
DevOps World Silicon Valley 2023: Cutting-Edge Tech, Security, and Developer Experience

Erik Dietrich
CEO at Hit Subscribe

I left my hotel in San Francisco this morning around sunrise to make my way over to DevOps World, Silicon Valley, taking place at a Hyatt. It seemed a fitting start to the day to drive past an impressive series of tech logos on the sides of office buildings through Silicon Valley.

I arrived, greeted by an efficient check-in process, a nice breakfast spread, and interesting sponsor booths arrayed around the communal area. Then, it was downstairs for the first talks. I wondered what themes I might take away from the day – a day dedicated to ideas for improving the developer experience, right in the heart of tech.

The theme was clear right from the jump. In his kickoff talk, CloudBees CEO Anuj Kapur talked about the breathtaking sums of money spent on software development globally, but how software developers only spend about 30% of their time, well, writing software. And while there may be some complacency or a sense of inevitability about this, especially in the enterprise, he and the other attendees and speakers think that 30% needs to get a lot closer to 100%.

Developer experience was the theme of the day.

To be precise with terminology, Microsoft has a pretty good, succinct definition for developer experience.

Developer experience refers to how easy or difficult it is for a developer to perform essential tasks needed to implement a change. A positive developer experience would mean these tasks are relatively easy for the team.

So there we were, in the heart of Silicon Valley, having a discussion about how to make life easier and more efficient for software developers.

The Minotaur Project

The very first talk was from Andres Vega, one of the authors of Investments Unlimited. He compared the book to the Phoenix Project, a fictionalized account of an IT team implementing DevOps principles. I’m personally a sucker for business fables, so I’ll have to add it to my list.

In the talk, Andres drew lessons and inspiration from the book, which was a fictionalized account of implementing security and compliance in highly regulated industries. He talked about regulated organizations being pounded with hundreds of millions of non-compliance fines in recent years, and how the IT organization has done a great job automating everything… except compliance.

But the solution, he argued, lies not in generating toil and checklists for engineers, but rather through automation of taking compliance actions and proving you’ve taken those actions. Hence the Minotaur metaphor. It’s not enough to just comply – you need a trail of breadcrumbs to find your way back out of the maze.

The fact that this talk focused on preventing toil for developers, rather than adding to it, was a nod to the developer experience theme. Even in a talk about compliance, allowing developers to be faster and more efficient featured prominently.

Go Big, Say Yes

The keynote came next, and featured big product announcements from CloudBees. These included high availability and horizontal scaling for CloudBees CI, workspace caching, and a new pipeline explorer feature. All three of these team up to have a dramatic effect on the lives of developers using them, dramatically reducing time spent waiting on and troubleshooting builds.

Also coming soon is a new cloud-native DevSecOps platform, designed to be developer-centric, open and extensible, self-service, and with security and compliance built in. Available starting on November 1st, this will be a boon for developer productivity as well.

These announcements drew more than polite applause. The engineers in the audience seem genuinely thrilled at the prospect of saved work and downtime. It probably didn’t hurt that at one point, a man dressed as the Jenkins Butler came up to share some statistics about global Jenkins usage.

Managing Cloud-Native Applications

That rounded out the first round of sessions, at which point we filed out of the presentation room to have snacks and coffee and check out demo presentations. Making my way through the crowd, the excitement about the product announcement seems to have generated conversational buzz.

Once we returned to the room, there was a panel discussion about managing cloud-native applications. This included Mitch Ashley, CTO of Techstrong, Tara Hernandez, VP of Developer Productivity at MongoDB, Aja Hammerly, Sr. Staff Developer Advocate at Google, and Adam Robertson, Head of DevOps at EngageAI.

They had a lively discussion on what cloud-native really means, what the attraction is and how to get started and how to make it work.

Jenkins at Scale on Kubernetes @ Intuit: Strategies for High Availability and Maintainability

At that point, the track switched from a panel discussion back to a presentation, and Intuit employees Vijay Argawal, Reka Ajanthan, and Mike Nau presented their journey to using Jenkins at scale.

I found the scope of the software build operations to be staggering. They have more than six thousand developers and four hundred thousand Jenkins jobs, which results in roughly one hundred thousand builds per day.

In this talk, they spoke in detail about improvements to their build operations that dramatically improved KPIs across the organization, which I have to imagine was very well received by the software developers throughout Intuit. One of the coolest things about this presentation was they did a live demo of killing a couple of nodes and showing how quickly the system recovered.

Business Benefits of Open Source Contribution

At this point, we broke for lunch, and the excellent food in the networking room did its part to improve the developer experience of those developers present. When not charging my laptop, I wandered around, making notes, observing the booths, and catching snatches of shop talk from enthusiastic attendees.

The first talk after lunch was from Mark Waite, a manager at CloudBees, who encouraged us to contribute to, and even adopt, open source projects. But interestingly, he argued for this from the perspective of business value – if your company is using open source components, it’s simply good business to make sure they’re patched, current, and fit for purpose.

Even in this line of discussion, I thought of the broader theme of developer experience. Throughout most of my career, the companies I worked for would likely have viewed me contributing to open source projects as a hobby I should undertake on my time, rather than as an important investment, even though I relied upon and needed those tools.

Scaling Developer Happiness Through Platform Engineering

Speaking of developer experience, Joyce Lin, Senior Director of Developer Relations at Postman, gave a talk that was about scaling developer happiness. I thought this was a really novel concept and framing.

She spent time walking through surveys of developers and what makes them happy and unhappy. Some things, like work-life balance, are universal to the human condition, but a lot of other things, she pointed out, are specific to developers and specifically addressable through a platform engineering organization.

Specifically, concerns like developer productivity, problem-solving autonomy, project quality, tool quality, and exposure to cutting-edge tech all scored as important concerns for developers. And a platform engineering organization can help on all fronts.

Shift-Left - Integrating Security into Today's Modern Software Engineering Mindset

After Joyce’s talk, David Suh, Director of Security Architecture at Sorenson Communications, presented about how to integrate security into software engineering. And it wasn’t a call to developers to be more diligent about checking compliance boxes. Instead, he talked about how historically security organizations have failed to support the software engineering function, and how he’s worked with security folks to change that.

I really enjoyed the pragmatic look at what does and doesn’t work. He talked about why security throwing things over the wall or making proclamations to the dev teams doesn’t work, and how security taking on a more supportive, enabling, and collaborative role is the key to success.

A New Frontier: AI’s Influence on DevOps and the Marketplace

After another networking and snack break (and a few cookies, if I’m being honest), we reconvened for the last series of sessions. The first was Daniel Ritchie, Founding Member of the Brain Wave Collective, talking about generative AI and its influence on DevOps.

He drew a really interesting parallel between today’s moment and the introduction of the personal computer in 1983, pointing out that a term, “computerphobia,” had actually been part of the popular lexicon at the time. Then, as now, people had a wide range of reactions to a bleeding-edge new technology, and they ran the gamut from enthusiasm to fear.

Daniel’s take was that fear would give way to understanding and an improved developer experience, as generative AI relates to the tech world. He encouraged the audience to think of artificial intelligence as “augmented intelligence” and to keep in mind that with this technology, “everyone levels up.” He then cited specific tangible examples, such as the idea of dynamically responsive software agents and automated business rollouts.

Security and Risk Management - Security and Compliance in the SDLC - Panel

Next up was another panel consisting of Gayatri Prakash, VP & General Manager of Compliance at CloudBees, Nicole Rosania, Manager of Platform Engineering at Point32Health, Kristie Baker, SRE Engineering Manager at Netflix, and Ken Muse, Sr. DevOps Architect at GitHub. And they talked about the role of security and compliance in the SDLC.

One of my favorite turns of phrase from this session was when Gayatri said, “we need to ‘shift’ security to where it makes the most sense,” which she called “shift smart.” This seemed to thematically represent the panel discussion, which talked about more practical and more human ways for software engineers and app sec folks to collaborate.

And in line with the day’s broader theme, this resonated in terms of developer experience. As Nicole said at one point, “it’s all about collaboration,” and that collaboration talked about helping developers achieve application security more easily.

Enabling Secure, Scalable, Flexible, and Easy-to-Use Continuous Integration Solutions at Salesforce

The last talk of the day featured Andrey Falko, a Software Engineering Architect at Salesforce. And he talked about the continuous integration journey at Salesforce.

I found this really interesting because Salesforce is an OG web application. As in, Salesforce was a web application back in 1999, when the idea of a web application was truly in its infancy. So to hear how a web application and its deployment paradigm evolved over the course of nearly a quarter century was a pretty unique experience.

They survived the ride from monolithic web applications to services, with many acquisitions along the way, by deciding on some core principles. Specifically, CI systems needed to be self-service, they needed to let engineers bring their own tools, they needed to allow automated patching, and they needed to be fast.

By imposing those creative constraints, they were able to create deployment paradigms that kept up with the incredible scale of Salesforce’s growth, and to do so in a way that preserved the developer experience.

Optimism for the Future

After that last talk, I made my way upstairs to the happy hour and reflected on what I’d heard a little while I had snacks. I spent about 15 years of my life in software development, and for most of that, security, compliance, and operations were foisted on us in a fairly ad hoc fashion.

Nobody was reflecting, as Anuj did, that it seemed fundamentally flawed for software developers to spend less than 30% of their time developing software. If anything, we were writing too much code, and not filling out enough TPS reports. So all these years later, as I drove back to my hotel with the sun setting on Silicon Valley, it struck me that we’d come a long way, and the future seemed bright.
