Hi everyone. Firstly welcome and we do really appreciate the opportunity today to present and we really are, Salsa really is a proud sponsor of DrupalSouth. We want to present today about building a simpler future with Drupal and in terms of the topics of today we want to give some basic introductions, provide a little bit of background on Salsa for those that know Salsa, those that don't, highlight some recent projects and also give a glimpse into the future of some product offerings and where we're heading. And finally we really encourage some open discussion and open dialogue at the end of the session so we've left some time for that so hopefully we go well there. In terms of the intro so three speakers today. Myself I'm Paul Morris, Director at Salsa Digital and I head up projects and operations. Danielle. I'm Danielle Shuffler. I am a Product Manager and also a Business Development Lead. Akil. My name is Akil. I'm an Engagement Manager with Salsa. So a little bit about Salsa Digital. We've been established for 15, 16 years now. In the last eight years we've had a very heavily heavy focus, pretty much an exclusive focus on government. We're an open source company delivering technology and innovation helping governments transform. And this manifests and we'll see some examples of this as we move through the presentation but just to highlight a couple now. GovCMS, our involvement in the GovCMS program for the Department of Finance at the federal level and also Victoria's Single Digital Presence for Victoria's Department of Premier and Cabinet. We're also involved in a number of other whole of government initiatives that we'll sort of talk about as we move through the presentation. To understand more about Salsa is to understand our real why. And our why is centric to some common problems that we're seeing across government. Three common themes that we're observing and I'm sure others in the audience have observed these too, but fragmentation. 
So we're seeing fragmentation across technology, across user experience and many other forms of fragmentation are out there. Separate silos, so different folk trying to solve the same problems or similar problems using disparate approaches. So siloing of information approaches is a big deal in what we're seeing as well. And proprietary technologies, we're obviously speaking about Drupal here in open source but where the proprietary solutions are resulting in vendor lock-in and prohibiting innovation, it's obviously we want to sort of mop that up and address that. So with an understanding of the why and some common themes and patterns and problems that we see create Salsa's vision or our mission statement if you like. And our mantra is to help make more open, more connected and more consolidated government. But what does this really mean? More open, we get involved in building more open platforms. Open APIs and open source technologies and their application in general. More connected, this one's multifaceted. There's sort of a technology angle, governance angles and other angles. From the technology side it's about building better technical solutions for engagement. Connecting citizens more effectively and when we see some of the project examples we'll see, you know, examples of that sort of connection and effective engagement. Governance wise is about sharing approaches and lessons on program to program. So I did mention the GovCMS program, the single digital presence program. We're also involved in the New South Wales OneCX or customer service program. Also wa.gov.au. So a real value that Salsa can add is sharing approaches and facilitating knowledge share between these programs. So that's what we really like to do. More consolidated, so we spoke about the GovCMS program. We spoke about the single digital presence program. So in GovCMS there's over 300 sites that have been consolidated on that platform for over 100 agencies. 
And in terms of Victoria's single digital presence, we're really consolidating the user experience across Victorian agency sites. So, you know, getting involved in that and driving that is really what Salsa is trying to do. What I wanted to do is really make this real, show some manifestations of these things. So just to highlight a couple of or three key projects. Geoscience Australia is the first one I wanted to highlight, the first project there, and the Digital Earth Australia website. Stuart Rollins from Salsa provided a great presentation earlier in the day and had a lot of detail around the architecture and the why of that project. But just to mention a few things about the project. It's a decoupled architecture. It employs static web technology. It's built on the GovCMS PaaS platform. And there's many other things to that project that make it a sort of a next generation platform and approach. And Stuart's presentation's got a lot of details there. Ultimately the purpose statement of the site, making it easier for scientists, academia, industry, and citizens to discover Australian Earth data. So that again is about connection of citizen to content and data. So a great example. Health.vic is a site we've very recently launched. It was a site called Migration to Drupal to SDP in fact. And there was a very large amount of content that needed to be migrated. So given that we used our open source content migration framework Merlin. We'll speak a little bit about Merlin in the product slide next. We used Merlin on health.vic but we've used it for sort of 30, 40 other projects. And in terms of automation and validation of content migration, you know, it was really great, great thing to use. I mentioned the site launched just weeks ago. So that was great. And I think it's significant in this project to mention Salsa and the project made, you know, quite significant contributions back to the single digital platform. 
So artifacts built out of that project were contributed back to SDP. So we do that. We like to do that for all projects in particular. This project contributed quite a number of artifacts back to SDP. E-safety is another one to mention. This is a pretty, this is a nice site we had to build. Unique to this site or a good part about this site was the need to support like multiple personas. Parents, kids, educators, there was a number of personas that had to be considered, considered in the design, considered in the information architecture, the way the site was architected. So that was a great project and a good thing to sort of come make come alive. And again around that sort of engagement with citizen and providing a safer and more positive experience for citizens online. So what I wanted to do here was present a little bit about, you know, recent projects and what we've done in the past. Next slide speaks about, you know, some things that are in our future and some exciting things to talk about. So I'll hand over to Akil and Danielle for these. Thank you.

Excellent. Thank you, Paul. Thanks for that kind of roundup of what Salsa does and where we are now. So looking a little bit into the future, we're trying to make it a simpler future. We're trying to connect, trying to produce or at least put together some products and systems and processes in place to make things better for both the government and the users of Drupal. And so some of those, we have two particular products we're going to cover just right now. And one of them is Merlin, the other one is Civic Theme. I'll just cover Merlin right now. So we're looking at kind of products that'll kind of work in concert together to help with migration specifically and onboarding onto Drupal and making it less code-based. 
So Merlin in particular, we found that the problem space was that in the context of government, many government agencies are trying to significantly consolidate the amount of systems they have content and other web presences, especially when they have 15 different websites or only need four or five. They're now working towards consolidating these. There's plenty of current examples such as moving onto Drupal 9, for instance, and End of Life has kind of forced a lot of this shift to consolidate these platforms that they have online. And at the same time, they're also doing their own uplift of designs and upgrades through this. So Merlin, Merlin Core is basically a content migration tool that lowers the barrier to industry-wide foresight migrations from any source of CMS to a target CMS. In this case, mostly we're using it to Drupal. The content migrations then become repeatable, they're predictable, and then largely automated, which then reduces the errors and makes it easier to actually do it in progress and sync the content as you go through the process of the project. This in turn reduces the risk of manual errors, creates smoother, faster, and cheaper migration option. Now Merlin works with the Drupal Migrate module. Merlin creates structured data ready for import, and the Migrate module then uses that to import the content into menus, taxonomies, and nodes into Drupal itself. Now with Merlin, we launched Merlin about earlier this year, actually late last year, and we've been using it for almost a year now, and it's a fairly mature product. And as Paul mentioned, we've kind of tested it with that 35 Drupal migrations since it was launched late last year. So that's Merlin there, and I'll pass it on to Danielle to talk about Civic Theme. All right. Thanks, Akil. 
So Civic Theme is not something we've launched, it is in progress, but what it will be is an open-source design system really geared towards federal government agencies as well as organizations, at least for the first part, because a lot of times, right, those government agencies and organizations are responsible for implementing and creating their digital experiences. But we also know for all of us that are part of digital agencies that instead of having to use different themes all the time and really having to repeat a lot of the same work, then it would be great for us to be able to adopt and adapt an already existing design system for our clients and of course, for any internal projects that we have that might need a design system. So it's not just about building a new product, of course. We want to make sure that there are really important business reasons and that everyone's getting a lot of value out of it. And I touched on it a little bit, but really the core reasons why we're doing this especially is that there is a lot of duplication of work around theming and design and design systems and really just trying to eliminate that in general. Of course, there are going to be customizations. Every agency and organization is different, but really just trying to make sure that we have a core group of components and themes and, I'm sorry, components and templates in order to make sure that we are reducing that duplication. In addition, of course, we're always going to have to do user testing and accessibility testing. I'm very passionate about both of those myself. It's just the fact of even if you do want to do user testing on the out-of-the-box theme for your client, hopefully it will reduce that cost a little bit because it's already coming out of the box. Same thing with accessibility testing. 
And so the hope is that you'll be able to reduce the time, the project complexity, the risk, of course, total cost of ownership in general, if those are repeatable, and also just making sure that there is knowledge sharing. So as I stated in terms of this is upcoming, but it will be user tested. It will be accessible. There will be the components and templates I talked about. There will be Storybook and a Storybook will be available for you to create for clients. It will align to the former of showing government digital design system. There will be sample content. So there's a lot here that we're looking to do and excited to engage with the community and just really want to make sure that everybody's able to better engage with their clients or agencies and government can engage better with their customers and just really make sure that we're taking the focus out of solely more design, but focusing on information and services and content and some of the other pieces of the project in general.

Yeah, and just to reiterate some of what Danielle was saying, so Civic Theme is in the works right now, but it is we're aiming to launch this as an open source project in about January coming, hoping for December, but again with Christmas break it'll probably be January. It'll be an open source project for the community. So the intent will be at least to have them available for GovCMS to begin with and then that'll become available to be used as a theme with GovCMS kind of SaaS at the very least and PaaS as well. So that's one of the motivations for getting it out. Okay, I'm going to just jump to the next slide. So we have any we'll have time for questions and discussion. Now just covering a quick look at the Q&A here we've got. Feel free to ask questions either in discussion or the live Q&A. There's a question coming through. So do we have a link for Merlin Civic Theme? So Merlin we can definitely provide you a link any second. I can actually provide you that. 
We have information about Merlin right now. Civic Theme is nothing published right now. We're working on it very furiously. They get some information out and we're having some web content actually pages added very shortly. At the moment it's kind of pre-release so we're just finalizing the MVP build and then we will be able to provide something on Civic Theme. If there we have got designs we have got a roadmap so we can make those available. Talking about what we're going to work on what we have achieved so far as well. Obviously in Transparency for Open Community we're trying to make everything available. So designs in Figma are available. You can take the designs as part of Open Source. You can work with those to kind of build out the first part of Civic Theme at least the designs. We've already had some clients work with those designs which were then fed back into the core Civic Theme MVP build as well. So stay tuned for those but we can. I will quickly do that in a second. I'll provide some information about what we do have available to both of those. We have another question here. Paul could Merlin assist with agencies bringing content into WAGov? Example where there are more specific templates to move content to. A generic page to an announcement or a specific page to a publication etc. How do uploading files work? So thanks for that question Robert. The answer to that is we probably have to see if and how it fits in. Merlin usually is to do with migration at the start of a project. However ongoing migration is likely possible. I'll just probably have to get the likes of Stu and others that are the brainchild of this to provide their own opinion on that use case but I definitely think it's worth considering and a valuable discussion because you and I have talked about that challenge. Another question from Carl. How has the Merlin's DX improved in the last in the past year? Don't want specific just generalizations. 
It was very involved when I was using it last. DX design experience? So we are implementing the Merlin UI. It's another future thing to think about. I believe that's probably what Carl's referring to in terms of lowering the barrier to configure Merlin. Merlin used to be well you have to configure a whole lot of techies and YAML files and the like. That's being uplifted to build a UI on top which is a watch this space. Dev experience? Yes. We're building a UI. That should be much easier to actually manage the process. There's another thing which we're not going to mention right now but that's on the works as well. That will definitely connect or join the dots once we launch that to help with the migration process from end to end. That covers both Merlin and Civic Theme. Stay tuned for that one as well. Thanks Carl. Another one from the comment will be a decoupled version of Civic Theme at some point. Decoupled Civic Theme. I believe at the moment it is Drupal based and we are looking at it's going to be platform agnostic so the aim will be that it can be used across different platforms if that's what you're referring to and therefore you can use a different front-end and platform together. I hope that answers that. Okay don't know if there's that many more questions we might wrap it up. Just checking the board. Excellent. Okay well thank you everyone. I think we have a couple of interesting fun slides. So there's some of the Salsa team. This particular team prefers Harkos and the rest of the team prefer Brutus as an FYI. Alrighty. Excellent. Thank you very much for your time. Thank you everyone. Thanks everyone. Thank you.

Thank you very much to Paul, Danielle and Akil. It's always great hearing what the Salsa team has been up to. They've done some really good work over the few years. So yeah welcome. My name's Toby. I'm product lead here at amazee.io. I'm based in Canberra. 
And I'm Sean, technical account manager at amazee.io based in Wellington New Zealand and have just recovered from the power cut so hopefully that doesn't happen again.

It's my turn this term Sean. I'm going dark on you halfway through. So yeah we figured we'd take this opportunity. I think we nominally titled our session Know Your Enemy because one of the things that we think is really important in Drupal, in hosting, in web is being prepared for whatever's coming at you. But that preparation comes with an awful lot of knowledge. So one of the things that Sean and the rest of the team of TAMs do is sort of keep a constant eye on sites on what's happening to our sites, what's happening to other sites, what's happening around the world. And we thought we'd run you through some of our experiences in hosting large high volume sites for multiple markets across the world. We could do a super quick Who Is amazee.io session, but looking down the list of attendees, I think there's probably pretty good knowledge. We're an open source web ops hosting company. We have worked very closely with Salsa on a couple of the large Salsa projects here in Australia. But we work with a number of customers across the world hosting out of, I think we've got 30, something like 30 clusters under management now across the world, pharmaceuticals, finance, media, government. And we have some pretty good experience in a number of these scenarios. So I figured we'd just run through some of the things that we've seen, some of the things that we work with, and some of the tools and some of the knowledge that we can try and impart on people and show why knowing your enemy is as important as protecting against enemies you don't know.

Yeah. And there's a few things that we can show off during this, like just disclaimer, this is all like going to be winged. And I also have a five-year-old in the background. So it's got about to get messy. So I'll just share the right screen. 
And hopefully you can put Toby and I on the left in the, hey, not yet. Can you put the share screen in the middle? No. Yeah, let's bring it on you. Yeah. So I'm hoping this is even remotely legible. I'll just try to zoom in a little bit. So the first thing that we do at amazee.io is we run literally every single domain that we possibly can through our CDN, which is Fastly. And the very first thing that that does is protects us against all the boring attacks. So by boring, I mean like level three and level four, these are like ICMP floods, UDP floods and stuff like that, which is it's just nice not having to worry about all that stuff. And what you're looking at here is a live view on who's actually visiting the cachingscore site globally. So yeah, that's pretty neat. The next thing is it's all well and good to kind of see like traffic as it kind of comes in, but it's really nice to introspect that and work out whether that traffic is desirable, because ultimately you don't want to send it at your origin if you don't need to, because that's just a win for everybody. So what we do is log every request that hits Fastly into a log file that goes into S3 and Elasticsearch. And it's all logged in friendly JSON. So you can do things like jq analysis, if you just want to get something quick and dirty, like how many requests from this IP address during these day periods. Or if you want something more detailed, you might switch over to Elasticsearch to do trends or visualizations or stuff like that. So, but I mean, like, to do this is all kind of reactive. And so some of the cool stuff that we've been playing with recently has been on the more proactive side of things. And one of our larger customers that just has a single site with us in a single cluster is Smartsheet. 
So and what we've done recently with them is they wanted to like, they had a lot of attacks hitting them, like typically bot related, they had a lot of bots filling in their forms or enumerating pagination, like if you've ever seen someone get to page 1036, they've clearly not done that legitimately. No human being has the power to do that. So, yeah, for them, they needed something a little bit more proactive than playing whack-a-mole with the traffic there. So a new technology we have the ability to do, and I'll see if I can make it bigger, is we can deploy something called Signal Sciences. And how we deploy, it's quite unique as well. So it's deployed on the ingress on the Kubernetes cluster. So anything that hits origin, irrespective of the domain name, the host header, whether they even have a host header, will flow through Signal Sciences. And SigSci has, I will abbreviate them too because it's incredibly hard to say, is kind of that more proactive layer where it's analyzing the traffic, not just for your site, but globally. So one of its neat features is it has something called a SigSci IP. So if IP addresses have been known to do really dumb stuff across the network of SigSci, then they'll get flagged, and other sites will benefit from that, like a network effect. So in this case, 103,000 requests were instantly just black-holed because they were silly buggers, somewhere else globally, and we didn't have to manually tag them or do anything to do that really. On top of that, there's the standard OWASP, are they doing SQL injection, God bless them, cross-site scripting, command execution, all that kind of stuff. And then, if you do see someone doing something silly, you can find out what they've been doing. So this is an IP address from the country of Germany. And you can see that they're just doing stuff that people just do on the internet. So they're requesting index.php, but with a query parameter and null bytes and a whole bunch of other things. 
But the cool thing is that you see that SigSci is returning 406, which basically means don't do that. I don't want it. And it does this decision most of the time, less than one millisecond. So it's extremely quick. And, you know, it went up three, that went up three. So yeah, that one's two. So it's extremely quick. It doesn't rely on a third party to make that decision. It just every now and then just checks in with the SigSci network to update its rule sets and make sure it's running the latest sort of blocking behavior. And what's really cool is we can take these, we're seeing like a bunch of like dot dot slash dot dot slash sort of path traversal things and we're like, oh, what about the customers who don't have Signal Sciences, you know, because it's not free? What do they do? And how do they benefit from this? And that's where, and this is going to get extremely techy very quickly. So ignore this screen if you don't want to read code. But we can translate this into rules that effectively run at our edge layer inside Fastly. So without, I don't want to explain that, regex, because I don't truly understand it. It took a little while to get right. Yeah. And basically what this means is it's going to look for dot dot slash in the URL or the query string. And if it finds it, it's going to block it effectively. So this way other customers of amazee.io will get the benefits of these rules without having to have the kind of more proactive kind of blocking. And there's even a dedicated one for what we just saw, which is if you have /etc/passwd in a URL, just go away. I don't want to see you. And yeah, and you can actually see that. I just type in /etc/passwd, which I haven't done, and hopefully this works. There you go. That's what the WAF looks like. That's the ban hammer. So yeah, I think that's, I guess, what I spend a bit of my time doing, and I'm sorry, I've just stopped screen sharing, keeping your day interesting. 
So that's what I spend a lot of my kind of day doing. Just looking after the emerging threats that we're seeing. And often it's for technologies that you won't be running. Like there's some firewall that's just had a CVE announced with the remote code execution. And someone's just written some crawler to scan every IP address that they can find. And, you know, it's often, you know, there'll be like JSP or ASPX or a whole bunch of other things that you don't really see in Drupal land, but I'll still hit your Drupal site with it.

This is one of the things that came up in the session this morning. Someone asked the question, why do you need a CDN? And a CDN does some of this work for you. It relieves some of the pressure. It takes some of the load. Good CDNs may have some capabilities. But there's so many levels and so many layers that these malicious actors or inadvertently malicious actors, because we've all seen spiders that get stuck in infinite loops in search pages and stuff like that, that can wreak havoc with a site. So having the WAF capabilities, having those sort of bot detection capabilities is really important for us as the first line of defense. But as part of an organization that learns, being able to see what's happening in one place and utilize that information in more places is absolutely critical. And it's not just at the Fastly or the Signal Sciences layer because of the way that containerized hosting works. We've got nginx configuration per site. So we've got a standard nginx configuration for Drupal. As we learn things from the edge, we can pass that all the way back down to the individual Drupal containers, so that sites who elect to host their sites or organizations that elect to host their sites without CDNs and without WAFs get some of that knowledge too. So really make sure it passes all the way through the organization.

I mean, that's right. 
And that's where a lot of the goodies in nginx.conf, everything that's in there is in there for a reason. One of the best goodies in there is it blocks anything from executing unless it's index.php, which if you run a Drupal site is really cool. It also blocks the statistics module, which I also think is quite cool because that module is also terrible. And yeah, that's that trickle down kind of effect that you can sort of block it at the layer that makes the most sense. And yeah, pushing it towards the edge does mean it just happens a bit faster and you can survive a bit more of a volumetric attack. But so you go off and use your own CDN, then you're going to need to push it down the layer as you can't push it up. Another thing we do is a lot of sort of traffic scale and shape monitoring. So for the larger customers, for the larger sites, we have a fairly intimate knowledge of what their traffic patterns look like. So we could tell what is a good day? What is a bad day? And we collect a lot of this stuff. We run like vast amounts of Elasticsearch logging. We do an awful lot of Prometheus and Grafana monitoring of sort of scale up events and being able to quickly and easily identify outliers there is something that the team is really keen on because we might not see it come through ordinary channels. But trying to work out why a site suddenly goes up to 12 pods or why something's slow to scale up or why, what are the knock on effects? We may see the leading edge of it before we actually see a site outage, before we actually see database issues. So it's really, there's an awful lot of monitoring that goes into seeing what a site is, how it lives and breathes, what normal looks like. Yeah, as a frantically incentive, I can bring up a Grafana dashboard. Let's show something useful. You can tell Sean and I did a lot of preparation for this. We were going to but his power was out. Oh yeah, it just ruined everything. 
Has anybody got any questions that they desperately want to find out from us? Or contributions, comments, etc. More than happy to take those. For those that weren't in the talk this morning, Sean did a talk about caching gamification and launched his new cachingscore.com site to the world where you can find out how good or bad your site is. And this comes back to the optimizing performance, really pushing for reliability. All of these things count. It's not just making a site and putting it on the internet and letting the world consume it. It's making a site, putting it on the internet, making sure it's as good as it could be, making sure it's responsive, making sure it's stable, making sure that it's adequately protected. They're all part of that wraparound service. It doesn't finish on go live day. Yeah, and actually it's not really kind of talked about too much, but like having a super high cache hit rate is the best form of defense you can possibly have. The ones worked on the site, it was I think the Commonwealth Games 2018 Gold Coast site. I don't think it's around anymore, but for that we had a sitting in place there and I think we got the cache hit rate up to 99.925. So like that means like 75 out of every 100,000 requests we're able to trickle through and I think we went a little bit overboard on that because we did everything we possibly could to prevent having a miss, but you know there's nothing stopping any other equally as busy site having something which is also as impressive. It just may mean that you might need to get a bit tricky by putting through like allow lists for query string parameters stuff like that becomes more useful to get that last few little bits of hit rate, but I mean as a result like I mean how can you attack a site that's perfectly cacheable like because you can just turn your origin off and the site still could still function. So yeah. 
Oh yeah I worked on a project I just frantically checked the attendees list to see if I'm embarrassing anybody here that was had a really high cache offload and the request from the business area was to test it until it breaks and I pointed out that there's much greater resources than me at play here and testing one of these large global CDN providers until it breaks would be a very expensive, very expensive error and you'd have to spin up an awful lot of floods to be able to take one of them down. So yeah we're good at some aspects of business but the CDNs they're incredible at handling immense volumes of traffic that's their day job so let's make them do the work and not our creaky old database servers and back end PHP. Yep sorry just juggling kids. The third aspect is that the kind of work we do with agencies on sort of optimizing their sites behind the scenes like Sean in his years has seen an awful lot of things and some of the clients we work most closely with will sort of help try and guide them down the the path most traveled because anytime you go out in your own if you're searching in Stack Overflow and no one's seemed to have had your problem before it means one of two things really a genius or an idiot. I like to think that I'm a genius when I find no answers but it also likely means that you're the first person to have thought about doing this and that's never a great place to be so a lot of the experience comes with helping steer people towards solutions that do drive high-capability they drive stability and they drive scalability that's really important that sites are looking at this and just because the solution works it doesn't mean it's the best solution for you. Yeah and the biggest proponent of like just sometimes the best answer isn't like the shiniest answer. 
If you pick on JS frameworks then there's always going to be a new JavaScript framework of choice but yeah something about Drupal is it has like cache tags kind of built in if you want to do something with JavaScript now you've got a yeah somehow come up with a similar way to execute the same built-in kind of thing so yeah I mean I'd be interested to see what those other talks are today around decoupling and how they deal with cache sniping so to speak rather than doing full cache purges because ideally you do exactly what the cache tags are doing which is just getting rid of the smallest amount possible from cache. I'm more than happy to wrap up now unless anyone else has got questions or comments or anything they want us to handle I do have to run off and retrieve my children from their educational establishment. We've got nothing to cover then thank you so much for listening to us. Check us out amazee.io or Google for us we're pretty much everywhere these days but more than happy to take any of these kind of questions you'll find us Sean and I both around the Drupal Slack regularly ask us questions seek our advice sometimes we're kind and generous with it other times we're time poor. Time poor is a good answer yes but yeah also if you want to know more about the advanced WAF capabilities then yeah always up for a private demo if you want to you know do something a bit more yeah exact to the your customers requirements or your own requirements yeah happy to go through there on a more of a one-on-one basis as well if that makes more sense for you. Perfect well we'll let you get on with your day you've got two minutes back that you didn't have before so go make it I probably can't make a cup of tea in two hours two minutes but um thank you so much have a good rest of the session. See ya. See ya.