Takeaways from Stack 2022 Developer Conference, Singapore, 16 Nov (Part 2 of 2)

Taking time to learn, reflect and re-imagine

Stack 2022 Developer Conference {GovTech}

I finally managed to complete this, thanks to some rest days between the World Cup round of 16 and the quarter-finals😄. You may refer to this another post for Part 1.

Opening Address by Dr Janil Puthucheary (Senior Minister of State at Ministry of Communications and Information, and Minister-in-charge of GovTech)

I took away 2 key points from Minister’s sharing:

1. The Singapore government is trying to move more services to the public cloud. In some cases, there have been ~50% savings in hosting costs.
2. Minister also spoke about the need to look beyond the hard technologies and into the softer aspect of creating the right engineering and learning culture in the government. I fully agree with this, but it will not be easy and requires capable and experience leadership to drive such outcomes.

Talent, Culture and Purpose by Mr Kok Ping Soon (Chief Executive, GovTech), Mr Frank Koo (Head of Asia, Talent and Learning Solutions, LinkedIn), Mr Noah Pepper (Former APAC Head, Stripe, and GovTech Board Member)

There were a lot of soundbites shared to think and reflect about talent attraction/retention matters and building of engineer culture.

1. Tongue-in-cheek, the tech industry seems to have moved from the Great Resignation to the Great Layoff to the Great Remorse and is now in a phase of the Great Reshuffle. However, the general consensus is that there is still more demand than supply of tech talent.
2. On talent attraction, it’s become increasingly clear that it’s not enough to “sell” what you do, but also why you do what you do i.e. mission / purpose of the organisation.
3. It’s also important to empower teams and allow them to take accountability of their work. An example to facilitate this is to encourage the teams to visit their customers, see the product in action and get feedback. I believe this is a key shift to move teams and mental models from project to product management.
4. On individual’s upskilling and continuous learning, it’s useful to think of oneself as always being a work-in-progress (WIP). Consider your needs in 2 to 3 years out and make time to learn and teach someone else.
5. On training — “Train your people so well that they can leave anytime. Treat your people so well that they don’t want to leave.”

Zero Trust at Scale by Mr Paul Lorimer (Corporate Vice President, Microsoft Enterprise and Cloud)

1. We are moving into an era of global Cloud providers with local services and instantiations. Such localisations include data residency, local security and regulatory and compliances needed.
2. Traditional approach of enforcing a strong perimeter is no longer adequate as boundaries are blurred with more devices/apps and users being interconnected. Today’s model is one of hybrid of everything, with an explosion of signals to monitor.
3. This leads to the need for the zero-trust approach i.e. trust must be validated at every stage of digital interaction even within the organisation’s network. There is a need to assume that breach has happened, to verify explicitly, and to use least privilege access.
4. A broad 3-phase approach to zero-trust architecture:

• (Phase 1) Set up the 1st line of defence by protecting identities, endpoints and apps
• (Phase 2) Protect data — discover and classify data, apply comprehensive and right protection to data
• (Phase 3) Modernize ability to detect and respond — defend across attack vectors, defend across external threats, defend across internal threats

Simplifying Data and AI with Lakehouse Platforms by Mr Matei Zaharia (Co-founder & Chief Technologist, Databricks)

1. Data, analytics and AI are critical elements for business disruptions.
2. We generally have 2 incompatible platforms today. We use the Data Warehouse for business intelligence (BI), whereas AI/ML uses cases are typically run on top of a Data Lake. These leads to higher costs, higher maintenance of multiple platforms, and disjointed and duplicated data.
3. The Data Lake House combines the 2 paradigms from storage to mgmt tools to offer a unified programming interface, governance model and query engine to deal with variety of data types and both BI and AI/ML use cases.

Building a Distributed Data Mesh with a DevOps Approach by Adrian Lee (Senior Solutions Engineer, Snowflake)

1. Impetus for data mesh: proliferation of complex ETL/ELT processes where centralised data engineering teams are unable to cope nor have the deep domain knowledge of the data.
2. Principles: domain centric ownership, data as product (make data discoverable, useful), self-serve platform, federated governance. This is essentially a summary of the great piece, Data Mesh Principles and Logical Architecture from Thoughtworks.
3. Data assets are treated as Products, with data consumers shifted from a “push and ingest” to a “serve and pull” model and having the ability and flexibility to pull form more than one data domain.

Navigating Cybersecurity in the Digital Darkness by Mr Chong Rong Hwa (Director, Cyber Security Group, GovTech)

1. Lesson 1: More effort might not yield better security, especially when applied to solve the wrong problem (aka diminishing returns). An interesting statistic shared was that about 90% of uncovered vulnerabilities were due to insecure coding, while 10% were due to vulnerable versions of software in the environment. However, we spend about 10% of our efforts addressing insecure coding and 70% of our efforts on patching and other manual processes to manage vulnerable software versions. Hence, a multi-layered approach to security is needed e.g. bug bounty, red teaming/pen-testing, secure coding framework. This is applicable in every aspect of work and life, and always useful to review if we are applying the right effort to solving the right problem.
2. Lesson 2: Rounds fired, none hit (or ineffective processes and use of tools leading to poor results despite investments made in security). Such examples include ignoring static application security scanning tools (be honest, how many of us how done this…), using blacklists instead of whitelists, keeping web application firewalls/container security tools in learning mode instead of blocking mode, container sec, manual log review and SOPs that introduces human errors or non-compliance.
3. Lesson 3: Security tools/processes are easy to add, but hard to subtract. Always useful to Review, Reduce, Reuse to simplify the environment.

High Fidelity Deployment of Microservices by Ms Samantha Wong (Software Engineer, GovTech)

1. Issues: Feature lockstep, dysmorphia, bug proliferation, production environment failure.
2. Goals: Ability to select features to deploy, confidence to move to production with representative tests in staging environments and good rollback procedures, no downtime.
3. Approach by team:

• Make use of environment branching,
• Use the sprint cycle as the release cycle
• Use of layer 4 firewall to conduct canary deployment (aka rolling out to subset of users to test new features) and blue-green deployment

The 10-Minute Guide to Running an API Program by Zen Chua (Lead Product Manager, GovTech)

1. Impetus for an API Program: improve agility, reuse, compliance, facilitate bi-modal IT, promote collaboration, and facilitate omnichannel applications.
2. API lifecycle mgmt (used by GovTech’s APEX platform team)

API Life Cycle Management {Image from The 10-Minute Guide to Running an API Program by Zen Chua (Lead Product Manager, GovTech)}

Upskilling Trends for the Humans of DevOps by Ms Jayne Groll (CEO and Co-founder, DevOps Institute)

1. Evolution of development practice: from Waterfall to Agile to Devops to SRE (site reliability engineering)
2. Related practices that are also gaining traction — Cloud native, Observability, Chaos engineering (born out of Netflix), Container orchestration, Open-source value stream management
3. Top 3 challenges in APAC IT organisations: Insufficient skills or resources, budget and funding issues, managing technical debt
4. APAC top 5 must-have skills: Process and framework skills, technical skills, leadership skills, human skills, automation skills
5. APAC top 5 must-have process and framework skills: DevSecOps, Agile, Design/System thinking, SRE, Value stream management
6. APAC top 5 must-have tech skills: Cloud compute platform, Cybersecurity, Container orchestration, Modern compute technology and architecture (I have no idea what this means nor was it properly explained during the talk), Application technologies
7. Resource: Global Report on Upskilling IT 2022 by DevOps Institute
8. Top 15 DevOps skills

Top 15 DevOps Skills {Image from Upskilling Trends for the Humans of DevOps by Ms Jayne Groll (CEO and Co-founder, DevOps Institute)}

That’s a wrap for Day 2 and concludes the Stack 2022 Developer Conference in Singapore. Until the next post!