[02:17.540 --> 02:21.980]  First I want to thank you that you spend a lot of time watching the video
[02:21.980 --> 02:27.600]  I'm preparing and dedicating time for the interview itself. Yeah, thanks a lot
[02:31.040 --> 02:38.040]  Okay, so yeah, I prepared I mean the questions are also written down
[02:38.040 --> 02:42.880]  So you can look at them while I'm speaking so you don't have to like remember every word I say
[02:44.440 --> 02:46.440]  So I'll share the screen
[02:51.980 --> 02:53.980]  Yeah
[03:07.180 --> 03:09.180]  Yeah, do you see it?
[03:09.700 --> 03:11.700]  Not yet. I
[03:12.740 --> 03:18.540]  See I see already a white box saying that you start to do something. Oh, no, it's there. Okay
[03:19.540 --> 03:21.540]  Okay, so
[03:22.220 --> 03:28.900]  First, yeah, this is how we process the data. It's exactly how I told you so we will I
[03:29.900 --> 03:34.540]  Will record this audio and then transcribe it and then
[03:35.420 --> 03:37.740]  I don't analyze the answers. So
[03:38.420 --> 03:43.900]  Yeah, your name and the company name will not be in the stuff that we report
[03:43.900 --> 03:45.900]  And
[03:45.900 --> 03:49.420]  Then we will kind of summarize the answers from all participants
[03:50.780 --> 03:56.420]  And report that in the paper. So we plan to submit this to Koopas at the end of this month
[03:57.260 --> 04:01.300]  Yeah, and yeah, that's the only way we will use the answers
[04:02.060 --> 04:07.140]  Yeah, perfect. Okay. Yeah, because in any other case, it's a little bit
[04:08.260 --> 04:12.660]  Complicated. Yeah, I know whatever I'm doing. It's always
[04:14.500 --> 04:19.540]  On behalf of [redacted]. Mm-hmm. So that's why even just mentioning the company
[04:20.020 --> 04:26.980]  Without my name. I I need an official approval to do so. Yeah. Yeah. Yeah, no worries
[04:26.980 --> 04:33.140]  But so in the next slide the one after that you see all information like that are
[04:33.900 --> 04:35.260]  relevant for
[04:35.260 --> 04:41.420]  For the company like the size and so on and of course if something you see you feel okay
[04:41.420 --> 04:47.780]  This is not okay. Just tell me we will not include that part. Yeah, okay. Yeah, perfect. Even after the call
[04:47.780 --> 04:50.280]  Yeah, but not not after we submit
[04:55.300 --> 04:57.300]  Something like the
[04:57.500 --> 05:01.300]  Domain or something like that should be no problem
[05:02.460 --> 05:06.820]  Because I mean if it's just saying automotive industry or something like that
[05:07.540 --> 05:11.540]  Yeah, probably we will not report that even but I'm not sure yet, but
[05:12.100 --> 05:18.980]  So far it doesn't seem we will report the industry of the company itself, but we will report like your role and what you do there
[05:20.340 --> 05:22.340]  Okay, I think
[05:24.060 --> 05:29.980]  So did you manage to watch the tutorial? Mm-hmm. Do you have questions about it?
[05:30.820 --> 05:36.700]  Hmm not really okay. Yeah, during the interview if you remember something
[05:37.620 --> 05:43.420]  Just tell me I'll explain it. I have some backup slides as well. Okay. Yeah, okay
[05:45.020 --> 05:51.180]  Okay, so now with the some demographic questions, so what's your current role in the company?
[05:52.940 --> 05:54.940]  Yeah, that's good
[05:55.740 --> 05:57.740]  See the official role is
[05:58.540 --> 06:00.540]  Was it called
[06:01.980 --> 06:11.220]  So in German it's Entwicklungsingenieur. Okay, it sounds a little bit weird. So actually I'm I'm researching. So I'm doing research
[06:13.420 --> 06:21.100]  Yeah, I would call it like this because this development engineer. I mean, I'm not really developing products or something like that
[06:21.660 --> 06:26.060]  So that's why I'm yeah, it makes more sense to say yeah
[06:26.060 --> 06:29.420]  and the end of it's in research and development
[06:30.940 --> 06:32.940]  Department, I'm yeah
[06:33.340 --> 06:36.260]  Organized and I'm actually doing research
[06:37.660 --> 06:45.540]  Yeah, that's the kind of also the next question. So what what what do you do in your job? What kind of tasks do you usually do?
[06:46.980 --> 06:48.980]  Yeah, I mean to to really
[06:50.780 --> 06:53.460]  abstractly summarize it. It's kind of
[06:54.420 --> 06:56.420]  research in the sense of
[06:56.820 --> 07:04.220]  knowledge and and state-of-the-art transfer I would say from from the scientific field into the actual
[07:05.380 --> 07:10.100]  application in in the target domain because as as you know
[07:11.620 --> 07:14.260]  Sometimes the industry they are kind of way back
[07:15.940 --> 07:18.100]  Based on the state-of-the-art in research
[07:18.100 --> 07:24.060]  Yeah, and that's it. I mean also in the in the big
[07:26.260 --> 07:28.260]  Publicly funded project
[07:28.460 --> 07:30.460]  You're I mean the Institute is also
[07:31.660 --> 07:34.140]  Into in the SofDCar project. Maybe you heard of it
[07:34.940 --> 07:41.100]  It's kind of the same. So we have some topics and we try to figure out is there already something
[07:42.300 --> 07:46.380]  To to solve the issues we have I mean more this let's say
[07:47.220 --> 07:52.460]  Really application oriented issues. Yeah, not really the let's say
[07:54.660 --> 07:56.660]  Yeah
[07:57.180 --> 08:02.260]  Groundwork theoretical stuff. It's really there's an real-world problem
[08:03.140 --> 08:08.940]  With real-world numbers because often this is actually the problem. Yeah, but there's just a super complex
[08:10.820 --> 08:13.220]  Situation and you somehow have to deal with it
[08:13.740 --> 08:15.060]  and
[08:15.100 --> 08:22.660]  From a methodological point of view. It's quite clear how to solve it, but to really bring it in action is the actual problem
[08:23.220 --> 08:30.580]  Yeah, so you are kind of the bridge between yes between the research and and the application of the research
[08:30.980 --> 08:33.060]  In your company. Yeah, I kind of yeah
[08:34.180 --> 08:36.620]  Because this is also quite interesting
[08:37.260 --> 08:39.260]  and new to me
[08:39.500 --> 08:42.380]  Because just knowing how to do it is not
[08:42.540 --> 08:44.540]  not
[08:44.540 --> 08:46.540]  enough
[08:49.020 --> 08:51.020]  And that's sometimes really different
[08:51.500 --> 09:00.260]  I also didn't expect that just bring things which are kind of commonly known commonly agreed in the scientific community
[09:00.780 --> 09:05.340]  just bring them into real world into action and
[09:07.780 --> 09:09.940]  Kind of organizational things
[09:12.380 --> 09:17.300]  How things work currently is also a big thing because you can't say okay
[09:17.300 --> 09:22.460]  Just forget what you did the last 50 years just do it like that because everyone would say no
[09:24.140 --> 09:26.140]  Yeah, I can imagine that
[09:27.380 --> 09:29.380]  Yeah, so it's diplomacy as well
[09:30.260 --> 09:33.500]  Yeah, I would say especially for really
[09:34.460 --> 09:36.740]  more kind of groundbreaking stuff
[09:37.740 --> 09:43.780]  And for example bringing in kind of standardized approaches stuff like that because normally there
[09:44.780 --> 09:50.100]  The gap is way larger than if you just say switch from this tool to that tool
[09:50.580 --> 09:55.660]  There people might be okay. We have to do some courses and then the transition is done
[09:55.660 --> 09:59.020]  But if you really change the method
[10:00.260 --> 10:02.180]  The way to think
[10:02.180 --> 10:04.180]  how to solve a problem
[10:04.260 --> 10:06.020]  this I mean
[10:06.060 --> 10:10.300]  It's kind of way more complex and and often things are
[10:11.300 --> 10:13.660]  distributed among a lot of
[10:15.300 --> 10:18.020]  Yeah domains and departments and
[10:19.140 --> 10:25.580]  This I mean there as always as we learned during our studies there are a lot of silos a lot of
[10:26.220 --> 10:32.700]  Coupled things that come together at some point, but everyone is optimizing in his own
[10:33.740 --> 10:35.740]  local sphere
[10:36.020 --> 10:37.100]  And
[10:37.100 --> 10:42.540]  Yeah, bringing everything together is really really complex. Mm-hmm. Yeah, I can't imagine
[10:43.060 --> 10:46.020]  And you you are involved in in the middle
[10:46.700 --> 10:48.460]  Yeah
[10:48.460 --> 10:54.460]  Actually, it's also this kind of bringing in this big picture. Maybe that's also part of the job
[10:55.020 --> 10:58.060]  Because I always I mean I always at least try to
[10:59.060 --> 11:01.420]  Talk to everyone within the whole company
[11:02.420 --> 11:07.700]  Regarding one single problem and see how they their view point is
[11:08.380 --> 11:10.380]  To then really get why
[11:11.020 --> 11:19.260]  Everything is like it is. Mm-hmm. Yeah, because this is something that also turned out to be I mean the most important thing
[11:20.060 --> 11:22.900]  To know what you try to solve
[11:24.060 --> 11:30.660]  From from a really even from a global viewpoint because often there are not that many people
[11:30.660 --> 11:35.020]  Sometimes even no one that has this global view
[11:35.700 --> 11:41.380]  Because they they don't have time to do so. I mean, it's it's not that they are not interested in often
[11:41.380 --> 11:46.500]  It's exactly opposite. They always they're always interested when you come by and say okay
[11:46.500 --> 11:50.300]  I talked to this to this and that guy and they say okay, what what did he?
[11:52.260 --> 11:56.180]  But they just don't have the time and it's also not their responsibility
[11:57.180 --> 12:01.340]  Yeah, but it's interesting that there's the guy responsible for that now
[12:04.260 --> 12:07.740]  Okay, so yeah now question three
[12:10.380 --> 12:12.380]  It's just to see if
[12:13.580 --> 12:16.940]  Your field of expertise applies to the paper
[12:19.020 --> 12:20.460]  So
[12:20.460 --> 12:23.980]  Let's say you are familiar with some IAC
[12:24.980 --> 12:28.020]  Scripting tool or language
[12:29.020 --> 12:31.140]  Kubernetes or Ansible or one of these
[12:32.380 --> 12:37.620]  And you are given one of you are given a script in one and in one of these IAC
[12:38.820 --> 12:44.740]  Languages that you are familiar with can you using the script and providing enough time?
[12:44.740 --> 12:50.820]  Can you understand the architecture that is described using the script?
[12:50.820 --> 12:58.980]  Can you create in your mind and an understanding of how the application system
[12:59.660 --> 13:02.540]  Will be like when this script is is used
[13:05.780 --> 13:10.300]  So IAC script is basically a deployment model. Yeah, so for any
[13:12.140 --> 13:14.540]  Do you have enough knowledge in any of
[13:15.220 --> 13:19.260]  Deployment model languages to that allows you to understand the application
[13:20.300 --> 13:23.140]  Behind it. So that's being described using it
[13:25.220 --> 13:32.140]  Is TOSCA also can be seen as an IAC script. Yeah, okay, then yes, okay
[13:33.100 --> 13:38.220]  Because I to be honest since it was not part of my research and also not what I'm doing now
[13:38.220 --> 13:42.660]  It's really in that direction of cloud application deployment and stuff like that
[13:43.180 --> 13:46.540]  I'm not really an expert in all of these technologies
[13:47.780 --> 13:49.780]  but yes, I
[13:49.780 --> 13:54.860]  Get the fundamental point and I also I would say I have enough knowledge to interpret
[13:56.060 --> 14:01.620]  Given enough time. Yeah. Yeah, that's the minimum we want
[14:04.940 --> 14:10.340]  Okay, so for how many years have you worked even in research with tasks
[14:10.820 --> 14:13.180]  Somehow related with IAC tools
[14:14.220 --> 14:19.700]  OpenTOSCA and TOSCA is also considered IAC. Yeah, okay
[14:20.580 --> 14:24.940]  Yeah, since it was mostly kind of a side story
[14:26.620 --> 14:29.020]  Maybe two or three years, okay
[14:31.460 --> 14:35.740]  So for the next one, I don't know if you know the number we can I can look it up later
[14:35.740 --> 14:41.620]  But maybe you should be should be larger than one. I mean if the company
[14:42.300 --> 14:49.860]  Worldwide, yeah, I think it's the case. I think so, but even for [redacted]. I think it's more. Yeah, even for [redacted]. It's more
[14:49.860 --> 14:51.860]  Okay, let's always see
[14:55.700 --> 14:57.700]  Yeah, so
[14:59.060 --> 15:04.820]  For any of the following questions just feel free to clarify the question
[15:04.820 --> 15:12.740]  If something is unclear and to speak freely like even beyond the the text of the question itself
[15:14.780 --> 15:16.780]  So
[15:16.780 --> 15:21.620]  How do you check compliance of software applications in your company?
[15:24.260 --> 15:31.100]  Maybe not you personally, but if you know the process no, I don't know I mean
[15:34.900 --> 15:39.220]  As always, there's definitely kind of manual checks and also
[15:42.140 --> 15:44.140]  Regarding the overall
[15:45.180 --> 15:51.580]  Development methodology, I think they're also built in compliance or quality assurance steps
[15:53.860 --> 15:59.340]  Because of all these safety and security related questions in the automotive industry
[16:00.340 --> 16:04.100]  But yeah, there I'm not
[16:05.940 --> 16:12.660]  Experienced enough to be honest to to say what actually is in place and how much of the stuff is
[16:13.340 --> 16:19.580]  Maybe also automated and what is manually done and how the actual processes look like
[16:20.460 --> 16:25.500]  Okay, yeah, yeah, no problem. Yeah, just tell me what's but you really know
[16:26.340 --> 16:33.740]  Yeah, but I would say for sure there are compliance checks. I mean compliance and definitely in terms of
[16:36.300 --> 16:40.460]  Certification relevant stuff so that a car is allowed to
[16:41.860 --> 16:43.860]  Drive on the street
[16:44.340 --> 16:48.620]  Because this is kind of all these legal and regular compliance stuff and
[16:49.340 --> 16:51.820]  Same for data compliance and all these
[16:52.620 --> 16:58.060]  Aspects so that no data without customer consent is leaving a vehicle and stuff like that
[16:59.260 --> 17:01.260]  So that's definitely there
[17:01.260 --> 17:07.700]  But yes, as I said, I I don't know all the processes how it's how it's done
[17:09.100 --> 17:11.100]  Okay
[17:12.500 --> 17:15.340]  Yeah, so for some of the questions maybe
[17:15.900 --> 17:21.740]  Yeah, maybe based on the video you watched you try to like estimate an answer
[17:24.460 --> 17:26.460]  Yeah
[17:26.580 --> 17:29.820]  Not about how you things are already done, but how
[17:31.580 --> 17:36.700]  Do you think such a framework will be used? We will see when we reach the questions
[17:38.220 --> 17:45.300]  So for seven maybe you also are not sure so do you use well-defined models for compliance?
[17:45.340 --> 17:53.980]  Rules or these catalogs of compliance rules are they just in text format or are they modeled in a machine readable way?
[17:54.660 --> 17:59.620]  You probably yeah, I also can't answer that one. Hmm. Yeah
[18:02.060 --> 18:04.380]  So do you think if if you do have
[18:05.940 --> 18:09.340]  Well-defined a machine readable format for compliance rules
[18:10.420 --> 18:13.740]  Does this reduce the complexity with checking them?
[18:14.740 --> 18:16.740]  Yes, I think so definitely
[18:18.060 --> 18:24.420]  And another concern with compliance rules is the uncertainty associated with
[18:25.220 --> 18:28.220]  compliance rules that are just like known
[18:29.820 --> 18:34.180]  Implicitly and or the ones that are written down as a human readable form
[18:34.700 --> 18:36.620]  they might be
[18:36.620 --> 18:43.700]  Like interpreted in different ways. So do you think this can be solved this type of uncertainty can can be?
[18:43.900 --> 18:46.940]  solved using machine readable and
[18:47.580 --> 18:49.380]  well-defined
[18:49.380 --> 18:51.380]  format for compliance rules
[18:51.460 --> 18:53.060]  Yeah, I
[18:53.060 --> 18:59.020]  mean, I would say maybe just from the automation perspective. This is always
[19:00.860 --> 19:09.900]  Bringing I mean having something centralized and in an automated fashion is always reducing ambiguity uncertainty and also
[19:10.660 --> 19:13.500]  Yeah, there's different types of interpretation
[19:13.900 --> 19:18.700]  And also in this build environments if you have different stakeholders
[19:18.860 --> 19:23.300]  Maybe having different tools to do their part of the job
[19:24.460 --> 19:26.460]  Because I think there's also a lot of
[19:28.580 --> 19:31.500]  Potential errors that might
[19:33.380 --> 19:35.900]  Might rise and or might be undetected
[19:36.900 --> 19:41.060]  Because there are gaps between the tools the sets and what they're doing and I think
[19:41.780 --> 19:45.860]  Bringing this into a unified centrally defined and
[19:47.780 --> 19:51.980]  Yeah, clear form would be definitely
[19:53.700 --> 20:01.860]  Yeah, there you will and improve the overall process. I think that's also in general my feeling that
[20:01.860 --> 20:07.740]  Yeah, having this kind of centralized knowledge
[20:09.420 --> 20:11.420]  Define it once use it often
[20:12.220 --> 20:17.900]  is is getting more attraction because thing I mean the world is getting more and more complex and
[20:18.900 --> 20:20.740]  having
[20:20.740 --> 20:25.540]  Thousands let's say of local solutions for the same problems. I
[20:26.340 --> 20:29.120]  Think it won't work. I mean it doesn't scale
[20:31.860 --> 20:36.780]  Yeah, that's what we assumed as well. Yeah, yeah, I can yeah
[20:37.460 --> 20:39.460]  This is definitely true
[20:40.220 --> 20:42.460]  So do you have an idea how often
[20:43.100 --> 20:47.020]  compliance rules are kind of updated in your company?
[20:48.140 --> 20:52.780]  Well, I think I would say very often
[20:53.940 --> 20:57.180]  Because the scale because of the scale I mean
[20:57.180 --> 21:04.900]  We are touching I think anything because we have the car and customer hands we have
[21:05.580 --> 21:07.260]  apps
[21:07.260 --> 21:13.860]  We have back-end systems and spread all over the world. So we have I don't know how many legislations
[21:15.620 --> 21:19.300]  Which we have to comply in with and they are changing
[21:20.860 --> 21:22.860]  rapidly and
[21:23.700 --> 21:28.380]  So I'm not sure how often there are new rules, but
[21:29.740 --> 21:34.460]  Yeah, probably no one knows how often exactly about in rough estimation
[21:34.740 --> 21:38.540]  You think it's it's often in for for for the domain of
[21:39.420 --> 21:41.420]  And the size of your company I
[21:42.580 --> 21:44.580]  Would say so
[21:45.220 --> 21:48.500]  Yeah, I mean I would to do really roughly estimate
[21:48.500 --> 21:52.900]  But I'm not sure if it's really an estimate is and I would say every year there's
[21:53.580 --> 21:59.060]  definitely a bunch of things that are new external as well as internal
[22:01.100 --> 22:03.100]  Yeah, I think so too
[22:03.380 --> 22:09.860]  And we had an interview with another large enterprise and they also have like rapid changes. Yeah, yeah
[22:11.220 --> 22:13.220]  Okay, yeah, I think it's just
[22:13.860 --> 22:15.380]  the
[22:15.380 --> 22:22.060]  Factor rises if you have I mean if you're just in Germany and it's might be not might be not that much
[22:22.060 --> 22:26.020]  But I think just because of you're acting in multiple companies
[22:26.020 --> 22:30.540]  This is already introducing a factor and then if you're touching
[22:31.260 --> 22:37.140]  multiple domains of legislation like having some data that is processed having some
[22:38.140 --> 22:43.460]  Products that have some safety critical features and stuff like that because then you're touching
[22:43.460 --> 22:45.460]  I don't know different catalog of
[22:46.300 --> 22:52.300]  Yeah, and and many many many of them and for different countries. Maybe there are different tools. Yeah
[22:52.820 --> 22:59.940]  Definitely. I mean they differ a lot. I what I am kind of familiar with all these data compliance aspects and
[23:00.940 --> 23:02.940]  there is
[23:02.980 --> 23:08.620]  It's a vast amount of stuff and some countries are really going there their own way. Let's say
[23:09.860 --> 23:12.100]  They have some specialized rules that just
[23:13.300 --> 23:15.820]  That are just for this specific
[23:16.500 --> 23:17.620]  country
[23:17.620 --> 23:21.260]  You don't have anywhere else on on the world and
[23:21.940 --> 23:23.660]  Yeah
[23:23.660 --> 23:26.420]  Yeah, I can see that this is
[23:27.260 --> 23:33.420]  Yeah, a big thing for for company to manage. Yeah, and yeah, probably rapidly changing
[23:34.260 --> 23:38.620]  Okay, so now the following questions are just to give kind of
[23:39.340 --> 23:40.660]  numerical
[23:40.660 --> 23:47.620]  Equivalence with to the questions before so they are not like new questions just
[23:48.900 --> 23:52.380]  numerical estimations of the previous questions so
[23:53.060 --> 23:55.620]  How much do you agree with the following statement?
[23:56.660 --> 23:59.900]  Using IACMF, which is the name of the compliance framework
[24:01.100 --> 24:03.460]  reduces the effort associated with
[24:04.180 --> 24:13.460]  Defining and checking compliance rules. So here we are talking about like defining new compliance rules and also the process of checking them
[24:15.060 --> 24:17.060]  Yeah, so maybe
[24:17.980 --> 24:22.460]  You can answer differently for each of these two things if you want
[24:22.460 --> 24:24.460]  Yeah
[24:25.340 --> 24:28.020]  So based on the video and
[24:29.020 --> 24:31.500]  What you could know already, I don't know
[24:31.940 --> 24:37.180]  Yeah, exactly. That's that's I think that's a problem with the effort question
[24:37.820 --> 24:40.860]  Because it hardly depends on how it's done
[24:41.780 --> 24:43.780]  currently
[24:44.300 --> 24:52.380]  But I mean just from what I what I've seen in the video, I would say totally agree
[24:52.540 --> 24:54.540]  I'm
[24:55.980 --> 25:04.780]  Yeah, because any because if it's somehow automated it has to be somehow defined in a machine-readable format
[25:05.340 --> 25:06.860]  and so
[25:06.860 --> 25:08.860]  But I think to make it really
[25:11.740 --> 25:14.820]  Yet to to kind of support the whole process
[25:16.020 --> 25:19.420]  In in a uniform standardized manner
[25:20.380 --> 25:27.020]  And would definitely reduce the overall effort and in my opinion
[25:28.780 --> 25:30.540]  Okay
[25:30.540 --> 25:33.740]  So now a similar question related to complexity
[25:35.740 --> 25:42.980]  So do you think that the framework reduces the complexity of defining and checking compliance rules
[25:43.860 --> 25:45.860]  Yeah
[25:46.340 --> 25:50.260]  Kind of the same thing I also totally agree because I think the
[25:51.260 --> 25:53.260]  as always that the
[25:55.820 --> 26:00.740]  The actual game changer in my opinion is that you really
[26:02.660 --> 26:04.500]  Yeah, fix
[26:04.500 --> 26:09.420]  What has what is the identifier? So what has to be matched where to apply the rule?
[26:10.380 --> 26:14.060]  Because at least I would assume that this is something
[26:14.820 --> 26:18.220]  Experts do often in many more manual
[26:18.860 --> 26:24.380]  Processes so that they are saying okay here in this case we have to check this and that at this node and
[26:25.660 --> 26:27.660]  to really make it
[26:27.660 --> 26:33.180]  Transparent and concrete to say this is the context where this rule has to be applied
[26:33.180 --> 26:37.260]  I think this will change everything because there are also a non-expert user
[26:37.820 --> 26:43.860]  Can run the rule without any previous knowledge and it will come to the same result as an expert
[26:45.220 --> 26:48.620]  Would have created and I think this is
[26:49.700 --> 26:55.660]  Something which is super relevant especially in really complex environments
[26:56.580 --> 26:58.580]  And I think it doesn't matter
[26:59.300 --> 27:01.300]  which industry
[27:02.180 --> 27:06.340]  Domain application field because at the end of the day at least from my perspective
[27:06.580 --> 27:11.020]  You can model everything in such a graph-based manner
[27:11.380 --> 27:19.140]  It doesn't matter if it's a if it's I don't know a back-end system a car. I don't know some smartphone or other
[27:20.100 --> 27:22.340]  Thing you can always say
[27:23.060 --> 27:25.660]  There are some typed nodes. They have some relations
[27:26.140 --> 27:31.700]  They have some properties and and I think same goes for these compliance rule as far as I got it from the video and
[27:32.260 --> 27:34.260]  So you have kind of a really?
[27:34.900 --> 27:36.900]  generic mechanism to
[27:38.100 --> 27:42.700]  Yeah, to check compliance in anything that can be
[27:43.860 --> 27:45.860]  specified and
[27:46.980 --> 27:53.460]  And I think the trick is to yeah use kind of a divide-and-conquer approach
[27:54.340 --> 27:55.900]  because you
[27:55.900 --> 27:59.540]  Because maybe you have a super complex system with millions of nodes
[27:59.620 --> 28:03.940]  But it doesn't matter because for the compliance rules. You just say this is the context
[28:04.460 --> 28:06.940]  There you have to check this and that and that's it
[28:08.180 --> 28:10.180]  And I think this this
[28:11.100 --> 28:13.100]  Yeah, it's what is also
[28:13.860 --> 28:19.300]  At least from my point of view the only thing that will help to
[28:19.900 --> 28:21.900]  To handle the complexity
[28:22.380 --> 28:26.220]  of of really large distributed systems
[28:27.220 --> 28:29.220]  Yeah, whatever they are. I mean
[28:30.940 --> 28:32.940]  Yeah, that's
[28:32.940 --> 28:37.060]  That's what we had in mind when we designed this. Yeah, yeah
[28:37.580 --> 28:42.740]  Yeah, because I mean we designed it after our first round of review with a
[28:43.180 --> 28:46.220]  with an enterprise, so we spoke with their
[28:47.340 --> 28:49.860]  administrators and we yeah kind of
[28:50.740 --> 28:56.740]  Based the newest design of the framework based on their answers. So it's kind of
[28:57.620 --> 28:59.620]  Yeah, for for large at least
[28:59.740 --> 29:06.140]  For large distributed systems. It's difficult to do things manually
[29:06.740 --> 29:08.900]  Yeah without without models
[29:10.020 --> 29:11.220]  Yeah
[29:11.220 --> 29:14.260]  Yeah, okay. So now question 13
[29:15.260 --> 29:17.940]  How much do you agree with the following statement using?
[29:18.420 --> 29:24.580]  Well-defined models for compliance rules reduces the uncertainty associated with interpreting them
[29:26.140 --> 29:30.220]  Yeah, it's the same as before I also would say four or five
[29:32.820 --> 29:34.820]  Because yeah, as you also said
[29:35.540 --> 29:39.540]  Maybe it's handable for smaller systems
[29:40.300 --> 29:46.700]  Less complex models, but if you reach a certain level of complexity, I think yeah
[29:47.220 --> 29:52.140]  You need you need something some language some model you can rely on
[29:55.500 --> 29:59.820]  Okay, and now about architecture reconstruction, so so
[30:01.180 --> 30:07.060]  In the video and I don't know if you were was able to also read the document and
[30:09.580 --> 30:16.060]  Process that is supported by the framework. We we first reconstruct the architecture of the instance
[30:18.220 --> 30:20.700]  Application instance, so we kind of
[30:21.380 --> 30:25.580]  talk to the IAC tool that's responsible for managing the instance and
[30:26.380 --> 30:33.940]  Create an initial instance model only from the knowledge that the IAC tool knows and then based on the
[30:34.940 --> 30:41.860]  Compliance rules that we want to check we add extra information to this instance model using a refinement plugins
[30:44.020 --> 30:52.380]  So this process of creating an initial instance model and then refining it in multiple steps in order to reach in a model
[30:52.380 --> 30:58.860]  That describes the system and has enough information for the compliance rules to be automatically checked
[30:58.940 --> 31:03.180]  We call this process architectural reconstruction and it's
[31:03.980 --> 31:07.820]  It's useful for compliance checking, but also in
[31:08.660 --> 31:14.140]  For generally understanding the architecture of the application you have at hand
[31:16.460 --> 31:18.460]  So
[31:19.420 --> 31:22.500]  If you face a new application
[31:23.100 --> 31:28.620]  Instance that you want to understand the architecture of how do you do that?
[31:28.620 --> 31:30.620]  I
[31:31.420 --> 31:34.020]  Mean the only thing I know
[31:35.140 --> 31:37.140]  in this direction
[31:37.140 --> 31:38.740]  is
[31:38.740 --> 31:41.420]  I'm using observability mechanisms
[31:42.580 --> 31:46.460]  but this I'm not sure if it's not really the architecture is more like the
[31:48.780 --> 31:55.100]  Yeah, kind of communication architecture of different services how they interact and invoke each other
[31:55.540 --> 31:59.540]  But yeah for for let's say
[32:00.540 --> 32:02.540]  really from a
[32:02.900 --> 32:04.900]  Topology point of view
[32:05.340 --> 32:07.340]  I'm not sure
[32:08.140 --> 32:10.500]  Yeah, okay. Yeah, I mean that
[32:11.060 --> 32:13.060]  monitoring communication is totally
[32:14.500 --> 32:19.300]  Accepted method for architectural reconstruction in research. Yeah, so that's
[32:19.980 --> 32:21.980]  that's
[32:22.500 --> 32:25.260]  That's something we heard of often
[32:26.180 --> 32:28.180]  Okay, yeah
[32:29.460 --> 32:33.500]  So do you know of automated or certainly semi automated tools for that?
[32:35.180 --> 32:41.540]  Yeah, I mean in this in this sense, I think this the de facto standard OpenTelemetry
[32:42.420 --> 32:44.420]  It's also applied
[32:45.300 --> 32:48.220]  But yeah, also not sure what what else or what
[32:49.220 --> 32:53.260]  concretely is used in terms of tools and
[32:55.180 --> 32:57.180]  Yeah, yeah, sure
[33:00.460 --> 33:06.220]  So do you think that using the framework it reduces the effort?
[33:07.220 --> 33:15.460]  Associated with reconstructing the architecture of running application instances. So maybe you can answer in
[33:16.300 --> 33:17.860]  two
[33:17.860 --> 33:19.060]  situations
[33:19.060 --> 33:21.060]  first if you do have
[33:21.180 --> 33:29.580]  the plugins required for like the for communicating with a specific tool IAC tool and then
[33:30.340 --> 33:38.220]  refining the instance model with additional information or if you don't have these plugins and you need to
[33:39.460 --> 33:41.140]  Implement them
[33:41.140 --> 33:43.140]  But then you can reuse them
[33:44.140 --> 33:51.580]  So in in in each of these cases, do you think the framework reduces the effort of
[33:52.460 --> 33:54.460]  reconstruction the architecture
[33:54.580 --> 33:57.860]  Also for small architecture or large architecture. Yeah
[34:01.500 --> 34:08.020]  Yeah, I think so I mean as you said most probably depends on the the efforts spend in integrating
[34:09.020 --> 34:13.140]  new methods for for getting the information from
[34:14.820 --> 34:17.180]  Yeah, to reconstruct the architecture
[34:19.820 --> 34:23.180]  But yeah, I think this also as always
[34:24.220 --> 34:27.540]  Depends if maybe there's a community that
[34:29.100 --> 34:32.820]  Kind of takes care of producing these
[34:33.820 --> 34:37.820]  Plugins in an open-source manner because then I think the effort will
[34:39.140 --> 34:42.380]  Yeah decrease for each and really
[34:44.900 --> 34:47.580]  But yes, I think so
[34:49.420 --> 34:51.940]  Because I mean what is the other approach
[34:53.340 --> 34:59.860]  In one extreme it would be to do it somehow manually by analyzing. I don't know system logs whatever
[35:00.860 --> 35:02.380]  I
[35:02.380 --> 35:10.260]  Yeah, or checking these observability tools and trying to reconstruct but then the gap is still how to
[35:11.940 --> 35:13.940]  Yeah, formalize it
[35:14.300 --> 35:18.180]  Specify it in a well-defined manner, and as far as I got it from the video and also from the slides
[35:19.660 --> 35:23.300]  This is actually the the benefit so that
[35:24.740 --> 35:26.740]  So the two things one is that
[35:27.700 --> 35:35.420]  The process is kind of the process of reconstruction is implemented within the the framework
[35:36.540 --> 35:43.740]  And second that the result is created in a in a well-defined and
[35:44.820 --> 35:46.820]  formalized language
[35:49.060 --> 35:51.060]  We produce EDMM models
[35:52.820 --> 35:56.340]  That you consider that a benefit right yes
[35:56.980 --> 35:58.980]  I would say so, yeah
[35:59.100 --> 36:03.820]  Okay, yeah, so I mean at the end of the day. It's kind of the trade-off is
[36:04.420 --> 36:06.420]  putting the effort in
[36:07.460 --> 36:11.100]  Integrating whatever I have into this ICMF
[36:11.820 --> 36:14.300]  But then I get the rest kind of for free
[36:14.700 --> 36:19.820]  Maybe I can benefit from the effort others spend because they already provide some plugins
[36:21.020 --> 36:23.260]  And then I don't have any effort
[36:24.860 --> 36:26.700]  Yeah
[36:26.700 --> 36:31.660]  Versus the effort I spend in coming up with my own stuff, which is maybe
[36:33.180 --> 36:38.500]  Then I'm again in such kind of a lock-in situation because I
[36:38.980 --> 36:45.260]  Mean in a far future you can think of that maybe some tool vendors also support
[36:47.260 --> 36:49.860]  Standardized models or hopefully
[36:50.860 --> 36:57.740]  And then maybe you can directly use them there and else you you always have to do this on your own
[36:59.340 --> 37:01.340]  Yeah, yeah
[37:02.420 --> 37:04.780]  Similar situation in other things
[37:05.340 --> 37:06.860]  Yeah
[37:06.860 --> 37:10.140]  Yeah, I think it's it's it's the general question. I would say
[37:12.260 --> 37:14.260]  Yeah integrating to something
[37:15.660 --> 37:17.580]  that is
[37:17.580 --> 37:19.580]  provides a uniform way to
[37:19.860 --> 37:21.860]  solve a problem
[37:22.900 --> 37:29.460]  That then you most probably you have more integration effort versus using something that is maybe
[37:30.780 --> 37:34.380]  Provided by some tool vendor, but then you're somehow locked in
[37:35.220 --> 37:38.260]  Because then you have to stick with the model they define
[37:39.300 --> 37:43.180]  Yeah, yeah, so I mean I during previous
[37:44.140 --> 37:46.140]  interviews
[37:46.700 --> 37:54.900]  Some company guys said okay, we have tools that work in the Kubernetes part of our systems
[37:55.100 --> 37:57.900]  But when we deal with the Google cloud
[37:58.700 --> 38:01.900]  Managed part we we have to do stuff manually
[38:02.460 --> 38:04.460]  Yeah, so
[38:05.340 --> 38:11.940]  You have some sometimes tools from specific providers, but even for not so large
[38:12.580 --> 38:15.660]  Applications you you need multiple tools
[38:16.420 --> 38:18.420]  and then you it's a
[38:18.900 --> 38:20.900]  It's a difficult situation
[38:21.860 --> 38:28.180]  And it's also not constant. I think that that's something that comes on top because maybe for some reason
[38:29.780 --> 38:32.220]  Company the company might switch a cloud provider
[38:32.580 --> 38:40.940]  And then then you have it again and again and again and again or start switching from from on premise to off premise and and all these things are maybe
[38:41.500 --> 38:43.420]  new tools are
[38:43.420 --> 38:45.420]  hosted on other platforms
[38:45.860 --> 38:52.620]  You buy a software as a service and stuff like that. I mean, so I think it yeah, it's worth spending the effort in
[38:53.140 --> 38:55.540]  having something that produces a
[38:57.020 --> 39:02.660]  Unification and unify yeah having results on unified models
[39:03.380 --> 39:04.820]  than, yeah
[39:04.820 --> 39:09.100]  Spending the effort this kind of the same or more effort over and over again
[39:11.940 --> 39:16.060]  Okay, so we're about to be done. No worries
[39:17.500 --> 39:20.220]  And now it's about like fixing
[39:21.020 --> 39:23.020]  violations
[39:24.460 --> 39:26.460]  So
[39:26.980 --> 39:34.700]  What what would you do if you find out that like an application system that you're responsible for
[39:35.580 --> 39:38.660]  Violates a compliance rule. What would you do?
[39:41.940 --> 39:46.180]  A good question. That's also something I have no idea
[39:47.700 --> 39:49.700]  Yeah, that's fair
[39:51.860 --> 39:55.100]  Yeah, so I think 18 doesn't make much sense
[39:56.180 --> 40:00.060]  If there are automated or semi-automated tools for that
[40:01.860 --> 40:07.420]  Okay, so now 19 is based on on what the framework does
[40:07.420 --> 40:18.060]  So do you think that using the framework reduces the effort associated with fixing compliance violations?
[40:23.260 --> 40:27.860]  Yeah, I think so I mean again most probably it's this integration effort that has to be spent
[40:28.100 --> 40:31.260]  But I think the actual doing as far as I got it from the video is
[40:32.260 --> 40:39.020]  Well, there's no effort right so you say if you do have the plug-ins suitable for for
[40:39.420 --> 40:44.020]  Your use case the effort is like almost no effort
[40:44.420 --> 40:47.540]  But if you don't the integration is a problem, right?
[40:47.860 --> 40:52.380]  Yes, because you have to bring up the these fixing plugins, right?
[40:53.100 --> 40:58.260]  Yes, sometimes they are generic, but sometimes they are use case specific
[40:58.780 --> 41:00.780]  Yeah
[41:00.860 --> 41:04.140]  Yeah, yeah, but I would say in general. Yes, definitely
[41:04.860 --> 41:08.460]  reduces the effort and and that's what I
[41:09.340 --> 41:11.340]  also check 20 because I
[41:12.380 --> 41:14.380]  Was not sure if
[41:14.380 --> 41:16.980]  effort also comprises
[41:19.420 --> 41:21.420]  Yeah, let's say the ambiguity
[41:22.660 --> 41:30.140]  So so that not let's say this department is fixing the issue in this way and the other department in another way and maybe
[41:31.060 --> 41:37.300]  By having different fixes applied later on other compliance issues might arise
[41:43.140 --> 41:50.220]  Because I think this is also definitely reduced so let's say follow-up efforts might be also reduced
[41:51.140 --> 41:53.860]  that yeah might arise because
[41:54.900 --> 41:56.900]  People are doing it differently
[41:58.300 --> 42:00.300]  so
[42:00.980 --> 42:05.180]  Having a defined well-defined model for a compliance job, which also
[42:06.180 --> 42:08.300]  Says how to fix a problem
[42:09.300 --> 42:11.900]  This reduces the uncertainty
[42:12.540 --> 42:15.220]  Yeah, that's what we'll say for sure. Yeah
[42:16.980 --> 42:20.340]  Okay, so now like the last few questions
[42:22.540 --> 42:27.580]  As far as you know, of course, how do you evaluate the novelty of the framework?
[42:30.340 --> 42:35.540]  Yeah, since I'm not an expert in this field. I mean
[42:36.820 --> 42:38.820]  It seemed like
[42:40.140 --> 42:42.140]  It's kind of a
[42:42.900 --> 42:45.260]  New way of combining
[42:46.340 --> 42:51.340]  known things at least from from what what I know let's say
[42:52.820 --> 42:57.980]  But bringing everything together. I would at least for me it was something
[42:58.980 --> 43:00.980]  new
[43:02.180 --> 43:08.900]  Yeah, to have this chain of steps and also combine different information sources and
[43:09.220 --> 43:14.060]  You find the rules and link them and automate them and also this automated fixing stuff
[43:16.420 --> 43:18.420]  Yeah, that's
[43:20.180 --> 43:26.180]  That's the opinion of the people we interviewed so far, especially regarding the fixing
[43:28.100 --> 43:30.100]  Okay, so how do you
[43:30.100 --> 43:37.100]  Evaluate the extensibility of the framework. So first is it extensible and second? Do you think extensibility is useful?
[43:39.500 --> 43:47.500]  I mean from what I've seen the video is I don't remember any architecture slides. No, no individual no
[43:48.940 --> 43:55.380]  But in the slides. Oh, so yeah, I can tell you about it. Of course. I'm also a source of information
[43:55.900 --> 44:06.980]  Regarding the framework. Yeah, it's for each of the steps you can we have an interface for plugins and you can program plugins
[44:07.740 --> 44:14.980]  The plugins are programmed in Java and yeah, you can use them in the in the framework
[44:15.700 --> 44:24.020]  So we define like what are the inputs and the outputs for for the plugin and then you can just use it within within the framework
[44:25.540 --> 44:30.500]  Of course, you can define your own compliance rules your own compliance jobs, and you can have
[44:33.260 --> 44:35.260]  Compliance rules that are customizable
[44:36.420 --> 44:42.660]  With like variables and then in the compliance job you specify values for for compliance rules
[44:42.660 --> 44:49.660]  So you don't need to define compliance rules that are very use case specific. You can make them a bit more generic
[44:50.300 --> 44:59.340]  So I would say this like plugins and and compliance rules compliance jobs are kind of you can extend the
[44:59.740 --> 45:02.380]  functionality of the framework using these aspects
[45:04.060 --> 45:11.940]  Do you think this is useful? Yeah, that was also my impression. Yeah, I think it's useful and I also like the as you said
[45:13.060 --> 45:15.060]  Summarized now
[45:15.140 --> 45:18.020]  These two levels that you have this
[45:20.420 --> 45:23.020]  Can can have I mean one is in
[45:23.980 --> 45:28.220]  Integrating additional logic in form of plugins for the different steps
[45:29.340 --> 45:31.340]  to integrate new
[45:31.540 --> 45:36.140]  IOC technologies and stuff like that and the also the other level that you can
[45:37.620 --> 45:39.620]  Introduce parameterizable
[45:41.220 --> 45:43.220]  Plugins so that you say okay
[45:43.780 --> 45:45.780]  This is something I have to do
[45:47.380 --> 45:52.180]  Always but it might differ in which context I'm doing I'm checking it for example
[45:52.180 --> 45:55.020]  And therefore I can introduce variables parameters stuff like that
[45:55.380 --> 45:59.660]  Because I think that makes definitely sense because else you end up in
[46:00.980 --> 46:02.980]  introducing thousands of plugins
[46:03.620 --> 46:05.620]  and so you have the freedom of
[46:05.980 --> 46:11.860]  Choosing the level of abstraction you want to go for the plug-in, but you still can can
[46:12.420 --> 46:18.420]  provide the relevant information to yeah to support a specific use case
[46:19.700 --> 46:24.940]  So I kind of like this hard kind of yeah way of extending it
[46:24.940 --> 46:30.740]  Uh-huh. I mean it's more kind of yes, you said customizing or parameterizing the steps
[46:32.900 --> 46:38.300]  Okay, so hypothetically would you use the framework in your work?
[46:39.180 --> 46:41.180]  Yeah
[46:43.100 --> 46:48.460]  Absolutely, I mean the only pitfall is as always you need
[46:50.020 --> 46:52.780]  You you need the information about the system, right and
[46:54.060 --> 47:02.620]  Some kind of having a model and so yeah to work with it and I think that's kind of the
[47:03.900 --> 47:06.900]  The pitfall but if this is there
[47:07.780 --> 47:11.860]  Which I definitely think it's it's valuable to have this anyhow
[47:12.820 --> 47:15.220]  Um, then definitely I think it's it's a good
[47:16.420 --> 47:18.420]  tool
[47:19.060 --> 47:24.820]  For handling all these compliance related questions and also enforcing it because this is also
[47:25.540 --> 47:28.020]  Whatever thinking during watching the video
[47:28.820 --> 47:29.780]  um
[47:29.780 --> 47:34.500]  Because I think often it's like okay, we know what we have to be compliant with
[47:35.380 --> 47:38.820]  and we during development during maintenance
[47:40.340 --> 47:42.340]  Within the development processes
[47:43.060 --> 47:45.060]  um, this is kind of
[47:45.060 --> 47:46.580]  um
[47:46.580 --> 47:49.380]  Yeah, everyone is is taking care of it
[47:50.260 --> 47:52.980]  but what about the system
[47:53.780 --> 47:55.780]  um, which is out there
[47:56.340 --> 47:58.340]  for example in the product which is
[47:59.300 --> 48:03.620]  Traveling around the world. Yeah, how can you enforce that no one else later on
[48:04.260 --> 48:05.380]  Um
[48:05.380 --> 48:08.820]  Interacting with the device doing some updates, whatever
[48:09.460 --> 48:16.660]  Is violating the rules you placed in because yeah, there are also situations where you are
[48:17.140 --> 48:19.140]  Maybe not in full control anymore
[48:20.420 --> 48:25.700]  Uh, if you have an open system for example where people can bring in their own software
[48:26.340 --> 48:28.340]  But you still want to say okay
[48:28.340 --> 48:32.260]  Um, maybe not really enforcing more like okay, if you do this
[48:33.140 --> 48:34.980]  This and that might happen
[48:34.980 --> 48:36.980]  Because we cannot guarantee
[48:38.020 --> 48:39.780]  This and that property anymore
[48:39.780 --> 48:45.540]  So detection of of issues when yes during runtime, right? Yeah, I mean for for example with this, um,
[48:46.100 --> 48:50.660]  Now, okay password thing. It could be also something like, um
[48:51.620 --> 48:54.100]  During or when the product is shipped
[48:55.300 --> 49:00.180]  Everything I mean, it's it's kind of uh checked and then if if the customer
[49:01.140 --> 49:03.540]  Says yes, but I want to have no password
[49:04.100 --> 49:06.100]  Then he can do so, but this
[49:06.660 --> 49:09.380]  Is then also kind of uh reported
[49:10.180 --> 49:14.660]  And so you you are kind of fine because the customer said I want to have it like that
[49:15.300 --> 49:19.060]  But until that point you enforce that this is not happening
[49:20.100 --> 49:22.900]  Yeah, I think this is also something
[49:23.860 --> 49:25.860]  That that will help
[49:26.420 --> 49:29.060]  And maybe you can even come back. Let's say if you have
[49:30.660 --> 49:32.900]  Second product lives in areas or whatever
[49:33.620 --> 49:37.540]  So if the customer um sells the product to someone else, um
[49:38.500 --> 49:45.140]  Then you can maybe reinforce such rules because maybe this customer is not aware of that the previous customer
[49:46.020 --> 49:52.100]  Kind of deactivated a lot of stuff and so you can just maybe even automatically say okay now
[49:52.580 --> 49:56.500]  We are bringing it back into a fully compliant state
[49:56.660 --> 49:58.100]  Uh
[49:58.100 --> 50:03.940]  And to to again take the guarantee that everything is as it was when we delivered it
[50:04.980 --> 50:06.980]  I can also imagine such scenarios
[50:08.340 --> 50:09.780]  Yeah
[50:09.780 --> 50:12.420]  Um good good to hear this
[50:13.380 --> 50:15.700]  Possible scenarios. That's that's very useful
[50:17.140 --> 50:20.020]  Okay, so, uh, what's your general impression
[50:20.020 --> 50:22.020]  Yeah
[50:23.140 --> 50:25.140]  Yeah, I mean
[50:25.780 --> 50:27.140]  Good
[50:27.140 --> 50:33.460]  It looks really promising. I think, as you most probably know, the thing is always the
[50:34.660 --> 50:41.540]  The the effort that is needed to come to the stage where everything works as expected
[50:42.180 --> 50:44.180]  But I think that's always the case
[50:45.060 --> 50:47.460]  And I'm pretty sure that
[50:48.340 --> 50:50.340]  Um, there is no
[50:51.300 --> 50:53.300]  Silver bullet to to
[50:54.100 --> 50:55.540]  I mean
[50:55.540 --> 50:58.260]  However, you do it. You have to spend effort
[50:59.540 --> 51:04.660]  And from my perspective, it's always worth spending the effort in something
[51:05.940 --> 51:10.180]  Uh, yeah, which makes things as precise as possible
[51:11.140 --> 51:14.740]  Uh, with having as much automation as possible
[51:15.140 --> 51:20.100]  And that was my impression that this was also kind of the focus
[51:20.500 --> 51:22.980]  Um, when designing the framework and the processes
[51:24.180 --> 51:27.140]  Yeah, that was the intention
[51:27.860 --> 51:29.460]  Yeah
[51:29.460 --> 51:32.980]  Yeah, I think that's the most you can do because um, yeah
[51:35.220 --> 51:38.020]  Okay, so that's that's it for the questions
[51:38.020 --> 51:41.780]  I'll stop the audio recording now