Technical Leadership Summary #4

Another recap of a week’s worth of links, news, and discussion around technical leadership and technology; as usual, follow me on LinkedIn if you want to receive a notification when I share a new link.

What I bought last week

Two weeks ago I wrote about attending DevSecOps Days in London, where I talked a lot about threat modeling in an Agile context. One of my main questions was how to “guide” developers to run a threat modeling session without having a security architect in the sprint planning; somebody mentioned that there are actually card decks that developers can use to do it.

As expected, there are multiple articles and videos on the topic: check, for example, Learn how to threat model using an interactive board game and Adam Shostack’s article Elevation of Privilege: Drawing Developers into Threat Modeling, which resulted in the creation of the Elevation of Privilege deck of cards that you can download freely from Microsoft.

As I plan to give a talk about it, I went even further and found a vendor in the UK who sells these and other cards. So far I can only comment on the quality of the cards (very good); I still haven’t had the time to explore them.

Topics I talked about this week

This week I discovered Adrian Colyer’s blog, and what a nice discovery it has been. I don’t know him personally, but I consider him one of my early inspirations from when we were both at IBM in the early 2000s. Adrian was the creator of AspectJ, which I was really passionate about at the time, and I remember writing him an email about it; I don’t remember the details well, although I’m pretty sure he answered. Adrian now regularly updates his blog, analyzing research papers; this week he wrote about a study on secret leakage on GitHub. I’m sure you’ll see his posts here regularly, as they are all extremely interesting.

Another regular guest of my summaries is Comic Relief’s Technology Blog. This time they didn’t publish their article on their own blog but on ITNext; still, it is very interesting: Load testing Serverless with Serverless at Comic Relief. I had never thought about it before, but using serverless for load testing seems like a no-brainer. Serverless Artillery is the tool they used.

This week I also discovered the beautiful API Style Book, a collection of links and comments on several public API style guides. Talking about APIs, I also posted an article on using OpenAPI as a tool to customize API security testing.

James Governor of RedMonk recently gave a talk in London about Progressive Delivery, and you can find a summary here. Progressive Delivery is a collective term for a set of practices to continuously deliver new features in a fine-grained way. Examples of these practices are:

  • User segmentation
  • Traffic management
  • Observability
  • Automation

In the CI/CD area, I also posted Modernizing your build pipelines (by Thoughtworks) and A comprehensive guide to canary releases.

Another research area (on the slow burner) for me is the visualization of software architectures; I talked in the past about my attempts to use Graphviz to automate software diagrams. This week I found a good video about Lyft Cartography, a tool to display cloud infrastructure.

Stack Overflow has published its 2019 Developer Survey. There are lots of insights and information there to understand what developers all around the world are doing.

A few more links before finishing: