementary, you know, in the sense that it's a new form of engineering and it leverages a lot of DevOps methodologies and practices, for example. And we talked about how cloud can abstract things for customers; we're seeing the same thing with platform engineering, they're trying to do that internally for the development team, to abstract a lot of that administrative overhead and nuance away, baking in security guardrails, compliance requirements, things like that. So it's very complementary in my opinion.

(17:08) Okay, I actually really like that, yeah, I really like that. I see comments in the chat, and Jonathan says that platform engineering seems more encompassing, that's an interesting take on it. Yeah, and I'd like to think about that one before I comment on that. I suppose here's something just for the wider group, and Alison, I know you didn't get to comment on that, maybe comment on this. It sort of ties into what you said, Sam: do you think that platform engineering kind of has some ties to, like, you

(17:40) know, like platform as a service? You know, you mentioned about giving a common tool stack for developers where you can bake in security, you can bake in sort of best practices and things like that. Maybe not in the terms of the platform as a service that we know and love, like we've all used it I suppose at some point, but maybe sort of almost like an internal take on that. Does that resonate, you know, what do you think about that, Alison, does that sound reasonable? Yeah, I think I

(18:08) think it resonates, and you know I'd build on what Sam and Chris were saying. It ultimately feels like an evolution of DevOps. I also think it's really easy to blanket say what DevOps is or isn't, but really, yeah, each organization, it's a little different, and each organization's on their own journey to embracing DevOps. Platform engineering seems like an evolution for folks who are a little further on that DevOps journey and whose software architecture might be getting more

(18:33) complex and harder for the development teams to be able to manage, or want to manage, some of that infrastructure side of the house too. And so you know, platform engineering is really just an evolution of DevOps and also basically saying how can we make sure that our developers are doing the thing that is within their wheelhouse and matches their expertise, and they don't have to become an expert on the full stack and all the tools that are being used there. I think that's absolutely true. So I was

(19:03) going to just say, but you said it already, that, and one of the comments in the chat actually is that DevOps just keeps improving, and that's completely true. I mean, as far as I remember, I remember the first time I saw DevOps being sort of thrown around as a phrase, it was really just developers automating their build and deployment pipelines at the very start, basically, and then it expanded out and it started encompassing these bigger, more complex toolchains, and there's so much more going on that it needs to

(19:31) become bigger and more all-encompassing, as we said earlier in the chat as well. So I don't know, everybody has an opinion, I suppose we're all entitled to them, but it seems to me that that is kind of what platform engineering edges towards. I have no doubt that when I get off this webinar I will be inundated with people telling me that I'm absolutely wrong and that it isn't that and it's something else entirely, but that's what makes it interesting, right, and it sort of

(19:57) happened the same with DevOps at the start as well. So I suppose to spin this in another direction, and maybe this is relevant to both toolchain complexity and that platform engineering evolution, or whatever way you want to phrase that: the rise of distributed engineering teams, maybe not just engineering teams, right, maybe just the rise of distributed DevSecOps teams or, you know, development teams in general. What does that mean when we think of the toolchains that we're used to, the way that we build sort of applications and

(20:38) internal pipelines and things like that? Obviously we've spoken about this at length now for over a year, more than that, because distributed working really obviously accelerated and we're all very well used to that now. But I think we've all had the time to evaluate the changes that we've had to make to accommodate that, maybe some of those changes were by choice, maybe some of them were sort of enforced. But what do we think that rise in distributed engineering teams has, what kind of

(21:07) impact has that had on toolchains and complexity and experience? Who wants to volunteer to start that one? I'll jump in there for a second, I guess. You know, from my perspective, I always think of it from the security perspective very often, so I think that the distributed working situation, in terms of toolchains, has the biggest impact when you think about access, access control, how people are navigating into the environment, accessing those toolchains and, you know, the permissions associated with it,

(21:36) whether the device they're using is a corporate-owned device or a BYOD, for example, and understanding where the devices are coming from, where they're located at, the device posture in terms of the posture of the device they're connecting from. I think those are all key considerations, especially when you think about software supply chain security and you realize that malicious actors are increasingly targeting those build environments, those toolchains, to compromise downstream consumers of software. It's definitely a key

(22:00) area that organizations need to pay a lot of attention to. Yeah, I would agree with all of that, Chris. Alison? Yeah, I guess building on that a little bit, for us we see a lot of folks emphasizing the value of cloud native tools when they start to talk about those distributed teams too. So that ability to ensure availability, reliability, scalability of the platforms that your internal teams are using is really important as you're talking about having those engineers distributed across the globe,

(22:36) and it can really be a differentiator for customers who are able to leverage those cloud native solutions. And Sam, taking Buildkite as an example, what's the sort of challenges that you've seen, both internally yourself accommodating other distributed members of Buildkite and also, obviously, your user base is distributed globally anyway? So, you know, what do you think there? Yes, interesting one. So Buildkite is a company, internally we've been around

(23:12) forever and have always been a distributed engineering team. It's been interesting to be on the front of that. Yeah, I think just communicating, coordinating seems like the biggest challenge, like being really effective as an organization. We use talk or Basecamp, but that's probably beyond scope here. I'm very interested in the securing of the actual endpoint devices, how you access your production infrastructure, how you access all of

(23:40) the tools that we're talking about, yeah, like how do you access the platform securely if you are constructing your own platform and engineering it. So Buildkite, we have an interesting stance on this, I guess, because we are a hosted platform, we're only a hosted platform, but we don't run the compute for actual CI/CD workloads, we leave that entirely to you and your own infrastructure. But what it means is that we secure the endpoint that most users are coming to interact with the system. We have a

(24:09) hosted platform, which has benefits here. Like if you're using hosted platforms, like I presume Cloudsmith might have an offering that's the same, then you're offloading a lot of that security story and all of that stuff. You've got a trusted third party that has a hosted platform that's been through rigorous compliance requirements and all that stuff up front, and you don't have to worry about it, you can focus on your core competency. Yeah, but for us, then letting you

(24:35) run the compute also means that, for example, Buildkite can't see source code, it doesn't have to interact with those tools that might be on your side of the boundary, within your fence. And so you can have the strong security story where it's valuable, around your IP and around whatever you might be doing within that platform itself. So it's just interesting, I think different people explore this in different ways. But yeah, as we mentioned, like the complexity around this stuff

(25:04) seems to be ever increasing, and I think people are wanting to own less of the story if possible. And so having done this hybrid model for a long time, sort of starting to see more people try it out and do it in different ways, because it means, yeah, you can trust someone else to do it securely and well, as long as security is built first into the product, like it always has been with Buildkite. It can be a good option. Yeah, absolutely, you're not wrong, Sam. So Cloudsmith also is

(25:38) hosted only, so we are hosted only as well, and we obviously are very, very focused on security. One thing that you mentioned though, which I thought was really interesting, is it also matters for compliance and regulatory reasons. So you know, a lot of our users, they need to have a vendor that has, you know, ISO 27001 certification, SOC 2 certifications, and that goes a long way towards that point of securing the platform, and that carries a lot of weight with those users. So we

(26:13) put a lot of stock into security, obviously we do, we have to, but I think that's what people want, that's what people want their vendors to do. And with distributed teams, Cloudsmith as well is remote first, same as Buildkite, that's where we all are, and we have Cloudsmith team members all over the globe. Alison is in the States and I'm in Belfast in Northern Ireland, and so we do have to meet that challenge. And interestingly enough,

(26:41) one thing that you brought up which I thought was interesting, because we had a talk about this ourselves lately, is not just the toolchain but communications is a bridge, you know, something that needs to be bridged properly with fully distributed engineering teams, fully distributed teams for that matter. Okay, so we were sort of chock full of communication tools and we actually slimmed those down, so we now have fewer places where we collaborate and we communicate in Cloudsmith, because it was, you know, reducing

(27:12) the noise, it tends to do that. So of course we do a lot of calls and we do a lot of chat, but it's very much in the same vein of just reducing complexity in the toolchain. I know it's not a DevOps tool, no, chat is not like that, but it was a really core part of getting us to work together better, I thought. So yeah, that's mine. That's probably more in that thread because our CEO, Keith, is one of the founders of Buildkite and built a lot of the early product,

(27:44) and gave a great talk recently about storytelling and DevOps, which is about communicating, right. Like, we sort of created it as a thing that happens externally, like outside our tools, and then the tools are full of information, sometimes too much information, that we can't, you know, find the actual signal amongst the noise. But what if those tools helped us navigate them better and communicate with our colleagues about what we're seeing, and actually tell the stories about what's in that data? I think there might

(28:12) be something there that we start seeing in 2023 as well, where the tools can help us. Like, the tools are where our work lives, and so if we can talk about our work in the place where it lives, tell better stories in the place where it lives, visualize it in new ways, collaborate in new ways, that might be helpful too. Alison, I think this is probably one of your more favourite topics. Well, I mean, I've been working remote since 2019, so pre-pandemic I was opting into this lifestyle,

(28:48) and I do think, you know, it's interesting, a lot of DevOps is practice and philosophy and culture, and that's really what we're saying, is that when you're a remote first organization you have to define what those practices and culture are, and how you can leverage that to get the best work and the best outcomes for your organization and your team. And so, a little outside of DevOps, but I do think there's some overlap, and you know what Sam's saying there. For us internally, I can speak a little less towards our engineering team,

(29:15) but within the product organization, you know, making sure we're really intentional about leveraging tools like Notion or things like that, and saying this is where you go to find the information for what you're working on, and just helping build up that clear practice and standards for our organization really helps with that collaboration. Yeah, absolutely, it's something that we're all trying to get better at, I think. So it's not exactly a prediction for DevOps in 2023, but it does impact DevOps in 2023,

(29:44) there's no doubt about that um I think anyway so awesome okay well just just to move things along time always flies on these webinars time moves quicker than you think so um this is this is probably a big one and I'm going to throw this one straight away to Chris because I know that this is um in his wheelhouse so to speak but I think we'll all have something to say so software bill of materials this is not a new phrase it's not something that we're just talking about for the first time now but this may be the year that

(30:14) it really rises to prominence and takes on more importance for a lot of organizations and a lot of teams and so hike what can we do how can we make SBOMs more actionable and useful in 2023 Chris yeah I mean I definitely agree with you this is going to be the year or coming years I should say for SBOMs you know we saw a lot of traction having obviously United States around cybersecurity executive order efforts with agencies like NTIA and now CISA around SBOM adoption and evangelism and tooling and things like that and then of course you

(30:47) know even in the EU in the Cyber Resilience Act if you take a look at that it requires SBOMs for product manufacturers to you know kind of extrapolate those components that are in those products uh in terms of making them actionable I think that's where things like Vulnerability Exploitability eXchange for folks that are familiar with that is you're essentially going to bring kind of some signal to the noise of the SBOM it's one thing to tell a developer hey you have you know 700 vulnerable components it's another thing

(31:11) of those 700 you know 36 are exploitable for example so we talked about you know bringing signal to the noise and trying to drive down some of that uh complexity we talked about with infrastructure we need to do the same thing when it comes to vulnerability management for developers we don't want to you know add a lot of friction uh impede their velocity and let them focus on what's actually exploitable what brings the most risk of organization and have them take action on that mm-hmm yeah you know I would say a year ago we

(31:40) were asking customers about SBOMs without a lot of response or engagement and we're finally starting to see customers come to us and ask us about SBOMs and how they can leverage that tool to be more effective I think it's we were talking about where SBOMs are in the hype cycle feels like we're coming out of the trough of disillusionment and and moving into the slope of enlightenment um you know I think a big piece of that is that it's not just about requiring these companies to have SBOMs but it's

(32:08) actually helping them to get value from it so like Chris was saying VEX and other tools that actually make those SBOMs useful so it's not just a requirement but it actually solves a problem for those customers and actually becomes um a value add for what they're trying to do within their organization mm-hmm Sam any thoughts hmm uh yeah it's an interesting one because everyone's tackling it uh in slightly different yeah directions as well um yeah so like we've had a lot of a lot of customers uh displaying interest in uh

(32:43) provenance and attestations as well as the actual SBOMs themselves like being able to prove and do the compliance dance um making sure the policies are being enforced consistently so uh how do you uh it still feels like SBOMs there's no one standard there's like a couple um and then how are people navigating those how do you make it actionable um we've seen some some great like I've seen lots of people creating different types of pipelines with different tools and different ways of making them actionable you know raising

(33:12) those vulnerability alerts pulling them into the place where the code is being written like um uh raising them as GitHub issues that can then be actioned with buttons and like building those sorts of workflows themselves um which it's interesting to see people building that stuff themselves uh to kind of mimic uh some of like GitHub's Dependabot stuff but in a more formal and policy enforceable way um so like seeing the evolution of that and the standardization of that like how are we going to see the standard ways of

(33:39) uh creating SBOMs and then signing and shipping those as part of the container manifests and like watching these actually consolidate around a best practice way of doing things and then turning them into something that developers don't have to implement themselves but can just drop in like uh for example in Buildkite looking at like what is the plugin that people are going to reach for and like drop into their pipeline and it provides uh SBOM generation and make sure that things are in packages and then of course the

(34:06) policy like those sorts of things seeing the practices emerge and consolidate and then not having to be thought about um will be interesting yeah I've gone ahead Alison please I think it's really interesting to see the open source solutions that are developing in this space and and you know basically we're saying how can you secure your open source dependencies and we're seeing solutions come out of that open source community to help answer that question I think that's really interesting and fun to watch

(34:33) um I also think that to some of what Sam's saying there you know it gets really interesting at how you manage this at scale so really when you start to talk about trying to manage your software supply chain across your entire organization how do you develop a developer experience and user experience around that that makes it easy for teams to be able to implement and manage that as well we're back at pushing that devops problem into the platform engineering problem right like you want to continue that component that people can can

(35:00) develop and operate on but don't have to like build the pieces and plumbing yeah I think so I mean well the first step to adoption is to make things accessible and you know frictionless and easy you know that's that's the way to win people over um but there's no doubt from from my perspective sort of in the front line um yes I agree with you Alison a year ago when I was talking to users of Cloudsmith and customers of Cloudsmith the landscape especially around what they wanted from SBOMs and what they needed

(35:31) was still quite foggy to them they weren't very clear now going into 2023 I'm hearing increasingly from those same users and customers that yes this is something that we know we need to get on top of like like Chris said I mean there are standards coming down the line and there are requirements coming down the line they are aware of that they're maybe not quite there yet but they're certainly very interested and look sound the same applies for you know uh signing containers in-toto attestations it's

(36:02) all in there and they're thinking about it all they but what they really want and I think you said this Chris is they don't want you know a wall of data about um packages and dependencies and CVEs what what they want is is actionable data you know that they want the path forward there that's easily identifiable for them that they can take direct concrete actions upon so I think some people still feel a little bit overwhelmed by it at the moment um but it definitely feels like uh maybe you know maybe by 2023 we won't

(36:42) have you know a like a perfect sort of uh solution at the end of this year but it definitely feels like there'll be a lot of progress this year towards that solution so um watch this space when we do our December webinar none of these predictions will be true and I'll look like a fool but um but it's still fun to think about that but no I definitely feel from from talking on the front line with users of Cloudsmith as a product and of course we're in package management so artifacts and signatures

(37:11) and attestations it's core to what where we think the landscape is moving and I definitely hear that a lot more now than I did before hmm there's an analogy with uh um we made a change uh last year to uh when you come to a build um firstly in CI/CD most people don't care for a build screen if it's green everything's fine you move along uh you probably don't even come and look at it um if it's failing you don't care about anything that passed in the build you only care about things that actually

(37:42) fail like you want to make it actionable right it's the same principle um so so we made some changes to really pull failures to the forefront and show them earlier and a few of these things um but I could see the same patterns with SBOMs right like if if everything's okay um you just want your policy to be green you don't even want to look at it like your deploy just keeps going but if it's if it's red like if there's a critical vulnerability in one of your dependencies you just want to know about

(38:04) that bit and like make it actionable and give me a button or something like make it as easy as possible um that's it seeing those patterns emerge um like we're already seeing some people do it I think um karaoke did a uh from Cloudsmith did a lovely presentation about uh using Syft and Grype I think um and then highlight the critical vulnerabilities and not care so much about the rest of it um so those open source tools as uh as Alison was mentioning like they are already providing some of these insights

(38:34) and those those actionable things uh seeing those those become common patterns and becoming pieces that you can just drop in and use uh without thinking too hard about it um yeah that's that's the interesting thing I think yeah I really like the statement of give me a button so sort of um you mentioned you mentioned earlier sort of you know almost uh make it as actionable as Dependabot you know so nice and clear um yeah I think that's a very good a very good point indeed so Chris any final thoughts on that just before we we

(39:03) sort of move on to the next one no I think it's spot on in terms of make it easy give me a button kind of thing as we're seeing a lot of innovation around tooling to help you know show developers what is the problem what dependency is of concern and you know where some alternatives even in some cases that they can explore to quickly remediate the situation and move on with the building deployment process so I think Sam was spot on awesome awesome excellent well I I know we only have a couple of minutes left

(39:27) and I do need to announce the winners of our Cloudsmith prize packs of course I think that's probably the highlight of the webinar for a lot of people and certainly is for me even though I don't actually get one so I just liked Airlines to the winners but just very finally then a couple of quick minutes before I do that um a nice a nice topic for everybody so 2023 what does prioritizing developer experience look like so we've all heard user experience I'm very familiar with that and I spend all my time with users

(39:56) what are the the top things we should be thinking about for prioritizing developer experience and and we're not allowed to use the same answer just give me a button that's too easy so any other anything else that people think developers really want you know just to make their lives easier just the the the highlighting topics things that we talked about here helping them understand what's the tool set that I'm supposed to use to be effective in my job how can I easily find the right information I need

(40:29) um you know that's where some things like Backstage are interesting how can you make onboarding and ramping up as a developer at an organization really easy and seamless and help them understand um you know where they can go to find information and documentation and solve their own problems excellent uh I'll jump in real quick and also say you know Freeman not watching the chat check the chat there's some amazing uh and some funny comments in there uh so nonetheless I think another thing we'll

(40:59) see a lot of attention for is uh you know trying to bring governance risk and compliance and policy into codified formats uh you know so instead of you know asking for mounds of uh digital based paper documentation starting to bring some policy as code compliance as code and things like that into the pipeline uh into our processes of how we deploy uh software for example I think it'll be another area that's going to see a lot of attention awesome suppose I'm just just very quickly for myself then um developer experience

(41:28) um just even internally in Cloudsmith a shout out to the Cloudsmith engineering team who did a great job in improving that onboarding experience Alison for new engineers at Cloudsmith so we have a much better um development environment now it's it's uh it's not exactly click a button but it's it's a lot more easy to spin up than previously and easier to debug in and I think the guys are all very proud of themselves and rightly so even though I don't develop for Cloudsmith I was very impressed when

(41:56) I saw it I thought that has got to make things easier for people onboarding and just getting started so yes and you're absolutely right about the chat as well Chris.

(43:01) Thanks again just before I close um you can find us all in our respective places of work and please come along and try out all our products we would appreciate that a lot and but it was a pleasure and I look forward to talking to you all again
