December 8, 2022
December 10, 2021. For many, this date brings back nightmares, cold sweats, and panic. On this day, CVE-2021-44228 was issued for a novel security vulnerability in Log4J, a logging library used in Java development since 2001. It was discovered that Log4J could be provoked into loading code from an attacker-controlled host. And because Log4J was widely used in on-premises software, software as a service (SaaS), and internally developed applications, the vulnerability was sure to reach far and wide.
Over the next several days, the Log4J vulnerability (also referred to as Log4Shell) dominated technologists’ social media feeds, disrupted vacations and holiday joy, and was possibly the wake-up call many organizations needed.
As Randy Shoup et al. describe in their paper Responding to Novel Security Vulnerabilities, “Vulnerable versions of Log4j were in organizations’ applications’ direct dependencies and in their transitive dependencies. It was embedded in vendor products, including monitoring, visualization, and security tools. Mitigating this vulnerability required companies to change application configurations in anything Java-based. Remediating it required dependency updates, testing and deployment cycles, and redeployment of vendor software.”
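Finding every copy of log4j-core, including those buried in fat jars and vendor bundles, was the first step of the remediation the quote describes. The scanner below is an added example written for this post, not code from the paper or from IT Revolution; it identifies log4j-core by its Maven pom.properties entry, recurses into nested archives, and reports whether the JndiLookup class (whose removal was a common interim mitigation) is still present. The sample WAR it builds is constructed in memory, and the version test treats the 2.x line before 2.15.0 (except the 2.12.2 Java 7 backport) as affected by CVE-2021-44228.

```python
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    # pom.properties carries a 'version=2.14.1' line; return it as a tuple
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_archive(data, path):
    # Inspect an in-memory archive, recursing into nested jars/wars so that
    # log4j-core embedded in fat jars or vendor bundles is found as well.
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # a file named .jar that is not a zip: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            # CVE-2021-44228: Log4j 2.x before the 2.15.0 fix (2.12.2 was a Java 7 backport fix)
            if version and version[0] == 2 and version < (2, 15, 0) and version != (2, 12, 2):
                findings.append({"path": path, "version": ".".join(map(str, version)),
                                 "jndi_lookup_present": JNDI_CLASS in names})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings

def scan_tree(root):
    # Walk a directory (e.g. an application server's deploy dir) and scan every archive
    return [f for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in ARCHIVES
            for f in scan_archive(p.read_bytes(), str(p))]

def build_sample_war():
    # Constructed sample (not a real artifact): a log4j-core 2.14.1 jar inside a WAR
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"")  # empty stand-in for the real class file
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return outer.getvalue()
```

Run scan_tree over a deploy directory to list affected archives; a finding with jndi_lookup_present set to False indicates a jar that was patched by class removal rather than by upgrading.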
The size and scope of this vulnerability highlighted for many organizations that they were still ill-prepared to respond to attacks of this nature. Despite increasing investment in IT security for known vulnerabilities, companies still face the mounting challenge of how to address novel vulnerabilities. How do we prepare for the unknown?
In the aftermath of Log4J, some organizations responded quickly and with relative ease, while others lost days before even beginning their response. As the anniversary of Log4J looms, we wanted to pull together resources that show what this community has learned and how we can better prepare for a future of unknowns.
At the 2022 DevOps Enterprise Forum, a summit of thought leaders from technology and business, Log4J was still top of mind. Log4J made clear that organizations naturally create defenses against vulnerabilities they have experienced in the past (known vulnerabilities). But as the last several years have shown, and Log4J shined a particular spotlight on, new classes of vulnerabilities are continuing to be discovered, including
These “novel” security vulnerabilities challenge organizations in several ways. First, the full scope and impact of a novel vulnerability may not be clear and may be difficult to determine. Second, novel vulnerabilities can require large-scale redeployment of infrastructure and application software. And third, the scale of attacks exploiting novel vulnerabilities can hugely impact customers, making the organization’s response critically urgent.
In the paper Responding to Novel Security Vulnerabilities, authors Randy Shoup, Tapabrata Pal, Michael Nygard, Chris Hill, and Dominica DeGrandis provide leaders with examples and patterns to help create the adaptive capacity needed to prepare for, respond to, and learn from novel security threats. The paper also provides three clear examples of good, okay, and worst responses to Log4J.
Read the full paper here.
In 2022, it’s more clear than ever that technology drives value and innovation in every organization, no matter the industry. And with that power and influence, there is more pressure from attackers. How can an organization position itself to respond effectively to these threats?
In this presentation from this week’s DevOps Enterprise Summit-Virtual, Nathen Harvey (Cloud Developer Advocate, Google) and Amanda Lewis (Developer Advocate, Google) used the Log4J experience to shed light on how to transform into a high-performing technology team.
In the first half of the presentation, Harvey and Lewis present a fictionalized story of one company’s response to Log4J. Then, they show how findings from the latest DevOps Research and Assessment (DORA) team can help organizations build high-performing teams that are equipped to adapt to and deal with novel vulnerabilities.
Watch their full presentation here.
One big step toward fortifying your organization against both known and unknown threats is to bake security and governance into your software development. We have all known for years that waiting until the end of production to review and test software for security vulnerabilities is fraught with issues. The call to “shift left” on security and audit compliance has been heard by many, but few have effectively achieved it.
In the latest novel from IT Revolution, Investments Unlimited, a team of practitioners and thought leaders shows how organizations can use automated governance to effectively “shift left” on security, audit, and more, all while making the lives of developers and operations teams happier.
Log4J was a huge influence on the authors, who were in the middle of writing the manuscript for the book when the vulnerability hit. Their shared experiences of dealing with this and many other security vulnerabilities are all present in the novel.
Learn more about the book and start reading an excerpt here.
Log4J and other novel security vulnerabilities have helped push several topics to the forefront, including SBOMs (software bills of materials), software supply chains, and automated governance. Below is a list of several blogs, articles, and papers that cover these topics and are a great resource on your organization’s journey to a more secure future.