[04:44.000 --> 04:49.000]  So, yes, for this interview, I prepared some questions,
[04:49.000 --> 04:53.000]  and I prepared some slides.
[04:53.000 --> 04:55.000]  They show the questions that I'm telling you,
[04:55.000 --> 04:57.000]  so you don't have to remember what I'm saying.
[04:57.000 --> 04:59.000]  You can just read them on this list.
[04:59.000 --> 05:02.000]  So maybe one thing, and at once,
[05:02.000 --> 05:07.000]  I was able to watch the first use case.
[05:07.000 --> 05:08.000]  Okay.
[05:08.000 --> 05:13.000]  And I had to call with [redacted] 10 minutes ago,
[05:13.000 --> 05:17.000]  and he told me, well, did you also read this companion story?
[05:17.000 --> 05:20.000]  Well, that was something to read.
[05:20.000 --> 05:21.000]  Yeah.
[05:21.000 --> 05:25.000]  So only for that in advance.
[05:25.000 --> 05:27.000]  Yeah, no problem.
[05:27.000 --> 05:29.000]  If something is not clear,
[05:29.000 --> 05:32.000]  I prepared some backup slides here.
[05:32.000 --> 05:36.000]  We can quickly discuss anything that's unclear.
[05:36.000 --> 05:43.000]  So the first use case is, yeah, it shows that the framework is able to capture
[05:43.000 --> 05:47.000]  the security related compliance rules.
[05:47.000 --> 05:53.000]  The second use case shows that it can capture also a bit more
[05:53.000 --> 05:57.000]  sophisticated compliance rules that has multiple nodes.
[05:57.000 --> 06:01.000]  So if you remember the work by [redacted],
[06:01.000 --> 06:08.000]  you can describe compliance rules that talk about more than one software
[06:08.000 --> 06:12.000]  component within your application.
[06:12.000 --> 06:17.000]  The major difference to what [redacted] did is that we deal now with
[06:17.000 --> 06:21.000]  instance models, not with the deployment model.
[06:21.000 --> 06:26.000]  So that's why we reconstructed the architecture
[06:26.000 --> 06:31.000]  of the instance model, not the original application.
[06:31.000 --> 06:37.000]  Using certain technology specific plugins like we have a plugin for
[06:37.000 --> 06:42.000]  Kubernetes, we have a plugin for Opentosca, of course, for Toska.
[06:42.000 --> 06:49.000]  Yeah, and then we refine this model with extra information that
[06:49.000 --> 06:51.000]  are needed for the checking.
[06:51.000 --> 06:55.000]  So the second use case says, okay,
[06:55.000 --> 07:05.000]  for a specific database in our application, only user A must be allowed.
[07:05.000 --> 07:10.000]  So we want information that, okay, are there any other users that are allowed
[07:10.000 --> 07:12.000]  on this machine?
[07:12.000 --> 07:16.000]  So in the first step, we reconstruct the general instance model,
[07:16.000 --> 07:19.000]  but it doesn't have this detailed information.
[07:19.000 --> 07:22.000]  So that's why we have refinement plugins.
[07:22.000 --> 07:24.000]  And in this case, only one refinement plugin.
[07:24.000 --> 07:29.000]  This refinement plugin searches for MySQL databases and talks to them and
[07:29.000 --> 07:33.000]  asks them about the users of databases.
[07:33.000 --> 07:36.000]  And then it refines the model with this information.
[07:36.000 --> 07:40.000]  If there's a violation, we have like user A, but also user B.
[07:40.000 --> 07:41.000]  Oh, I kept it.
[07:41.000 --> 07:45.000]  I always wondered why do you call them refinement plugins,
[07:45.000 --> 07:48.000]  but it's a refinement of the instance model.
[07:48.000 --> 07:49.000]  Exactly.
[07:49.000 --> 07:51.000]  How do I get this primer?
[07:51.000 --> 07:54.000]  Because this would be all, I've been all one of my feedback things
[07:54.000 --> 07:58.000]  where I like, why is such a stupid naming, but now I get a disappointed naming.
[07:58.000 --> 08:01.000]  Yeah, it's always naming.
[08:01.000 --> 08:03.000]  Yeah, it's always naming.
[08:03.000 --> 08:05.000]  I'm not actually...
[08:05.000 --> 08:07.000]  Yeah, it's a genius.
[08:07.000 --> 08:11.000]  I hope the paper describes it a bit better than just the video.
[08:11.000 --> 08:13.000]  Yeah, you know, it's a bit difficult too.
[08:13.000 --> 08:15.000]  Yeah, sure thing.
[08:16.000 --> 08:19.000]  As I mentioned, I only had time to watch the first use case.
[08:19.000 --> 08:23.000]  Maybe if I had watched the second one as well, then...
[08:23.000 --> 08:27.000]  Yeah, so that's the major difference from like the first use case.
[08:27.000 --> 08:32.000]  The compliance rule is a bit more complicated, but it follows the same idea.
[08:32.000 --> 08:35.000]  One question from my side.
[08:35.000 --> 08:41.000]  How many [redacted] people from industry have you already interviewed?
[08:41.000 --> 08:47.000]  Because I'm always wondering if does somebody understand all this abstraction stuff
[08:47.000 --> 08:53.000]  with whatever configurations, deployments and instance models and whatever?
[08:53.000 --> 08:58.000]  It's not gone through all these details within the institute.
[08:58.000 --> 09:05.000]  Yeah, so we had a first round of interviews with a few guys from [redacted].
[09:06.000 --> 09:10.000]  And they are system admins mostly.
[09:10.000 --> 09:16.000]  Mostly responsible for the security of, let's say,
[09:16.000 --> 09:19.000]  internal applications within [redacted].
[09:19.000 --> 09:24.000]  And yeah, I presented kind of the same stuff to them.
[09:24.000 --> 09:32.000]  And they were able to understand it because of the follow-up questions they had.
[09:33.000 --> 09:42.000]  And of course, they use different terminology, but when I explain the meaning of the terms I'm using, they got it.
[09:42.000 --> 09:50.000]  And they focus mostly on compliance rules that are similar to the first use case.
[09:50.000 --> 09:55.000]  So compliance rules that are about the configuration of operating systems.
[09:55.000 --> 09:59.000]  So that's why we added this first use case.
[09:59.000 --> 10:08.000]  And the initial design was just like architectural, focusing on architecture and multiple nodes and their relation.
[10:08.000 --> 10:13.000]  But they wanted compliance rules that focus on configuration of individual nodes.
[10:13.000 --> 10:16.000]  Okay, cool.
[10:16.000 --> 10:24.000]  Okay, so yeah, as I told you, we have to record this audio.
[10:24.000 --> 10:27.000]  Yeah, everything okay.
[10:27.000 --> 10:31.000]  So if everything will be anonymized, so no worries.
[10:31.000 --> 10:35.000]  I trust you 100%.
[10:35.000 --> 10:37.000]  Yeah, okay.
[10:37.000 --> 10:44.000]  So yeah, do you have any other follow-up questions on the video or?
[10:44.000 --> 10:49.000]  Yeah, despite my apologize, nothing.
[10:49.000 --> 10:51.000]  Yeah, no problem.
[10:51.000 --> 10:52.000]  Okay.
[10:52.000 --> 10:56.000]  So now some demographic questions.
[10:56.000 --> 10:59.000]  So how can you describe your role in the company?
[10:59.000 --> 11:00.000]  CTO.
[11:00.000 --> 11:01.000]  CTO.
[11:01.000 --> 11:06.000]  And what kind of tasks do you usually do in your work?
[11:06.000 --> 11:08.000]  Drawing architecture diagrams.
[11:08.000 --> 11:11.000]  No, I'm just kidding.
[11:11.000 --> 11:25.000]  Yeah, of course, the CTO stuff on the one hand, meaning investigating the relevant technologies, we have to build our systems on
[11:25.000 --> 11:26.000]  the one hand.
[11:26.000 --> 11:33.000]  But also, we are currently in the state where we look for funding from external capital.
[11:33.000 --> 11:42.000]  So also doing a lot of presentations at the moment of our platform capabilities, something to arrange a capitalist, et cetera.
[11:42.000 --> 11:50.000]  So maybe this is just you do the current situation after property.
[11:51.000 --> 12:04.000]  What I also do is, let's say in terms of the approach, more project specific stuff, I also have to roll as the lead architect.
[12:04.000 --> 12:11.000]  So say off the top of the community for several systems, like this, because it's a small company.
[12:12.000 --> 12:17.000]  This also answers the fifth questions, less than 50 people.
[12:17.000 --> 12:23.000]  Therefore you will accumulate several roles in one person.
[12:23.000 --> 12:24.000]  Okay.
[12:24.000 --> 12:25.000]  Yeah.
[12:25.000 --> 12:26.000]  Okay.
[12:26.000 --> 12:40.000]  So now question three, this question is about estimating if you are capable to understand architectures that are described using some
[12:40.000 --> 12:41.000]  IAC technology.
[12:41.000 --> 12:42.000]  Yeah.
[12:42.000 --> 12:49.000]  So if you have enough time, can you using some IAC script, can you understand the architectures?
[12:49.000 --> 12:50.000]  Yes.
[12:50.000 --> 12:51.000]  Okay.
[12:51.000 --> 12:59.000]  So for how many years have you worked on tasks associated with IAC tools in general, and TOSCA is one of them?
[12:59.000 --> 13:07.000]  If TOSCA is one of them, then 10 years.
[13:07.000 --> 13:08.000]  Okay.
[13:08.000 --> 13:09.000]  Perfect.
[13:10.000 --> 13:11.000]  Okay.
[13:11.000 --> 13:17.000]  And now for the real questions.
[13:17.000 --> 13:28.000]  So for any of these questions, feel free to clarify and also deviate in your answer from the text of the question.
[13:28.000 --> 13:43.000]  So how do you check the compliance of the software applications in your company?
[13:43.000 --> 13:53.000]  So compliance means both externally imposed regulations and internally imposed regulations or policies you can call them.
[13:53.000 --> 13:54.000]  Yeah.
[13:54.000 --> 13:55.000]  Indeed.
[13:55.000 --> 14:04.000]  And let me sort my thoughts for a second.
[14:04.000 --> 14:05.000]  Yeah.
[14:05.000 --> 14:13.000]  Take your time.
[14:13.000 --> 14:14.000]  Okay.
[14:14.000 --> 14:28.000]  Because just what came immediately to my mind is the situation between or the difference between external influences, but also, of course, I also have to deal with different aspects of an application.
[14:28.000 --> 14:33.000]  One thing, of course, architecture of the application and its core itself and what it does.
[14:34.000 --> 14:37.000]  On the other hand, also the operation of the applications.
[14:37.000 --> 14:43.000]  I would also somehow speak these two kinds of things.
[14:43.000 --> 14:46.000]  So first of all, operations.
[14:46.000 --> 14:47.000]  Yeah.
[14:47.000 --> 14:49.000]  Of course, we do it manually.
[14:49.000 --> 15:02.000]  And if we have a look at operations, then what we do, we have a look at the August 20 or 20 or they call the rules issues, whatever they call.
[15:02.000 --> 15:14.000]  And we do regular reviews of our deployments and say, configuration and deployment as code.
[15:14.000 --> 15:24.000]  Because we have a GitOps repository where we reflect the whole configuration, the entire configuration of the system.
[15:25.000 --> 15:33.000]  So we base on a given framework, so to say.
[15:33.000 --> 15:37.000]  And then, of course, we do with this kind of manual reviews.
[15:37.000 --> 15:54.000]  So, and the, let's say, regarding the more or less the architecture style, architecture stuff, etc.
[15:54.000 --> 15:59.000]  So what we follow is a continuous delivery approach.
[15:59.000 --> 16:14.000]  So our development process is really fluent, which means we don't have, we even do not plan sprints also.
[16:14.000 --> 16:20.000]  We plan features and then they are more or less in a compound style.
[16:20.000 --> 16:24.000]  It's a continuous development process.
[16:25.000 --> 16:35.000]  This means we don't have this kind of typical checkpoints where new features are designed up front and the architecture.
[16:35.000 --> 16:40.000]  This typically you created another PowerPoint slide with, etc.
[16:40.000 --> 16:42.000]  We don't have these things.
[16:42.000 --> 16:51.000]  So when new feature requests come up, then this is also part of the, let's say, really, the development process itself.
[16:51.000 --> 17:00.000]  What we do then to match the new features on new stuff to be implemented with also our guidelines.
[17:00.000 --> 17:02.000]  First of all, yes, we have guidelines.
[17:02.000 --> 17:04.000]  We have guidelines for code.
[17:04.000 --> 17:11.000]  And of course, we also have a set of guidelines which we want to follow with our architecture stuff.
[17:12.000 --> 17:24.000]  And then in this, let's say, a few process, then we have, let's say, refinements of these features and within them,
[17:24.000 --> 17:35.000]  and not only the refinements, but also in then I take a thin face or say, well, we already do this kind of design of the newer things.
[17:36.000 --> 17:40.000]  We actually, we discuss it also, let's say, manually.
[17:40.000 --> 17:41.000]  It's a manual abroad.
[17:41.000 --> 17:42.000]  It's nothing automated.
[17:42.000 --> 17:46.000]  It's just we discuss and then we have this.
[17:46.000 --> 17:50.000]  So we don't have isolated developers.
[17:50.000 --> 17:57.000]  We follow more or less what extreme programming or pair and more programming style,
[17:57.000 --> 18:01.000]  where we also try to pair seniors with union.
[18:01.000 --> 18:06.000]  So that then, of course, the seniors are most like most of the time.
[18:06.000 --> 18:16.000]  They also the role to, to ensure that the design, et cetera, our architecture center follows our guidelines.
[18:16.000 --> 18:24.000]  Although there's not a really regal process where you have a checklist and then you check, well, did I follow this?
[18:24.000 --> 18:26.000]  And then we just don't have this.
[18:27.000 --> 18:30.000]  But you have this for the operational side, right?
[18:30.000 --> 18:32.000]  With this list you mentioned.
[18:32.000 --> 18:34.000]  You always spent 20.
[18:34.000 --> 18:41.000]  This is, I don't know how, I always forget for what this acronym stands for.
[18:41.000 --> 18:43.000]  So there will follow the list.
[18:43.000 --> 18:55.000]  And we also track, of course, and we have the list and we have like a cross table where we also track issues and also track actions to be conducted.
[18:55.000 --> 19:01.000]  To all come even issues that might have occurred or might be there.
[19:01.000 --> 19:17.000]  So this is, I think, qualifies as an answer to, as an answer to question seven, which asks about the, which format do you have for defining compliance rules.
[19:17.000 --> 19:25.000]  So, so for, for what you called operational compliance rules, you have this list, right?
[19:25.000 --> 19:33.000]  And it shows you the rules plus, in addition, the status of the system in relation to these rules.
[19:33.000 --> 19:35.000]  Yes, yes.
[19:36.000 --> 19:49.000]  So, of course, on a more extract layer than, or level, then if you would consider, or if you would investigate an actual instance model of course, yeah.
[19:49.000 --> 20:01.000]  But the summary of such an investigation is, of course, captured in this review, you could say review of the system.
[20:01.000 --> 20:04.000]  Okay.
[20:04.000 --> 20:12.000]  Okay. So in the following, when I say complexity, what I mean is the need for an expert to do some task.
[20:12.000 --> 20:22.000]  And when I say effort, what I mean is, given someone with enough expertise, something takes time or doesn't take time.
[20:22.000 --> 20:25.000]  That's, that's what I mean with effort.
[20:25.000 --> 20:36.000]  Okay. So, do you think having, having a well-defined and machine-readable format for compliance rules reduces the complexity associated with checking them?
[20:37.000 --> 20:54.000]  So, with the whole process of course, of course, you would be, at least there would be a huge potential that it reduces compliance reduces.
[20:55.000 --> 20:59.000]  Complexity means effort.
[20:59.000 --> 21:10.000]  No, complexity means that you need an expert to do the task. If it reduces complexity, then the person doesn't need to be very, very much an expert.
[21:11.000 --> 21:18.000]  So, kind of the expertise is embedded within the rule or not.
[21:18.000 --> 21:24.000]  Let me read the question again. Maybe I have had so many meetings to say.
[21:24.000 --> 21:27.000]  Yeah, it's quite late.
[21:27.000 --> 21:33.000]  You don't think having a well-defined with checking them?
[21:38.000 --> 21:39.000]  Yes.
[21:40.000 --> 21:43.000]  Yeah, okay.
[21:43.000 --> 21:53.000]  So, the next question, do you think having such well-defined rules reduces the uncertainty associated with interpreting them?
[21:53.000 --> 21:56.000]  Reduces, yes.
[21:56.000 --> 21:57.000]  Okay.
[21:57.000 --> 22:02.000]  So, how often do you deal with new compliance rules?
[22:03.000 --> 22:08.000]  If you do deal with new compliance rules.
[22:08.000 --> 22:17.000]  So, let's focus on the use case you have. So, this list that you follow, and does it get updated at all?
[22:17.000 --> 22:25.000]  Yeah, of course, don't ask me how often, but not that often, because these are the typical top 20 issues.
[22:26.000 --> 22:33.000]  Check if you have like a SQL injection problem, like these things.
[22:33.000 --> 22:37.000]  These are the top 20. Why? Because these are the top 20.
[22:37.000 --> 22:38.000]  Yes.
[22:38.000 --> 22:40.000]  It doesn't change that often.
[22:40.000 --> 22:41.000]  Okay.
[22:41.000 --> 22:47.000]  All the time, this changes, but not monthly or yearly.
[22:47.000 --> 22:55.000]  Maybe yearly, yes, but then one flips out and another points steps in also.
[22:55.000 --> 23:00.000]  Yeah, [redacted] had the similar estimation.
[23:00.000 --> 23:04.000]  Okay. So, the next questions are similar to the ones before.
[23:04.000 --> 23:09.000]  We now just try to get some numerical estimation.
[23:09.000 --> 23:16.000]  So, how much do you agree with the following statement using IACMF, which is the name of the framework,
[23:16.000 --> 23:23.000]  which uses the effort associated with defining and checking compliance rules?
[23:23.000 --> 23:26.000]  Yeah, totally agree.
[23:26.000 --> 23:33.000]  Okay. So, now the next statement is using the framework.
[23:33.000 --> 23:37.000]  It always depends on the size of course of the system.
[23:37.000 --> 23:41.000]  If I have a world application, it wouldn't.
[23:41.000 --> 23:53.000]  Of course, it wouldn't reduce the effort, because, well, I've seen one glimpse of what's going on there.
[23:53.000 --> 24:02.000]  If I have a huge system consisting of multiple components, of course, this would be...
[24:02.000 --> 24:08.000]  Okay, yeah, that makes sense.
[24:08.000 --> 24:20.000]  So, the next statement, using the framework, reduces the complexity associated with defining and checking compliance rules.
[24:20.000 --> 24:28.000]  Now, it's not only about the checking process, but also defining the compliance rules.
[24:28.000 --> 24:35.000]  So, do you think you need an expert for checking and for defining?
[24:35.000 --> 24:38.000]  So, you can answer these separately.
[24:38.000 --> 24:43.000]  The thing is the formula. I think this is very closely related to the next question,
[24:43.000 --> 24:50.000]  because I think it takes lots of efforts to create uncertainty.
[24:50.000 --> 24:53.000]  What means uncertainty?
[24:53.000 --> 24:56.000]  That you are not sure about the interpretation?
[24:56.000 --> 25:00.000]  The opposite is then such here.
[25:00.000 --> 25:06.000]  Of course, you strive for certainty in your rule.
[25:06.000 --> 25:13.000]  So, when you express them, if you have an excellent list, or if you have a word document, whatever.
[25:13.000 --> 25:18.000]  This is the thing.
[25:18.000 --> 25:25.000]  You have to put a lot of effort into defining good complexity.
[25:25.000 --> 25:28.000]  Do you think you need an expert to do that?
[25:28.000 --> 25:29.000]  Yes.
[25:29.000 --> 25:31.000]  Definitely expert.
[25:31.000 --> 25:36.000]  So, of course, this doesn't reduce the complexity of defining.
[25:36.000 --> 25:37.000]  Exactly.
[25:37.000 --> 25:39.000]  What about checking the rule?
[25:39.000 --> 25:46.000]  Of course, if you have them, then, of course, you can automate everything.
[25:46.000 --> 25:48.000]  Then, they use huge benefit.
[25:48.000 --> 25:51.000]  Again, if you have huge systems, this is absolutely beneficial.
[25:51.000 --> 25:57.000]  If you have small systems, if you have many small systems, you have also...
[25:57.000 --> 25:59.000]  You also benefit from them.
[25:59.000 --> 26:02.000]  But if you have just one small system, I think...
[26:02.000 --> 26:04.000]  Yeah.
[26:04.000 --> 26:06.000]  And it's more than that.
[26:06.000 --> 26:08.000]  It doesn't matter.
[26:08.000 --> 26:10.000]  It's always the same.
[26:10.000 --> 26:15.000]  Automation helps you if you have to do the same thing quite often.
[26:15.000 --> 26:18.000]  You have to do it once.
[26:18.000 --> 26:19.000]  Yeah.
[26:19.000 --> 26:21.000]  Makes sense.
[26:21.000 --> 26:27.000]  So, as an numerical estimation, how much do you agree with the following statement?
[26:27.000 --> 26:36.000]  Using well-defined models for compliance rules reduces the uncertainty associated with interpreting them.
[26:36.000 --> 26:38.000]  So, now we assume you already have it.
[26:38.000 --> 26:39.000]  Yeah.
[26:39.000 --> 26:42.000]  I totally agree.
[26:43.000 --> 26:46.000]  Maybe...
[26:46.000 --> 26:50.000]  There's maybe one thing which we pops up at the moment.
[26:50.000 --> 26:59.000]  The cool thing, if you have this more or less formal representation of something, and you can automate it.
[26:59.000 --> 27:04.000]  Then, of course, you have also...
[27:04.000 --> 27:10.000]  It opens the gate for this kind of doing something test-driven.
[27:10.000 --> 27:11.000]  Yeah.
[27:11.000 --> 27:20.000]  Not just I do something and I'm faster in it, but it really enables something completely new.
[27:20.000 --> 27:23.000]  And I think it's not representative.
[27:23.000 --> 27:29.000]  I just want to mention it because I didn't see it represented in these questions until now.
[27:29.000 --> 27:38.000]  So, this is, I think, also a huge opener for new kind of opportunities to develop systems.
[27:39.000 --> 27:40.000]  Yeah.
[27:40.000 --> 27:44.000]  I mean, one of the goals of these interviews is having new ideas.
[27:44.000 --> 27:45.000]  Yeah.
[27:45.000 --> 27:46.000]  Thanks.
[27:46.000 --> 27:51.000]  So, now it's about the architecture of reconstruction.
[27:51.000 --> 27:59.000]  So, and we focus now on the architecture of reconstruction of running systems.
[27:59.000 --> 28:09.000]  So, meaning, yeah, how do you get an understanding of the architecture of an existing system that is already running?
[28:09.000 --> 28:10.000]  Yeah.
[28:10.000 --> 28:14.000]  So, how do you do this?
[28:14.000 --> 28:15.000]  Yeah.
[28:15.000 --> 28:16.000]  How do you do this?
[28:16.000 --> 28:20.000]  If you face such a task, that's hypothetical.
[28:20.000 --> 28:21.000]  Yeah.
[28:21.000 --> 28:23.000]  How would you do that?
[28:24.000 --> 28:33.000]  First of all, I would, I would search for a kind of a deployment model to understand, well, which components aren't deployed.
[28:33.000 --> 28:42.000]  Where and how and how do they communicate, how are they configured, ideally, because also deployment to be also contained.
[28:42.000 --> 28:44.000]  Configuration stuff, of course.
[28:44.000 --> 28:50.000]  And then, of course, also, I would also have a look at a resource code level.
[28:50.000 --> 29:04.000]  Depending on how the system is built, because what might be, you could have kind of a monolith, which might be deployed in several instances.
[29:04.000 --> 29:18.000]  And maybe then you would have a kind of a, say, gateway in front of them as a facade and different instances deal with different capabilities of the whole thing.
[29:18.000 --> 29:19.000]  Things like that.
[29:19.000 --> 29:33.000]  I would also have a look at the source code to investigate how things are implemented, how things are separated to then, of course, reconstruct the overall architecture.
[29:33.000 --> 29:41.000]  But also, if you had a monolith, not every monolith is necessarily a big ball of mud.
[29:41.000 --> 29:53.000]  You could also have a monolith, which is internally well-structured with different capabilities are interfaced quite well.
[29:53.000 --> 30:00.000]  But this is what I think all these days, these kind of majestic monolith approach.
[30:00.000 --> 30:15.000]  So start with the monolith and try to encapsulate or interface all the stuff and assure that things in your monolith only talk to each other while this interface is.
[30:15.000 --> 30:20.000]  So that you already prepare for separation.
[30:21.000 --> 30:22.000]  Yeah.
[30:22.000 --> 30:23.000]  Okay.
[30:23.000 --> 30:33.000]  So if you want to actually do this task, would you use, or do you know, of semi or automated tools for doing it?
[30:33.000 --> 30:43.000]  So you said you would check the deployment model and get an understanding of the architecture using it.
[30:43.000 --> 30:50.000]  Are there tools that help you in doing that, or will you just read the texts of the deployment model?
[30:50.000 --> 30:57.000]  Currently, I'm a bit poisoned with, because we built everything in Kubernetes.
[30:57.000 --> 31:06.000]  At the moment, we use Helm for doing things.
[31:07.000 --> 31:15.000]  There's some kind of, I would look at least, I would search for, we saw the shape, we saw the section tool.
[31:15.000 --> 31:31.000]  On the other hand, I would also look at something like a deployment automation tool, which of course would reflect the instance model, at least in terms of,
[31:31.000 --> 31:35.000]  for instance, we use ArgoCD.
[31:35.000 --> 31:42.000]  And there you have a view, which shows you at least different parts.
[31:42.000 --> 31:51.000]  And you can also click them, have a look at logs, and I can also have also a look at environment variables, which of course, and
[31:51.000 --> 31:58.000]  more or less good design should of course reflect also the configuration parameters.
[31:58.000 --> 32:01.000]  So this tool works only for Kubernetes.
[32:01.000 --> 32:16.000]  Yeah, I think so, yes, this translates or this applies actually, Kubernetes manifests or renders help charts in the Kubernetes manifests and applies them on the cluster.
[32:16.000 --> 32:18.000]  I see, yeah, okay.
[32:18.000 --> 32:26.000]  And it also tells you, for instance, if you do manual configurations, bypassing,
[32:26.000 --> 32:39.000]  so to say that you are GitOps flow, it also tells you, well, you are out of sync with your defined configuration.
[32:39.000 --> 32:50.000]  Then you can of course also click on it and say, well, then of course, sync again and assure that the system runs in the configuration, which is fine.
[32:51.000 --> 32:57.000]  Yeah, this is probably relevant for the next set of questions, which is about fixing violations.
[32:57.000 --> 32:58.000]  Ah, okay, I see.
[32:58.000 --> 33:10.000]  But this also, it also shows you the current state, just if we have a look at it, it shows you if something is out of sync and of course it gives you also a high level overview.
[33:10.000 --> 33:12.000]  That's deployed.
[33:12.000 --> 33:13.000]  Okay.
[33:13.000 --> 33:15.000]  Yeah, interesting.
[33:16.000 --> 33:24.000]  So the framework applies this process of architecture reconstruction I told you about.
[33:24.000 --> 33:30.000]  So an initial instance model and then refinement steps that can be configured.
[33:30.000 --> 33:32.000]  I don't know.
[33:32.000 --> 33:44.000]  So if you didn't watch the second part of the video, it shows that when you execute a compliance job, you can also visualize the reconstructed architecture.
[33:44.000 --> 33:52.000]  So the architecture after applying all refinement steps, you can also visualize that using winery.
[33:52.000 --> 33:59.000]  So only focusing on the task of architectural reconstruction, so understanding the architecture.
[33:59.000 --> 34:04.000]  Do you think that using the framework reduces the effort associated with this task?
[34:04.000 --> 34:12.000]  The question for me here is if you say that the tooling like winery is part of the framework, I say, yes.
[34:13.000 --> 34:20.000]  Because all the frameworks are extremely powerful if you have the right tooling in place.
[34:20.000 --> 34:30.000]  For instance, why Kubernetes is such a success, so to say, in the industry, although it lacks many things which you could achieve with something like Tosca.
[34:30.000 --> 34:36.000]  But unless you have good support with tooling for Tosca, it's dead.
[34:36.000 --> 34:37.000]  Okay.
[34:37.000 --> 34:51.000]  So we kind of changed, not changed, but upgraded winery to accept EDMM models, which are the result of the reconstruction.
[34:51.000 --> 34:54.000]  So the integration.
[34:54.000 --> 34:55.000]  Yeah.
[34:55.000 --> 34:56.000]  Go ahead.
[34:56.000 --> 34:57.000]  Okay.
[34:57.000 --> 34:58.000]  Sorry.
[34:58.000 --> 34:59.000]  Sorry.
[34:59.000 --> 35:00.000]  Go ahead.
[35:00.000 --> 35:01.000]  No problem.
[35:01.000 --> 35:25.000]  So basically we kind of have a Docker compose.
[35:26.000 --> 35:31.000]  That runs the framework and then instance of winery.
[35:31.000 --> 35:37.000]  And from the UI of the framework, you just click a link and then everything is visualized.
[35:37.000 --> 35:41.000]  You don't need to interact with winery for this purpose.
[35:41.000 --> 35:42.000]  Yeah.
[35:42.000 --> 35:43.000]  And this would be great.
[35:43.000 --> 35:44.000]  Absolutely.
[35:44.000 --> 35:52.000]  This would be, then in this case, it would reduce the effort dramatically, of course.
[35:52.000 --> 35:54.000]  Okay.
[35:54.000 --> 35:57.000]  So we are about to be done.
[35:57.000 --> 35:59.000]  No worries.
[35:59.000 --> 36:06.000]  So now we're talking about fixing violations in case you do detect that some compliance will be violated.
[36:06.000 --> 36:11.000]  So what do you do if you find such a violation?
[36:11.000 --> 36:19.000]  And now, yeah, let's assume that the system that has this violation is a running system.
[36:20.000 --> 36:23.000]  It's not a violation that you detect during design time.
[36:23.000 --> 36:25.000]  It's a runtime violation.
[36:25.000 --> 36:26.000]  Yeah.
[36:26.000 --> 36:27.000]  Yeah.
[36:27.000 --> 36:39.000]  Then you have to distinguish between, let's say, architectural stuff because then you, of course, you had to refactor somehow your application, followed in your guidelines.
[36:39.000 --> 36:46.000]  And then, of course, this would be development, the design and development and new releases, et cetera.
[36:47.000 --> 36:52.000]  And if you could, of course, fix it while adapting the configuration.
[36:52.000 --> 36:59.000]  This is, yeah, then I did all depending on the automation of everything.
[36:59.000 --> 37:00.000]  Yeah.
[37:00.000 --> 37:06.000]  You would have to run some best trip from admin from hell or so, like this.
[37:06.000 --> 37:15.000]  Or, of course, you feel more sophisticated than this, but you would have to, of course, the thing is you would have to translate how to fix this.
[37:15.000 --> 37:25.000]  Or to fix this compliance issue into steps to be taken in the configuration and at the technical version.
[37:25.000 --> 37:38.000]  This is, I think, this is actually an interesting part of how you can translate this higher level concepts like a compliance violation into adapting a system regarding configuration.
[37:38.000 --> 37:39.000]  Yeah.
[37:39.000 --> 37:40.000]  Okay.
[37:40.000 --> 37:47.000]  So, um, do you currently use automated tools for this?
[37:47.000 --> 37:54.000]  So this ARGO CD, can you consider it as an automated tool for fixing violation?
[37:54.000 --> 38:09.000]  Not for, not for, it is the tool that doesn't know something about, um, well, if you, if you were considered this one compliance,
[38:09.000 --> 38:20.000]  the thing that you have compliance in the sense, you have, in, in, in terms of a Git ops repository, you, you have infrastructure as code.
[38:20.000 --> 38:25.000]  And then you're actually running system deviates from it.
[38:25.000 --> 38:27.000]  This, yes.
[38:27.000 --> 38:38.000]  But beyond this kind of compliance violation, you can't, this doesn't know something about all compliance
[38:38.000 --> 38:43.000]  means you don't have, you are not allowed to deploy something on a US server also.
[38:43.000 --> 38:53.000]  And so this tool allows you to synchronize configuration with the running system, but not beyond that.
[38:53.000 --> 38:55.000]  So it helps in fixing violations.
[38:55.000 --> 39:01.000]  If these violations deal with the configurations that are part of the script, right?
[39:01.000 --> 39:03.000]  It's part of the IAC script itself.
[39:03.000 --> 39:10.000]  But if the, the rule is not described within the script, this tool doesn't help.
[39:10.000 --> 39:27.000]  And my gut feeling is that the compliance rule are in most cases more than just, I have to switch the number of instances from one to two or so.
[39:28.000 --> 39:36.000]  Still this, if you, if you think of a compliance, let's say you have to run a system in a high availability mode.
[39:36.000 --> 39:40.000]  You have to have at least two instances running or so.
[39:40.000 --> 39:50.000]  Well, this could be a rule, but the configuration of the continuous delivery system, obviously, that doesn't have this abstraction.
[39:50.000 --> 39:59.000]  It just says you, well, you have to find one, one instance in, in a configuration and run, you run one instance.
[39:59.000 --> 40:00.000]  Everything is clean.
[40:00.000 --> 40:06.000]  If you have to find two instances, but one is only running, then it says, well, this is not in sync.
[40:06.000 --> 40:14.000]  You see, there is not this, this coupling with this higher level concepts, which are typically, I think, reflected with compliance rules.
[40:15.000 --> 40:16.000]  Okay.
[40:19.000 --> 40:28.000]  So, so you saw that the framework using plugins can actually fix compliance violations.
[40:28.000 --> 40:41.000]  Some plugins are like kind of general purpose, like the first use case that you saw, you can configure a bash script that actually goes to a VM
[40:41.000 --> 40:44.000]  and fixes security violation there.
[40:44.000 --> 40:49.000]  But there are also plugins that are a bit use case specific.
[40:49.000 --> 41:07.000]  So if you consider this plugin that says, okay, only specific users are allowed on a specific database, then we have a plugin that ensures one, one specific user or a list of specific users are there
[41:07.000 --> 41:10.000]  and just deletes the other users.
[41:10.000 --> 41:13.000]  So it's a very specific plugin.
[41:13.000 --> 41:21.000]  So it would be cool to have those plugins be configurable, like you can also feed in some, like, input.
[41:21.000 --> 41:36.000]  You have this plugin which checks, which use are available, but you don't have to define within the plugin, which uses, but you can define, well, use this, whatever, input parameters to get to.
[41:36.000 --> 41:38.000]  Yeah, we do actually.
[41:38.000 --> 41:45.000]  So the checking step produces what we call an issue.
[41:45.000 --> 41:53.000]  And an issue is a data structure and it points to, like, the nodes which are causing the issue plus some details.
[41:53.000 --> 41:58.000]  And the fixing plugin is expecting these details and based on them acts.
[41:58.000 --> 42:03.000]  So it has inputs, but not from the user, from the previous step in the process.
[42:03.000 --> 42:05.000]  Some plugins also require use.
[42:05.000 --> 42:07.000]  Also the detect.
[42:07.000 --> 42:17.000]  So I gathered us that the fixing step allows us, but that's also the, because you also need this kind of plugin to identify the desor violation.
[42:17.000 --> 42:32.000]  But you don't want to define a plugin which checks exactly for [redacted] and [redacted], you would more or less want to write a plugin with detects for all Postgres databases.
[42:32.000 --> 42:36.000]  If a given set of users is trusty or something.
[42:36.000 --> 42:42.000]  Yeah, you can do that with the proper design of a compliance rule.
[42:42.000 --> 42:47.000]  You don't need a special plugin for this, but the compliance rules allow this.
[42:47.000 --> 42:48.000]  Perfect.
[42:48.000 --> 42:55.000]  So, yeah, using, do you agree with the following statement or how much do you agree?
[42:55.000 --> 43:01.000]  Using the framework reduces the effort associated with fixing compliance violations.
[43:01.000 --> 43:12.000]  Maybe you would consider two situations like, do you have the plugins or you don't have the plugins and you need someone to implement it?
[43:12.000 --> 43:16.000]  You have had the same thing in mind.
[43:17.000 --> 43:22.000]  My whole dissertation is around this question.
[43:22.000 --> 43:31.000]  At three points, does it, is it affordable to create such kind of a structure who allows you to automate?
[43:31.000 --> 43:34.000]  And this is, I think, always the holy grail.
[43:34.000 --> 43:36.000]  Or is it the question?
[43:36.000 --> 43:43.000]  Well, again, if you have dozens of systems, yes, it reduces effort immensely.
[43:43.000 --> 43:54.000]  If you have just one little system, if you have to put in more effort into defining this compliance rules, then develop a system you want.
[43:54.000 --> 43:56.000]  That's the point.
[43:56.000 --> 44:04.000]  So, in general, if you consider medium and to large systems, totally agree.
[44:04.000 --> 44:06.000]  Okay.
[44:06.000 --> 44:22.000]  And also, like an numerical estimation for your agreement of the following statement, how having well-defined models for compliance jobs reduces the uncertainty associated with handling the detected violations.
[44:22.000 --> 44:35.000]  So, a compliance job is not only the rule, so it says, okay, for this set of rules, if you check, if you find violations, fix them using these.
[44:35.000 --> 44:43.000]  Yeah, so this is, like, it says what to do when you do find a violation.
[44:43.000 --> 44:52.000]  Do you think having such models reduce the uncertainty of what to do when you find a violation?
[44:52.000 --> 45:00.000]  I think, yes, in the long term, this is somewhat similar to test room development.
[45:00.000 --> 45:08.000]  Sometimes you feel very, very safe if you conduct a test room development.
[45:08.000 --> 45:16.000]  But if you oversee that you have extremely poor tests, I don't mean test coverage.
[45:16.000 --> 45:21.000]  You could have 100% test coverage, but you test the wrong things.
[45:21.000 --> 45:22.000]  Then what's the point?
[45:22.000 --> 45:30.000]  And it feels very safe, but it isn't, because you missed out many, many edge cases.
[45:30.000 --> 45:36.000]  So, and this is kind of similar here.
[45:36.000 --> 45:43.000]  I think in the long run, you will establish definitely certainty.
[45:44.000 --> 45:48.000]  So, you compare a compliance job with one of these tests.
[45:48.000 --> 46:00.000]  And you say if you do have good compliance jobs that cover the space, the problem space that you have, then, yeah, this reduces uncertainty.
[46:00.000 --> 46:04.000]  But if you, yeah, I get it.
[46:04.000 --> 46:07.000]  Okay, yeah, this makes sense.
[46:07.000 --> 46:11.000]  And now the last set of questions, and these are general questions.
[46:11.000 --> 46:16.000]  And so, and they try to answer them according to your knowledge.
[46:16.000 --> 46:20.000]  You don't necessarily have answers for all of these questions.
[46:20.000 --> 46:26.000]  So, how do you evaluate the novelty of the framework?
[46:26.000 --> 46:36.000]  For me, it's new because I didn't have a dignity to this kind of compliance check.
[46:36.000 --> 46:40.000]  So, how do you evaluate the extensibility of the framework?
[46:40.000 --> 46:46.000]  Is it extensible, plus is extensibility a good thing or not?
[46:46.000 --> 46:50.000]  It is an absolute requirement.
[46:50.000 --> 47:04.000]  As mentioned, although, if I want to start with something, and of course, first of all, I have to reflect the old Wasp 20, top 20 in the first place.
[47:04.000 --> 47:08.000]  And next year, there's another issue added to the list.
[47:08.000 --> 47:11.000]  Then they extend it to the old Wasp, top 30 or so.
[47:11.000 --> 47:13.000]  It's essential.
[47:13.000 --> 47:14.000]  It's absolutely essential.
[47:14.000 --> 47:21.000]  Or if there's not these things, but if you switch to the BSI, whatever, I don't know how they are called.
[47:21.000 --> 47:27.000]  There's also a list provided by the BSI, which you could follow.
[47:28.000 --> 47:35.000]  Yeah, just a hint, because I looked at this a bit in detail.
[47:35.000 --> 47:44.000]  Yeah, there is these sticks, which are published by the Department of Defense, and they are kind of interesting.
[47:44.000 --> 47:56.000]  They are not only for operating systems, but for even more complicated systems, like for cloud applications and for cloud applications on specific platforms and so on.
[47:56.000 --> 48:01.000]  So it's interesting to take a look at them.
[48:01.000 --> 48:06.000]  So would you use this framework in your work, hypothetically?
[48:06.000 --> 48:18.000]  And if so, in which areas, maybe you don't employ it entirely, but for certain tasks?
[48:19.000 --> 48:22.000]  I mean, why not?
[48:22.000 --> 48:26.000]  Again, this is the same what I mentioned before.
[48:26.000 --> 48:30.000]  The tooling is good and mature enough, yes.
[48:30.000 --> 48:35.000]  If the framework is a good idea, but you have really poor tooling, no.
[48:35.000 --> 48:47.000]  This really depends on what I learned is if you have a weaker framework or solution with good tooling,
[48:47.000 --> 49:00.000]  it's much better developer experience than having the general solution you could achieve everything with,
[49:00.000 --> 49:07.000]  but you have to open your notepad and start writing XML also.
[49:08.000 --> 49:23.000]  This is really this, if in practice, if somebody would use something that's extremely depend on the usability and tooling.
[49:23.000 --> 49:26.000]  Yeah, totally makes sense.
[49:26.000 --> 49:29.000]  So what's your general impression?
[49:29.000 --> 49:33.000]  I like it. I like the idea in general.
[49:33.000 --> 49:45.000]  And really, I think if you have to maintain huge systems or also huge fleets of systems, I think this is essential.
[49:45.000 --> 49:51.000]  So I guess for huge companies, this is essential.
[49:52.000 --> 49:58.000]  Yeah, it goes in line with the opinion of all others who interviewed.
[49:58.000 --> 50:05.000]  So for small companies, people say most likely the effort is a bit too much to employ such a tool.
[50:05.000 --> 50:12.000]  For large companies, they are quite impressed with the potential, but also...
[50:12.000 --> 50:15.000]  Just because of the manpower available.
[50:15.000 --> 50:23.000]  I think if you have time left, for instance, if you have to maintain a landscape of more than 5,000 applications,
[50:23.000 --> 50:27.000]  this is a management problem.
[50:27.000 --> 50:30.000]  You need this kind of automation.
[50:30.000 --> 50:38.000]  Otherwise, you would have to have whole departments just dealing with this stuff.
[50:38.000 --> 50:51.000]  And if you're a small company, let's say if we're 30 people maintaining many applications of others, like hundreds,
[50:51.000 --> 50:58.000]  I would say, I would opt in and say, well, then this would be an essential part of the tool chain.
[50:59.000 --> 51:10.000]  If you just maintain one system, which is your product, then of course, you would want to spend your efforts on this.
[51:10.000 --> 51:17.000]  So you say it's mostly about the number of systems and the size of the systems, not the company size per se.
[51:17.000 --> 51:28.000]  Indeed, it depends on the economy. Let's say the economy of scale, if you put in your efforts in this kind of plug-ins and rules.
[51:28.000 --> 51:36.000]  Because you have to run it once a day for 1,000 systems, do it.
[51:36.000 --> 51:41.000]  If you have to run it once per year for one system, why should you do it?
[51:41.000 --> 51:45.000]  Yeah, totally makes sense.
[51:45.000 --> 51:52.000]  Therefore, it goes hand-in-hand. Typically, huge companies with many people have many systems.
[51:52.000 --> 51:59.000]  So it's more likely that they are faced with these problems than smaller companies.
[51:59.000 --> 52:07.000]  But this is just a correlation of the cost, the economy of scale aspect of this automation stuff.
[52:07.000 --> 52:09.000]  Yeah, I agree with you.
[52:09.000 --> 52:12.000]  Okay, I'll stop the recording now.