Closed mcleo-d closed 4 years ago
As DevOps Mutualization continues to establish itself, it would be great for participants to read the following FINOS Meeting Procedure that includes running special interest groups. This will help with setting agendas and taking minutes moving forward.
One of the outstanding questions I had heard on the last call was for:
Iterate the list of the different types of evidence, what risk we think it's trying to address, and where the source of that evidence typically comes from.
as a way to identify the first movements on this group. Would like to check to see if any of the banks made progress on that. This should map to our Topic 2 from above
From my side, George from Citi asked about Tekton support with Actions. That is something we're looking into, but no immediate roadmap feedback (note, our roadmap is now public at https://github.com/github/roadmap ) on it, however we are embarking on many of these same themes (better k8s support, scaling, etc) later this year.
All - Thank you for attending the second FINOS DevOps Mutualization formation meeting last Thursday. It was great having so many FINOS members join the call and input into the project.
Please find a list of the attendees below as I complete the meeting minutes and add them to the issue. Also, please let me know your GitHub ID in the comments if it's missing from the list.
Date and Time : Thursday 30th July @ 1pm ET / 6pm BST
Name | Firm | GitHub ID |
---|---|---|
Andrew Aitken | Wipro | |
Eric Tice | Wipro | |
Murali Kaundinya | Wells Fargo | |
Rajeev Agrawal | Wells Fargo | |
Karel Deman | Scott Logic | @kdeman |
Amol Shukla | Morgan Stanley | |
Dov Katz | Morgan Stanley | @DovOps |
Gus Paul | Morgan Stanley | |
Jamie Jones | GitHub | @jbjonesjr |
James McLeod | FINOS | @mcleo-d |
Maurizio Pillitu | FINOS | @maoo |
Rob Underwood | FINOS | @brooklynrob |
Tosha Ellison | FINOS | @toshaellison |
Peter Thomas | Deutsche Bank | @peterrhysthomas |
Shay Naeh | Cloudify | |
Anders Wallgren | CloudBees | |
Tim Johnson | CloudBees | @tcraigjohnson |
George Kichukov | Citi | |
Paul Groves | Citi | @grovesy |
Stefanos Piperoglou | Citi | @citistefanos |
Tyler Bell | Capital One | |
Lee Faus | Armory | @leefaus |
Please find below meeting minutes from the DevOps Mutualization Formation Meeting that took place on Thursday 30th July @ 1pm ET / 6pm BST.
Date and Time : Thursday 30th July @ 1pm ET / 6pm BST
The following are DevOps Mutualization group questions that are open to asynchronous feedback and discussion.
@tcraigjohnson asks here ... https://github.com/finos/community/issues/44#issuecomment-668159551
On last week's call, I believe it was Stefanos who was talking about the burden of Change Management. They have an astounding number of manual approvals in their process that sound like they are little more than someone ticking a box because Change Management requires it. In a segment that has to move fast, that's a lot of administrative burden.
Here are my questions for the forum:
How do you change Change Management? What evidence and automation would the CMB need to actually improve and streamline the process? Are you changing people to change the process or do you show how to change the process to change the people?
@peterrhysthomas - I have added these points to the meeting minutes and have also added to #55 where the subject matter discussion should continue 👍
Here is the list we came up with in point 1's discussion:
- Record of code review/4-eyes check
- Record of test execution
- Record of test result acceptance/sign off
- Record of code/image/vulnerability scanning
- Environment deployment history/promotion
- Record of ITIL related control points
- Conformance to other control points – CSO or Architecture compliance
- Code/config changes - commit id/PR/etc
- Traceability to requirements/jira issues, etc
- Test plan
- Change classification - material/minor - impact and testing scope, risk, etc
- Change/risk assessment - maybe some automated risk assessment, blast radius assessment
@tcraigjohnson asks here ... #44 (comment)
How do you change Change Management? What evidence and automation would the CMB need to actually improve and streamline the process? Are you changing people to change the process or do you show how to change the process to change the people?
We are starting to go through this right now, and I am very keen to swap notes on what others are doing. We are not even using Service Now to capture change requests, which I think makes us an outlier, but even if we were, I feel like we would still have to cover other assessments to automate the approvals.
Things like
I think some of those can be yes/no answers, but others might be more graduated, which would lend itself to an assessment rather than fully automating the approvals. So you would automatically grade the release (a bit like this site does for security of websites https://securityheaders.com/ ) which would let you better highlight the releases that need more oversight. You could then move the boundary up and down for which releases got auto approved depending on current context.
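
The grading idea in the comment above, sketched as an added example (not part of the thread or of any FINOS project code): yes/no evidence items act as hard gates, graduated measures lower a letter grade, and the auto-approval boundary is a parameter. The field names, penalty weights and sample releases are assumptions made for illustration.

```python
from dataclasses import dataclass

# Yes/no evidence, named after items in this thread's evidence list.
# Assumption: a release missing any of these is graded F outright.
REQUIRED = ("code_review", "test_execution", "vulnerability_scan",
            "commit_traceability")
GRADES = "ABCDEF"  # A is best, in the style of securityheaders.com


@dataclass
class Release:
    evidence: set           # names of the yes/no evidence records present
    test_pass_rate: float   # graduated, 0.0 to 1.0
    open_high_vulns: int    # graduated, unresolved high-severity findings
    blast_radius: int       # graduated, dependent services (assumed metric)


def grade(r: Release) -> str:
    """Return a letter grade; F is reserved for missing required evidence."""
    if any(item not in r.evidence for item in REQUIRED):
        return "F"
    penalty = 0
    if r.test_pass_rate < 1.0:
        penalty += 1
    if r.test_pass_rate < 0.95:
        penalty += 1
    penalty += min(r.open_high_vulns, 2)
    if r.blast_radius > 10:
        penalty += 1
    return GRADES[min(penalty, 4)]  # graduated checks bottom out at E


def decide(r: Release, auto_approve_at: str = "B"):
    """Auto-approve at or above the boundary grade; F never auto-approves."""
    g = grade(r)
    auto = g != "F" and GRADES.index(g) <= GRADES.index(auto_approve_at)
    return g, ("auto-approve" if auto else "manual review")


# Constructed sample releases.
ALL = set(REQUIRED)
clean = Release(ALL, 1.0, 0, 3)
flaky = Release(ALL, 0.97, 1, 3)
unreviewed = Release(ALL - {"code_review"}, 1.0, 0, 3)

if __name__ == "__main__":
    for name, rel in [("clean", clean), ("flaky", flaky),
                      ("unreviewed", unreviewed)]:
        print(name, decide(rel), "| relaxed boundary:", decide(rel, "C"))
```

Moving `auto_approve_at` from "B" to "C" changes the outcome for the middle release only, which is the "move the boundary up and down" behaviour the comment describes.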
@DovOps and Group Members - On 10th September at 11am ET / 5pm BST we have the opportunity to present a 3 minute DevOps Mutualization update on the FINOS All Community Call as a FINOS Focus Project. See issue #53
Please use 👍 to register your interest to present and list your thoughts on the topics below ... 🚀
Can this be closed @mcleo-d ?
Description
The FINOS DevOps Mutualization Project is scheduled to meet on July 30th 2020 @ 6pm BST / 1pm ET.
DevOps Mutualization aims to solve common engineering problems by providing a continuous compliance and assurance approach to DevOps for financial services and fintech.
The group last met on 18th June with the meeting minutes found here https://github.com/finos/community/issues/44#issuecomment-648791809
Agenda
Discussion Topics
Please leave your feedback on the agenda above in the comments below #52
We look forward to your ideas and contribution.
The FINOS Team.