Secure Deployment: 10 Pointers on Secrets Management

In a previous blog we talked about secure deployment. Secrets management is an important part of that. So what does that mean? In this blog we’ll give some pointers on how to do secrets management well from the perspective of a secure deployment. It’s easy to start by saying “use tool X to store the secret” or “have all these detection tools in place!”, but that would lead to blind spots. Instead, let’s take a look at some pointers that would help you increase secret security holistically.

That’s a whole lot of secrets to manage…
Source: https://commons.wikimedia.org/wiki/File:Birn_Municipal_Bank_HQ_Safes.jpg

Sustainable change requires architecture of technology and organization

A desire to improve. Each organization I have met is searching for new ways to do better. A higher quality of their product. An optimized process to deliver software quicker. A caveat, however, is that organizations are typically focused on technology. Learning new skills, introducing new tools. Yes, they have their benefits. They can make your product better or improve the process. However, if you are solely focusing on the technology you only reap part of the benefits. In the worst case you even actively harm the organization.

Making the technology process more sustainable 

Nicole Forsgren, the lead researcher of the State of DevOps reports, puts it in this way: 

“Investments in technology, are also investments in people, and these investments will make our technology process sustainable.” 

Which basically means it is not simply about technology. If we don’t invest in the people in the organization we won’t create a sustainable process and organization. And this might be recognizable. Ever witnessed the introduction of a new technology or tool that only a few people understood? Not only how it works, but also why it is introduced? If so, you might recognize that the introduced tool only solved a part of the problem. On the other hand, it caused confusion and questions. 

The dynamics between technology and people we call socio-technical systems. It’s about the technical, social and cognitive aspects of an organization and system. Designing a socio-technical system means you explicitly think about the interrelation of these three aspects. It might still sound a bit vague, but this article will introduce you to the key concepts. Knowledge about socio-technical engineering can help you to understand what constraints might prevent or help you to succeed in your current project.

The origins of socio-technical systems 

The study of socio-technical systems concerns the way we organise complex work. It specifically looks at the interaction between people and technology. Although it might come across as new, it is a relatively old field of study. The theory was founded in the World War II era by British scientists who did research in the English coal mines.

In these times mines started to introduce mechanization. Instead of labour-intensive approaches, machines were brought in to do the heavy work and reduce a lot of the toil. This must yield higher efficiency and more output from the coal mine, right? Well yes, but there was a negative effect at the same time that negated the gained efficiency. The reason? Social interactions were dramatically changed.

In the manual process, the workers worked closely together, which encouraged strong social bonds, and they were able to execute all tasks as an autonomous unit. The mechanised method, however, put a distance between the people. The shifts that were introduced had as a side effect that no worker had the entire overview of the process. As a consequence, morale problems arose, internal fights happened, and workers started to resist.

The research and the published paper show that there is a strong connection between the technology used and the social factors. They show the importance of jointly optimising both systems to yield success.

Technology, in this case, does not refer to IT systems. Wikipedia describes technology as 

Technology is the sum of techniques, skills, methods, and processes used in the production of goods or services or in the accomplishment of objectives, such as scientific investigation.  

The definition shows it is broader than just the software systems that we create. It also relates to operational processes. 

—- 

Wiebe Bijker

Society is not determined by technology, nor is technology determined by society. Both emerge as two sides of the sociotechnical coin. 

—- 

So, socio-technical systems? 

While researching this subject in the past months I have found many different definitions of the term socio-technical system. And here I am adding yet another. My definition is

A socio-technical system is a network of interrelated components where social, technological and cognitive components interact. 

Often this is bounded in the context of an organisation, but depending on the context of the system we might want to analyse smaller or broader units. 

The focus is on the relation between the various components. One of the main principles is that the interaction between social and technological factors creates the condition for the organisation’s success. The other main principle states that optimising each aspect on its own tends to increase the number of undesired relations and hurts the existing ones. For example, adding a new piece of technology in your software project adds relations between the external components. For engineers involved in the project, it increases the cognitive load. They have to have more knowledge about the used tools and the interaction between them.

You would almost assume this is common sense, right? Why should we put even more emphasis on this? Well, in our – and many other people’s – observations we often see that there is a strong focus on one aspect of the socio-technical systems. Not that the other component is forgotten, but it is outsourced to a colleague or an agency. For example, a company that is transitioning to a DevOps philosophy while HR has to arrange the on-call schedules.

Consciously designing and optimising the interactions and relations between social and technical components is called socio-technical engineering. As a prerequisite however it is essential to start observing the socio-technical systems in your environment. There is no such thing as a greenfield system, there are always dynamics at play. By observing this initial state you can start to evolve the socio-technical system. 

Looking at the system as a whole is a crucial undertaking. Successful projects look at both components, which are just as important for a development project as the developed artefacts. For example, that company that moves to DevOps is not just introducing new tools and methodologies, but also social practices such as a change in work procedures, different communication paradigms and other changes. By engineering on both sides of the aisle, the optimum impact is reached.

Complexity ain’t simple 

Dealing with complexity is a common theme in socio-technical systems. This complexity can come in many forms and show up in different ways. Fred Brooks coined a widely-used definition of different types of complexity that helps us think about this.

Essential complexity – is the complexity of the problem you are actually trying to solve, it is irreducible unless you agree to change the scope of the initial task. In other words: ‘The Thing’ an application needs to do.  

Accidental complexity – is the complexity added by tools or a selected path to solve the problem; it is not part of the initial task and can (in theory) be removed without changing the scope of that task.

As a socio-technical engineer, you are mainly concerned with the accidental complexity. It requires you to dissect the artificially created complexity from the complexity that belongs to the problem. For example, travelling from The Netherlands to Germany was a lot harder in the early ’90s. Not due to the distance or the method of transportation, but simply due to created complexity. We had borders, I needed to make sure I had a passport, I needed to stop at a checkpoint so I could be vetted, and all of these things. This complexity is artificial; it does not belong to the complexity of the essential problem. Fortunately, the Schengen Convention removed the accidental complexity. The complexity of a journey from The Netherlands to Germany has been reduced a lot.

Why should you care about this? 

I believe that socio-technical engineering is one of the key instruments for anyone involved in an organization. We all have the ability to influence the success or failure of our department. The structure, processes and constraints created have a huge impact on the interaction between social and technical components. Often we find ourselves focussing solely on one of the components, but this is ineffective.   

In these times of COVID-19 we can find practical examples. The technology of vaccines and the process of administering them is one element. However, it is only a small part of the success in removing current restrictions. People have to trust the research, design and development of vaccines. There has to be trust in the governing bodies that control and validate the safety of the technology and the process. More importantly, this trust is needed not just from a small part of the population, but from an extremely large part of the world’s population. It requires investments in technology, but also in the people.

We all are responsible for the environment we create. Not just technically, but also socially. Socio-technical engineering is a capability everyone should possess in order to get the most out of your organisation. To me, it is one of the key capabilities a manager should have. The environment at play in the organisation is the responsibility of a manager and as a consequence should be the main component to improve for beneficial results. It requires managers to invest in people at least as much as they do in technology.

Are you interested in learning more about socio-technical systems? These articles and books are full of interesting information, or reach out to us for a chat!

More to read 

I am a specialist at Qxperts. We empower companies to deliver reliable & high-quality software. Any questions? We are here to help! www.qxperts.io


Burst your bubble: using machine learning to change the world

Social media has been blamed for locking people in a bubble, only showing them news that is in line with their beliefs. This divides society into different groups that have almost nothing in common. People read what they think they want to read, never seeing a different opinion. At the same time governments and influencers have started to call for filtering. Facebook would have to filter out lies and fake news, so we all see the truth only. The problem with the filter approach is that it will cause opinions to drift toward some bottom line truisms we can all agree on. If we start fining social media for violations, the companies will get more and more conservative, and we’ll end up in a boring world. Like having a perpetually overcast sky and an eternal drizzle. Grey goo everywhere.

This is not what we need. What we need is to be confronted with opinions that differ from what we think is right. So we (i.e. Albert Brand, Arjan Molenaar and myself) started a one-day research project at Xebia, inspired by a feature of my favorite Dutch newspaper, NRC. The feature is called Twistgesprek. The format is that two people discuss a statement during the week. Their conversation is summarized and published in the Saturday paper as a back-and-forth of messages. Quite often I start with a strong opinion about the subject being discussed, but end up with a more thorough understanding of its nuances because of the discussion. Having your convictions challenged and modified is a wonderful gift.
So, the idea was to show people ideas that directly contradict each other.

Designing your DynamoDB tables efficiently and modelling mixed data types with Kotlin

AWS (Amazon Web Services) offers a pretty neat NoSQL database called DynamoDB. It is fast and it can scale, what more can you wish for? The thing is, as a developer you are still responsible for designing your tables in such a way that you actually make appropriate use of the benefits DynamoDB has to offer. If you simply apply your knowledge gained using other databases, you might end up wasting money and performance.


DevOps in a data science world

Many organisations have a new ambition to become a data-driven organisation. In essence, this means the organisation wants to make better business decisions based on insights provided by data [4]. Data itself is not able to advise a business for better decision-making. Therefore these organisations introduce a new capability: Data & Analytics. 
This blog elaborates on how adopting DevOps principles can enhance business value creation for the world of Data & Analytics.


Structured Logging That Makes Everybody Happy

When we run our software, we obviously want to see and understand what is happening and how well our software performs. To achieve this, we need observability as a key characteristic for our software. Observability is a measure of how well internal states of a system can be inferred from knowledge of its external outputs. This definition, borrowed from control theory, implies that metrics, tracing, and logging are key topics to be implemented in your software system.

Two of these pillars, metrics and tracing, are also of great importance to allow yourself to paint the complete picture. In this blog post, I will focus on getting the most benefits from your logging.


Improving Security by influencing Human Behavior

We all know that hardening a system or implementing 2FA does not magically improve the security of an organisation. For a successful implementation of IAM or PKI, a holistic approach is needed. The same holds for the successful improvement of security in your organisation. Implementing and improving security demands that your approach covers people, process and technology.

This blog provides you with a mental model on how to change the behavior of people and how to change the culture of an organisation. To change the culture of your organisation you need to change the structures and lead by example. And there is more to it: why this works in changing the behavior of individuals.

I also highlight material to facilitate a workshop that helps you in making the mental models behind the behavior of people explicit.


Threat modeling without a diagram

Most threat modeling approaches (e.g. STRIDE) assume you have a technical overview like a Data Flow Diagram. An interesting question therefore is: can you threat model when there is no such thing available? A common situation would be when you are forming an epic, but as an exercise let’s take a legal contract or service level agreement; can you threat model that? Let us find out…

At first sight this might be a stretch or weird thing to do as there are no assets to protect or technical risks to identify, but I will show you can still get interesting results by tweaking the process and making a translation first.
