Environmental factors play as much of a role in helping or thwarting good programming.

The New Stack Update

ISSUE 205: John Henry and the 10x Programmer

Talk Talk Talk

“If your goal is to grow your business by delivering an application or service, dealing with the plumbing of an application is not what your users want to pay for.”

Stackery’s Tim Zonca
Add It Up
Who Holds the Most Responsibility in Securing an Application Throughout Its Build?

CEOs, boards of directors, DevOps, developers — it seems like everyone is responsible for security except for actual security teams. Our review of recent industry studies shows how confusion about job roles is causing potentially damaging conflict.

A new survey by Scale Venture Partners finds that 65% of respondents believe that someone in the C-suite is ultimately accountable for security. A majority of C-level executives would be understanding and help the security team in the event of a significant security breach, but 29% of chief information security officers (CISOs) in U.K. domain name broker Nominet’s latest report also believe the employee or contractor responsible for the breach would be fired. With their jobs on the line, security professionals are skeptical that cybersecurity is everyone’s job.

The latest “EY Global Information Security Survey” of senior business leaders found that there is mutual trust between security and IT teams at 80% of companies, but less than 40% can say the same thing about security’s relationship with R&D and product development teams. The report highlights the fact that 36% of companies have their cybersecurity teams join new business initiatives during the planning stage. Another 27% of companies get security involved in the design phase, with another 21% joining new initiatives in the build, test, or deploy stage. Given these results, it appears that companies are at least giving lip service to security teams’ importance.

Last year, we noted pockets of significant friction when security and non-security teams collaborate. In particular, companies in the midst of expanding DevOps have people in security roles discussing problems with these relationships. However, in that same study from Snyk, 86% of the security-focused respondents believe security is a joint responsibility between security and “delivery” teams.

Yet another survey, this one by MongoDB, found disagreement among European developers and IT decision-makers (ITDMs) about who is most responsible for securing an application throughout its build. Twenty-nine percent of developers think the developer that built an application is most responsible. ITDMs are more likely to say a security specialist they are able to identify is most responsible (28%) and are less likely to cite developers (21%). It is worrisome that 12% of all respondents say that an unidentified security specialist is responsible — how can an unnamed, unknown team be held accountable?

Please take our 1-minute survey!
Is 2020 the year of the service mesh? Your opinion will inform The New Stack’s coverage over the next few months. The three-question poll closes on Monday and the results will be made available later in the week.


What's Happening

The traditional role of the IT security professional in the past largely involved drafting and implementing policies and best practices, as well as managing security-vulnerability detection and remediation. Interaction with developers was usually relegated to the post-deployment stages of software development.

But in this new age of DevOps, security practices have evolved, especially for cloud native security. Many of the differences can be attributed to how software development underpins DevOps processes. Consequently, security team members have become more development focused and should play a role throughout the entire production pipeline (think of it as part of a shift to the left in CI/CD).

In this edition of The New Stack Makers podcast, recorded live at Palo Alto Networks’ studio in Santa Clara, CA, the guests discuss how security practices have evolved and changed. The guests were:

  • Ben Bernstein, senior vice president of product and engineering at Palo Alto Networks.
  • Matt Chiodi, chief security officer of public cloud at Palo Alto Networks.
  • Xiaobo Long, senior vice president of cloud security at Citibank.

The New Stack Publisher Alex Williams hosted this episode.

Why Security Is Really Different in Today’s Cloud Native World

John Henry and the 10x Programmer

Remember the 19th-century folk tale of John Henry? Aghast at the idea that machines could do a better job than humans at driving steel rods into mountain rocks (to make room for explosives), John Henry agreed to a contest with a steam-powered rock drilling machine. He won the contest, but, of course, lost the war, as the machines were, in the end, more efficient for the long haul. 

At The New Stack, we are primarily interested in easy scalability — how to harness the inherent power of computation to multiply value by some impressive order of magnitude. It is what computers do best, after all. So we’ve always been slightly suspicious of the idea of the “10x programmer,” the John Henrys of coding who putatively can program 10 times (or more) more efficiently than their peers. For even if they are magically more productive, in the end, the gain is not worth as much as you might expect.

Now we have some scientific backing. 

Bill Nichols, a researcher from Carnegie Mellon University, questioned the relevance of individual developer productivity. His recently published survey of 490 programmers using the C programming language suggested that instead, half of the difference in “program-development effort” can actually be attributed to variations in each individual programmer’s day-to-day performance, and “most of the differences resulted from a few very low performances, rather than exceptional high performance …” 

Does this mean the idea of the 10x programmer that all managers are seeking is a myth? “[W]hile some programmers are better or faster than others, the scale and usefulness of this difference have been greatly exaggerated,” Nichols wrote.

In other words, environmental factors play as much of a role in helping or thwarting good programming. Get your shop a solid DevOps workflow — one that allows your programmers to code with minimal distraction — and you may find that your need for master programmers is not as urgent as you thought.

Managed Kubernetes Services Make K8s Simple for Platform Teams and App Developers

The latest in our series of feature posts examining the state of Kubernetes in 2020. Of course, we have heard, or experienced, how difficult it can be to use Kubernetes. But is the point really to use it off-the-shelf in such a way? In this piece we talk with Platform9, Rancher and Google to find out how they and other service providers are making the Kubernetes “developer experience” more palatable.

Stackery Adds Provisioned Concurrency to Hasten Serverless Cold Starts

Amazon Web Services offers this neat feature for users of its Lambda serverless compute: provisioned concurrency, which keeps a customer’s serverless functions in memory for faster cold-start times. One problem: It is tricky to add and can’t be automated. Stackery’s visual editor for managing serverless functions now makes it as easy as clicking a checkbox. It can also be automated into an Infrastructure as a Service architecture.

Deep Neural Network AI Reconstructs Mysterious Image Hidden in Picasso Painting

We hear a lot about how AI can be used to maliciously create deep fakes, such as altered or outright fabricated videos and images. But these same powers can also be used for good. University College London researchers recently used AI to reconstruct a never-before-seen painting of a nude woman by famed Spanish painter Pablo Picasso, which was apparently hidden under The Old Guitarist. Using a computer vision technique known as neural style transfer (NST), the researchers were able to reconstitute the ghostly image of a woman hidden underneath. 

On The Road
KubeCon + CloudNativeCon Europe 2020 // APRIL 1 // AMSTERDAM, THE NETHERLANDS @ RAI AMSTERDAM


KubeCon + CloudNativeCon Europe 2020

Cloud native security is now everyone’s responsibility. Come learn the importance of DevOps with security in mind at our pancake breakfast at KubeCon + CloudNativeCon in Amsterdam for a discussion about all things DevSecOps. You’ll learn a lot while eating pancakes, too. Thanks to Palo Alto Networks for sponsoring. Come join us for a short stack with The New Stack, pancakes await! No need to pre-register, first come, first served. 
KubeCon + CloudNativeCon event registration 15% off with code KCEU20TNS15 for the first 50 people. Register now!

The New Stack Makers podcast is available on: Pocket Casts, Stitcher, Apple Podcasts, Overcast, Spotify and TuneIn.

Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Copyright © 2020 The New Stack, All rights reserved.
