Cool. Am I too loud, or is this good? All right. So, my standard spiel for every presentation I do: I don't have a whole lot of slides, I think maybe I have 10, and I'm not going to be offended if I don't go through all of them. My point is to have discussions, and I want to make this interactive. If you have questions, just stop me, throw something at me. You don't have to wait until the end.

So I want to talk... I mean, a lot of you have been very active in open source, and you know DEI obviously is an important topic, and I think the way we've been doing a lot of recognitions hasn't been necessarily helpful. So that's the discussion I want to have, and if you have any feedback on this or if you have any comments, feel free to stop me. Oops, my cursor is not in the right place. Sorry about that. I've lost it. Okay, right.

Cool. I think a lot of you know me already. I started working on open source community management around the 2014-2015 timeframe when I joined the Linux Foundation, and I was there for about four years, involved in several networking-related projects. When I joined, there was only one large networking project in 2014, which is OpenDaylight, and now they have, I don't even know how many, it's probably close to a dozen projects under the LF Networking umbrella. So after about four years there I went to GitLab in the middle of 2018, and GitLab, as you know, from day one started with a contributor and open source ethos, and I was happy to play a part and continue to grow the contributor base for about two years while I was there. And almost two years ago, it's amazing how time flies, I was talking to old colleagues from GitLab that are here, almost two years ago I joined Cube.
Have you heard of Cube or Cube.js? Okay, Mary has. So we're in the business intelligence and data analytics space, which is a new space for me. But a lot of the users and contributors in that space, in the beginning a lot of them are internal developers working in IT. They want to create a common definition of common metrics based on, for example, point-of-sale data, and they want to be able to do data modeling in a consistent fashion so everybody has the same definition, tied to whatever front-end framework you're using, like React or others. But now, recently, using our SQL API you can tie to whatever business intelligence tool you use, whether it's Metabase or Tableau and others. But yeah, this is not meant to be a sales pitch. If you want to learn more, feel free to stop me and check out our website.

So we'll talk about why recognitions are important. Seems like a rhetorical question, but I'll share three main reasons why I think it's important in open source. Talk about some of the typical recognitions you've seen in a lot of communities, and I'll present some of the negative examples, and those are all mine. These are the mistakes that I made. I'm not picking on other communities because they're not inclusive; these are the mistakes that I made. So feel free to poke holes in what I've done, and I'll talk about what challenges they present and how we go about addressing those.

So why are recognitions important? I think it's three things. The first thing is very obvious. In general in life, whether it's in open source or high tech or wherever, you need to thank people, to really show them your appreciation for what they do, especially in remote communities. So whether somebody's removed technical debt your community has been carrying for a couple of years...
I mean, somebody takes initiative to fix that huge bug that you've been carrying. That's obviously amazing. And I don't recommend you doing this, because I lived through it: somebody in our old community decided to migrate the wiki tool, and you can just imagine how well that goes. I was the recipient of a lot of the arrows too, because I was on the foundation staff that supported that person. But if somebody does that, it's not for the faint of heart. You're just getting arrows thrown at you for four weeks. But at the end it worked out well, so they're still using that new wiki tool. But a couple of community members who took the lead on this, I don't think they got a lot of good nights' sleep for a few weeks. But if somebody does something amazing like that, it's important to thank them.

The second reason is, every community has an ethos or values that you aspire to. It could be written down as community values; you have a written community code of conduct. When somebody exemplifies what you value, like collaboration, diversity and inclusion, teamwork, and other areas, if somebody role models those values, it's important to highlight that, to make it apparent that we mean what we say, especially for new community members that are joining. So it's highlighting the role model, and then highlighting to the community members that those values are indeed important.

And the third one is celebration. Even if you're taking two minutes during a technical steering committee call to say, hey, this person Mark fixed these five bugs in the last two weeks, it's important to pause and recognize that, because what happens a lot in a remote,
asynchronous environment is that the meetings are just very task-based. So you go through agenda items, you try to knock discussion points out and get things done, and you're very focused on that. Whereas if you're in a traditional office environment, it's easy to stop by somebody's cube and just give somebody a high five, right? Which is very hard to replicate in a remote environment. So I think it's important, even if you have to carve out, even if it's only an hour meeting, carve out two or three minutes every few weeks to say, I want to highlight these people for the great job they've done, and thank them. So I think keeping the community fun and celebratory is pretty important.

So what have we seen in the past? And like I said, for people who walked in late, these are some of the mistakes I made as I'm managing different communities. You go to different events and you'll see charts like this. The one on your left is the number of PRs or MRs merged by community members. These are all made-up numbers, but I think you'll get the point: one of the contributors, he or she had 250 PRs merged in a year, and the next person had about 200, so on and so forth. In the second chart on your right, you see a lot of foundations do this, not just the LF but other foundations, publish reports like this. However you define contributions in your community, in your projects, you have all these member companies that are contributing, and they try to quantify how many people made contributions, whether it's code, whether it's even discussions on mailing lists or contributing to the wiki, etc. And you quantify them and list: company A had 15 people contributing to project X, etc.
There are a couple of issues with this, and you could probably point out others as well. The first problem is there's a tendency still today to focus on code contributions. Back in the day, maybe 10 or 15 years ago, when open source projects were mostly by and for developers, that may have made sense, because most of the collaboration was happening around code. But that's really not the case anymore. Like I mentioned, I got involved in a lot of networking projects around 2014 and 2015. Even then I noticed there are a lot of telco operators, the AT&Ts, T-Mobiles and China Mobiles of the world. They don't necessarily have a lot of developer resources like vendors like Ericsson or Huawei, but they have great insights on use cases. If somebody's working on a feature, you want an actual user or potential user to have feedback on: this is the use case that you're not addressing, or you need to tweak your work slightly. So if you're only focused on code, you kind of miss out on those other members of the community that are contributing.

And the second is, you probably know, along with Don I've been part of the CHAOSS community for a long time, so obviously I'm a big fan of metrics and I use them. But if you focus too much on metrics, a lot of times you lose the context of a contribution, or you just miss out on things.
That's very hard to quantify. So those are the two major problems that I've seen with approaches like this. But can you think of other issues with these approaches to potentially recognizing people? I can just move on, but I'll probably come back to this in a bit.

But let's talk about other contributions. I think a lot of communities these days in open source are moving away from things like IRC or mailing lists, because, to be honest, nobody ever loved Mailman, although they're still around. A lot of communities are moving to Slack or Discord or even Mattermost. And this happens in every community: there are certain people that are really good about making people feel welcome, answering their questions patiently, although those questions have been asked a number of times, and pointing them to onboarding resources or really answering those questions. And those things are really hard to tease out sometimes, unless you're reading through all the channels. As a community manager, this hasn't happened for a while, but for a couple of years I felt like I was getting calls or pinged on LinkedIn every few months about another startup that was developing a tool to streamline your management of Slack conversations. They'll have dashboards or metrics about how many people are contributing, how many threads are happening, etc. So they may tell you the volume of conversation that somebody's contributing to, but they don't really tell you: was that individual asking a lot of questions, or was that person really helpful, answering people that are coming on board? So, I fully understand it, those are extremely hard to quantify, right?
So you can't really get a sense of that unless you dig through the conversations in long threads.

The other thing, I've had this from some of our community members at Cube. There was a software company that's been using our software for about a year and a half, and they were looking for ways to contribute back to our community. They didn't have developer resources to help make technical contributions, and they noticed that we have what we call user stories, which are similar to case studies, and they said, can I help write up a user story based on our use case? And I said, that's awesome. I think by then we only had five or six user stories, and this is the first one in the software industry, and this is the first one that was using Snowflake. So this use case is worth its weight in gold, because I just had a call with somebody the other day who said, is anybody in your community using Snowflake? There you go, here's the link, right? So if you think about Lewis's contribution from Simon Data, it looks like one contribution, but it's extremely valuable. So you can't just say he did one thing in 2021 and that was the end of the contribution. So that becomes problematic: if you try to quantify everything, it just doesn't give you the whole context of what this particular individual has done.

The third one I want to point out, the bottom two diagrams sort of go hand in hand. When somebody comes into a community for the first time, and I've been involved in a lot of communities, I still go through this imposter syndrome. I don't quite know what to do, I don't know everybody, so people feel uncomfortable, and then sometimes I don't even feel like submitting a PR or opening an issue, because I don't want to lose face, to some extent. Somebody may have opened this issue before, and maybe this was discussed, and
I don't want to rock the boat. This happens a lot, and this is also somewhat cultural too. I spent part of my youth in Korea, and losing face is a big deal culturally. I think I've been speaking for about 15 minutes, and I'm sure I've made at least a dozen grammar mistakes already. Not that I don't care, but I got over that, right? But for people from Asian cultures whose first language isn't English, that becomes almost a big source of embarrassment. That's one of the reasons why they don't want to speak out, for fear of making a mistake. So they don't always want to do stuff in public until they feel comfortable or confident that no one's going to make fun of their accent or grammar, until they gain their confidence. You might just have a one-on-one interaction over Slack or Zoom, because that's what they're more comfortable with.

Speaking of user stories, I found a user in Indonesia. They were collecting a lot of POS data because they were in the retail industry, especially in food services, and I noticed he was starting a lot of threads and asking interesting questions. And I said, you should do a user story, because that's pretty interesting: it's in a new geography and the point-of-sale industry. And he said sure, but he never wanted to get on the phone, because he was very uncomfortable speaking English, which you wouldn't know from conversing with that person on Slack; his English was more than adequate. And we just collaborated over Google Docs and Slack, and in a week
we had a blog post ready to go. But that was his comfort level. Maybe he was constantly using Google Translate while typing those messages on Google Docs or Slack. But you want to give this person an opportunity: if they're comfortable contributing like this, in this space, then give that person the space, right? Don't force that person to do everything in the open when they're not ready yet. Some of that is cultural, right? And that was the first time ever I collaborated with somebody without getting on the phone, but it worked out pretty well, and hopefully he thought it was worth his time too.

And this one, this was my major learning, and this is the inspiration for why I wanted to give this talk. I gave a similar talk at FOSDEM earlier this year. Not everyone is comfortable with public recognition. They'd just rather have somebody, I'm making an office analogy, they just want somebody to come to their cube, give them a high five and be done with it. They don't want to stand on stage, they don't want to be publicly recognized, and that's completely fine, right?

And the other reason why I thought about this a lot last year was that we have, like other communities, and like we did at GitLab, a heroes program to recognize top contributors. Our ranks of heroes aren't that large; we currently have only four people. But even when I started, I wanted to find out who the regular contributors were and what kind of contributions they made, and during the process of last year I reached out to a few people: I think you would make a great hero, I'd like to extend an invite to become one of our heroes. And their responses were almost identical.
They said, I don't think I've done enough. I don't think I'm really qualified to be a hero. And it turned out, I don't know if it was a coincidence or not, they're both female. So that had me worried, because this reminded me of when you have a job description with ten bullet points: typically, male engineers in Silicon Valley, if they've done seven of them, I've done Python, I know SQL, then they'll just apply. Whereas a female engineer: well, I haven't done three of those things, so I don't think I'm qualified. That's sort of the mindset from underrepresented communities. So I was kind of worried about that: is there a problem with my recruiting pitch, or is it the way the program has been presented to them? So I reached out to two of my former managers, who are both female and pretty active in DEI initiatives, and said, here's our web page, and here's how I've been identifying and approaching people. Can you see any issues with what we've been doing?
And then both of them actually said, what's your goal for this program, no matter what it's called? And what I told them was, it's not just recognition, although as community managers I think we all like recognizing people, that's part of it. But what I told both of them was that I wanted to have a trusted advisor group that I can reach out to in the future. Whether we're making big product changes, like we want to change a user interface, I want to reach out to this core group of people, or I want to come up with a new policy for our community, and I want to have a core group of people that I can ping for advice and guidance. And both of them said, then why don't you present it like that? They obviously like contributing and helping people. Maybe that's their main motivation, rather than, because they thought I was focusing way too much on recognizing them, anointing them as heroes. And they weren't overly concerned, but the term "heroes" they didn't think was too friendly to all segments of the population. When I hear the word heroes, I think of Marvel heroes, I guess, and is that necessarily inclusive? That's another thing that we can think about. So we even thought about changing the name, but we obviously didn't go that far. We just made a tweak to how I approach people: I don't really mention recognition first. And then we obviously changed our wording and positioning on our web pages so that hopefully it's a little bit more friendly. So that's one of the things that I went through with a few individuals last year.

And then while doing that, I had to do more unpacking, I guess a reflection: am I doing this to really thank them and recognize people, or am I trying to show off how cool our community is?
Right, and if I was being completely honest, there was some element of that. I want to show off what kind of cool people we have, and that's kind of a fun thing to do, but that shouldn't be my main motivation. Why am I really recognizing people? That should be my main concern.

Cool. So how do we go about making our recognitions more inclusive? This is pretty obvious; I said it a few slides ago. We need to look beyond code. And even if you look at the code, let's say you look at a GitLab or GitHub repo, and somebody added this amazing feature because they worked for a long time, and we have this new bell and whistle on our product that we didn't have before. I almost guarantee you, outside of the activities on the repo, there are other people that helped with adding that feature or removing the technical debt. That's why I try to get on the phone or a Zoom call with the individual, to learn more about their reason for contributing and what was involved. And typically there'll be other people that helped with things like testing that would never show up in the commit records. So if I just recognize that one person who showed up on GitHub, then I'm excluding potentially several people that have helped out with that work.
So I make it a point, before I reach out to people, I can't guarantee that it happens all the time, to really understand what kind of work was involved and who else helped out, so that I'm more inclusive.

I talked about metrics. One of the things I like to do, and this is related to what I said about reaching out to people before I recognize them publicly for their contributions, is, one of the things every community manager does is have a virtual coffee chat with them; it's become a norm since the pandemic. You try to get a better understanding or context in terms of why they contributed and what was involved. And it's important too. So we have a Notion page of my conversations with community members. We also use Orbit for dashboarding. I try not to instrument things too much, and I don't record those conversations, but it's to give proper context to their work. But what I see very often in a lot of communities is that they spend way too much time instrumenting stuff, or trying to turn something into a metric when it doesn't necessarily make sense. So, Don, you may have heard me mention this book. There's a book called The Tyranny of Metrics. Like I said, I'm a big fan of metrics.
I use them all the time. But there's a point of diminishing returns, and that's what this professor Muller talks about in his book. He's a history professor, and he found a problem in academia: to get funding, people are spending way too much time instrumenting stuff, trying to quantify everything, rather than spending resources on, say, teaching students at universities. They're just hiring staff to instrument things. So just a word of caution.

The other reason why I like to have these conversations is that almost every time I talk to them, they want to find other ways that they can contribute to the community. So you're thanking them for the work they've done, but they're saying, besides helping you triage bugs, is there something else that I can do, or is there other insight I can provide? So I definitely like those conversations, and those things you're not going to get when you try to instrument things beyond what's even necessary.

Cool. So what other things should we be thinking about for recognitions? One is, I've done this when I was at the LF: we had a six-month release cycle, so we do big recognitions every time we do a release. That's nice; every six months we have this big celebration, either in person or virtually, to celebrate and recognize people. But what I sometimes neglected to do was recognize somebody on the spot when somebody did something great, like streamlining the wiki page, for example. Just thank them on the spot, even if it's just a DM, right? Rather than waiting until the release is done, six months later. The person may have moved on to something different, or you just lose the context, right?
So go ahead, sir. Yeah, no, no. So, good question. So I've been involved in several projects at the LF, and OPNFV was one of the projects; they've rebranded since then. I think at their peak they probably had about two to three hundred active contributors. And obviously GitLab was my next journey, and in open source that had typically about a thousand people making contributions to our repo. And right now at Cube, I would probably say 50 to 100. So, anyhow.

Yeah, and I appreciate that question, because if your community gets large, then it becomes worse. If you wait even a month to thank somebody, you've sort of lost the opportunity, to a certain extent. I guess it's better late than never, but if you see something, just thank them on the spot, whether it's a DM or something else.

And so, for community managers, swag or merchandise can sometimes become a bane. It just takes a lot of your time sometimes, and you have to ask yourself, just like instrumentation, am I overdoing this? Because if you think about it, it's really not about the merchandise. Nobody's motivated to do something because they got a twenty-five dollar T-shirt or even a fifty dollar backpack, right? If that's their motivation, then I think you have a different problem. So don't stress too much about merchandise, because it's difficult to pick the right ones that meet everyone's needs. So you need to be very thoughtful about that, and that it's not exclusive.
I made this mistake at GitLab. I handed out different color baseball caps, and in certain parts of Europe, I think in certain parts of Europe you see more people wearing baseball caps, I think the UK is one of them, not as many as you do in the US. But if you go to Greece, it's almost unheard of, is what they told me. So that was a learning for me. They weren't offended or anything, but it wasn't as valuable as for people in the US, or even Japan or Korea, where it's more of a baseball-playing country, right?

And this wasn't necessarily recognition. We do a technical workshop at Cube, and as a thank-you for somebody filling out a post-event survey, we used to send out trinkets, like power cables, I'm forgetting, multi-tools, etc. And somebody from Berlin sent me an email saying, please don't send me anything, because I'm trying to reduce my carbon footprint. And basically it was a nudge, like, why are you doing this? I appreciate this, but this is a $15 or $20 item and you're spending another $15 or $20 on shipping, and I'm not helping the environment, right? So I switched tack. The last few months we've been making donations on their behalf to organizations like The Last Mile or Girls Who Code, rather than spending the money on sending out trinkets. So I appreciated that nudge from the community member in Germany to remind us.
It's not just about swag.

The third one: letting community members participate in the recognition process. My favorite example again is with OPNFV. We used to have annual summits, and the highlight of that summit, on the last day, the last item, was that everybody gets together in a ballroom and we do recognitions, and we also award top contributors. What was meaningful was that all the nominations and voting were done by community members. I didn't have a vote, because I was a foundation staff member. All I did was administer the vote on Condorcet, help with the nomination process, and hand out the award; that was it. I think we selected three. We had fun giveaways too; for example, for people who helped with the wiki migration that year, I gave them a snow shovel, because they had to shovel stuff out of the way. But the top contributors, when you talk to them, said it was more meaningful because this came from the community. It wasn't the technical steering committee chair or a board member anointing somebody; it came from community members. So that just really made it a lot of fun, and it was very grassroots.

And something I did at GitLab:
I had a nomination form. It's just a simple Google Form, because the community, we had a thousand people contributing each year just on the repo, so it's hard to know what's all going on. So I said, if you see somebody's done great work, please send in a Google Form so I can reach out to them. To be honest, it wasn't as active as I'd like it to be. I probably should have done a better job of advertising it. But I kind of like that grassroots aspect too: we'll reach out to them and highlight them. That's something else that you can probably consider doing.

Final talking point here: avoid ranking contributions or organizations. That goes back to this slide here. Although your intention wasn't to rank people, it's hard not to look at it that way without the context, right? Especially the chart on the right. The larger the organization, you have a clear advantage, right? If you have 10,000 people versus a 50-person startup, you're just not going to have the same amount of resources or bandwidth to contribute to an open source project. So how does that make you feel if you're coming from a 50- or 70-person startup company, right?

And the same thing with individual contributors. This comes up, especially in my current role, or even at GitLab: we'll talk about contributors internally, and one of the questions that would inevitably come up is, can we ask these people to do more? So how I would answer that question is, I think we should be asking how we can make it easier for them to contribute more, rather than burn more of their spare time, because unlike foundation-based projects, they're not paid by their companies to contribute to your projects, right?
So I don't want to ask people to spend less time with their family or their hobbies or even watching a soccer game, which is what they enjoy doing. I don't feel comfortable asking active contributors to do more, because that's problematic; I'm not being sensitive to their needs. One of the things we did, and this was work our engineers did at GitLab: they made the GitLab Development Kit more usable for different audiences, a better user interface, easier to install on your laptop, etc. So lowering the barrier to entry, making it easy, that makes sense. But we should probably not be asking people, can you just do more, can you submit 10 more PRs this year? That just doesn't feel right.

So, cool. Some final thoughts. Obviously the big realization for me last year was: remember the reasons for recognizing your community members. It's not to show off to the rest of the world what kind of cool people you have in your community. Although that's nice, think of the real reasons why you're recognizing people. And we tend to, at least I did in my life, focus on how much somebody's contributing rather than what and how and where, right? And especially outside of your code base: how people are working together, how they're collaborating.
So I think where and how is more important than how much, in most cases. And this is repeating what I'm saying: as you're recognizing people, try to understand... it's impossible to talk to everyone, I understand that, I can't do that either, but try to get more context into what motivated them to contribute and what their experience was like. Because, I don't think I mentioned this, during those conversations you'll get feedback on, say, your onboarding document wasn't very clear on how XYZ works. So those feedbacks are very valuable, and I think having those interactions is pretty important.

And the final thing. I've seen, I forget which community it was, and I'm trying not to pick on any community either, they had a top contributor program. I don't know what the name was, I don't know if it was hero or something else. They had three tiers. If you do this, you're bronze, I'm just making that up, and if you do this much then you're silver, and if you do more then you're gold. It's almost like an open source foundation membership, right? And when I looked at that, and this goes back to the quantity issue, right? Are you really encouraging people to spend more time contributing to your project versus spending time with their family or their hobbies? So I didn't find that too inspiring when I saw that. And that also felt very transactional to me, because you should be all about relationship building with your community members, versus saying, oh, you did this much so I'm going to give you this, you did this much and I'm going to give you a different trinket. That felt somewhat transactional.
So I would think carefully before doing this. The only time having those different tiers makes sense, based on my experience, is when you're having a fun, almost contest-type activity in a limited window. So let's say some community has a bug triaging event over a 24-hour period, right? And if somebody triages this much, you can have different tiers, almost like a fun contest, and you're not required to participate. I think that's fine; I think that could work. But you don't want to be overtaxing people either, so there's a fine balance. If you sort of time-bound things and make it a fun activity, versus assigning value to somebody's contribution, I think that could work. But yeah, when I was looking through different recognition programs at different companies, when I saw that on a company's website, that kind of made me think a bit about trying not to be transactional with your community members.

So, as I said, I gave a similar talk at FOSDEM, and I made a blog post on opensource.com that summarizes pretty much what I said. If you have any comments, feel free to leave them there. I forgot to ask questions of you, and feel free to ask me questions as well. Have you seen good recognitions that you thought were cool, or maybe you're the recipient of one and you still remember it after ten years?
I don't know if you have good examples, but go ahead.

So I'm biased, but I'm really fond of Fedora's badges system, because it doesn't really cost us any money. We don't have to send stuff to people, and it's a way that we can provide pretty instant recognition across a variety of ways. So some of them are tied to pushing commits to repos, but there's also things like editing wiki pages, changing your password, adding your time zone into the account system, things like that. So it's really diverse across a broad array, and then people can request new badges. So you talk about making it open to the community to participate: you say, "Oh, I'm going to run this event. Can we have a badge for that?" or "Here's a thing that I think we should recognize. Let's make a badge." And so it's just a way to kind of gamify things, and it encourages people when they look at what badges are available. I know I've done it: "Oh, I could earn this badge by running the kernel regression test suite. I'm going to go do that." And I never would have done it had I not seen that there was a badge for it.

Okay, so this is a virtual badge thing that shows up on people's profiles?

Yes.

Okay, yeah, that makes sense. I mean, some level of gamification, I think it can make it fun, and I think those are completely appropriate. Any other comments or questions? That kind of reminds me of one of the TSC chairs that I work with. I think he's still at Nokia. He gave an example; we were talking about recognition in general, I think we were nearing the end of a release cycle or something, and he said there was an open source project
he worked on 15 years ago when he was at Nokia (I think he's still there), and they gave out some trinket. And he said he still has it on his desk at his office because it just brings a lot of good memories about the people that he worked with. It just has a lot of emotional meaning. I don't know how much it costs, but it's just a nice little trinket that reminds him of the community that he joined and worked with, and he said that just means a lot because it also came from the community. And I think we all have examples of those on our desks. Even if it's in the desk drawer, you feel an instant connection with that community that you left 15 years ago, right? So obviously it's not about creative swag or tchotchkes. It's about the emotional connection with the rest of the community and giving you a sense of belonging. So, go ahead.

So I run a nonprofit that does open source hardware things, but it's very different than what you have. I don't have a community of 100, so I talk to every single person on my team, and so it's a very, very different situation. My question for you is: let's say someone shows up to a software project and makes a pull request, right? How many pull requests do they make before they typically talk to a human being in the community? And is the sense of community all electronic, like they code review someone else's pull request, or is it formed by little events and virtual meetings and things that you have?

Right, so thanks for the question. And feel free to just stop me if I'm not heading in the right direction, the spirit of your question. Somebody responding to your pull request,
although it's not over the phone or Zoom or anything: I set a goal that within five business days somebody should at least acknowledge it, even if it's just adding labels. Especially if it's a first contribution, I like to put at least an emoji, a thumbs up. So there should be good hygiene. It's not just me, but somebody from the engineering team needs to constantly look at that, get it labeled, and then acknowledge that we see it. No guarantee on when it's going to be merged or closed or any of that, but at least a first acknowledgement should happen pretty instantaneously. I think for a lot of communities these happen virtually, but if you have the budget for this, big projects like Kubernetes or all the CNCF projects, there's a reason why people get together. They're still meeting twice a year, right, the CNCF? Yeah, so it builds enormous value for your community members to get together, and you could have a hackathon that goes along with the summit, so to speak, so people actually collaborate in person and really get to thank people in person.
That's important. But even if that's not possible, what I try to do is, if I see an interesting contribution, and no guarantee that I'm going to catch all of them, I like to just reach out and say, "Hey, I'd like to jump on a call with you," no matter what time zone you're in, within a reasonable time frame. And I'm amazed that they feel almost honored that they're approached by somebody from the company. Even before I send them something, they feel appreciated and feel a connection, because they like the technology, and they feel very welcome, and then they feel comfortable not only using the software but being actively involved. So hopefully that answered most of your question, but please let me know if I haven't.

Well, sorry, I've submitted pull requests and bug fixes to small projects, and I used to maintain an open source project, but I've never been a part of a large team of hundreds that did this. So I don't understand how those social interactions on such a large team work. So I think you did answer my question: that someone who's a first-time committer has at least some chance of a human interaction, even if it's a 2% chance. But as they do more, they're going to have electronic email interaction with members of the team, and that forges at least some sense of community, right?

Yeah. I mean, so I think to a certain extent automation in either GitHub or GitLab really helps. We're doing this in my current role at Cube, and we did this at GitLab too. If the contribution comes in from the community, it gets immediately labeled "community contribution," or you can pick whatever label you like, and then I subscribe to those labels, right, so I see them. And what I would do today, and even at GitLab, I would look at which part of the product it is, and I would assign it to the lead engineer and say, "Hey Mark, can you look at this?"
And so they know which team is responsible for reviewing their contribution. So even if it's not completely personal, automation, I think, helps. I don't think people would view it as impersonal. At least they know somebody saw it and somebody's going to take a look at it. So go ahead, Don.

Yeah, sorry. Just to add to that a little bit. I think when you're thinking about these large open source projects, you actually need to think about them as smaller sub-projects. So if you look at Kubernetes, it's dozens of smaller sub-projects, and people tend to focus in on very specific areas. The other thing that's different about these very large projects is they often have loads of project meetings that are over Zoom that anyone can drop into. So a lot of people can just drop into one of the weekly meetings for a particular area or for the whole project, and you can get some personal interaction that way as well. So don't think of the large projects as being less personal than the smaller ones, because I think in some ways they're actually probably more personal, because they've learned to do this at scale.

Yeah. And Don, I think you're part of, at least you were part of, the onboarding team in the Kubernetes community, right?

So I was. I'm less involved in that now, but I'm involved in the CNCF Contributor Strategy Technical Advisory Group now, which is kind of the same thing.

It's how do you... I know you're not going to be offended: "Hey Don, who do I reach out to about this PR?"
I submitted it, and then Don could direct people to the appropriate places. And we also had a page at GitLab, and so we would have lists of product managers and engineering managers for different areas of our product. Not everybody's able to find them, because we have so many handbook and web pages, but having those pages is helpful: "Hey, if you have any questions about who you need to ping on your merge request or PR, here's a list of people." And I've seen other communities do that too. They'll list what they call PTLs, project team leads, so at least you know who to escalate to if you don't think you're getting the response that you need. So even if the project's big, with thousands of contributors, I've seen a lot of communities do this really well. Other questions? Oh, go ahead. Let me... I'll bring it back. All right, thank you.

So I wanted to get thoughts on ways to, and I missed some of the first part about any of the chat groups or other communication methods that might be part of these communities, but thoughts on ways of encouraging participants within the community to do some type of peer recognition and engagement, rather than it just being the leaders and owners of the community that have the responsibility for being engaged in recognizing. To have more of that scaling as peers: how do we recognize and support and encourage each other as well, to keep building on that, versus it just being a lot more of that hierarchy? It's great to get that from leadership, but there's a lot more of the contributors versus the leaders and owners of the community.

No, I completely agree. I'm all about grassroots recognition.
That's why nomination forms help, and we don't have that at Cube. Maybe we're at a point where we need to institute something along those lines. But sometimes people just ping me and say, "Ray, have you seen this person answering all these questions on Slack?" And sometimes, because it's in a channel that I normally don't subscribe to, I completely missed it, right? I don't think I was being lazy, but I really appreciate when those people reach out to me. And yeah, whether it's a formalized Google Form or just making it known to your community members that if you need to tell somebody in the community management team or elsewhere about somebody's great work, I think that makes complete sense, and I think it's more genuine as well. One of the heroes that we added to our ranks recently, he still, to this day... he told me he's addicted to Slack, which, okay, I won't go there, but he said he feels that he needs to read all of them almost instantaneously. That's why he's so good about it. He said it's not just our Slack, it's his company Slack too. He's on top of things; I don't know how. And he's been so helpful onboarding new community members and answering questions. I thought he was very deserving, and he's one of the active members today. Any other questions? Really appreciate you coming on a beautiful Sunday afternoon.
You could be down in Manhattan Beach, but FOSDEM is a different animal, because the first weekend of February in Brussels the weather is iffy, so you can understand people being in a room; in Southern California, not so much. So thank you, and I'll be around if you have other questions. Feel free to ping me on Slack or on the blog post on opensource.com, and have a safe trip home if you're traveling. Thank you.

All of our... Yeah. You... Oh. I can try. Oh dope, dude, let me check it out. Let me make sure this is your run right here. Okay. Yeah, we're gonna learn today. I'm gonna be like, "Dude, come to my conference. I'll pay you for this." Oh no, you're gonna be fine. Wouldn't you just get nervous or something? I'm nervous, but also I feel like if people don't come to your talk and there's like 10 people in your talk, then it almost is more self-conscious, because you feel like more of a loser. Not honestly, like... It's not like... let's be real, I'm wearing a shirt that says RUN GCC. Oh yeah, I forgot about that. Yeah, no, honestly, if anything, if you only get a couple of people, the people are gonna be really into whatever you're talking about. Yeah. No problem, I would be here. Send me a check afterwards. A check for what? You send me a check. Okay, it doesn't look like they have... some people have fancy little Wi-Fi connectors. Why don't you open this guy up? Let's get you connected to the Wi-Fi. Now, especially with fewer people, I think you should be okay. It's just to use the Wi-Fi. Okay, it's H on it. No, no, this will be SCALE. Let's try the fast one first. Okay, so this seems like... and then say like... Okay, cool. So this is working. And then... Yeah. So it's taken so long; also they rolled back their Touch Bar. So I wanted to like Apple more, but when I went back to school later in life to get my computer science degree, because I was sick of working as a chef and an audio engineer. Okay.
And I bought... That's six USB ports, it's got... oh my god, it's got an SD card reader and stuff. Half the cost of the laptop. You gotta have a pretty solid mix of... you may examine... Yeah. Okay, okay, good. Okay, so how do you... So how do you... sure, just one tap so you can do bigger notes? So it's actually commenting there, so that it's more interactive. Okay. Oh, so you want to be able to... how about you start trying to present it like you would, and let's see if you run into problems. Okay, so how do I... so this is just playing the screen, and then how do you do presenting on a... Oh, have you not run your presentation on this computer? I have, but I run it on Zoom, not on a... We've got 30 minutes. We can figure this out. Okay, okay, okay. Why don't you just... Yeah. Okay, so this is not right now sharing the screen. System Preferences, maybe. Or should we go to Displays? Actually, going to System Preferences, go to Displays, maybe. We were talking about how I'm sending checks to anyone when you come to my talk. Okay, just because I was going to the other talk and there's like 15 people there, so I was like, I'm gonna personally recruit people to my talk. Don't even worry about it. It was actually really cute: my grandfather is like, "Is the talk going to be recorded? Because I really want to watch it all." He's like, "My level of cyber is checking my emails, but I want to listen to your whole talk." Honestly, you'd be smart. Yes, I was like, okay grandpa, you're the only one that's going to be listening for the whole hour. I'm looking at... Go to... So you ideally want to share this, and then you have another new screen that you want to use. Well, I figured out... And you weren't able to drag anything over there. Here, plug it back in really quick. It's literally a second screen. It thinks it's right here on the other side of your screen. That'll be cool.
Okay, so if I could go... Okay, this is great. There you go. So now, wait, now full-screen it. You can do it. Oh, you're so close. Oh, now you're gonna find it. Okay, you know what I'm gonna do? Well, wait. Okay, we're gonna unplug this. Okay. Now that we have this in the corner of our screen, problem solving. I do this and let's... But we also don't want to see it totally full screen. Wait, this could be fine, right? Oh wait, you can't see anything. Yeah, probably. And then, okay. Oh. This is amazing. And then okay, so... Okay, so almost. So basically what we're gonna do, we have to... Yeah, so it's like trying, you know, probably when you're watching Netflix and you have to click outside. We're so close. Hit Present now. Okay, now Present. Yeah, hit Present. And then we're gonna go like this. Open it in the window. Okay. Now this, we're gonna pull this way, right? Yeah. Yeah, okay. So, yeah, this looks good, right? Okay, now just making sure, just a check. So we're... Wait, oh yeah, this is an instruction. Okay. Can you say like, okay, so just to make sure that this platform is working, because I've never used the platform before, so can you try to go to menti.com and use that code and see some bow... That's like the most of the right, like software developers, software management, security. Okay, I'm not gonna be a perfectionist, right? It was so funny. I was telling him, you feel like a loser when you're trying to do the talk. It was like, see, we're all... This is a winning conference. I walk up into the office and like, "What the fuck is GCC?" You're like, "Wait, it's the C compiler." As nerdy as you could possibly imagine, and then it's even nerdier than that, buddy. Wait, I get what GCC is, but what's the joke with the RUN GCC? I don't know if you're old enough. What are you talking about? I'm 30. How old are you? I'm 23. Okay, Run DMC, ring a bell? Run DMC wasn't an either, or is it?
Okay, Run DMC isn't a ring? So, Run DMC... Dude, this is the wrong audience, ring. Favorite... A lot of your... maybe we did an Aerosmith one. Oh yeah, they did "Walk This Way" by Aerosmith. That's a big hit. Well, it's Dr. Gray with the brand name. Okay. So that's where, you know, Dr. Gray... Yeah, yeah, yeah. That was when he was still actually getting started with the brand name. So I don't know if this is super... so it's actually really funny, because one of my slides is talking about legacy companies and how faster innovation always wins the market. And I'm talking about MySpace and Friendster, and I was giving the presentation to a group and they're like, "Do you even know what MySpace... were you even around? Do you even have a Friendster?" I'm like, I have to research this stuff. Curated emo song list of here, now, and the world. You put your song this way? Oh yeah, so MySpace was... the other cool thing about MySpace is you could actually make your own HTML background for your website, and a lot of us learned CSS and HTML editing our MySpace. So I'm going to be the only person in this room who has not had a pet, who has never had a MySpace account, and has never... Yes, I'm talking about H2 now, you were all fighting with the type that the whole was a page and file. There were things you could do. So I listen to Darknet Diaries, and it's a security podcast, and there was a vulnerability where a guy realized he could put a block of code in a comment, a comment on somebody's profile, and then it would take over their profile and send that same comment out to every single connected person. And it would rock down MySpace with the network. Oh my god. Just from one, because the one, like 150 or so. It's cross-site scripting, I think, or, see, cross-site, reflected. Oh, there were some problems, there were a couple of them. Shit, he did it, he did it, he
did it. But it was like, yeah, I can just go call a stopper, send some free drinks, two million dollars. I think it was a replay, it was a replay, it was like, there's a table, put three on one. But it was a video, one that was two-hand-friend, close to right-hand-friend. Oh yeah, you can add a video. You can add a video. It's actually brilliant, and then you can... You had more friendship than you. Who was the next one, Tom? But then Tom, yeah. How do you spam everybody? Like, you can be a predator. Yes, you can. Because that was your Darknet Diaries line. Well, Darknet Diaries is an hour-long podcast of serious things, and that one was just about the guy... It's so great. Which is hilarious; it started with one message, and he realized he could do it as a joke, and he just sent it out to all his friends. He's like, okay, go and play with it. Woke up, and it was all over MySpace. Everyone had posted his comments, and he'd originally just sent it out to his friends. That is crazy. Yeah, and then he hacked you. And everybody had got hacked. Well, the thing about MySpace is they weren't secure at all, and they weren't agile at all, and fixing a replay attack like that could have taken them a while. Wait, is MySpace still a thing? I mean, it technically exists, and you can... Myspace.com? Oh my god, it's now modern. Hello. Oh my god, look, come here. So, even just the basic loading, it's not loading the image. Like, it's a cool UI. It's still loading, that means that... Like, we're there, they're search. So that's the cool thing. That is the thing I do miss about MySpace: you had your song playlist that played for people that visited your page, which now is fucking anonymous, but at the time it was cool. Like, yeah, if I had a crush on a girl, put that song on her, she knows, like, how much do you know how I like that? You know what I mean?
People have that, like, "I'm listening" or "I'm watching." Yeah, listen to it, awesome. No, I want you to have to hear it. I don't want people knowing what I'm watching or something. Yeah, I have that, yeah. But it's so funny, because I feel like it was just so cringy, just the way things were, like with guys that have crushes. And those days, somebody who sang in the comments... Like, yeah, so I wanted to take a girl to the prom, so I put on the Backstreet Boys and we made a music video with her, and I was just like... That makes me cry and laugh at the same time. I feel like the dating game had changed a little bit. Oh yeah, no, I mean, in the past... I don't know what I'm talking about. It's honestly, I mean, it's always cuter, it's like... Well, the commodification, you know, their updating sucks a lot, but there are a lot of things that you've been playing... But there's so many things that are okay, probably, now that were not okay. I mean, I'm more thinking their updating now that won't be okay. I just want to stop and interrupt to say this talk is for you. It's all about Bill K. No, no, no, no, I mean, where's your equipment? Is that it? At one thing, we're joking about it, because they're from Bill K, and I'm like, oh, you know, I'm going to teach Bill K to my thoughts. Like, yeah, the whole talk is going to be about us. We're going to video this and post this on Bill K for promotional content. And you are pushing hard for this. Like, respect. You are making sure you're doing... I mean, right now there's four, so it's being attended. Dude, I have 15 minutes to recruit. Ooh, guys, can we offer free beer? Can we offer free beer? Yeah, I know a couple of guys that used to do that. Seriously? Yeah. I mean, that's how security... They're like, yeah, I'm just one of three people. I mean, I'm... I think I'm... I mean, that's exactly how security meetups work. It's like they feed you and then you sit, like...
It's like, you know when you give kids snacks to play nicely? Security meetups work like that? Why are they doing it? Okay, when I'm... We go for colorful socks. Colorful? Yeah. Oh, those are bad. I mean, there's probably some more, some terrible, ugly socks. So, Lego sets there? Oh, come on, I... I grabbed, like... We need to grab some Lego sets. Okay, guys. Okay. Okay. Can I hold the microphone to not be annoying? Okay, like this? Yeah. Okay. I feel like I'm gonna annoy everyone. So, you guys, I'm like... This is part of your government, like... Oh, okay, I'm sending stuff afterwards in the mail, because I don't like sitting in one-hour talks. But also, can you guys ask questions? It's just for the rest of the fake audience that I'm recruiting, because I'm not paying them to ask questions. I'm only paying you guys to ask questions. Okay. Which we can bottle, because all of our... I'm gonna also go run... Also, yeah. Legos, water. Take a photo. One, thank you so much. Just pretend to look professional. Yeah, look at, like... You, point at someone, yeah. Wait, wait, wait, do that, do that. Okay. Okay, okay, okay. Okay, do I just stand in front of the podium? Yeah, yeah, yeah. I mean, fast or slow? This is the medium portion. We're practicing... We're practicing for questions. Okay, fine, beautiful. Okay. Yeah, I'm just killing this conference. You gotta work on... It's like a Chinese model. It's just like, shh, shh, shh, shh, like every shot that she does in another pose. Ooh, yeah. I mean, I'm just... All that energy in that talk, and all that energy about Linux, guys. Dude. Okay, I'm gonna go drink a cup of water before I talk and do some last requirements. What? Yeah, definitely. Good idea. You, you over there, good idea. Oh yeah. I'm here for the talk. Oh, I'm here for the talk. I'm here for the talk. I'm here for getting... No, no, no, no. Oh, you're...
I'm here for the talk. You're like a... I'm here for the talk. So, I... I was just... I was just like... It was just a complicated thing, and I turned on the monitor. It was definitely a funny moment. Is it your word dress now? Festival security. Yes. Oh, it was like, are you doing like... There she is. I was like, where is she, dude? I did recruit one person successfully. Okay, use your picture. Axel. Hi. Thanks for coming. Pack it in the mail. Okay, don't start without me. I'm going to go run to the restroom, okay? Okay. Maybe. Maybe. Yes, so we're just waiting on somebody in the restroom? Yeah. Thank you so much. What is it called? Jesus.com? Jesus.com. Jesus.com. Okay. It's got the good guys in this picture. Oh, that's awesome. Dude. That's pretty awesome. Yeah, like, you know when I built mine? Yeah, yeah. Dude, but come on. Like, you could have gotten more... if you know what I mean. Okay, what time is it? It is... I think it's time, presenting time. Okay.

Hi, guys. Okay, it's still working. Just in case the people in the back can't hear me. I'm just kidding. Hi, my name is Estie, and today the topic of the talk is Move Fast, Be Safe. What if I told you you could write code fast without causing security vulnerabilities? No, no one's available, actually. Just super interested in the topic. So I'm from Boulder, Colorado, and a fun fact about me: I like to travel a lot. I'm a digital nomad, so this year I've been living and traveling in over nine countries and four continents. I work at Invoca. I'm a security engineer at Invoca, and what I do is help provide security tools for development teams to write better code faster, and you can connect with me on LinkedIn. So giving security...
Giving engineers feedback about the security vulnerabilities in their code as they write them is a really important, but oftentimes ignored, part of the development process. So today we're going to talk about the development process, the DevOps culture, the project that I created in order to help give that feedback loop to the engineers, and we're going to finish it off with Q&A. We don't want to be those engineers who test code in production, and we don't want our security teams and our engineering teams to be those engineers who test their code in production, especially the security part of it. So I am going to ask you guys a favor: take out your phones and go to menti.com and enter that code. And you know, I myself have a little bit of ADHD and I have a really hard time concentrating for a long extended period of time, so I hope that we'll be able to collaborate together, even though... see who's around you in this room. So the first question is: what's your current role? Are you a software developer, software management, security related, any other field? Looks like we've got some software developers and one security related. Two? So from a raise of hands, how many software... just two software developers? And then management? No management? Just geeks. Okay, okay, okay, that's pretty... I'll give you a medal for that.

This is how the software development lifecycle works. We're trying to create a new feature: we're going to write code, we're going to write some tests, run that code, commit that code, push that code to CI, code review, QA, and deployment. One study at IBM found that it costs six times more to fix a vulnerability found during implementation than during the design stage. And it costs 15 times more to fix that same bug during QA than fixing it during the design period. The point is, as we go further along the software development process, the cost to fix vulnerabilities rises.
And this is because when you find a bug in QA, you have to go back and restart the development process. You have to go back and write some more code, run those tests, commit that code, push to CI, code review, QA. So when I started off at Invoca, I was a very junior developer, and sometimes during code review, a more senior developer would find a line of code that was vulnerable. And it could be one line that I had to change. And it could even be that that more senior developer told me exactly how to change that line of code. But that change might have taken two weeks or three weeks to implement and to merge to mainline. Because, again, I had to rewrite that code, rewrite those tests, re-run that code, re-run those tests, and finish the rest of the software development lifecycle process. Now, after deployment, the cost to fix those defects goes through the roof. At this point, we're affecting live customers. So let's do security here. Let's shift left and do security as far to the left as possible.

Now, let's talk a little bit about how this played out for us at Invoca. For 10 months of the year, we were writing code. We were a very agile company, and we were just pushing out features constantly. But then security audits came along. And when the security auditors came, they ran scans against production, and they found a whole host of vulnerabilities. Now, we're a conversational intelligence platform. Our clients include companies like AT&T, banks like Bank of America, hospitals. We are under a lot of compliance regulations. And if we don't pass our PCI, HIPAA, GDPR compliance standards, then we're messed up as a company. And what would happen is the security team would go over to the engineers and tell them, "Here are some important fixes that you have to do in order for our company to stay compliant." But this would push off all this planned work that we had in store, and it was really costly for the company.
Now, just a quick question, if you guys can go to the link and use the code again. When does your team generally fix vulnerabilities? Are you guys finding out about these vulnerabilities at audit time? Are you guys finding out about these vulnerabilities after being hacked? Are you guys finding out about these vulnerabilities through bug bounty or security code reviews? Obviously, the worst way to find out about vulnerabilities is after being hacked. It seems like we have some really proactive teams here that are more doing security code reviews. It's a little bit less proactive at audit time, and a few people, or nobody, are brave enough to admit that they've gotten hacked before. It's okay. Yeah, yeah. It's okay. What happens in this room stays in this room. Safe space, exactly.

So, you know, this was a sample developer story. As a developer, I'm creating a new service. I'm going to write some code. I'm going to run some tests, push that code to CI, open a PR against the mainline branch, a peer reviews and approves the PR, and I finally merge the code. But then, give or take five, six, seven, eight months later, the security auditors come around and they run those scans against production, and I'm back repeating those steps one through five. That sucks.

So, in some companies, they have code reviews. Now, the problem is, in a company with 150 engineers like we have in our company and a security team of six, out of the security team of six there are only two that are focused on app sec development. If we were doing manual code reviews, either the developers would look like this, or I would look like this. Or both, probably both. It's really, really hard to effectively do security reviews without impacting the agile development process. How long does it take for your security team to review code? If in your companies you guys have code reviews, does it take minutes, hours, days, or is it nonexistent?
I know at the first startup that I worked at, security... we just didn't know it was a thing. And so it was like the fingers-crossed anthem. We would just push code and pray. Push code and pray. Okay. And when I say days, I mean, are we talking about weeks or weeks? Okay. Weeks? Okay. Anybody, any last?

So, let me talk a little bit about my security trajectory and why this was an important problem for me to solve. I am from a Hasidic background, an ultra-orthodox Jewish background, and I first got into tech when I was in 12th grade. Our school didn't have the resources for an advanced math class, and my friend and I were able to choose a topic and self-study it. Now, computer science seemed much more interesting than self-studying calculus, so I chose the easier option. And surprise, I liked it. At the end of the year, I was trying to figure out what to do for the summer, and one of my friends mentioned that her friend was getting a software internship. I didn't really know about internships or software internships, and I didn't really know that as a 12th grader you can't get a software internship. I didn't really come from that world where I had that lexicon. So, I did some Google searching, and I found this program, the Google CSSI program for kids from diverse backgrounds, a four-week crash course at the Google headquarters learning more about computer science. And I knew it was a really competitive program, so I thought, I'm going to apply, but I'm for sure not going to get accepted. And surprise, I did get accepted, and I did spend that month after 12th grade at Google. And that was my first indication that this is something that I could do and this is something that I might want to do in the future. Security was always super, super interesting, and after working in a small startup and making really shitty apps, if I may say so myself, there was only a team of like three on the security team.
I decided to look into the CISSP, and I decided that I was going to self-study the CISSP, and if I passed the CISSP, then I would have enough information about security to know whether I wanted to be a security engineer or not. I think a little bit of a backward way of thinking, but it worked. And having that background as a CISSP helps me understand how important compliance is. As I mentioned before, compliance is super integral to our company. Our clients include hospitals, banks, insurance companies, and if we're not up to compliance standard, they're leaving and they're going with our competitors. Now, after I passed the CISSP, I decided to go to a Flatiron bootcamp. Again, a little bit backward, but it worked. Unfortunately, the other two women in my class dropped out, and I know that I may have the soul of a nerdy 40-year-old male, but I certainly don't look like that, and it just left me the youngest and the only female in a group of middle-aged white males, which, again, is my soul type, so it works. For the past few months, I've been studying for the OSCP, and I originally scheduled my OSCP for right before the talk, but I pushed it off, so I hope that when I take the OSCP, I will pass.

Being a hacker, I know how important it is to write secure code. Just one dependency or one misconfiguration can be a way in for attackers. Fixing these vulnerabilities was really important to me, and I was the youngest engineer at Invoca, and I had a lot of imposter syndrome, and part of my job was now running after these developers who had 15 years of experience and asking them to kindly fix their code. I didn't want to be an asshole. And another problem: I'm kind of lazy. I felt like this was an inefficient process that was so bad for me in so many ways, and I felt there must be an easier way to do all this.
So before we get on to how we solved this, I first want to talk about the core principles that we have on our engineering team, which led us to solve the problem in the way that we did. At Invoca, we buy into the benefits of a DevOps culture. What we believe is that loosely-coupled, highly-cohesive and autonomous teams bring faster innovation. So let's talk about loosely-coupled. Each team is not dependent on other teams in order to do their job. Highly-cohesive. Each team has a very specific and defined service that they're working on. Autonomous. Each team has the expertise and the knowledge to finish and drive their personal service to completion. And all of those three things drive faster innovation.

Now, let me give you a real-life example to explain this better. I have a little sister that's 10 years old and a little sister that's 12 years old. They both woke up one day and they decided to make a coffee stand. They were going to sell coffee and cake, but they looked in the refrigerator and they realized that they didn't have the ingredients to make the cake that they wanted to sell with their coffee. So they first had to go to my mom and ask my mom for permission to take them to the store and to buy the necessary ingredients. They come back with the ingredients and now it's time to bake the cake or the cookies that they wanted to bake. But they had to ask my dad. They had to ask my dad for permission to turn on the oven. Now, my dad was busy and it took him a few hours to turn on the oven and watch them to make sure they didn't burn the house down or something like that. And then after that, it was time to sell their cookies. So my parents allowed them to sell their cookies and their coffee right outside the front door of the house. We have a very, very quiet block and not a lot of people were passing through. So they didn't really have a good market.
So they called me, their older sister, and they asked, hey, do you mind coming and watching us, taking us to the park where there's a better market so we can advance our prospects and make money? They were working their whole day on getting this $10 from their stand. And me, I'm a nice sister 60% of the time, but I also have a job. And it's kind of hard to justify skipping all my meetings to watch my little sisters do their coffee stand. So I wasn't really feeling it that day and I told them no. Now, I mean, just to give myself a little bit of credit, I did buy their bottles of water, which I feel like does get me some awards there. But I was thinking about it a little bit and I said, what if they were autonomous? What if they were loosely coupled? What if they didn't have to ask permission from my parents? What if they didn't have to ask me to watch them in the park? How much more money would they have made? How much faster would they be able to pivot and to innovate and make more money? And, you know, all ends well, they made $30, which is pretty impressive. But the idea is that this is the DevOps culture in just a story.

Let's take a little bit of a closer look at other case studies. Studies show that teams that use an agile, lean DevOps culture are much more likely to win out over the competition. Here are a few examples of different companies that are disrupting markets. So, who here has tried to buy a car in the past two years? Okay, well, selling a car would be on the other end. You'd be on the benefiting end of the stick. Whoever has not tried to buy a car in the past two years probably has friends who have been complaining to them about the bother and the pain of buying a car and overpaying for a car that just a mere few months ago was $5,000 less. And I'm sorry for all the pain in this room. So, GM and Ford closed their factories one after another, sometimes for months on end, because they didn't have the right computer chips.
And this left the dealer lots bare and it sent the prices of cars zooming up. Now Tesla, on the other hand, Tesla also faced the same shortage that all the other companies faced. But they were able to take the existing computer chips and rewrite their existing software to fit those computer chips. And at the end of it, Tesla sold nearly twice as many vehicles as it did in 2020. It was totally unhindered by this computer chip shortage. They were able to quickly innovate and win the market.

Netflix, okay? I'm giving some of these examples and I know that you guys can relate to these examples more than I can myself, right? So what do you guys think of when you think of Google? When you think of searching, what company do you guys Google? When you guys think of Sticky Notes, what company do you guys think of? 3M? Yeah, yeah, yeah, exactly. Okay, good. What do you think of for binge-watching? Netflix. Dude, seriously. So an interesting thing about Netflix and Disney was, when Netflix first started, they were disrupting Blockbuster kiosk movie rentals and they decided to do mail rentals. And again, I feel like this crowd has lived this. So feel free to interrupt, right? Now, fast forward to Netflix putting Blockbuster out of the market, and they said, we don't want somebody to do the same thing that we did to Blockbuster. We need to think, where's the next innovation going to come from? And they thought, okay, in five years or so the next innovation in the market is going to come through online streaming, and they essentially created internal competition. They created their mail movie service alongside an online streaming service and kind of pitted those two companies together as competition. And yeah, they won the market. Facebook crushed MySpace, and I'm just curious, who here has had a MySpace account? Okay. Exactly, MySpace, right, right. So who had a Friendster? Well, this crowd is so millennial. Yeah.
So here's a quote by Sean Percival of MySpace: "This site was such a massive spaghetti ball mass. You could do those tree flow charts of your website and it was like the frickin' seven scrolls that you could see. It just went on forever and ever and ever." It was clearly not nimble or agile in any way. The last example is our company. Our company is now currently worth over a billion dollars and we've dethroned the previous competition, Marchex, who was failing to deliver, and this is why continuous improvement is such a strong value to us. It has enabled others to win in the market and it has enabled us to win in the market, and we believe that's the key to our future success.

In order to have an agile environment, in order to have autonomous teams, in order to have faster innovation, we have to shift left. Shift left does not mean that we can't afford a DevOps person, because sometimes it means that, right? We have to embed the knowledge with the people doing the work, the goal being that we are driving down the ability for somebody to take a risk that's too large unknowingly. So the idea is the people closest to the work have the context and the knowledge to make the best decision possible. And the important point here is that it's done through safety and automation, right? So if my company told me, I want you to find a SIEM now. I'm giving you two million dollars to find a possible solution and we want to make you totally autonomous, so we're not going to do any checks. You just tell us the name of the company and we're going to go with it. There are going to be one of two things that happen. Either I may make a mistake, choose the wrong company, and waste two million dollars. The other possible problem is it could take me ten months to make that decision, because if I'm spending two million dollars of my company's money, I do not want to make the wrong decision. In order for us to shift left, we need to have safety.
Now, the thing, as you all know, is shift left can become lip service to security. There's a saying, shift left becomes shit left if nobody... if nobody cares, right? There's a little bit more of an explicit version of this. You can't increase speed or autonomy without safety, and it's not just about speeding down the highway at 100 miles an hour, it's about speeding down that highway and wearing a seatbelt. There are two types of safety. One type of safety is safety where the failures are low impact and they're easy to detect. I don't want to be wasting three million dollars of the company's money and finding out about it three years later. The second kind of safety is psychological safety. Safety that people won't be blamed or reprimanded for making the decisions that they're making.

So, now that we have those principles in mind, what if I told you we can write code fast without causing security vulnerabilities? Okay, so, let's take a moment and go back to the beginning where we talked about how we fix security defects through manual audits at audit time. So, step two was automated CVE audits using Brakeman, bundler-audit and Buildkite. Just a shout out to the Buildkite guys over there. So, these are a bunch of buzzwords that are very specific to the technology that we use. But let me just explain the basic point. So, Buildkite is a partially hosted CI automation system that lets you build and manage multiple pipelines for your projects. If you have any questions about Buildkite, feel free to go up to the guys in the Buildkite shirts. bundler-audit is a CVE dependency checker. What it essentially does is check the dependencies in your application against a database of all vulnerabilities which says exactly which packages are vulnerable. And then it lets you know if you're using a vulnerable version of a gem or not. Brakeman. Brakeman is a static analysis security tool.
It basically scans the code at any time of development and it can find vulnerabilities early on because it doesn't require the entire application stack. So, we added these two steps, Brakeman and bundler-audit, to our pipeline so that whenever anybody pushed code to GitHub, Brakeman and bundler-audit would be run. So, essentially, we're just automating security scans.

Now, for those of you who are in security, part of the security team, there's a little bit of an issue when it comes to resolving legacy vulnerabilities and putting a system like this in place. What happens is, imagine our main repository. We've been coding for eight years and we don't run Brakeman on a regular cadence. So, when we run Brakeman, this security tool, for the first time, we have over 200 critical vulnerabilities. And if you give that to a developer and you say, dude, you have 200 critical vulnerabilities in your code, that's a lot of noise that people don't want to deal with. So, for a lot of teams, just resolving those legacy vulnerabilities is a big stop for creating a system like this, for having a system that automates the scanning of your vulnerabilities. So, there are a few things that helped us and enabled us to implement bundler-audit and Brakeman with all this legacy noise.

The first thing was legacy vulnerabilities comparison. So, instead of doing an annotation that told the developers, you have 500 vulnerabilities in your code, there were two annotations. There was one annotation that said, you have three new vulnerabilities in your code, here's how to fix those vulnerabilities, and you have 200 legacy vulnerabilities. And the legacy vulnerabilities were not the developer's problem to solve, they were a company problem. The second thing that we did was a Brakeman open source contribution. When our developers were first developing our application seven, eight years ago on Ruby on Rails, there was no custom sanitization.
Custom sanitization was not a built-in part of Ruby. Now it is. And what Brakeman was doing was picking up on these SQL injection vulnerabilities, and it said, you're not sanitizing your functions, your SQL queries, properly. So, we had this great open source tool, Brakeman, and I'm a huge fan of open source. It's the incubator of open innovation. It allows individual contributors to work together and to build something that much greater. And Brakeman specifically is a work of art, but I hit this blockage when I had 150 critical SQL warnings that really were warnings about a special custom sanitization function that we wrote ourselves, and it really was safe. So, I overcame this figurative wall by giving back to the Brakeman project and adding a new feature that allowed you to specify which SQL queries are safe.

And then, after we whittled down the noise through those two points, the last thing that we did was that service-owning teams were responsible for investigating their vulnerabilities. So, there's a lot of, like, "Dear John, just wondering if you have had a chance to please look at those vulnerabilities that I sent you five months ago and if you have any context on when you're going to be fixing them." And funny enough, I didn't even realize how many people I bothered until the company conference. And there it was. It was my first time meeting everyone. And I don't work with most of them, I'm working in security, right? These engineers are not on my team. But I keep on getting these, hey, Estee, how are you? Hey, Estee. And I'm like, do I know you? And then I realize, oh, I've been bothering these people for the past couple of months. So, for anybody here that is a software engineer, or any of the people here who are the botherers, who are security engineers who are hunting down the developers and asking them and begging them to please fix these security vulnerabilities, we appreciate your service.
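The "legacy vulnerabilities comparison" the speaker describes (two annotations: new findings the developer owns, legacy findings the company owns) is essentially a diff of scanner output against a committed baseline. Below is an added example of that comparison written for this page, not code from the talk or from Invoca's project. It reads Brakeman's JSON report shape (the `warnings` array with its stable `fingerprint` and `confidence` fields) and keys the comparison on fingerprints; the two reports are constructed sample data, the confidence floor of `High` is an assumed policy, and the function names are my own.

```ruby
require 'json'
require 'set'

# Brakeman's confidence levels, highest first.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Constructed sample reports in the shape of `brakeman -f json` output
# (only the fields this script reads). These are not real findings.
BASELINE_REPORT = <<~JSON.freeze
  {"warnings": [
    {"fingerprint": "f1a0", "warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/call.rb", "line": 40, "message": "Possible SQL injection"},
    {"fingerprint": "f2b1", "warning_type": "Cross-Site Scripting", "confidence": "Medium",
     "file": "app/views/calls/show.html.erb", "line": 12, "message": "Unescaped model attribute"}
  ]}
JSON

CURRENT_REPORT = <<~JSON.freeze
  {"warnings": [
    {"fingerprint": "f1a0", "warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/call.rb", "line": 40, "message": "Possible SQL injection"},
    {"fingerprint": "f3c2", "warning_type": "Command Injection", "confidence": "High",
     "file": "app/jobs/export_job.rb", "line": 8, "message": "Possible command injection"},
    {"fingerprint": "f4d3", "warning_type": "Mass Assignment", "confidence": "Medium",
     "file": "app/controllers/calls_controller.rb", "line": 55, "message": "Parameters should be whitelisted"}
  ]}
JSON

# Split the current report into findings that are new relative to the baseline,
# findings already known (legacy), and baseline findings no longer present (fixed).
# Brakeman fingerprints are stable across runs, so they key the comparison.
def split_findings(current_json, baseline_json)
  current  = JSON.parse(current_json).fetch('warnings')
  baseline = JSON.parse(baseline_json).fetch('warnings')
  known    = baseline.map { |w| w['fingerprint'] }.to_set
  present  = current.map  { |w| w['fingerprint'] }.to_set

  {
    new:    current.reject  { |w| known.include?(w['fingerprint']) },
    legacy: current.select  { |w| known.include?(w['fingerprint']) },
    fixed:  baseline.reject { |w| present.include?(w['fingerprint']) }
  }
end

# Only new findings at or above the confidence floor block the build (assumed policy).
def blocking_findings(split, min_confidence: 'High')
  floor = CONFIDENCE_RANK.fetch(min_confidence)
  split[:new].select { |w| CONFIDENCE_RANK.fetch(w['confidence'], 0) >= floor }
end

# Two annotations: one addressed to the developer about their change,
# one tracking the legacy backlog that the company owns.
def annotations(split, min_confidence: 'High')
  blocking = blocking_findings(split, min_confidence: min_confidence)
  dev = ["#{blocking.size} new #{min_confidence}-confidence finding(s) in this change:"]
  blocking.each do |w|
    dev << "  - #{w['warning_type']} at #{w['file']}:#{w['line']} -- #{w['message']}"
  end
  legacy = "#{split[:legacy].size} legacy finding(s) carried in the baseline " \
           "(owned by the company, not blocking); #{split[:fixed].size} baseline finding(s) resolved."
  { developer: dev.join("\n"), legacy: legacy }
end

if __FILE__ == $PROGRAM_NAME
  split = split_findings(CURRENT_REPORT, BASELINE_REPORT)
  puts annotations(split)[:developer]
  puts annotations(split)[:legacy]
end
```

In a pipeline the baseline report would be regenerated from mainline (or committed and refreshed whenever legacy findings are fixed), so that the `fixed` set shrinks the baseline rather than silently letting it grow.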
Now, here's a very important point. We added this Buildkite pipeline for our most critical and widely used project and repository. But the question is, how do we build security by default into our services, right? We are a company with over 600 repositories. And we, great, we checked one repository off. Yes, it was the most critical repository. It was our master repository. But we have these 600 repositories that are floating around. And if you wanted to do the same thing that we did with our critical repository, that means that we'd have to copy and paste those steps. We'd have to duplicate those steps into every single pipeline in GitHub, which is 600 pipelines. Again, I'm lazy. I don't like doing that kind of work. We wanted to build security into our services by default. And we wanted to keep up with a fast pace of innovation. So when I say innovation, I mean internal and external innovation. If part of the organization decides tomorrow that we want to use a new coding language, we as a security team need to support that organization's direction. We need a scalable solution that will support any decision that the organization decides to make. And the solution was Security Scanner as a Service, which automates all things.

Now, the name is a bad name. Security Scanner as a Service. It's a bad name because it's very hard to read and it's very confusing. What is SAS? Is it SaaS? Did somebody put an extra S in the letters? But the problem is I don't get paid to make creative names. I get paid to code. And that's why we have a shitty, shitty name. And if anybody has an idea and a better name, please come up. Please come up and tell me what it is. Because any name at this point will be better than Security Scanner as a Service. Anything. Exactly. So, we created this project to give tighter feedback loops to developers as they are writing their code.
It identifies what coding languages are used, and then based off of that it will run the correct checks and output the results to developers in the GitHub portal. I've seen a lot of other solutions for security scanning, and I like the solution that we've created. One, because I created it and I'm a little bit biased. But another reason is because this solution has the results right there for the developer. A lot of solutions that I've seen take the security scans, take the results of that, and put it in a new portal for the security team, to make them look like they have a job. I think that's the purpose of it. The security team needs their own special portal, and they can look at their vulnerabilities and they can hunt down all the developers and say, this is your fault, and fix this because we're going to get hacked. But over here, it's giving instantaneous feedback to the developer themselves. So, now they can see the vulnerability as soon as they push any code and write any code and have that feedback immediately. Now, if you see the green checks: the Security Scanner as a Service check has to be green before it's merged to mainline. We have that restriction in our company. So, developers must either remediate, snooze, or ignore the vulnerability before they push their code. And it makes the developer more interested in security because right now they're banking on the fact that this check is green before they can actually push.

This is the high-level architecture. So, the developer writes some code, pushes that code to GitHub. A GitHub check is created and a webhook is sent to the Ruby web server. The remote repo is cloned. The coding languages are identified. The checks are created. Security scans are run on the repos. And finally, the results are output to the GitHub portal. So, yeah, we're going to talk about that a little bit. We're switching actually to Kafka. Okay, so, our tech stack looks a little bit like this.
We use GitHub Checks and the Octokit library to create the initial webhook and display the results. A Ruby web server to receive the GitHub Checks webhooks. Our background server is currently Delayed Job, but we're moving to Kafka. We're using Kubernetes to deploy the application and horizontal auto-scaling to keep the costs down by having an elastic Delayed Job processor.

So, before, we talked about this developer story that was really inefficient because the teams had all these vulnerability fixes pushed onto the roadmaps. And they had this urgent interrupt work which caused this rash displacement of previously planned work. And now, let's talk about the new developer story. So, as a developer, I'm creating a new service. I'm writing the code. I'm pushing the code to CI. Security Scanner as a Service, or any other name that you may graciously think of, is identifying the coding language and running applicable security scans. Are there any vulnerabilities? If there are, fix them now. The PR is blocked until those vulnerabilities are fixed. Then, open a PR against the mainline branch and the peer reviews and approves the PR. And congratulations, you can merge it now. We've created these tighter feedback loops for developers to find security vulnerabilities earlier on.

Let's talk a little bit about the results of this project. Now, the security team is not a blocker to development. Yes, security is technically a blocker because you have to wait for the check to become green, but the security team is not a blocker to development. The security team is not running after the engineering team, throwing urgent fixes on the roadmap. There are tighter feedback loops and engineers are participating in this project. They are able to identify the different security vulnerabilities in their code. Because of that, there are barely any findings in our audit pentesting. What the auditors and the pentesters are essentially doing... the pentesters are also a little bit lazy sometimes.
They basically end up just running scans against production. What we've been doing this whole time is running scans against every single build. The best part for me is that it's automated part of my job away, and it's allowed me to visit and see the roles a little bit more. I used to run after developers and politely ask and beg and threaten them, please fix those damn vulnerabilities, and now they see the vulnerabilities right away, and if they need more context, they ask me about how to fix the vulnerabilities. But we've turned the tables. It's not me running after them anymore, it's them running after me and asking me for context, essentially.

Here's what's to come. We're working on support for more coding languages, specifically Golang, Python, and Docker image scanning. We are working on continuous monitoring, so if there's ever a drop it will auto-heal, with the Kubernetes self-healing. We are upgrading the project from a bootstrap-like MVP to a production-ready service, which takes more time than any of the features that were actually created. And then here's a little bit of a shameless plug for open source, right? We're at an open source conference, and open source is so important because that's how we build a culture of continuous improvement, innovation and reiteration, and that's how we build our originality. On our roadmap is to make Security Scanner as a Service open source, but it's going to be prioritized based on feedback, if this is something that others want to see open source. The last thing that we're working on is dynamic security suggestions in the code editor. The first step was these manual audits and this annoying security team that's giving these security fixes, right?
The second stage of it is automating those security audits: every time you push to GitHub you get that feedback. But even better, what if when the developer was writing the code, they're writing the dependency and including package sql 1.05, and all of a sudden, right there, they get that alert and pop-up from the editor: sql 1.05 is vulnerable, use sql package 1.06. How much easier would it make our lives? How much easier would it make the lives of the security teams and the developers, and have us cultivate a more harmonious relationship? And that's again something that we're working on. So, you know, we're almost over, and I am curious to see the feedback from this audience. Is this something that people would like to see open source, and if it was open source, can you see your company using it? Is it helpful? Is this something that people would like to see as a hosted solution? Is this something that people would like to see, the dynamic security suggestions feature? Is this something that people see as helpful?
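The merge gate the talk describes has three developer actions per finding: remediate, snooze, or ignore, with the check staying red until each finding has one of them. As an added example (my own code, not the talk's project), here is one way to evaluate that policy. It assumes the two scanners the speaker names and the split the Q&A describes (Brakeman findings must be fixed or ignored with a note, bundler-audit findings may additionally be snoozed for at most one month, taken here as 30 days). The finding keys, snooze records, advisory identifiers and dates are constructed placeholders, and the `conclusion` values are the `success`/`failure` strings a GitHub check run reports.

```ruby
require 'date'

# One normalised finding from any scanner.
Finding = Struct.new(:scanner, :key, :severity, :title, keyword_init: true)

# Assumed policy (not the project's own configuration):
# Brakeman findings can never be snoozed; bundler-audit findings can,
# but only for a bounded window.
SNOOZABLE_SCANNERS = %w[bundler-audit].freeze
MAX_SNOOZE_DAYS = 30 # "one month" as assumed here

# Constructed snooze/ignore records, as a team might commit them beside the code.
# The advisory identifiers are placeholders, not real advisories.
SNOOZES = [
  { 'key' => 'bundler-audit:rails:ADVISORY-PLACEHOLDER-1',
    'until' => '2024-02-15', 'reason' => 'upgrade scheduled for next sprint' },
  { 'key' => 'bundler-audit:nokogiri:ADVISORY-PLACEHOLDER-2',
    'until' => '2024-09-01', 'reason' => 'too long, should be rejected' }
].freeze

IGNORES = [
  { 'key' => 'brakeman:f9e8', 'note' => 'custom sanitizer, reviewed by security' },
  { 'key' => 'brakeman:f7c6', 'note' => '' } # an ignore without justification
].freeze

# Decide what happens to one finding. Returns [status, reason] where status is
# :ignored, :snoozed or :block. Anything not explicitly handled blocks the merge.
def disposition(finding, snoozes:, ignores:, today:)
  if (ig = ignores.find { |i| i['key'] == finding.key })
    return [:block, 'ignore requires a non-empty note'] if ig['note'].to_s.strip.empty?
    return [:ignored, ig['note']]
  end

  if (sn = snoozes.find { |s| s['key'] == finding.key })
    until_date = Date.parse(sn['until'])
    return [:block, "#{finding.scanner} findings cannot be snoozed"] unless SNOOZABLE_SCANNERS.include?(finding.scanner)
    return [:block, "snooze exceeds #{MAX_SNOOZE_DAYS} days"] if until_date - today > MAX_SNOOZE_DAYS
    return [:block, "snooze expired on #{until_date}"] if until_date < today
    return [:snoozed, "until #{until_date}: #{sn['reason']}"]
  end

  [:block, 'unresolved: remediate, snooze or ignore this finding']
end

# Evaluate every finding and roll up into a check-run conclusion.
def gate(findings, snoozes: SNOOZES, ignores: IGNORES, today: Date.today)
  results = findings.map do |f|
    status, reason = disposition(f, snoozes: snoozes, ignores: ignores, today: today)
    { finding: f, status: status, reason: reason }
  end
  blocked = results.select { |r| r[:status] == :block }
  { conclusion: blocked.empty? ? 'success' : 'failure', results: results }
end

# Constructed sample findings for a single push.
SAMPLE_FINDINGS = [
  Finding.new(scanner: 'brakeman', key: 'brakeman:f9e8', severity: 'High', title: 'SQL Injection'),
  Finding.new(scanner: 'brakeman', key: 'brakeman:f7c6', severity: 'High', title: 'Command Injection'),
  Finding.new(scanner: 'brakeman', key: 'brakeman:f3c2', severity: 'High', title: 'Mass Assignment'),
  Finding.new(scanner: 'bundler-audit', key: 'bundler-audit:rails:ADVISORY-PLACEHOLDER-1', severity: 'High', title: 'rails advisory'),
  Finding.new(scanner: 'bundler-audit', key: 'bundler-audit:nokogiri:ADVISORY-PLACEHOLDER-2', severity: 'High', title: 'nokogiri advisory'),
  Finding.new(scanner: 'bundler-audit', key: 'bundler-audit:puma:ADVISORY-PLACEHOLDER-3', severity: 'Medium', title: 'puma advisory')
].freeze

if __FILE__ == $PROGRAM_NAME
  outcome = gate(SAMPLE_FINDINGS, today: Date.new(2024, 2, 1))
  puts "conclusion: #{outcome[:conclusion]}"
  outcome[:results].each { |r| puts "#{r[:status]}\t#{r[:finding].key}\t#{r[:reason]}" }
end
```

Keeping the snooze window bounded and requiring a note on every ignore is what turns "snooze or ignore" from an escape hatch into a record: the check-run summary lists each finding with its status and reason, so the decision is visible on the PR rather than buried in a security-team portal.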
Just something curious for me, it's kind of interesting to watch with the scale, it's just kind of interesting to watch the numbers go up and down, the way that the numbers work out together. Give it one more second for anyone who wants to just, like, skew the numbers in the wrong direction or something like that. Okay, and I think we have, then, yeah, I think that gave us just enough time for Q&A.

No, unfortunately we're not Snyk, right, and we're not... well, we're not better than Snyk, because I feel like Snyk is like the best in the market. There are a few things that we do in our company to bring that level down, which is, like, there are a lot of false positives that are very specific to the code, to the application. So again, for us, we had a lot of different ignore functions, sanitization functions or patterns that were really okay, and we were able to ignore that with all this added configuration. That's one way that we're dealing with all the false positives. And then, you know, there are always going to be false positives, there are always going to be false positives, but then there are certain patterns that are just more secure in general. So yeah, like, if a developer is writing code at that moment, I would prefer them to use the more secure pattern, even if using the less secure pattern is not going to actually be a security vulnerability. Do you know what I mean? Like, if it's not fixing it, but it's just, like, in the moment, I'd rather them use the more secure pattern.

Yeah, and that's exactly one of the things that I really found out about as a result of this project. What I was getting asked to do is to give lightning talks on different security topics, versus beforehand nobody really cared about security, nobody knew what the security team was there for. They assumed we have a security team because we need one, but nobody really knew about security. And nowadays, again, I'm getting requests: Estee, can you give us a lightning talk to tell us how
bundler-audit works and how to fix a vulnerability if you find one? Can you give us a lightning talk about how SQL injections work and why it's so bad? And it's just, again, the culture aspect of inspiring the developers to really think about security a little bit deeper. Thanks.

Yeah, so, firstly, when we started off with this, a lot of it was about prioritization. So we're not going to focus on the low vulnerabilities, we're not going to focus on the medium vulnerabilities, we're not even alerting the developers on the low or the medium vulnerabilities. Yeah, and it's still a lot. But the problem sometimes with just doing automated, like Dependabot, fixing, the "fix" button... in fact, I was thinking about using that pattern for the Security Scanner as a Service application, where you just press "fix this" and it will automatically create a PR for that. The only problem is that a lot of times changing one package can literally break the entire application, and we want to err more on the side of caution.

The talk that I had, you know, when we were first rolling this out and we had all these legacy vulnerabilities, the way that I kind of pitched this to the managers and, you know, the VP of development was: we really want this to be in our culture, that we're clean and that we're solving our vulnerabilities earlier on instead of at audit time. And yeah, clearing this mess might take a month of development time, but it's important, it's tech debt, but critical tech debt. And that seemed to work in our case.

So currently what happens is on every single build it will run the scans on the entire application. So what happens sometimes is exactly that, on top of pre-existing code, and it actually was a little bit of a culture issue for us and it was something that we taught developers. So what would happen is a new, let's say, SQL package, a SQL package
that we were originally using, started to become insecure, and it was a critical vulnerability. Now the thing is, what happens when one person pushes insecure code into the pipeline? What will happen is it's going to break it for everyone else, right? Because essentially we're running the security scans on the entire application stack, so if somebody is at fault, the entire company is going to suffer for it. Right now what we do is we have the two scans. So one scan, Brakeman, that's the scan that we force, like it has to be green in order to go. But bundler-audit, which is dependencies, is a lot more fluid. We let developers push code with bundler-audit vulnerabilities because it's so fluid, and we have a really easy way of snoozing it, and you can only snooze it for one month. But we're trying to create this culture that it's like, if you see something, say something. So the first person who sees the vulnerability is tasked with trying to solve it and upgrade the dependency. Now if it's a dependency that's too big for that person on their own, then they can find either the service-owning team, or they go to the security team and the security team hands the new vulnerability out to whoever they think should be fixing it. So again, a lot of it is culture. We want that culture where people see a vulnerability and they do something about it, and they're proactive about it. In order to have that kind of culture, there's a lot of training that goes into that.

What is it? Say it again. Yes, yes, yes, yes. And it's a problem when you have an application where the core application is running on that gem. And you know what, sometimes, a lot of it as a security team, we're running after developers and we want them to fix vulnerabilities, but a big part of it is giving the context to the developers to know when it's the right choice to fix the vulnerability and when it's not the right
choice to fix the vulnerability. Because sometimes it's not the best business choice to fix the vulnerability; sometimes it's the best business choice to build another newer, fancier feature that's going to make the company a lot of money, and fix the vulnerability later on. And a lot of that is having the developers understand how critical and how severe the vulnerability is, and what the vulnerability means, and that will help them make a better decision, a more informed decision.

Yeah, actually, so there's something in our pipeline that we're trying to do. We're going to call it, I think, iBugs. At our engineering standups we have one day a month where we go over all the alerts, and we're like, okay, this team had 500 alerts and this is the amount of alerts that they resolved. And we want to have a security iBugs alert, where it's like, okay, this month we took care of 50 vulnerabilities, we had 25 new vulnerabilities, and we ignored 100 new vulnerabilities. And we want the entire C-suite and the entire department to look over that together. It's a really great way of having accountability and calling people out in a nice way.

Anything else? We have time for one more question, right?

That's true. Also, you know, I'm a little bit of a perfectionist by nature, and so it's like, okay, we need to first have this as a production-ready resource, we need to have the uptime for this to be 100%, and we need to use Kafka instead of delayed jobs, because delayed jobs is sometimes a little bit off. So there's definitely that perfectionist aspect that goes into it. Yeah, that's actually a really good idea, like, please do all my work, and if anyone in this room wants to change the delayed job server to Kafka, signing off. Yeah, that's true. Like you said, a lot of what we talked about is innovation, and innovation in open source; that idea also very
much applies to open source. Yeah, it was really cool. My first open source contribution, which was again back to Brakeman, was the first time I ever contributed to an open source project, and for me it was really cool because I was like, okay, this is not fitting my needs and I can just literally build upon it. I can change the classes, I can get dirty in the code, I can just change it to fit my needs, and I benefit other people as well, which is kind of cool. Thank you so much for coming, and we're awesome on this. There's my thank-you slide.

What did it... I did a survey of about 10 different static code analyzers, and none of them, none of them, found more than half of the bugs that I wrote.

Really? What did you do?

Not only were there lots of false positives, but not more than half the bugs that I could really put in code. So I really have very little confidence in static code analyzers. Who would be better than the plain, which would probably be 10 times harder?

Is there anything that you did to make that percentage higher?

No. So I wrote the very, very simplest code in C. I had the buffer overflow, I had double free, I had an array going down, I had a divide by zero, I had all kinds of things like that, and a lot of the different things did find that. But I found these false positives; I would stare at the code for hours and say there's nothing wrong with this code, there's a reason we got it out, and it wasn't. So I have very little confidence in static code analyzers, and it's good to have a culture, and it's good to have people viewing that.

What?
Something that I really want to implement is where you can basically write your own matchers, and that might help spot some specific pattern companies, sorry, specific patterns that people in the company are possibly using. And of course we're not going to solve everything through automated scanning, but if we can solve 30% of it through automated scanning, that's awesome, that's great. But if people think my code must be bug-free, we have to remember the Dijkstra quote. Exactly.

So are you familiar with the first Addison-Wesley book on Ruby? So it came out, I think, in the '90s. I was one of the reviewers; my name's in the credits.

I'd love to get in touch with you. I would love to also get, like, I'm sure you have, like, I'm sure that, yeah, you have interesting... you don't know. I have a very old-fashioned thing about a business card, so unfortunately... Can I give you a copy of my analysis? Thanks for coming. Unreleasable. Great, thank you. No you don't, no you don't, no you don't. I don't think anybody except you knows me. Doesn't? Yeah, I don't know what that means. Dude, you have a lot of points. I know, I still have it there, I just didn't feel like taking it off. Are you judging me?

I just want to say fantastic, thank you so much. So thank you very much. It was my first speech, so... Okay, thank you, well done. I was just going to say you did a lot with your person, but I really appreciate your personal... and you made it, shared your background during, and as what did the DevOps team... I would love that. When's the next DevOpsDays?
March, next SCaLE. How do I... it's normally March, but I was wondering if they do multiple of them. I'll show you, like, I'll show you a message. Oh, there's cities here. Yeah, I try to, I look at it and it's like, oh, you have like thousands of followers. Okay, I could wear like 3 degrees apart. Okay, I'll find your message. That's a cool landing. Thank you so much.

Oh, and I know you mentioned your... I'm not sure, I was worried about high school, they didn't have fun. So I'm actually a college dropout. I started first, I went to the college that my parents also needed to go to, because it was like a long way, but I was kind of bored, and in order to be friendly, I'm like a zero family kind of family, so I was working a full-time job and then going to college at the same time. Like, the classes at NYU, they expect you to do, for a four-credit class, they expect you to do 16 hours a week at home, so managing that was a nightmare. Yeah, like you're trying to work and you're trying to be amazing in your job, and also you're trying to get really good grades at the same time. So when COVID happened it was like a perfect day for me. I quit college, and I took that time and learned about security. So I decided to be in my land in, like, a big camp, and that was my journey to security.

Yeah, I'm pulling in on that, because as someone that, you know, when I hear these diversity talks, I'm like, yeah, I'm coming from a non-traditional background, I got my master's in liberal arts. I'm like, you went to college and you're not in debt? It is kind of amazing for me. It's just like, I've never had any college debt, because I'm just terrified of college. Like, I came from a family with absolutely no money, and my parents don't really believe in college, and my community didn't really believe in college. I didn't want to take out college debt for college, so I'm like, I'm going to work these for like $55,000 earlier. So it's, I don't, you know, it's actually funny, because in class at NYU I have
these girls that were sitting next to me, we do our work again, and she's like super smart, but it came time to exam, and, like, I don't know why people would compare grades, but she was getting like 60s in class, and the guys behind us, behind me, were failing, they were getting 40s in class. And I don't know about the guys behind me, but I know that the girl sitting next to me was very, very smart; we used to do our programs together. And I asked her, like, why are you getting 60s, you can do much better than this, and she's like, oh, I was hurting yesterday, and I was like, no. And it really, I was just like, I'm talking, idiot, like you're spending 55,000 dollars for tuition and you're using that money to party? There's so many cheaper parties that exist, right? I thought you were like, you didn't even have time for that.

Well, she's probably not paying to go to those parties, she's probably just going to them.

Yeah, someone's paying. I'm like, you're like a better party than the other, just go to public school for that.

Is she doing okay these days?

I haven't kept in touch with her. I just was like, it was so shocking to me that somebody would go to a college that they're spending 55,000, they're taking 55,000 dollars of debt out.

Is that what she was doing?

I think so, either her parents are paying for it or she must have been taking college debt.

But for the future, that you're not in a traditional background, you're looking at things differently and just attacking things differently, even how you just attack, like you even recognize, like you're just traditional and you hold them and you're like, just to see if I was into it. Yeah, because I don't want to change my whole career, but you're finding different angles. What's the meaning? That's a rush here. It is a rush here, differently. I don't have to, like, come out faces for me today; so far there's no meaning in it. But All Things Open, would you get that, what is that?

It's an open source conference that's run out of North Carolina, Raleigh, to
Romaria. Where are you from?

I currently live in camping Florida.

So you're not in LA? You go to a lot of conferences, you're not a local.

Yeah, I used to do a lot of conferences, and I still do some. Out of all the conferences you could be at, you decided to try to get some coffee first time you came up with it's the best one, though. I hope to get more; this is like a big one for me. So, like, All Things Open is an open source conference, so I would say it's the other best open source conference, maybe it's the best open source conference. Is it the best one conference? But those are the two that are on my radar all the time, and then I go to Postgres conferences. Run to that, you're not, do you think there's not a lot of them, the Postgres conference ones?

No, there's a lot. I mean, there used to be more, many things weird. There's actually one in New York in September. Oddly, I was actually just coming to work with you to go speak at conferences as well. Which conferences are you working?

I'm looking for Australia.

Australia, I can talk to some people. So I work in the Postgres community a lot, so I'm kind of curious about your company's relationship, and like, they allow you to speak wherever, and how that works?

They love having you speak, and they will pay for me to speak anywhere. In fact, my idea for next year, I want to live in New York and then have my company pay for my travel and speak at conferences outside of the U.S.

That's a very wet mood. I'm kind of sad because there's a few CFPs that closed like a month ago that I would totally... there's a Postgres conference in New York that would have been super easy for me to go through; it's in September, and I'm like, that would be, we need what I would call more developer-oriented talks, but that also touch on topics that relate to databases. So this seems like it fit the bill. And this will sound very weird, but I've been doing conferences for a very long time, so to go in and just see what the speakers, what they're all about, and I'm like, dude, she's got it. I really
know your background or whatever, I'm like, very professional. I don't know how old you are, but I'm like, she seems very young and way more professional than I still am at this point. So anyway, so I was just curious, and I think the CFP for the European conference also just was... so there's a PGConf EU that they do every year; it's in a different city in Europe, so this year is Berlin. But yeah, and I mean, I don't know, like, I know there's Open Source Summit, there's a crap ton of conferences around, and I think this would fit into a lot of them. And if you, I also, I don't really know which conference is the best for this kind of talk, I'm not the conference door, but yeah, I would be thrilled if you had any. So yeah, it was beautiful, this talk, in my mind. Like, you're hitting so, like, it speaks to developers, it talks about databases, it has security, it touches on open source. Like, those are, like, if you could put it on the blockchain, you'd hit every category. Which, don't really put it on the blockchain, don't do that, don't be like "it's going to be blockchain" and the website: we do static analysis here, static analysis stands on blockchain. Yeah, exactly. You could probably do something like that for Solidity if they don't already; I don't know how mature Solidity is as a linker.

Like, actually, so I think he had asked, like, there's this conference, All Things Open, which is in North Carolina; the CFP also just closed, they're announcing their speakers. So, but it's an open source one, so if you ask me, would this fit in that conference? I'm not aware of the BSides conferences. It's a conference group very much like DevOpsDays, and I think this could fit in DevOpsDays because you've got automation, and automating security is a big thing. So BSides and DevOpsDays are groups of, like, local community groups; there's a parent organization, and they do conferences all around the world, and they will usually cover, you know,
some levels, like speaker travel and whatnot. So if you want to travel, like, I would suggest...

Okay, awesome.

And you just pick the city and see when the CFPs are open.

Okay, perfect. If you have, like, also any... I'd love to get in touch with you if you have any suggestions for me.

I accidentally sent you a LinkedIn request about 10 minutes ago, so you will see it, if I said accidentally. Yes, well, I was like, I pushed the "more" button and then I was like, does it... I forget how LinkedIn works. I guess I feel like also with speakers, you know what I mean, like when you talk, and then there's also people who are deciding on who's speaking, deciding how much experience you've got, like all these other small factors that you need, but now you have. So there was a thing on your LinkedIn page, it was like an interview you did with Chris Rotherall.

No, I don't know, it was the like, I was sitting true and a Muslim, like they got there.

So I have stalked your LinkedIn. I had not watched that, like, I was just sitting back here, and I'll tell you, like, the super weird story, this maybe is borderline creepy. So my wife and I, I guess we have a nickname for each other, and it's actually Estie, for no particular reason. And so I was trying to figure out which talk to go to, and I'm like, well, I don't know, her name is Estie and I've never met anyone with that name, so I'm just gonna go to that and see if it's good or not. So that was really the reason I came in here. It's also short for something, I assume? It's like Jewish?

Yeah, it is Jewish, it's Esther.

Nice, biblical name. So we ended up looking, that's not like, neither of us are Jewish, totally. It was a weird coincidence that we ended up with that, and then we met a few people we've seen online, they had that name. So that was the real reason why I actually came in here, but I was really glad that I did, because I had no idea. I'm like, well, automated security, this sounds like a poor man's nightclub, but I'm like, uh, but her name's Estie, so it'll be
great.

I'm so happy you came. Does that mean you need, like, a better name for the talk?

For the talk, I think you could change the name and highlights. So when I walked in, I got stuck in the hallway track when I got here, so you were talking about SQL injection, so I was like, oh, so this is automatically now. So they are more interested, because I do a lot of database stuff, but I think you could, it depends on what you want to highlight in the talk name and in the talk description.

Wait, is she also going to change it?

Yeah, so you can change it. So, like, there's a talk that I've done at a few different conferences; the talk is basically the same, 90% the same. So I think the best version is you did like A/B testing. Yeah, essentially it's like that. So it's like monitoring, I don't know, monitoring in production, like trade-offs. I did it at DevOpsDays LA here, like, whatever was the last one before the pandemic, 2020, I was there. Okay, so if you remember, I wasn't at that talk, but I was, yeah, because there was a slide I had where I talk about one of these role-playing games where they introduce a contagion in the game and it wipes out everyone in the game, because they didn't realize how bad it was going to be. And so that was, like, great when the pandemic was just being talked about, and I'm like, this is a little bit weird that I'm going to go into this a little bit, but I already have a slide here, so it's going to happen. But I've done that talk, like, slightly different versions of that with variously different names around that topic of testing versus monitoring. That was the, it's about trade-offs. So then you can kind of just, you know, if this is more about testing in your conference, then I'll talk about it; if you're about production stuff, like, I can talk on that slide if you do enough. So that was right. So I used to be like, every year I make, you know, four new talks or whatever like that; that's a grind. So it really is about figuring out, like, come up with a subject, figure out how it
can expand and attract, and then, you know, kind of shape it for which place you want to go to.

I'll definitely hit you up and ask you for suggestions, referral suggestions.

I'm not an employee, so I may be latent on responses. No, I'm not an employee, I shouldn't say that. I'm on a, what do you call it, not a sabbatical really, I'm on a hiatus, that's the word that I call people. So I may be a little higher latency than normal in response, but I also have a lot of spare time, so I'm happy to.

Thank you so much, I really appreciate talking, it's really good, thanks.

I'm not looking for a job, I just say that.

Well, because you said you're an employee, so like that was the first thing that came to mind.

Yeah, I shouldn't phrase it that way, because then people think I'm looking at my money. No, I'm not, I spend my time messing with Postgres. I'm not, you were also called to post that crap talk, yeah, Thursday. I actually pretty thought you were a bus to me. I'm not a, I'm not a, what do you, you know a little bit but not really, like, if you want to get that money, where like 90 of my value is, okay, I have a little bit more, I have friends. But if you, I'm also not a job, so I, I think this, the short, again, like, we definitely can talk about living, living, like I was going with reality, but then I think, yeah, part-time there's some things, some additional things that will kind of give you that extra value together with that, and that's why I was like, okay, doing this for a while, I don't have my main job, I want to get my main job, like being able to bring it back. So those books, that's definitely going to be looking for something, and then there's also, it depends also, depending on, like, if you want to do your own job or if you want to go to another company, or if you want to do your own job you can start a factory, or you can do your own, or you can go to another company if it's kind of active. I would recommend that there's a few in the future, so that would be a good thing.

That's great. Yeah, I did send you a personal
address. Yeah, I'm good.