2023

May 28, 2023
10 min read

Application Of Innovation Approach with Design Thinking

Design thinking is not easy. I am writing the essay below to reflect on the human-centered innovation approach, processes, tools, and techniques that I have experienced for the past few weeks. From a leadership perspective, I would like to provide an analysis and critique of how this approach could be relevant to my organization at Thought Machine. I foresee there would be significant obstacle to attempting to integrate design thinking into my organization and work practices.

Thought Machine is a startup in the fintech industry, specializing in cloud native core banking products. Founded in 2014 in the United Kingdom by ex-Googler, the company has a unique focus with a strong engineering culture and hiring with mostly technical employee. Unlike traditional banks that are more business driven, our organization has not yet prioritize with customer-centric mindset by “putting people first before technology”.

One of the pitfalls with our existing mindset is working technology for the sake of technology. Our team is obsessed with software engineering tasks rather than solving customer pain points. A typical backend engineer working from home in Europe has a big barrier to feel the pain from the clients in Asia from many thousand miles away in a different time zone. He has a lens from an engineering perspective on the process and list of features implementation, instead of asking what the banks want and understand their needs from the user experience perspective.

Another barrier to design thinking is that smart engineers tend to jump to the solution. They tend to not be spending enough time with users to understand the problem. They easily come up with brilliant solutions and jump into a rabbit hole to dive deep into technical challenges, solving one technical issue after another that no users really care. They may spend a whole day refactoring the code in a different programming language, yet provide no business benefit to the end users. They are too obsessed with the tools, build fancy software than try to find a use case to fit in the tool, rather than discover the real job to be done. If all you have is a hammer, everything looks like a nail. They should be aware that technology has changed, but jobs are still the same if they can find out the human needs.

The challenge doesn’t end there. Another potentially unsettling aspect of design-thinking methods is the reliance on divergent thinking. It requires engineers to not race to finish line or converge on an answer as quickly as possible but to expand the numbers of options, to go sideways for a while rather than forward. This is difficult with our training to valuing a clear direction, cost savings, efficiency and so on as a software engineer. We are long accustomed to being told to be rational and objective, while design thinking connects with customers can feel uncomfortably emotional and sometimes overly personal.

My role at Thought Machine is a client facing role as an Engineering Manager. I think the customer-centric innovation approach would work best in my team. Because it is an iterative design process with a focus on user need. It is not a one-off process, and I can slowly improve my organization by inserting the user-centric DNA in it. My role is at the sweet spot between users, technology, and business, where I can estimate the desirability, feasibility and viability of new ideas for innovation. I have to remember that I am not my user, and I should always question my assumptions. By immersing ourselves closely with the banking clients, we can focus on the users and their needs, involve them in the design process, get ah aha moments, find opportunities to innovate and create highly usable and accessible core banking products for them. I get the realization and learn something new by keeping an eye on my banking client without having a solution in mind in the first place. I could separate solutions from the problem that people are trying to solve and understand the financial market need.

Working in the financial services industry, the banks are under constraints from the regulator, and they are mostly risk averse. To make matters worse, traditional banks have a complex organization structure, making it more difficult to innovate. Most of them would avoid failure to prevent large punishment by the Monetary Authority. This is one of the biggest barriers to innovation and therefore, the banks remain in legacy systems, such as the mainframe, and they are not willing to take the risk to change.

However, this also opens new opens new opportunities, because the bank customers are forcing the banks to change. Nowadays, banks users are expecting a seamless digital experience, zero downtime and easily accessible on the mobile app. This could be enabled by the latest technology and infrastructure on the cloud, which my company product is offering.

My role as a client engineering manager can play as digital leader to drive and facilitate this human centric approach and make it successful. Successful innovation happens at the intersection of business models and when it is enabled by technology. Currently, my team have great software development capabilities and is strong on cloud-native technology. However, the business model was not disruptive as we are still using the traditional licensing model with project implementation costs. I could change the customer experience by understanding the real motivation of banks to move away from the legacy mainframe core to the modern cloud-native architecture. I could manage different stakeholders and pitch new ideas on different kinds of innovation, such as process innovation, and not limited to technical changes. By having the viewpoints from different client’s teams, such as the accounting team, operational team and product team, they would see different problem statements and there would not be a one size fit all solution. I can look for future business opportunities and map them to existing technological capabilities to solve problems in a more efficient way.

For implementation, I would drive my team to ask How Might We, like the exercise that I did for solving the aging population challenge. In the class project, we were doing research on How Might We encourage seniors to lead an active lifestyle so that they can enjoy health? In the workplace, I could take up the challenge such as How Might We design the core banking product for the traditional banks, so that they can easily install and integrate with their existing complex system? Or How Might We design the financial products in the digital banks for the younger generation, so that they can enjoy the innovative products without going to the branch? Or How Might We automate the requirement-gathering process, so that the team can save time for documentation and enjoy time to solve more interesting problems? There are many opportunities to use design thinking and do research with a human-centric approach. By having empathy, backend engineers can see the world through the eyes of bankers. We could put aside our own pre-conceived ideas and design solutions that work for the banks. We can imagine the world from multiple perspectives and imagine solutions that are inherently desirable and meet explicit or latent needs. By taking a people first approach, we can notice things that others do not and use the insights to inspire innovation.

By preparing interview questions and talking to the customers, we can get deeper and understand the core pains points. We can connect the dots instead of jumping to the solution. Instead of going through the low-hanging food, I could challenge the engineering team to hear something they do not know, discovering both the known unknowns and unknown unknowns. Instead of looking for validation with a solution in mind, ask questions. The customers may not be able to articulate what why want, and they could be limited by their imagination, but I can be a facilitator to get information out from the customer brain by conducting user research. I must do it myself and encourage others to get their hands dirty as well, instead of relying on a proxy, which could not get the full picture. I could write up the personas based on behaviors and avoid breaking down by market segments in the business decision. I would pick a generic persona that captures the user’s needs and pain.

As my team consists of backend engineers, they tend to work in silos, which someone working on the database schema, someone working on the platform infrastructure and someone working on the network connectivity, they do not naturally collaborate with each other’s and align for the customer, because they were too focused on their own technical task. I would also make a service blueprint to ensure the customers are happy or not, making sure it’s smooth by internal alignment. It provides the customer’s perspective and allows visualization from both the customer and business perspective. The service blueprint is a useful tool to map different back-office staff and vendors to the user experience. For example, a customer transaction requires an orchestration of multiple backend microservices, such as accounting, validation by processor and post transaction handling, which is handled by different departments.

For measurement considerations, we should not limit to financial key performance indicator (KPI). Some of the innovations may take a long time to realize, but the change of culture could be a more important measurement than the return of money. One of the indicators could be the number of user journey maps. For example, DBS integrated this as their team KPI, which ends up with hundreds of them. It may not be used for every single user journey map, but it shows the messages from top down and getting everyone to think from the user perspective and changing their mindset. We could also create customer journey maps for a day of banking users interacting with the core banking, from account opening, deposit money to viewing transaction history etc., it could visualize the users positive and negative experiences.

My organization has not been using this approach, because it has been too focused on the software engineering aspect. I could innovate to lead by making change from inside. It would be more effective than finding outside consultants because the engineers tend to ignore advice from non-technical people. It takes a bit of domain knowledge to speak the same language and convey the messages that technical team members can understand. Communication would be a big challenge since there would not be enough trust for the external party to tell us what to do. Some engineers may think they know the best in terms of system design. That’s why I should bring them in front of the clients, initiating a job rotation program, bringing the backend engineer to a production support role, which would be beneficial for them to understand the client’s need. Once they get into a call with the customers, then they would understand the clients are thinking differently from what they assume.

As a leader supporting my team, I would recommend and foster a culture for us to learn. It includes embracing failure. Design-thinking approaches call on the team to repeatedly experience something we have historically tried to avoid: failure. In other larger organizations, there are systems and processes to prevent anything from failure. It inhibits employees from trying new things and it is not good for innovation. In order to innovate, we must celebrate from failure and learn fast from the mistakes. This could be done by continuous release of new features to the client’s development environment instead of the production, making sure there is time for testing and collecting feedback. We could protype by turning ideas into a tangible form, that can be shared and tested with our client as early as possible. For example, instead of building a data model for accounting reconciliation, we could run a low-cost solution on excel to proof the concept before putting it in code for implementation. It would be useful to learn what works and what does not work, iterate to improve on the concept.

As a leader, I can create and reinforce a culture that counteracts the blame game and makes the team feel both comfortable with and responsible for surfacing and learning from failures. I should insist on consistently reporting failures, small and large, systematically analyzing them and proactively searching for opportunities to experiment. The team needs a shared understanding of the kinds of failure that can be expected to occur in a given work context. Openness and collaboration are important for surfacing and learning from them. Accurate framing detoxifies failure.

Another important culture I would recommend fostering is collaboration. The increasing complexity of banking products, services and experiences has replaced the myth of lone creative genius with the reality of the interdisciplinary collaborator. We should not think ourselves is the best and limit our radar in the same industry and same role. Instead, keep an open mind to look around at different people and industries for collaboration. Be comfortable with thick skin to recognize partnership outside of my main business in banking. There is always somebody else who is a real expert, and we should not be afraid to reach out and collaborate with somebody else. Technical hard skills would fade away, but the soft skills to collaborate with others are transferable. I shall keep on trying and working with talents to go through the human centric approach, don’t give up at the beginning by the first trial failure.

Overall, design thinking is a methodology that imbues the full spectrum of innovation activities with a human-centric design ethos. Innovation is powered by a thorough understanding, through direct observation, of what people want and need in their lives and what they like or dislike about my organization’s core banking products are made, marketed, sold and supported. Becoming proficient in design thinking takes time and hard work. As an engineering manager at Thought Machine, I can apply design thinking and learned how to bring a deeper understanding of human behavior to our financial product innovation, challenge the organizational status quo and achieve significant market impact.

May 28, 2023
in zh
1 min read

應用創新方法與設計思維

設計思維並不容易。在過去的幾週中，我經歷了以人為中心的創新方法、流程、工具並且技術，我現在正在寫下以下的文章來反思這些經驗。從領導角度來看，我希望能提供一個分析並評價此方法如何與我在Thought Machine的組織相關聯。我預見到將設計思維融入到我的組織和工作實踐中，將會是一個重大的障礙。

Thought Machine是一家專注於雲原生核心銀行產品的金融科技行業新創公司。該公司由前谷歌員工於2014年在英國創立，他們具有獨特的焦點與強大的工程文化，並主要聘請技術人員。與傳統的更注重業務驅動的銀行不同，我們的組織還沒有將“在技術之前先考慮人”這種以客戶為中心的心態作為優先考慮的事物。

我們現有心態的一個陷阱是為了技術而工作。我們的團隊更著迷於軟件工程任務，而不是解決客戶的痛點。一位通常在歐洲家中工作的典型後端工程師要感受到在時區不同，相隔數千英里的亞洲客戶的痛苦，有很大的障礙。他以工程視角看待過程和功能實現的清單，而不是去問銀行想要什麼並理解他們從用戶體驗角度的需求。

對設計思維的另一個障礙是聰明的工程師傾向於直接跳到解決方案。他們往往沒有花足夠的時間去了解用戶以理解問題。他們很容易提出了出色的解決方案，並且跳入如兔子洞般深入研究技術挑戰，解決一個又一個無人真正關心的技術問題。他們可能花了一整天用一種不同的編程語言重構代碼，但卻沒有為最終用戶帶來任何業務利益。他們太過於著迷於工具，建立華麗的軟件，僅僅是為了找到一個與工具相適應的使用案例，而不是發現真正要完成的工作。如果你只有一把鎚子，那麼一切都看起來像釘子。他們應該意識到，儘管技術已經改變，但只要他們能找出人類的需求，工作仍然一樣。

挑戰並未在此結束。設計思維方法中的一個可能使人不安的方面是依賴分歧性思考。它要求工程師不急於趕到終點或者尽快找到答案，而是擴大選擇的數量，向側面深入一段時間，而不是向前。我們的訓練難以將此和對明確方向、節省成本、效率等作為一個軟件工程師的價值觀相對應。我們已經習慣於被告知要理性和對客戶感到不悅和始終過於個人化的客戶連繫相對應的設計思維。

我在Thought Machine的角色是作為工程經理的客戶對門角色。我認為在我的團隊中，以客戶為中心的創新方法將達到最好的效果。因為這是一個迭代的設計過程，重點在於用戶需求。這不是一次性的過程，我可以通過將以用戶為中心的DNA插入其中以改善我

May 27, 2023
4 min read

Understanding ERC20 Tokens - the Backbone of Fungible Tokens on Ethereum

In the world of blockchain and cryptocurrencies, tokens play a crucial role in representing various assets and functionalities. One popular type of token is the ERC20 token, which has gained significant traction due to its compatibility and standardization on the Ethereum blockchain. In this blog post, we will delve into the details of ERC20 tokens, their significance, and why they have become a cornerstone of the blockchain ecosystem.

What is an ERC20 Token?

An ERC20 token is a digital asset created by a smart contract on the Ethereum blockchain. It serves as a representation of any fungible token, meaning it is divisible and interchangeable with other tokens of the same type. Unlike unique tokens (such as non-fungible tokens or NFTs), ERC20 tokens are identical and indistinguishable from one another.

KrisFlyer to Launch the World's First Fungible Token

To illustrate the practicality and innovation surrounding ERC20 tokens, we can look at Singapore Airlines' frequent flyer program, KrisFlyer. They recently announced plans to launch the world's first fungible token using the ERC20 standard. This move will allow KrisFlyer members to utilize their miles across a broader range of partners and services, enhancing the token's liquidity and usability.

Understanding Fungibility

Fungibility refers to the interchangeability and divisibility of tokens. With ERC20 tokens, each token holds the same value as any other token of the same type. For instance, if you own 10 ERC20 tokens, they can be divided into smaller fractions or traded for other tokens without any loss of value. This characteristic makes ERC20 tokens highly tradable and versatile within the blockchain ecosystem.

The Role of ERC20 Token Smart Contracts

ERC20 tokens are created through smart contracts deployed on the Ethereum blockchain. These smart contracts define the rules and functionality of the tokens, facilitating their issuance, management, and transfer. By leveraging the power of smart contracts, ERC20 tokens provide a transparent and decentralized solution for digital asset representation.

The Importance of Token Standards

While it may seem feasible for anyone to create tokens on Ethereum using smart contracts, adhering to a token standard is crucial for ensuring interoperability. Without a common standard, each token would require customized code, resulting in complexity and inefficiency. The ERC20 token standard was introduced to address this issue by providing a guideline for creating fungible tokens on the Ethereum blockchain.

Exploring the ERC20 Token Standard

The "ERC" in ERC20 stands for Ethereum Request for Comments, which signifies the collaborative nature of developing standards on the Ethereum network. ERC20 defines a set of functions and events that a token smart contract must implement to be considered ERC20 compliant. These functions and events establish a common interface for all ERC20 tokens, ensuring compatibility and seamless integration with various platforms and services.

Key Functions and Events of the ERC20 Interface

To be ERC20 compliant, a smart contract must implement six functions and two events. Let's briefly explore some of these key components:

totalSupply(): This function returns the total supply of ERC20 tokens in existence.
balanceOf(): It allows users to query the token balance of a specific account.
transfer(): This function enables the transfer of tokens from one account to another, provided the sender owns the tokens.
allowance(): Users can use this function to grant permission to another account to spend a certain number of tokens on their behalf.
approve(): This function is used to change the allowance granted to another account.
transferFrom(): It allows a designated account to transfer tokens on behalf of another account.

Additionally, ERC20 defines two events, "Transfer" and "Approval," which provide a mechanism for external systems to track and respond to token transfers and approvals.

Example script

You can try writing and deploying the solidity code on remix IDE:

https://remix.ethereum.org/

Create a new Smart Contract with code below:

pragma solidity ^0.8.13;

import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol";

contract MyERC20Token is ERC20 {
    address public owner;

    constructor() ERC20("victor coin", "VCOIN") {
        owner = msg.sender;
    }

    function mintTokens(uint256 amount) external {
        require(msg.sender == owner, "you are not the owener");
        _mint(owner, amount);
    }
}

Conclusion

ERC20 tokens have emerged as a vital component of the Ethereum ecosystem, offering fungible token representation with standardized functionality. By adhering to the ERC20 token standard, developers ensure interoperability, compatibility, and ease of integration for their tokens across a wide range of platforms and services. With the increasing adoption and innovation surrounding ERC20 tokens, they continue to play a pivotal role in the evolution of blockchain technology and decentralized finance.

May 27, 2023
in zh
1 min read

理解ERC20代幣 - 以太坊上可替代代幣的骨幹

在區塊鏈和加密貨幣的世界中，代幣在代表各種資產和功能方面發揮了關鍵作用。其中一種流行的代幣類型是ERC20代幣，由於其與以太坊區塊鏈的兼容性和標準化，該代幣已獲得先發展大幅度的應用。在這篇博客文章中，我們將深入探討ERC20代幣的細節，它的重要性，以及為什麼它已成為區塊鏈生態系的基石。

什麼是ERC20代幣？

ERC20代幣是在以太坊區塊鏈上由智能合約創建的數字資產。它作為任何可替換代幣的表示，意味著它可以與同類型的其他代幣進行劃分和交換。與唯一代幣（如非可替換代幣或NFTs）不同，ERC20代幣彼此之間是相同且區分不開的。

KrisFlyer推出世界上第一個可替換的代幣

為了說明圍繞ERC20代幣的實用性和創新，我們可以看看新加坡航空的常旅客計劃，KrisFlyer。他們最近宣布計劃使用ERC20標準推出世界上第一個可替換的代幣。此舉將使KrisFlyer會員能夠將他們的英里在更多的合作夥伴和服務中使用，增強了代幣的流動性和可用性。

理解可替換性

可替換性是指代幣的可互換性和可劃分性。對於ERC20代幣，每枚代幣具有與同類型的其他代幣相同的價值。例如，如果您擁有10個ERC20代幣，則可以將它們劃分為更小的部分或交易換取其他代幣，而不會損失價值。這種特性使ERC20代幣在區塊鏈生態系中具有高度的交易性和靈活性。

ERC20代幣智能合約的角色

ERC20代幣是通過部署在以太坊區塊鏈上的智能合約創建的。這些智能合約定義了代幣的規則和功能，促進了其發行，管理和轉移。通過利用智能合約的力量，ERC20代幣為數字資產表示提供了一種透明和去中心化的解決方案。

代幣標準的重要性

雖然任何人似乎都可以使用智能合約在以太坊上創建代幣，但遵守代幣標準對於確保互操作性至關重要。如果沒有共同的標準，每種代幣都需要定制的代碼，從而導致復雜性和效率低下。 ERC20代幣標準的引入就是為了解決這個問題，它為在以太坊區塊鏈上創建可替換代幣提供了指導。

探索ERC20代幣標準

"ERC"在ERC20中代表以太坊請求意見稿，這意味著在以太坊網絡上開發標準的協同性質。 ERC20定義了代幣智能合約必須實現的一組函數和事件，以被視為符合ERC20的。這些函數和事件建立了所有ERC20代幣的通用接口，確保了與各種平台和服務的兼容性和無縫集成。

ERC20界面的關鍵功能和事件

要符合ERC20，一個智能合約必須實現六個函數和兩個事件。讓我們簡單探討一些關鍵組件：

totalSupply()：此函數返回現存的ERC20代幣的總供應量。
balanceOf()：它允許用戶查詢特定帳戶的代幣餘額。
transfer()：此函數使代幣可以從一個帳戶轉移到另一個帳戶，前提是發件人擁有代幣。
allowance()：用戶可以使用此函數授權另一個帳戶代表他們花費一定數量的代幣。
approve()：此函數用於改變給另一個帳戶的額度。
transferFrom()：它允許一個指定的帳戶代表其他帳戶轉移代幣。

此外，ERC20定義了兩個事件，"Transfer"和"Approval"，它們為外部系統跟蹤和響應代幣轉賬和事後批准提供了一種機制。

範例腳本

您可以嘗試在remix IDE上編寫和部署solidity代碼：

https://remix.ethereum.org/

用下面的代碼創建一個新的智能合約：

pragma solidity ^0.8.13;

import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol";

contract MyERC20Token is ERC20 {
    address public owner;

    constructor() ERC20("victor coin", "VCOIN") {
        owner = msg.sender;
    }

    function mintTokens(uint256 amount) external {
        require(msg.sender == owner, "you are not the owener");
        _mint(owner, amount);
    }
}

結論

ERC20代幣已成為以太坊生態系的重要組成部分，提供了具有標準化功能的可替換代幣表示。通過遵守ERC20代幣標準，開發者確保了他們的代幣在各種平台和服務中的互操作性，兼容性和易於集成。隨著對ERC20代幣的接受度和創新的增加，它們將繼續在區塊鏈技術和去中心化金融的演進中發揮關鍵作用。

May 26, 2023
4 min read

Enhancing Software Security with DevSecOps

In today's digital landscape, the need for robust and secure software development practices is more critical than ever. DevSecOps, a fusion of development, security, and operations, provides a proactive and continuous approach to integrating security throughout the software development lifecycle. By embracing DevSecOps principles and practices, organizations can ensure that security is not an afterthought but an inherent part of their software delivery process. In this blog post, we will explore the key components of DevSecOps and discuss strategies to design a secure DevSecOps pipeline.

Test Security as Early as Possible: DevSecOps emphasizes early detection and prevention of security vulnerabilities. By integrating security testing into the development process, teams can identify and address potential risks in the early stages. Automated security testing tools, such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), should be employed to identify vulnerabilities in code and the running application.
Prioritize Preventive Security Controls: Instead of solely relying on reactive measures, DevSecOps promotes the implementation of preventive security controls. This approach involves establishing secure coding practices, performing regular security code reviews, and implementing secure configuration management. By focusing on prevention, organizations can reduce the likelihood of security incidents and mitigate potential risks.
Identify and Document Responses to Security Incidents: While prevention is crucial, it is also essential to be prepared for security incidents. DevSecOps encourages organizations to have well-defined incident response plans and documentation. This ensures that when an incident occurs, the response is swift and effective, minimizing the impact on the software and the organization. Regular incident simulations and tabletop exercises can help refine incident response capabilities.
Automate, Automate, Automate: Automation is at the core of DevSecOps. By automating security checks, code reviews, vulnerability scanning, and deployment processes, organizations can reduce manual errors and improve efficiency. Automation enables continuous integration and continuous deployment (CI/CD), ensuring that security is not compromised during rapid software delivery.
Collect Metrics to Continuously Improve: DevSecOps encourages a data-driven approach to software security. By collecting and analyzing metrics related to security testing, vulnerabilities, incident response, and compliance, organizations can identify areas for improvement. Continuous monitoring and metrics enable teams to track progress, identify trends, and implement targeted security enhancements.

DevSecOps Pipeline Designing Strategy

To implement DevSecOps effectively, consider the following strategies when designing your pipeline:

Automate everything: Automate the entire software delivery pipeline, from code testing to deployment, ensuring security checks are an integral part of the process.
Include your organization's security validation checks: Tailor security validation checks specific to your organization's compliance requirements and standards.
Start lean: Begin with a minimal viable pipeline and gradually add security controls as needed, maintaining a balance between agility and security.
Treat the pipeline as infrastructure: Apply security practices, such as version control, backup, and disaster recovery, to the pipeline itself.
Have a rollout strategy: Implement changes to the pipeline incrementally, allowing for proper testing and validation before wider deployment.
Include auto rollback features: Incorporate automated rollback mechanisms in case security issues are detected post-deployment.
Establish a solid feedback loop: Leverage observability and monitoring tools to proactively identify anomalies and gather feedback for continuous improvement.
Create prod-like pre-production environments: Ensure that staging, development, and test environments closely resemble the production environment to validate security measures effectively.
Include integrity checks and dependency vulnerability scans: Verify the integrity of build packages and conduct thorough scans to detect and address vulnerabilities in dependencies.
Consider pipeline permissions and roles: Assign appropriate permissions and roles to individuals involved in the pipeline, ensuring security and accountability.

Compliance Requirements

Incorporating compliance requirements into the DevSecOps pipeline is vital for organizations. Consider the following aspects:

Internal policies and standards: Align the pipeline's security practices with internal policies and standards set by the organization.
External regulators: Adhere to regulatory requirements imposed by external entities, such as the Monetary Authority of Singapore (MAS) or other relevant authorities.
Identify the correct security level: Evaluate the sensitivity and criticality of the software and identify the appropriate security level to be implemented.
Consider functional and non-functional requirements: Incorporate security requirements related to the software's functionality, performance, and user experience.

Security of the Pipeline

To ensure the security of the DevSecOps pipeline itself, follow these best practices:

Protect sensitive information: Avoid storing passwords and keys in code or the pipeline. Implement secure secrets management practices.
Software Composition Analysis (SCA): Perform third-party and library reviews, and reuse previously vetted and approved code whenever possible.
Static Application Security Testing (SAST): Conduct code reviews to identify and address vulnerabilities during the development phase.
Dynamic Application Security Testing (DAST): Exercise the application dynamically to discover vulnerabilities and potential exploits.

Key Takeaways

In summary, implementing DevSecOps practices empowers organizations to prioritize security throughout the software development lifecycle. Here are some key takeaways:

Incorporate compliance considerations into the design phase of your DevSecOps pipeline.
Leverage modern security automation tools and practices to detect and prevent security vulnerabilities.
Prioritize preventative controls to mitigate risks and reduce the likelihood of security incidents.
Collect and analyze metrics to continuously improve security practices and processes.
Focus on consistency and collaboration among teams rather than the specific tools used.

By embracing DevSecOps principles, organizations can build a security-focused culture and deliver software that is resilient to modern-day threats. Remember, security is a shared responsibility, and integrating it seamlessly into the development process is essential for building robust and trustworthy software solutions.

May 26, 2023
in zh
1 min read

透過DevSecOps提升軟體安全性

在今天的數位環境中，強大且安全的軟體開發實踐的需求比以往任何時候都更為關鍵。DevSecOps，一種開發、安全和運營的融合，提供了一種積極且連續的方法來在軟體開發生命週期中隨時整合安全。透過擁抱DevSecOps的原則和實踐，組織可以確保安全性不是事後才考慮的問題，而是他們軟體交付過程的固有部分。在這篇博客文章中，我們將探討DevSecOps的關鍵組成部分，並討論設計安全DevSecOps管道的策略。

尽可能早期的测试安全性： DevSecOps强调早期检测和预防安全漏洞。通过将安全性检测融入开发过程，团队可以在早期阶段确定并解决潜在的风险。应该使用自动化安全测试工具，如静态应用程序安全测试(SAST)和动态应用程序安全测试(DAST)，以识别代码和正在运行的应用程序中的漏洞。
優先考慮預防性的安全控制： DevSecOps不僅依賴於反應式控制，還提倡實施預防性的安全控制。這種方法包括建立安全的編碼實踐，定期進行安全代碼審核，並實施安全配置管理。通過專注於預防，組織可以減少安全事件發生的可能性並降低潛在風險。
識別並記錄對安全事件的回應：雖然預防非常重要，但也必須為安全事件做好準備。DevSecOps鼓勵組織制定清晰的事故響應計劃和文件記錄。這確保在發生事故時，回應迅速有效，將對軟體和組織的影響降至最低。定期的事故模擬和演練可以幫助改進事故響應能力。
自動化，自動化，自動化：自動化是DevSecOps的核心。通过自动化安全检查、代码审阅、漏洞扫描和部署过程，组织可以减少人为错误并提高效率。自动化实现持续集成和持续部署(CI / CD)，确保在快速的软件交付中不会妥协安全性。
收集指標以不斷改進： DevSecOps鼓勵用數據驅動的方式來處理軟體安全。通過收集並分析與安全性測試、漏洞、事故響應和合規性相關的指標，組織可以確定改進的領域。持續監控和度量標準使團隊能夠追蹤進度，識別趨勢，並實施針對性的安全增強措施。

DevSecOps 管道設計策略

要有效地實施DevSecOps，請在設計您的管道時考慮以下策略：

自動化所有事情：將整個軟體交付管道自動化，從碼測試到部署，確保安全檢查是流程的一部分。
包括您的組織的安全驗證檢查：根據您的組織的合規要求和標準量身制定的安全驗證檢查。
禁欲起始：從最小可行的管道開始，並根據需要逐步添加安全控制，保持敏捷性和安全性之間的平衡。
將管道視為基礎設施：將安全實踐，如版本控制，備份和災難恢復，應用於管道本身。
擁有卷動策略：將管道的變更逐步實施，此舉可以在更廣泛部署前進行適當的測試與驗證。
包括自動回滾功能：如果在部署後檢測到安全問題，則應加入自動回滾機制。
建立堅固的反饋迴圈：利用可觀測性和監控工具主動識別異常，並收集反饋以進行持續改進。
建立生產環境的前置環境：確保劃定，開發，和測試環境接近生產環境，以有效的驗證保安措施。
包括完整性檢查和依賴性漏洞掃描：驗證組建引泉包的完整性，並進行徹底的掃描來檢測和解決依賴性中的漏洞。
考慮管道權限和角色：指派適當的權限和角色給管道中的參與者，確保安全性和問責性。

合規要求

將遵守標準融合到DevSecOps管道對于组织来说至关重要。考虑以下方面：

内部政策和标准：使管道的安全实践与组织设置的内部政策和标准相一致。
外部监管机构：遵守外部实体，例如新加坡金融管理局(MAS)或其他相关监管机构的监管要求。
識別正確的安全級別：評估軟體的敏感性和關鍵性，確定需要實施的適當安全級別。
考慮功能性和非功能性的要求：以軟體的功能性、效能和使用者體驗相關的安全要求。

管道的安全

要确保DevSecOps管道本身的安全，遵循以下最佳实践：

保護敏感信息：避免在代码或管道中存储密码和密钥。实施安全的密码管理实践。
軟體組成分析（SCA）：執行第三方和函式庫尋找，並儘可能地重用先前已經審批過並且被接受的代碼。
靜態應用程序安全性測試(SAST)：進行程式碼審查以在開發階段識別並解決漏洞。
動態應用程序安全性測試(DAST)：動態運行應用程序以發現漏洞和潜在的利用辦法。

主要結論

總的來說，實施DevSecOps的實踐使組織能夠在整個軟體開發生命週期中優先考慮安全性。以下是一些主要的收穫：

在DevSecOps管道的設計階段納入合規性考慮因素。
利用现代的安全自动化工具和做法来检测和预防安全漏洞。
優先考慮預防性控制以減少風險和降低安全事故發生的可能性。
收集並分析指標以不斷改進安全實踐和流程。
專注於團隊間的一致性和協作，而不是使用的具體工具。

透過擁抱DevSecOps原則，組織可以建立一種以安全為重心的文化，並提供能抵禦現代威脅的軟體。請記住，安全是共同的責任，將其無縫地融入開發過程對構建強大且值得信任的軟體解決方案至關重要。

May 25, 2023
5 min read

Exploring Assisted Intelligence for Operations (AIOps)

In today's digital era, the complexity and scale of operations have significantly increased, making it challenging for organizations to effectively manage and troubleshoot issues. Assisted Intelligence for Operations (AIOps) emerges as a promising solution, combining big data analytics, machine learning, and automation to assist operations teams in making sense of vast amounts of data and improving operational efficiency. Coined by Gartner in 2016, AIOps holds the potential to transform the way businesses handle operations by providing insights, automating tasks, and predicting and preventing issues.

Understanding AIOps

At its core, AIOps leverages advanced algorithms and techniques to harness the power of big data and machine learning. It helps in processing and analyzing large volumes of operational data, such as logs, events, metrics, and traces, to identify patterns, detect anomalies, and provide actionable insights. The primary goal of AIOps is to enable organizations to achieve efficient and proactive operations management by automating routine tasks, facilitating root cause analysis, and predicting and preventing issues before they impact the business.

Key Challenges with AIOps

While AIOps offers immense potential, there are several challenges that organizations need to address to fully realize its benefits:

Limited Knowledge of Data Science: Implementing AIOps requires expertise in data science, machine learning, and statistical analysis. Organizations may face challenges in hiring and upskilling personnel with the necessary skills to effectively leverage AIOps technologies.
Service Complexity and Dependency: Modern IT infrastructures are complex and interconnected, making it difficult to determine service dependencies accurately. AIOps solutions need to handle this complexity and provide a holistic view of the entire system to identify the root cause of issues accurately.
Issue with Trust and Validity: Organizations often struggle with trusting AIOps systems due to concerns about the accuracy and validity of the insights and recommendations generated. Ensuring transparency and reliability are crucial to building trust in AIOps technologies.

The Good: Top Areas for AIOps Implementation

While there are challenges, AIOps also presents several opportunities for improving operations management. Here are some areas where AIOps can deliver significant benefits:

Anomaly Detection: AIOps can help identify and alert operations teams about unusual patterns or outliers in system behavior, enabling faster response and troubleshooting.
Configuration Change Detection: AIOps can automatically detect and track configuration changes, providing visibility into the impact of these changes on the system and facilitating faster problem resolution.
Metrics-based Telemetry and Infrastructure Services: AIOps can analyze metrics and telemetry data to provide insights into the performance and health of infrastructure services, enabling proactive maintenance and optimization.
Suggesting Known Failures: AIOps can leverage historical data and patterns to suggest potential failures or issues that have occurred before, helping teams to proactively address them.
Predictive Remediation: By analyzing patterns and historical data, AIOps can predict potential issues or failures and recommend remediation actions, allowing teams to take preventive measures before the problems occur.

Examples of AIOps in AWS

Amazon Web Services (AWS) offers several services and features that incorporate AIOps capabilities:

CloudWatch Anomaly Detection: AWS CloudWatch provides anomaly detection capabilities, allowing users to automatically identify unusual patterns or behaviors in their monitored data, such as CPU usage, network traffic, or application logs.
DevOps Guru Recommendation: AWS DevOps Guru uses machine learning to analyze operational data, detect anomalies, and provide actionable recommendations for resolving issues and improving system performance.
Predictive Scaling for EC2: AWS provides predictive scaling capabilities for EC2 instances, which leverages historical data and machine learning algorithms to automatically adjust the capacity of EC2 instances based on predicted demand, ensuring optimal performance and cost efficiency.

The Bad: Top Areas for Improvement

While AIOps has shown promise, there are still areas that require improvement to fully realize its potential:

Complex Service and Relationship Dependencies: AIOps solutions need to better handle complex service architectures and accurately identify dependencies between different services to provide more accurate insights and root cause analysis.
Rich Metadata and Tagging Practices: AIOps heavily relies on metadata and tagging practices to contextualize data. Organizations must maintain comprehensive metadata and adhere to good tagging practices to ensure accurate analysis and effective troubleshooting.
Long-Term Data for Recurring Patterns: AIOps systems can benefit from long-term historical data to identify recurring patterns and anomalies effectively. Organizations need to ensure data retention and build data repositories to leverage this capability.
Services You Don't Know, Control, or Instrument: AIOps may face limitations when dealing with third-party services or components that are outside the organization's control or lack proper instrumentation. Integrating such services into AIOps workflows can be challenging.
Cost vs. Benefit: Implementing and maintaining AIOps solutions can be resource-intensive. Organizations need to carefully evaluate the cost-benefit ratio to ensure that the insights and automation provided by AIOps justify the investment.

Examples of AIOps in AWS

To address some of these challenges, AWS offers services like:

Distributed Tracing with AWS X-Ray: AWS X-Ray provides distributed tracing capabilities, allowing users to trace requests across microservices and gain insights into the dependencies and performance of different components, aiding in troubleshooting and performance optimization.
AWS Lookout for Metrics: AWS Lookout for Metrics applies machine learning algorithms to time series data, enabling users to detect anomalies and unusual patterns in their metrics, facilitating faster troubleshooting and proactive maintenance.

Tips to Remember when Implementing AIOps:

Best Place to Tag: Tags should be added during the creation of a service or resource to ensure consistency and ease of analysis.
Use Human-Readable Keys and Values: Shorter tags with meaningful and easily understandable keys and values simplify parsing and analysis, enhancing the effectiveness of AIOps.
Consistency in Naming and Format: Establish consistent naming conventions and tag formats across services and resources to ensure accurate data analysis and troubleshooting.
Consider Infrastructure as Code: Embrace infrastructure as code practices to maintain consistency and repeatability, enabling easier integration of AIOps capabilities into the development and deployment processes.

Must-Haves: Design Thinking for Engineers

To effectively utilize AIOps, engineers should adopt a design thinking approach that encompasses the following:

Known Knowns: Utilize analogies, lateral thinking, and experience to solve known problems efficiently.
Known Unknowns: Build hypotheses, measure, and iterate using AIOps tools to explore and resolve previously unidentified issues.
Unknown Knowns: Engage in brainstorming and group sketching sessions to leverage the evolving AI features to uncover insights from existing data.
Unknown Unknowns: Embrace research and exploration to identify and address new and emerging challenges that current AIOps capabilities may not fully address yet.

The Ugly: Automatic Root Cause Analysis

Despite the progress made in AIOps, fully automated root cause analysis remains a challenge. AIOps can assist in narrowing down the potential causes, but human expertise and investigation are still required to determine the definitive root cause in complex systems.

Summary

AIOps presents a powerful approach to managing and optimizing operations by harnessing the capabilities of big data analytics, machine learning, and automation. While challenges exist, AIOps can deliver significant benefits, including anomaly detection, configuration change detection, predictive remediation, and providing insights into infrastructure services. Organizations should carefully evaluate the implementation of AIOps, considering factors like service complexity, metadata management, and cost-benefit analysis. By combining human expertise with the capabilities of AIOps, organizations can unlock greater operational efficiency and proactively address issues before they impact their business.

May 25, 2023
in zh
2 min read

探索運營的輔助智能（AIOps）

在今天的數位時代，運營的複雜性和規模已經顯著提高，這讓組織在有效管理和解決問題上面臨著挑戰。運營的輔助智能（AIOps）作為一種有前途的解決方案出現，結合大數據分析、機器學習和自動化，以幫助運營團隊理解大量數據，提高運營效率。GAN託在2016年首次提出AIOps，它具有改變企業處理運營的方式的潛力，提供洞察力、自動化任務，以及預測和防止問題。

理解AIOps

在其核心，AIOps利用先進的算法和技術來釋放大數據和機器學習的力量。它有助於處理和分析大量的運營數據，如日誌、事件、指標和跟蹤，以識別模式，檢測異常並提供可行的見解。AIOps的主要目標是通過自動化既定的任務，促進根本原因分析，以及預測和防止問題，使企業能夠實現有效和主動的運營管理。

AIOps的主要挑戰

雖然AIOps提供了巨大的潛力，但是組織需要處理幾個問題才能完全實現其效益:

1.數據科學知識有限：導入 AIOps 需要數據科學、機器學習和統計分析的專門技術。公司可能會在招聘和提升具有必要技能的人員方面遇到挑戰，以有效地利用 AIOps 技術。

2.服務複雜性和依賴性：現代 IT 基礎設施複雜且相互關聯，這使得準確確定服務依賴性變得困難。AIOps 解決方案需要處理這種複雜性並提供整個系統的全面視圖，以準確識別問題的根本原因。

3.對信任和有效性的問題：組織往往會因對生成的洞察和建議的準確性和有效性的擔憂而對 AIOps 系統的信任度變低。確保透明和可靠是建立對 AIOps 技術信任的關鍵。

土法煉鋼：首選 AIOps 落地場景

雖然存在挑戰，但 AIOps 也提供了改善運營管理的許多機會。以下是 AIOps 可以提供重大效益的一些領域：

异常检测：AIOps 可以帮助识别并通知运维团队系统行为中的不寻常模式或异常值，从而实现迅速回应和故障排除。
配置更改检测：AIOps 可以自动检测和跟踪配置更改，提供对这些变更对系统影响的可见性，促进问题快速解决。
基于指标的遥测和基础设施服务：AIOps 可以分析指标和遥测数据，提供有关基础设施服务性能和健康状况的见解，实现积极维护和优化。
建议已知故障：AIOps 可以利用历史数据和模式，建议可能发生的失败或以前发生过的问题，帮助团队积极应对它们。
預測糾正：通過分析模式和歷史數據，AIOps可以預測可能的問題或故障，並推薦糾正行動，這樣團隊就可以在問題發生之前採取預防措施。

AWS 中 AIOps 的示例

亞馬遜網絡服務（AWS）提供了數種結合AIOps能力的服務和特性：

CloudWatch异常检测：AWS CloudWatch 提供异常检测功能，允许用户自动识别其监控数据（例如，CPU 使用量、网络流量或应用日志）中的不寻常模式或行为。
DevOps Guru 建议：AWS DevOps Guru 使用机器学习分析运营数据、检测异常，并提供解决问题和改善系统性能的行动建议。
EC2 的预测性扩展：AWS 为 EC2 实例提供预测性扩展功能，这个功能利用历史数据和机器学习算法自动调整 EC2 实例的容量，以便根据预测的需求进行调整，确保最佳性能和成本效益。

短版：改进领域

雖然 AIOps 表現出了潛力，但仍有一些領域需要改進以充分實現其潛力：

服務和關係依賴性複雜：AIOps 解決方案需要更好地處理複雜的服務架構，並準確識別不同服務之間的依賴關係，以提供更準確的見解和根本原因分析。
豐富的元數據和標記實踐：AIOps 在很大程度上依賴元數據和標記實踐來使數據具有語境。組織必須保持全面的元數據並堅持良好的標記實踐，以確保準確的分析和有效的故障排除。
長期數據用於重複模式：AIOps 系統可以從長期的歷史數據中獲益，有效地識別重複的模式和異常。組織需要確保數據的保存並建立數據庫，以利用這種能力。
您不知道，無法控制或儀器的服務：當處理第三方服務或組件時，AIOps 可能遇到限制，這些服務或組件在組織的控制之外或缺乏適當的儀器。將這種服務整合到 AIOps 工作流程中可能會面臨挑戰。
成本對效益：實施和維護 AIOps 解決方案可能需要大量資源。組織需要仔細評估成本效益比，以確保 AIOps 提供的見解和自動化值得投資。

AWS 中 AIOps 的示例

為了解決這些挑戰，AWS 提供了像：

AWS X-Ray 的分散追蹤：AWS X-Ray 提供了分散追蹤的能力，用戶可以追蹤微服務的請求，了解其依賴性和性能，從而對不同的組件進行故障排除和性能優化。
AWS Lookout for Metrics：AWS Lookout for Metrics 將機器學習算法應用於時間序列數據，使用戶可以檢測他們的指標中的異常和不尋常的模式，從而促進更快的故障排除和積極的維護。

實施 AIOps 時應記住的建議：

最好的標記地點：在創建服務或資源時應添加標籤，以確保分析的一致性和容易度。
使用易讀的鍵和值：較短的標籤，具有有意義且易於理解的鍵和值，可以簡化解析和分析，從而提高 AIOps 的效果。
命名和格式的一致性：在服務和資源中建立一致的命名慣例和標籤格式，以確保準確的數據分析和故障排除。
考慮基礎設施作為代碼：擁抱基礎設施作為代碼的實踐，以維持一致性和可重複性，使得 AIOps 的能力更容易整合到開發和部署流程中。

必不可少：針對工程師的設計思維

為了有效運用 AIOps，工程師應該採用包含以下內容的設計思維方法：

已知知識：利用類比、橫向思維和經驗來有效解決已知問題。
已知未知：使用 AIOps 工具建立假設，衡量和迭代，探索並解決以前未識別的問題。
未知已知：參與頭腦風暴和群體速寫會議，利用不斷發展的AI功能，從現有數據中發掘見解。
未知的未知：接受研究和探索，以識別和解決新興的挑戰，這些挑戰目前的 AIOps 能力可能尚未完全解決。

非常尷尬：自動根本原因分析

儘管 AIOps 已經取得了進展，但完全自動化的根本原因分析仍然是一個挑戰。AIOps 可以幫助縮小潛在的原因範圍，但在複雜系統中，仍需要人類的專業知識和調查來確定確定的根本原因。

總結

通過利用大數據分析、機器學習和自動化的能力，AIOps提供了一種管理和優化運營的強大方法。雖然存在挑戰，但AIOps可以提供重大好處，包括異常檢測、配置變更檢測、預測糾正以及提供基礎設施服務的見解。組織在實施 AIOps 時應仔細評估，考慮到如服務複雜性、元數據管理以及成本效益分析等因素。通過結合人類的專業知識和 AIOps 的能力，組織可以實現更大的運營效率，並趨助於在問題影響他們的業務之前，主動處理問題。

May 24, 2023
4 min read

Introduction to Amazon DocumentDB

In today's digital landscape, modern applications face increasing demands for performance, scalability, and availability. With millions of users generating terabytes to petabytes of data across the globe, developers need robust and flexible database solutions. One such solution is Amazon DocumentDB, a purpose-built document database offered by Amazon Web Services (AWS). In this blog post, we will explore the benefits of document databases, the role they play in meeting modern application requirements, and delve into the features and advantages of Amazon DocumentDB.

Meeting Modern Application Requirements

Modern applications need to handle immense data volumes and serve a large user base while maintaining optimal performance and availability. However, there is no one-size-fits-all solution when it comes to databases. Different types of databases serve different purposes. Relational databases like AWS Aurora and RDS are ideal for structured data, while key-value databases such as AWS DynamoDB excel in fast and scalable key-value storage. For applications dealing with complex and flexible data structures, a document database like Amazon DocumentDB proves to be the right tool for the job.

Why Document Databases?

Document databases offer several advantages over other database models. They leverage JSON, a flexible and widely-used data format, as the native storage format. This allows developers to store, query, and index JSON data natively, making it a natural fit for applications where data structures are dynamic and evolving. Document databases support both denormalized and normalized data models, offering the flexibility to model complex relationships while maintaining performance. With native support for inserting and querying documents, document databases streamline the development process and provide efficient data retrieval.

When to Use a Document Database?

Document databases are well-suited for various use cases. For example, consider a gaming application that needs to store and retrieve user profiles, which may contain different fields based on individual preferences. Document databases excel in handling such flexible data structures. Similarly, document databases are a great fit for building catalogs where products may have varying attributes and specifications. Another use case is object tracking, where document databases provide a convenient way to store and retrieve data about objects with changing properties.

Introduction to Amazon DocumentDB

Amazon DocumentDB is a fully managed document database service offered by AWS. It is built to deliver high performance, scalability, and availability for modern applications. With Amazon DocumentDB, developers can focus on building their applications while relying on the managed service to handle infrastructure management, automatic failover, recovery, and maintenance tasks.

Fully Managed

Amazon DocumentDB takes care of essential database operations, such as automatic failover and recovery, automated maintenance, and seamless integration with other AWS services. This ensures that your application remains highly available and performs optimally. Additionally, Amazon DocumentDB follows a pay-as-you-go pricing model, allowing you to scale resources based on demand and only pay for what you use.

MongoDB Compatible

Amazon DocumentDB is compatible with MongoDB, a widely adopted document database. This compatibility allows you to leverage your existing MongoDB skills, tools, and applications, making it easier to migrate from MongoDB to Amazon DocumentDB seamlessly.

Security and Compliance

Amazon DocumentDB prioritizes security and compliance. It operates within an Amazon Virtual Private Cloud (VPC), providing strict network isolation. By default, data at rest is encrypted, and the service enforces safe defaults for secure operations. Amazon DocumentDB is designed to meet various compliance requirements, ensuring that your data remains protected.

Backup and Recovery

With Amazon DocumentDB, you can rely on automatic backups without experiencing any performance impact on your applications. These backups allow you to restore your database to any point in time within the last 35 days, thanks to the Point-in-Time Recovery (PITR) feature. Additionally, you have the option to create archive snapshots to retain snapshots for as long as you need.

Amazon DocumentDB Global Clusters

For globally distributed applications, Amazon DocumentDB offers the capability to create global clusters. These clusters provide replication to up to five secondary regions, ensuring low replica lag and fast recovery in case of failure. With compatibility for versions 4.0 and later, Amazon DocumentDB global clusters provide a scalable and resilient solution for serving data to users around the world. Furthermore, global reader instances enable offloading read traffic from the primary region, improving performance and responsiveness.

Conclusion

As modern applications face increasing demands for performance, scalability, and flexibility, purpose-built databases become essential. Amazon DocumentDB, a fully managed document database service by AWS, offers a powerful solution for applications that require the flexibility and scalability of a document database. With its seamless integration with other AWS services, MongoDB compatibility, robust security features, and global replication capabilities, Amazon DocumentDB empowers developers to build modern applications that can handle vast amounts of data, serve a global user base, and scale effortlessly as demand grows.

May 24, 2023
in zh
1 min read