[04:02.000 --> 04:04.000]  So I just start sharing my screen
[04:04.000 --> 04:06.000]  I have prepared like the same questions
[04:06.000 --> 04:08.000]  Honest on slides
[04:08.000 --> 04:10.000]  So you don't have to remember what I'm saying yeah
[04:10.000 --> 04:12.000]  Okay
[04:12.000 --> 04:16.000]  Okay
[04:16.000 --> 04:20.000]  Okay so
[04:20.000 --> 04:22.000]  Do you see the screen?
[04:22.000 --> 04:24.000]  Yes I do
[04:24.000 --> 04:26.000]  Yeah it's the same thing
[04:26.000 --> 04:28.000]  Things I told you we will record the audio now
[04:28.000 --> 04:30.000]  And
[04:30.000 --> 04:32.000]  Yeah I will anonymize it
[04:32.000 --> 04:34.000]  So the audio itself will be removed
[04:34.000 --> 04:36.000]  After we transcribe it
[04:36.000 --> 04:38.000]  We'll be anonymized
[04:38.000 --> 04:40.000]  So no names no company names
[04:40.000 --> 04:42.000]  What's over?
[04:42.000 --> 04:44.000]  And then
[04:44.000 --> 04:46.000]  Yeah I will just like associate your answers
[04:46.000 --> 04:48.000]  With the questions
[04:48.000 --> 04:50.000]  And then we'll report
[04:50.000 --> 04:52.000]  The whole thing
[04:52.000 --> 04:54.000]  So kind of a summary of all answers
[04:54.000 --> 04:56.000]  Of all nine participants
[04:56.000 --> 04:58.000]  So yeah that's what we'll do
[04:58.000 --> 05:00.000]  So if you agree we can continue
[05:00.000 --> 05:02.000]  Of course before we publish
[05:02.000 --> 05:04.000]  You can tell me
[05:04.000 --> 05:08.000]  Please take away my answers
[05:08.000 --> 05:12.000]  After July 1 that would be difficult
[05:12.000 --> 05:14.000]  Okay let's move on
[05:14.000 --> 05:16.000]  Okay
[05:16.000 --> 05:18.000]  So first you just watch the tutorial
[05:18.000 --> 05:22.000]  So do you have questions about it?
[05:22.000 --> 05:24.000]  I would have some technical questions
[05:24.000 --> 05:26.000]  But I think that will be in the answer
[05:26.000 --> 05:28.000]  In the following
[05:28.000 --> 05:30.000]  Yeah sure no problem
[05:30.000 --> 05:32.000]  I have some backup slides here
[05:32.000 --> 05:34.000]  So we can take a look at them if needed
[05:34.000 --> 05:36.000]  Okay so now
[05:36.000 --> 05:38.000]  It's some demographic questions
[05:38.000 --> 05:40.000]  Yeah
[05:40.000 --> 05:42.000]  What's your current role in the company?
[05:42.000 --> 05:46.000]  Okay I'm a research software architect
[05:46.000 --> 05:48.000]  And
[05:48.000 --> 05:52.000]  We're researching new code stuff for the company
[05:52.000 --> 05:54.000]  Okay so
[05:54.000 --> 05:56.000]  Does this answer also question two
[05:56.000 --> 05:58.000]  Or do you want to say further things
[05:58.000 --> 06:00.000]  So what kind of things you have to do
[06:00.000 --> 06:02.000]  In the company?
[06:02.000 --> 06:04.000]  Oh
[06:04.000 --> 06:08.000]  On the one hand
[06:08.000 --> 06:10.000]  Providing blue prints
[06:10.000 --> 06:12.000]  For applications like
[06:12.000 --> 06:14.000]  Kind of meta architectures
[06:14.000 --> 06:16.000]  And other things like
[06:16.000 --> 06:18.000]  Normally we research work
[06:18.000 --> 06:22.000]  But a typical researcher would do
[06:22.000 --> 06:26.000]  Like in papers producing things
[06:26.000 --> 06:28.000]  Communicating and so on
[06:28.000 --> 06:30.000]  I like the term meta architecture
[06:30.000 --> 06:32.000]  Okay
[06:32.000 --> 06:34.000]  So
[06:34.000 --> 06:38.000]  Now assume you have some
[06:38.000 --> 06:40.000]  Some iac script
[06:40.000 --> 06:42.000]  Of a language that you are familiar with
[06:42.000 --> 06:44.000]  Just by looking at the script
[06:44.000 --> 06:46.000]  Can you understand the
[06:46.000 --> 06:50.000]  Architecture that it's trying to describe
[06:50.000 --> 06:54.000]  If you have enough time of course
[06:54.000 --> 06:56.000]  Yeah sure
[06:56.000 --> 07:00.000]  And also providing that the iac
[07:00.000 --> 07:02.000]  Language really describes
[07:02.000 --> 07:04.000]  Architecture as not just like
[07:04.000 --> 07:06.000]  Configuration files
[07:06.000 --> 07:08.000]  So something like Terraform
[07:08.000 --> 07:10.000]  Yeah
[07:10.000 --> 07:12.000]  Yeah
[07:12.000 --> 07:14.000]  Enough time
[07:14.000 --> 07:16.000]  Sure
[07:16.000 --> 07:18.000]  So for how many years have you
[07:18.000 --> 07:22.000]  Worked on tasks associated with iac tools?
[07:22.000 --> 07:24.000]  Is
[07:24.000 --> 07:26.000]  Especially included there or not
[07:26.000 --> 07:28.000]  Um
[07:28.000 --> 07:30.000]  Yeah
[07:30.000 --> 07:32.000]  We kind of sometimes include
[07:32.000 --> 07:34.000]  In the discussion
[07:34.000 --> 07:36.000]  Yeah because the thing is
[07:36.000 --> 07:38.000]  With iac
[07:38.000 --> 07:40.000]  Tools it would be less than one year
[07:40.000 --> 07:42.000]  As a little terraform
[07:42.000 --> 07:44.000]  And companies and help
[07:44.000 --> 07:46.000]  And whatever
[07:46.000 --> 07:48.000]  This is nearly zero
[07:48.000 --> 07:50.000]  You know what we are doing
[07:50.000 --> 07:52.000]  Yeah i mean
[07:52.000 --> 07:54.000]  We also in this research
[07:54.000 --> 07:56.000]  Consider TOSCA to be iac
[07:56.000 --> 07:58.000]  Okay
[07:58.000 --> 08:00.000]  But then it's 12
[08:00.000 --> 08:02.000]  Okay
[08:02.000 --> 08:04.000]  Okay so
[08:04.000 --> 08:06.000]  How large is the company you currently
[08:06.000 --> 08:08.000]  Work for?
[08:08.000 --> 08:10.000]  D
[08:10.000 --> 08:12.000]  Okay
[08:12.000 --> 08:14.000]  Glad it's not A and E
[08:14.000 --> 08:16.000]  We only had A and E's
[08:16.000 --> 08:18.000]  The chart was looking weird
[08:18.000 --> 08:20.000]  You did not interview anyone
[08:20.000 --> 08:22.000]  From [redacted]
[08:22.000 --> 08:24.000]  No
[08:24.000 --> 08:26.000]  They said they are [redacted]
[08:26.000 --> 08:30.000]  Or maybe my Wikipedia
[08:30.000 --> 08:32.000]  Look up is wrong
[08:32.000 --> 08:34.000]  Maybe i don't know
[08:34.000 --> 08:36.000]  I'm trusting the answers
[08:36.000 --> 08:38.000]  Yeah sure
[08:38.000 --> 08:40.000]  Okay
[08:40.000 --> 08:42.000]  And now for the real questions
[08:42.000 --> 08:44.000]  So for any of these questions
[08:44.000 --> 08:46.000]  Feel free to clarify
[08:46.000 --> 08:48.000]  And feel free to answer
[08:48.000 --> 08:50.000]  Beyond beyond the question
[08:50.000 --> 08:54.000]  Mm-hmm
[08:54.000 --> 08:56.000]  So how do you check
[08:56.000 --> 08:58.000]  The compliance of software
[08:58.000 --> 09:00.000]  Applications in your company
[09:00.000 --> 09:06.000]  Of course as far as you know
[09:06.000 --> 09:08.000]  Yeah i can only verify
[09:08.000 --> 09:12.000]  You're not familiar with the
[09:12.000 --> 09:14.000]  With the whole process
[09:14.000 --> 09:16.000]  But according to your knowledge
[09:16.000 --> 09:20.000]  Yeah sure i'm thinking
[09:20.000 --> 09:24.000]  What did i hear about
[09:24.000 --> 09:26.000]  About the things
[09:26.000 --> 09:28.000]  Anything i don't know
[09:28.000 --> 09:30.000]  I don't know
[09:30.000 --> 09:32.000]  I could do wild guessing
[09:32.000 --> 09:34.000]  But i don't know
[09:34.000 --> 09:36.000]  Yeah i mean okay
[09:36.000 --> 09:38.000]  Well you can guess
[09:38.000 --> 09:40.000]  I have it
[09:43.040 --> 09:45.040]  So compliance
[09:45.040 --> 09:47.040]  Refers to both like external
[09:47.040 --> 09:49.040]  Regulations but also internal
[09:49.040 --> 09:51.040]  Yeah i know
[09:51.040 --> 09:53.040]  The thing is i'm in a
[09:53.040 --> 09:55.040]  Research department
[09:55.040 --> 09:57.040]  And not in the production
[09:57.040 --> 09:59.040]  Things and we have got four
[09:59.040 --> 10:01.040]  Production things going from
[10:01.040 --> 10:03.040]  Network infrastructure to
[10:03.040 --> 10:05.040]  Some other things and so on
[10:05.040 --> 10:07.040]  They have something in place
[10:07.040 --> 10:09.040]  For sure but i don't know what
[10:09.040 --> 10:11.040]  They are doing
[10:11.040 --> 10:13.040]  So do they focus on
[10:13.040 --> 10:15.040]  Or not focus
[10:15.040 --> 10:17.040]  But does their checks
[10:17.040 --> 10:19.040]  Include infrastructure
[10:19.040 --> 10:21.040]  Compliance as well
[10:21.040 --> 10:23.040]  So infrastructure would
[10:23.040 --> 10:25.040]  Would be something like
[10:25.040 --> 10:27.040]  Some properties of the operating
[10:27.040 --> 10:29.040]  System for example
[10:29.040 --> 10:31.040]  It's not the software itself
[10:31.040 --> 10:33.040]  But
[10:33.040 --> 10:35.040]  Yeah
[10:35.040 --> 10:37.040]  Since they
[10:37.040 --> 10:39.040]  They provide
[10:39.040 --> 10:41.040]  Edge cloud as a service
[10:41.040 --> 10:43.040]  Meaning that they sell
[10:43.040 --> 10:45.040]  Edge cloud boxes
[10:45.040 --> 10:47.040]  Complete appliance
[10:47.040 --> 10:49.040]  On the factory for example
[10:49.040 --> 10:51.040]  In the [redacted]
[10:51.040 --> 10:53.040]  [redacted]
[10:53.040 --> 10:55.040]  [redacted]
[10:55.040 --> 10:57.040]  Point is from [redacted]
[10:57.040 --> 10:59.040]  And this is the black box
[10:59.040 --> 11:01.040]  So i would bet that they
[11:01.040 --> 11:03.040]  Are the services on the infrastructure
[11:03.040 --> 11:05.040]  And they really check
[11:05.040 --> 11:07.040]  Okay so it's like
[11:07.040 --> 11:09.040]  Also physical infrastructure
[11:09.040 --> 11:11.040]  Not only like virtualized
[11:11.040 --> 11:13.040]  Infrastructure
[11:13.040 --> 11:15.040]  This is because we sell from
[11:15.040 --> 11:17.040]  To as like
[11:17.040 --> 11:19.040]  From bare
[11:19.040 --> 11:21.040]  Enriched bare metal
[11:21.040 --> 11:23.040]  To
[11:23.040 --> 11:25.040]  To some cloud services
[11:25.040 --> 11:27.040]  Where you can buy
[11:27.040 --> 11:29.040]  An analytics
[11:29.040 --> 11:31.040]  For your industrial
[11:31.040 --> 11:35.040]  Application
[11:35.040 --> 11:37.040]  Okay
[11:37.040 --> 11:39.040]  Okay so
[11:39.040 --> 11:41.040]  Yeah
[11:41.040 --> 11:43.040]  I guess you
[11:43.040 --> 11:45.040]  Will need to
[11:45.040 --> 11:47.040]  Kind of assess
[11:47.040 --> 11:49.040]  The answer
[11:49.040 --> 11:51.040]  Based on
[11:51.040 --> 11:53.040]  How you expect the
[11:53.040 --> 11:55.040]  Access
[11:55.040 --> 11:57.040]  So for seven maybe
[11:57.040 --> 11:59.040]  Also
[11:59.040 --> 12:01.040]  Don't know
[12:01.040 --> 12:03.040]  So do you use well-defined models
[12:03.040 --> 12:05.040]  For compliance rules
[12:05.040 --> 12:07.040]  In the company
[12:07.040 --> 12:09.040]  I
[12:09.040 --> 12:11.040]  You know i
[12:11.040 --> 12:13.040]  Haven't seen any
[12:13.040 --> 12:15.040]  And i would guess
[12:15.040 --> 12:17.040]  No i would guess
[12:17.040 --> 12:19.040]  These are just simple scripts
[12:19.040 --> 12:21.040]  Or simple python things
[12:21.040 --> 12:23.040]  And like a
[12:23.040 --> 12:25.040]  See i pipeline
[12:25.040 --> 12:27.040]  I would assume it happens in
[12:27.040 --> 12:29.040]  Some ci checks
[12:29.040 --> 12:31.040]  Yeah but that's
[12:31.040 --> 12:33.040]  Also some sort of automation
[12:33.040 --> 12:35.040]  Yeah so for the
[12:35.040 --> 12:37.040]  Guys we talked with so far
[12:37.040 --> 12:39.040]  Their compliance
[12:39.040 --> 12:41.040]  Rules are not modelled
[12:41.040 --> 12:43.040]  They are just like files
[12:43.040 --> 12:45.040]  In the best case
[12:45.040 --> 12:47.040]  Some excel files
[12:47.040 --> 12:49.040]  With like lists of
[12:49.040 --> 12:51.040]  They need to remember to check
[12:51.040 --> 12:53.040]  So that's the model
[12:53.040 --> 12:55.040]  It's just text
[12:55.040 --> 12:57.040]  a line in an excel sheet
[12:57.040 --> 12:59.040]  Yeah i would
[12:59.040 --> 13:01.040]  I would bet it's more like
[13:01.040 --> 13:03.040]  This really
[13:03.040 --> 13:05.040]  Scripts because we've got
[13:05.040 --> 13:07.040]  Dozens of security experts
[13:07.040 --> 13:09.040]  And also then
[13:09.040 --> 13:11.040]  Putting focus on automation
[13:11.040 --> 13:13.040]  We even have a security expert
[13:13.040 --> 13:15.040]  In new research
[13:15.040 --> 13:17.040]  So that each research is
[13:17.040 --> 13:19.040]  Below some rules there
[13:19.040 --> 13:27.040]  And when maybe maybe i can look
[13:27.040 --> 13:29.040]  Something up
[13:29.040 --> 13:33.040]  And then it's about
[13:33.040 --> 13:37.040]  It's about security
[13:37.040 --> 13:45.040]  Yeah
[13:46.040 --> 13:48.040]  Yeah but more i don't know
[13:48.040 --> 13:49.040]  Because the checklist
[13:49.040 --> 13:51.040]  I just opened was just a
[13:51.040 --> 13:53.040]  Simple checklist
[13:53.040 --> 13:55.040]  Okay
[13:55.040 --> 13:57.040]  Okay so
[13:57.040 --> 13:59.040]  I won't wait but this is
[13:59.040 --> 14:01.040]  This is the answer
[14:01.040 --> 14:03.040]  So the one script and second
[14:03.040 --> 14:05.040]  This is excel sheet
[14:05.040 --> 14:07.040]  Okay
[14:07.040 --> 14:11.040]  There is a
[14:11.040 --> 14:13.040]  Jira ticketing system
[14:13.040 --> 14:15.040]  Where
[14:15.040 --> 14:19.040]  The checks of the system are
[14:19.040 --> 14:21.040]  Inside here
[14:21.040 --> 14:23.040]  And then if you work in a new
[14:23.040 --> 14:25.040]  System you just copy the
[14:25.040 --> 14:27.040]  Jira tickets and then you have to
[14:27.040 --> 14:29.040]  Check that
[14:29.040 --> 14:31.040]  At the end all tickets are resolved
[14:31.040 --> 14:33.040]  And you know that you have
[14:33.040 --> 14:35.040]  Done each of them
[14:35.040 --> 14:37.040]  But build plain text
[14:37.040 --> 14:39.040]  In that case
[14:39.040 --> 14:41.040]  Yeah okay
[14:41.040 --> 14:43.040]  So it's like
[14:43.040 --> 14:45.040]  There's a tool to assist you
[14:45.040 --> 14:47.040]  To kind of
[14:47.040 --> 14:49.040]  Remember the checks but
[14:49.040 --> 14:51.040]  Actually they are still
[14:51.040 --> 14:53.040]  They need to be understood by you
[14:53.040 --> 14:55.040]  Like you need to read them
[14:55.040 --> 14:57.040]  I don't know the thing about it
[14:57.040 --> 14:59.040]  But it's so superficial
[14:59.040 --> 15:01.040]  That the things
[15:01.040 --> 15:03.040]  Like they're not that
[15:03.040 --> 15:05.040]  Concrete
[15:05.040 --> 15:07.040]  But we have to really
[15:07.040 --> 15:09.040]  Was not a department like
[15:09.040 --> 15:11.040]  Network infrastructure was like
[15:11.040 --> 15:13.040]  Not a department so it ranges from
[15:13.040 --> 15:15.040]  Department to department
[15:15.040 --> 15:17.040]  Yeah I think it's
[15:17.040 --> 15:19.040]  It's also one thing
[15:19.040 --> 15:21.040]  We advocate
[15:21.040 --> 15:23.040]  In our tool like
[15:23.040 --> 15:27.040]  If you have centralized repositories
[15:27.040 --> 15:29.040]  For compliance rules and plugins
[15:29.040 --> 15:31.040]  Then you have one tool
[15:31.040 --> 15:35.040]  That many departments can use
[15:35.040 --> 15:37.040]  If we are facing like a large
[15:37.040 --> 15:39.040]  Enterprise
[15:39.040 --> 15:41.040]  Okay so in the following
[15:41.040 --> 15:43.040]  When I say complexity
[15:43.040 --> 15:45.040]  This means that yeah you need
[15:45.040 --> 15:47.040]  Someone with experience or
[15:47.040 --> 15:49.040]  Yeah
[15:49.040 --> 15:51.040]  An expert to do something
[15:51.040 --> 15:53.040]  This is like if something
[15:53.040 --> 15:55.040]  Is complex that's what I mean
[15:55.040 --> 15:57.040]  It needs someone with experience to do it
[15:57.040 --> 15:59.040]  If I say effort
[15:59.040 --> 16:01.040]  I mean
[16:01.040 --> 16:03.040]  It needs time regardless
[16:03.040 --> 16:05.040]  Of the degree of experience
[16:05.040 --> 16:07.040]  Okay
[16:07.040 --> 16:09.040]  So do you think having a
[16:09.040 --> 16:11.040]  Well-defined and machine-readable
[16:11.040 --> 16:13.040]  Format for compliance rules
[16:13.040 --> 16:15.040]  Reduces the complexity
[16:15.040 --> 16:17.040]  Associated with checking them
[16:17.040 --> 16:19.040]  Yes
[16:19.040 --> 16:21.040]  Sure
[16:21.040 --> 16:23.040]  Okay
[16:23.040 --> 16:25.040]  Also about
[16:25.040 --> 16:27.040]  Having machine-readable
[16:27.040 --> 16:29.040]  And well-defined compliance rules
[16:29.040 --> 16:31.040]  Do you think having such things
[16:31.040 --> 16:33.040]  Could reduce the uncertainty
[16:33.040 --> 16:35.040]  Associated with interpreting them
[16:35.040 --> 16:37.040]  So the guy
[16:37.040 --> 16:39.040]  That needs to
[16:39.040 --> 16:41.040]  Like actually perform the compliance checks
[16:41.040 --> 16:43.040]  He or she needs to
[16:43.040 --> 16:45.040]  Understand the rules
[16:45.040 --> 16:47.040]  So
[16:47.040 --> 16:49.040]  There might be some uncertainty
[16:49.040 --> 16:51.040]  In interpreting the rules
[16:51.040 --> 16:53.040]  Yeah yeah I would say partially
[16:53.040 --> 16:55.040]  How do I know that
[16:55.040 --> 16:57.040]  The script written there is correct
[16:57.040 --> 16:59.040]  So how do I
[16:59.040 --> 17:01.040]  Check the compliance rules for quality
[17:01.040 --> 17:03.040]  Quality meaning
[17:03.040 --> 17:05.040]  Also meaning being correct
[17:05.040 --> 17:07.040]  With respect
[17:07.040 --> 17:09.040]  To the
[17:09.040 --> 17:11.040]  We requirement
[17:11.040 --> 17:15.040]  If you are kind of unsure
[17:15.040 --> 17:19.040]  You might like question the compliance rule itself
[17:19.040 --> 17:21.040]  Yeah I did the spell out from
[17:21.040 --> 17:23.040]  Because I would say if you say
[17:23.040 --> 17:25.040]  The check
[17:25.040 --> 17:27.040]  Or
[17:27.040 --> 17:31.040]  Leave now
[17:31.040 --> 17:33.040]  Partly is a good
[17:33.040 --> 17:35.040]  Occased thing because
[17:35.040 --> 17:37.040]  The thing will fail if the user
[17:37.040 --> 17:39.040]  The standard user name is changed
[17:39.040 --> 17:41.040]  Because I would assume there is a compliance rule
[17:41.040 --> 17:43.040]  Not having "ubuntu" as logged-in user
[17:43.040 --> 17:45.040]  The username should be generated
[17:45.040 --> 17:47.040]  So that there is nothing happening
[17:47.040 --> 17:49.040]  Or even SHA
[17:49.040 --> 17:51.040]  Only login is there
[17:51.040 --> 17:53.040]  But then the rule
[17:53.040 --> 17:55.040]  Would fail
[17:55.040 --> 17:57.040]  The execution
[17:57.040 --> 17:59.040]  That would be okay
[17:59.040 --> 18:01.040]  But I am thinking
[18:01.040 --> 18:03.040]  Ah
[18:03.040 --> 18:05.040]  But can it be with
[18:05.040 --> 18:07.040]  Your MySQL example
[18:07.040 --> 18:09.040]  That the MySQL system is
[18:09.040 --> 18:11.040]  Configured
[18:11.040 --> 18:13.040]  Strangely so that the rule says
[18:13.040 --> 18:15.040]  Everything is okay but this is
[18:15.040 --> 18:17.040]  Maybe some other MySQL instance
[18:17.040 --> 18:19.040]  Maybe if the machine is
[18:19.040 --> 18:21.040]  Two databases running in different ports
[18:21.040 --> 18:23.040]  The same machine because
[18:23.040 --> 18:25.040]  There is something
[18:25.040 --> 18:27.040]  And they say I host a version 1
[18:27.040 --> 18:29.040]  And the user port
[18:29.040 --> 18:31.040]  And the different port and the compliance rule
[18:31.040 --> 18:33.040]  Comes in and checks version 1 only
[18:33.040 --> 18:35.040]  And does not check
[18:35.040 --> 18:37.040]  That system is out of my preconditions correct
[18:37.040 --> 18:39.040]  That is only one instance of my sql
[18:39.040 --> 18:41.040]  On the same machine or something
[18:41.040 --> 18:43.040]  I was like
[18:43.040 --> 18:45.040]  Can I be certain that
[18:45.040 --> 18:47.040]  Checking
[18:47.040 --> 18:49.040]  That is everything
[18:49.040 --> 18:51.040]  Yeah, so when you have machine readable rules
[18:51.040 --> 18:53.040]  You are a bit more technical
[18:53.040 --> 18:55.040]  So true
[18:55.040 --> 18:57.040]  The rule itself might include
[18:57.040 --> 18:59.040]  Two detailed things like a specific port
[18:59.040 --> 19:01.040]  And then if the rule is
[19:01.040 --> 19:03.040]  That detailed
[19:03.040 --> 19:05.040]  Yes, and you have some customized
[19:05.040 --> 19:07.040]  System
[19:07.040 --> 19:09.040]  Yeah, you might miss things
[19:09.040 --> 19:11.040]  And then you say as a checker
[19:11.040 --> 19:13.040]  You are not certain that this is
[19:13.040 --> 19:15.040]  Really checking enough
[19:15.040 --> 19:17.040]  But it is better than nothing
[19:17.040 --> 19:19.040]  Therefore I say partially
[19:19.040 --> 19:21.040]  But this is
[19:21.040 --> 19:23.040]  I can maybe also trust the automatic
[19:23.040 --> 19:25.040]  The car was more than a manual assessment
[19:25.040 --> 19:29.040]  But I can't be sure that I hit 100%
[19:29.040 --> 19:33.040]  Yeah, fair answer
[19:33.040 --> 19:35.040]  Okay
[19:35.040 --> 19:37.040]  Yeah, if you know, how often
[19:37.040 --> 19:39.040]  Do you have to deal with new compliance rules?
[19:39.040 --> 19:49.040]  As I, for me personally
[19:49.040 --> 19:53.040]  Let me think
[19:53.040 --> 19:55.040]  Let me think
[20:03.040 --> 20:05.040]  Ah
[20:11.040 --> 20:13.040]  I don't know
[20:13.040 --> 20:15.040]  What
[20:15.040 --> 20:21.040]  Let's keep, I don't know
[20:21.040 --> 20:23.040]  Okay
[20:23.040 --> 20:25.040]  Yeah, because we can all
[20:25.040 --> 20:27.040]  Got a bunch of rules
[20:27.040 --> 20:29.040]  Which you copy and paste
[20:29.040 --> 20:31.040]  And then rephrased
[20:31.040 --> 20:33.040]  But
[20:33.040 --> 20:35.040]  At all tell you okay
[20:35.040 --> 20:37.040]  We need to update these rules
[20:37.040 --> 20:39.040]  Like add something to them
[20:39.040 --> 20:43.040]  Yeah, we
[20:43.040 --> 20:45.040]  We now had a team in terms of
[20:45.040 --> 20:47.040]  Discussions evaluating all the rules
[20:47.040 --> 20:49.040]  So it was more like the ones in the
[20:50.040 --> 20:52.040]  And we are just in the beginning
[20:52.040 --> 20:54.040]  Of the process defining the rule
[20:54.040 --> 20:55.040]  Okay, yeah
[20:55.040 --> 20:57.040]  Oh, this is not
[20:57.040 --> 20:59.040]  It's just in flux somehow
[20:59.040 --> 21:01.040]  I can't say each week there's something
[21:01.040 --> 21:03.040]  Or each year because both answers
[21:03.040 --> 21:05.040]  Would be wrong in two months
[21:05.040 --> 21:07.040]  Yeah
[21:07.040 --> 21:09.040]  Yeah, you need like to
[21:09.040 --> 21:11.040]  Be doing that for a long time to
[21:11.040 --> 21:13.040]  Estimate how often, right?
[21:13.040 --> 21:15.040]  Yeah, that's fair
[21:15.040 --> 21:17.040]  Okay, so now
[21:17.040 --> 21:19.040]  We have similar questions, but we try to get
[21:19.040 --> 21:21.040]  Some numerical estimation
[21:21.040 --> 21:23.040]  Yeah
[21:23.040 --> 21:25.040]  So I'll say sentences
[21:25.040 --> 21:27.040]  And you tell me how much you agree
[21:27.040 --> 21:29.040]  With them, so five means, totally
[21:29.040 --> 21:31.040]  Agree
[21:31.040 --> 21:33.040]  Using the framework, IACMF
[21:33.040 --> 21:35.040]  Reduces the effort associated
[21:35.040 --> 21:37.040]  With defining and
[21:37.040 --> 21:39.040]  Checking compliance rules
[21:39.040 --> 21:41.040]  Defining
[21:41.040 --> 21:43.040]  Yeah, these are two things
[21:43.040 --> 21:45.040]  Effort means a lot of time
[21:45.040 --> 21:47.040]  For defining
[21:47.040 --> 21:49.040]  And for actually checking the rules
[21:49.040 --> 21:51.040]  You can answer like separately
[21:51.040 --> 21:53.040]  If you want
[21:55.040 --> 21:57.040]  Okay, yeah, but
[21:57.040 --> 21:59.040]  This for defining is
[21:59.040 --> 22:01.040]  It's
[22:01.040 --> 22:03.040]  I
[22:03.040 --> 22:05.040]  I
[22:05.040 --> 22:07.040]  I did depending on the quality measure
[22:07.040 --> 22:09.040]  Or what the company has for the
[22:09.040 --> 22:11.040]  For compliance rules because sometimes it's like
[22:11.040 --> 22:13.040]  Like you had
[22:13.040 --> 22:15.040]  On your video at the beginning
[22:15.040 --> 22:17.040]  There are some text being there
[22:17.040 --> 22:19.040]  Which is then, say, and defining
[22:19.040 --> 22:21.040]  Could be in a novel workflow
[22:21.040 --> 22:23.040]  Use that rule, end of story
[22:23.040 --> 22:25.040]  And this is a very easy thing, and if I now
[22:25.040 --> 22:27.040]  Use IACMF, then
[22:27.040 --> 22:29.040]  It's like
[22:29.040 --> 22:31.040]  Effort without end
[22:31.040 --> 22:33.040]  I really think how does framework
[22:33.040 --> 22:35.040]  And if I do it and then really need to do
[22:35.040 --> 22:37.040]  How
[22:37.040 --> 22:39.040]  Can I do my application structure so
[22:39.040 --> 22:41.040]  I would disagree
[22:41.040 --> 22:43.040]  There
[22:43.040 --> 22:45.040]  For checking for sure
[22:45.040 --> 22:47.040]  The
[22:47.040 --> 22:49.040]  Automation
[22:49.040 --> 22:51.040]  Is great and also
[22:51.040 --> 22:53.040]  The topology reading because if I spend
[22:53.040 --> 22:55.040]  Effort in the thing and I've got
[22:55.040 --> 22:57.040]  Hundreds of applications
[22:57.040 --> 22:59.040]  As a security engine
[22:59.040 --> 23:01.040]  Maybe security officer
[23:01.040 --> 23:03.040]  Or whatever
[23:03.040 --> 23:05.040]  When my developers do hundreds of applications
[23:05.040 --> 23:07.040]  And I've got a
[23:07.040 --> 23:09.040]  Nice overview, okay, in that area
[23:09.040 --> 23:11.040]  There are more red flags
[23:11.040 --> 23:13.040]  Like the same approach
[23:13.040 --> 23:15.040]  Like one uses
[23:15.040 --> 23:17.040]  Source codes
[23:17.040 --> 23:19.040]  Quality checks
[23:19.040 --> 23:21.040]  With SonarQube or
[23:21.040 --> 23:23.040]  (?) and friends and they also say
[23:23.040 --> 23:25.040]  Okay, this is a red area here
[23:25.040 --> 23:27.040]  And there's something
[23:27.040 --> 23:29.040]  Something wrong
[23:29.040 --> 23:31.040]  You can then drill into
[23:31.040 --> 23:33.040]  Automation helps
[23:33.040 --> 23:35.040]  So I would put up four
[23:35.040 --> 23:37.040]  Okay
[23:37.040 --> 23:39.040]  And now the same thing for complexity
[23:39.040 --> 23:41.040]  So do you think using the framework
[23:41.040 --> 23:43.040]  Reduces the complexity associated
[23:43.040 --> 23:45.040]  With defining and checking compliance rules
[23:45.040 --> 23:47.040]  So do you need
[23:47.040 --> 23:49.040]  Does this reduce the need for
[23:49.040 --> 23:51.040]  An expert?
[23:51.040 --> 23:53.040]  For defining and for checking
[23:53.040 --> 23:55.040]  Ah, whoa, whoa, whoa
[23:55.040 --> 23:57.040]  I didn't (?) expert
[23:57.040 --> 23:59.040]  You need different
[23:59.040 --> 24:01.040]  Experts because learning this graphical thing
[24:01.040 --> 24:03.040]  And trust, trusting
[24:03.040 --> 24:05.040]  Is
[24:05.040 --> 24:07.040]  Also a thing
[24:07.040 --> 24:09.040]  How much do you agree with
[24:09.040 --> 24:11.040]  The complexity of defining and checking
[24:11.040 --> 24:13.040]  You know, in an ideal world
[24:13.040 --> 24:15.040]  One writes Python scripts or Bash scripts
[24:15.040 --> 24:17.040]  And then fires them them up
[24:17.040 --> 24:19.040]  And it has a self-made pipeline
[24:19.040 --> 24:21.040]  Maybe with some output
[24:21.040 --> 24:23.040]  And everything works
[24:23.040 --> 24:25.040]  And then defining
[24:25.040 --> 24:27.040]  The guys code in their Python language
[24:27.040 --> 24:29.040]  and their weird thing
[24:29.040 --> 24:33.040]  And put in favorite frameworks
[24:33.040 --> 24:37.040]  What is still possible with
[24:37.040 --> 24:39.040]  Your framework
[24:39.040 --> 24:41.040]  Because I can stick in arbitrary
[24:41.040 --> 24:43.040]  Bash scripts and kind of stick in arbitrary things
[24:43.040 --> 24:45.040]  And I've got some
[24:45.040 --> 24:47.040]  Structuring on my rules
[24:47.040 --> 24:49.040]  Because this strengthens the structures
[24:49.040 --> 24:51.040]  And guides, and so I've got
[24:51.040 --> 24:53.040]  Not some wild west growing
[24:53.040 --> 24:55.040]  But the framework gives a structure
[24:55.040 --> 24:57.040]  Which reduces complexity
[24:57.040 --> 24:59.040]  Okay, and
[24:59.040 --> 25:03.040]  I'm deciding between three and four
[25:03.040 --> 25:05.040]  So
[25:05.040 --> 25:09.040]  I gave it
[25:09.040 --> 25:11.040]  I gave it a three
[25:11.040 --> 25:13.040]  Okay
[25:13.040 --> 25:15.040]  And now
[25:15.040 --> 25:17.040]  I hope it doesn't destroy your paper
[25:17.040 --> 25:19.040]  I don't know
[25:19.040 --> 25:23.040]  What helps is not to get the same answer from everyone
[25:23.040 --> 25:25.040]  It sounds like made up
[25:25.040 --> 25:27.040]  So that's good
[25:27.040 --> 25:29.040]  Okay
[25:31.040 --> 25:33.040]  Okay, so
[25:33.040 --> 25:35.040]  And now about uncertainty
[25:35.040 --> 25:37.040]  So using
[25:37.040 --> 25:39.040]  Well-defined models
[25:39.040 --> 25:41.040]  Of compliance rules
[25:41.040 --> 25:43.040]  Reduces the uncertainty associated
[25:43.040 --> 25:45.040]  With interpreting them
[25:45.040 --> 25:47.040]  You answered that before but now
[25:47.040 --> 25:49.040]  Like a numerical estimation
[25:49.040 --> 25:51.040]  How much do you think
[25:51.040 --> 25:53.040]  you said partially
[25:53.040 --> 25:55.040]  Yeah
[25:55.040 --> 25:57.040]  But the questions are a bit different
[25:57.040 --> 25:59.040]  Here
[25:59.040 --> 26:01.040]  Now we can discuss what means
[26:01.040 --> 26:03.040]  Well-defined
[26:03.040 --> 26:05.040]  As well-defined also include
[26:05.040 --> 26:09.040]  That they had quality checks running
[26:09.040 --> 26:11.040]  And there's some rating on the rules
[26:11.040 --> 26:13.040]  And some discussions
[26:13.040 --> 26:15.040]  So I know these rules are in place
[26:15.040 --> 26:17.040]  At 500 checks and all of
[26:17.040 --> 26:19.040]  The guys
[26:19.040 --> 26:21.040]  Applying them are satisfied with that
[26:21.040 --> 26:23.040]  Or is it just like a repo
[26:23.040 --> 26:25.040]  And I don't know what happens with the rules
[26:25.040 --> 26:27.040]  And if well-defined
[26:27.040 --> 26:29.040]  Is only syntactically well-defined
[26:29.040 --> 26:31.040]  Without any
[26:31.040 --> 26:33.040]  Quality check around
[26:33.040 --> 26:35.040]  Then it's like
[26:35.040 --> 26:37.040]  Three or four
[26:37.040 --> 26:39.040]  So you say what's important
[26:39.040 --> 26:41.040]  Is not only
[26:41.040 --> 26:43.040]  That the rule is well-defined
[26:43.040 --> 26:45.040]  But also how you come up with the rule
[26:45.040 --> 26:47.040]  The process
[26:47.040 --> 26:49.040]  And then also the feedback
[26:49.040 --> 26:51.040]  Like the guy can
[26:51.040 --> 26:55.040]  Improve the rule somehow
[26:55.040 --> 26:57.040]  That's really
[26:57.040 --> 26:59.040]  Nice feedback for us
[26:59.040 --> 27:01.040]  We will certainly report this
[27:01.040 --> 27:03.040]  In the paper
[27:03.040 --> 27:05.040]  And then let's give a three
[27:05.040 --> 27:07.040]  Just be honest
[27:07.040 --> 27:09.040]  Partially is three
[27:09.040 --> 27:11.040]  Okay
[27:13.040 --> 27:15.040]  But yeah
[27:15.040 --> 27:17.040]  Now
[27:17.040 --> 27:19.040]  How do you
[27:19.040 --> 27:21.040]  Reconstruct the architecture of application instances that 
[27:21.040 --> 27:23.040]  you need to understand?
[27:23.040 --> 27:25.040]  Yeah, so
[27:25.040 --> 27:27.040]  This is like imaginary scenario
[27:27.040 --> 27:29.040]  Like imagine you have some
[27:29.040 --> 27:31.040]  Running application which is defined
[27:31.040 --> 27:33.040]  Using some IaC script
[27:33.040 --> 27:35.040]  Also this could be like
[27:35.040 --> 27:37.040]  TOSCA
[27:37.040 --> 27:39.040]  And you want to understand
[27:39.040 --> 27:41.040]  This application
[27:41.040 --> 27:43.040]  The structure, the architecture
[27:43.040 --> 27:45.040]  Of this application
[27:45.040 --> 27:47.040]  What would you do to do that?
[27:47.040 --> 27:49.040]  Yeah
[27:49.040 --> 27:51.040]  Pen and paper
[27:51.040 --> 27:53.040]  And some manual
[27:53.040 --> 27:55.040]  Investigation
[27:55.040 --> 27:57.040]  And calling to colleagues
[27:57.040 --> 27:59.040]  Okay, so
[27:59.040 --> 28:01.040]  Apart from calling to colleagues
[28:01.040 --> 28:05.040]  How would you do that manually?
[28:05.040 --> 28:07.040]  It depends on the thing
[28:07.040 --> 28:09.040]  I'm just having this scenario in mind
[28:09.040 --> 28:11.040]  That I've got an arbitrary
[28:11.040 --> 28:13.040]  Application found in our company
[28:13.040 --> 28:15.040]  And I need to work with it
[28:15.040 --> 28:17.040]  I did not set it up myself
[28:17.040 --> 28:19.040]  So I don't
[28:19.040 --> 28:21.040]  So I just have here
[28:21.040 --> 28:23.040]  A backstage could be an example
[28:23.040 --> 28:25.040]  Like Spotify Backstage
[28:25.040 --> 28:27.040]  instance running
[28:27.040 --> 28:29.040]  And now I want to know
[28:29.040 --> 28:31.040]  What is the database and so on
[28:31.040 --> 28:33.040]  And now I need to know
[28:33.040 --> 28:35.040]  What is the database and so on
[28:35.040 --> 28:37.040]  And now I need to go
[28:37.040 --> 28:39.040]  And it's like
[28:39.040 --> 28:41.040]  Checking
[28:41.040 --> 28:43.040]  Manual checking of the CI scripts
[28:43.040 --> 28:45.040]  Manual checking
[28:45.040 --> 28:49.040]  Of the running instance
[28:49.040 --> 28:51.040]  If I get the SSH key
[28:51.040 --> 28:53.040]  To go there and so on
[28:53.040 --> 28:55.040]  Yeah, okay
[28:55.040 --> 28:57.040]  That's what I expected
[28:57.040 --> 28:59.040]  This also happened
[28:59.040 --> 29:01.040]  For me last time in the last
[29:01.040 --> 29:03.040]  That was learning
[29:03.040 --> 29:05.040]  GitLab CI scripts there
[29:05.040 --> 29:07.040]  And it was horrible
[29:07.040 --> 29:09.040]  To understand the whole thing
[29:09.040 --> 29:11.040]  So would you use any
[29:11.040 --> 29:13.040]  Automated or semi-automated tools
[29:13.040 --> 29:15.040]  To assist you doing this?
[29:15.040 --> 29:17.040]  As I don't
[29:17.040 --> 29:19.040]  Use any because I'm not
[29:19.040 --> 29:21.040]  A rare
[29:21.040 --> 29:23.040]  Because I think the effort of running
[29:23.040 --> 29:25.040]  Finding and running those tools
[29:25.040 --> 29:27.040]  Is not worth it but
[29:27.040 --> 29:29.040]  But I would try if you say
[29:29.040 --> 29:31.040]  Here is my thing
[29:31.040 --> 29:33.040]  To Crawl, like Tobias Binz's crawler in a new version
[29:33.040 --> 29:35.040]  Sure
[29:35.040 --> 29:37.040]  But I don't currently
[29:37.040 --> 29:39.040]  Okay, so that's actually
[29:39.040 --> 29:41.040]  What the framework does
[29:41.040 --> 29:43.040]  So we use an approach
[29:43.040 --> 29:45.040]  From Lukas Harzenetter
[29:45.040 --> 29:47.040]  Which is already a new version
[29:47.040 --> 29:49.040]  From Tobias Binz's
[29:49.040 --> 29:51.040]  Crawler
[29:51.040 --> 29:53.040]  So
[29:53.040 --> 29:55.040]  Do you think that using this approach
[29:55.040 --> 29:57.040]  Which is part now
[29:57.040 --> 29:59.040]  Of the framework, does this reduce
[29:59.040 --> 30:01.040]  The effort associated with
[30:01.040 --> 30:03.040]  Reconstructing the architecture?
[30:03.040 --> 30:05.040]  You can assume that
[30:05.040 --> 30:07.040]  You already have the plugins
[30:07.040 --> 30:09.040]  Or that you don't have the plugins
[30:09.040 --> 30:11.040]  You can answer in both cases
[30:11.040 --> 30:13.040]  So if you don't have the plugins
[30:13.040 --> 30:15.040]  This means you or someone
[30:15.040 --> 30:17.040]  Else in the company needs to
[30:17.040 --> 30:19.040]  Like implement them
[30:21.040 --> 30:23.040]  Yeah, what did I see you?
[30:23.040 --> 30:25.040]  You got the manual thing, the
[30:25.040 --> 30:27.040]  OpenTOSCA and some Kubernetes thing
[30:27.040 --> 30:29.040]  Yeah, so far
[30:29.040 --> 30:31.040]  Three that can
[30:31.040 --> 30:33.040]  Create an initial
[30:33.040 --> 30:35.040]  Model
[30:35.040 --> 30:37.040]  And three that can
[30:37.040 --> 30:39.040]  Refine the model
[30:39.040 --> 30:41.040]  If you already have an initial model
[30:41.040 --> 30:43.040]  You can also get extra information
[30:43.040 --> 30:45.040]  About certain nodes
[30:45.040 --> 30:47.040]  Using these refinement steps
[30:47.040 --> 30:49.040]  So we have three that can create
[30:49.040 --> 30:51.040]  The whole model and three that can
[30:51.040 --> 30:53.040]  Refine individual components
[30:53.040 --> 30:55.040]  Yeah, that's
[30:55.040 --> 30:57.040]  Probably not enough
[30:57.040 --> 30:59.040]  In the current state
[30:59.040 --> 31:01.040]  Maybe one needs to
[31:01.040 --> 31:03.040]  Code some more plugins
[31:03.040 --> 31:05.040]  But even though the question is
[31:05.040 --> 31:07.040]  Reducing, so having nothing
[31:07.040 --> 31:09.040]  Compared to having something
[31:09.040 --> 31:13.040]  It reduces the effort
[31:13.040 --> 31:15.040]  However
[31:15.040 --> 31:19.040]  The architecture of running
[31:19.040 --> 31:21.040]  Application instances
[31:23.040 --> 31:25.040]  So the now I need
[31:25.040 --> 31:27.040]  Need to be nitpicky
[31:27.040 --> 31:29.040]  What does application instances mean?
[31:29.040 --> 31:31.040]  Is it one million instances
[31:31.040 --> 31:33.040]  And on that rate
[31:33.040 --> 31:35.040]  And then it's totally agree
[31:35.040 --> 31:37.040]  But if it's more realistic
[31:37.040 --> 31:39.040]  Let's imagine your company
[31:39.040 --> 31:41.040]  Yeah, like the whole company
[31:41.040 --> 31:43.040]  Yeah, then it
[31:43.040 --> 31:45.040]  Then it's
[31:45.040 --> 31:47.040]  Then wait wait
[31:47.040 --> 31:49.040]  It reduces the effort
[31:49.040 --> 31:53.040]  So then
[31:53.040 --> 31:55.040]  I want to be critical somehow
[31:55.040 --> 32:01.040]  Application instances
[32:05.040 --> 32:07.040]  It uses just
[32:07.040 --> 32:09.040]  The architecture
[32:09.040 --> 32:11.040]  Okay, the things
[32:11.040 --> 32:13.040]  what I had in mind if I have
[32:13.040 --> 32:15.040]  Thousands of instances
[32:15.040 --> 32:17.040]  Are they merged together
[32:17.040 --> 32:19.040]  So maybe I can see
[32:19.040 --> 32:21.040]  What are the differences and commonalities
[32:21.040 --> 32:23.040]  because if I've got thousands
[32:23.040 --> 32:25.040]  Of separate things
[32:25.040 --> 32:27.040]  Only being different
[32:27.040 --> 32:29.040]  In the IP address of the host
[32:29.040 --> 32:31.040]  What does that help me?
[32:31.040 --> 32:33.040]  It helps me seeing the single
[32:33.040 --> 32:35.040]  Instances, so for the question itself
[32:35.040 --> 32:37.040]  It will be five
[32:37.040 --> 32:39.040]  But it doesn't help me in a post
[32:39.040 --> 32:41.040]  Processing
[32:41.040 --> 32:43.040]  It's like because I would like to know
[32:43.040 --> 32:45.040]  Okay, I've got now this thousand
[32:45.040 --> 32:47.040]  Instances of my thing
[32:47.040 --> 32:49.040]  Like my edge computing appliance
[32:49.040 --> 32:51.040]  Being out there
[32:51.040 --> 32:53.040]  But I want to know the difference
[32:53.040 --> 32:55.040]  As I want to group the thing
[32:55.040 --> 32:57.040]  These three products are similar
[32:57.040 --> 32:59.040]  But this one
[32:59.040 --> 33:01.040]  Is totally different
[33:01.040 --> 33:03.040]  And even inside the other differences
[33:03.040 --> 33:05.040]  And one should look into
[33:05.040 --> 33:07.040]  Why is there something different
[33:07.040 --> 33:09.040]  And
[33:09.040 --> 33:11.040]  Also like a normal code
[33:11.040 --> 33:11.040]  Quality check
[33:11.040 --> 33:13.040]  Okay, I checked the difference
[33:13.040 --> 33:15.040]  It's okay here
[33:15.040 --> 33:17.040]  But only say, okay
[33:17.040 --> 33:19.040]  If another run is running, then
[33:19.040 --> 33:21.040]  I know these are different from these
[33:21.040 --> 33:23.040]  But this is okay
[33:23.040 --> 33:25.040]  But now you need to focus on these ones
[33:25.040 --> 33:27.040]  Why they are different somehow
[33:27.040 --> 33:29.040]  So do you think that such
[33:29.040 --> 33:31.040]  A check is
[33:31.040 --> 33:33.040]  Kind of a compliance rule
[33:33.040 --> 33:35.040]  That can be a compliance rule
[33:35.040 --> 33:37.040]  Sure
[33:37.040 --> 33:39.040]  There could be a case in which
[33:39.040 --> 33:41.040]  A compliance rule
[33:41.040 --> 33:43.040]  Is not related to one instance
[33:43.040 --> 33:45.040]  But to multiple instance at the same time
[33:45.040 --> 33:47.040]  Sure, sure
[33:47.040 --> 33:49.040]  Okay, yeah, that's also interesting
[33:49.040 --> 33:51.040]  The thing is probably what I missed
[33:51.040 --> 33:53.040]  In a presentation, it's like
[33:53.040 --> 33:55.040]  There can be the compliance
[33:55.040 --> 33:57.040]  Or the execution can fail
[33:57.040 --> 34:01.040]  Or the check
[34:01.040 --> 34:03.040]  Fails
[34:03.040 --> 34:05.040]  And you cannot be repaired
[34:05.040 --> 34:07.040]  And then what do you show the screen
[34:07.040 --> 34:09.040]  That the check fails
[34:09.040 --> 34:11.040]  But the repair is in green
[34:11.040 --> 34:13.040]  And I think
[34:13.040 --> 34:15.040]  Because I would bet there
[34:15.040 --> 34:17.040]  There are sometimes cases where you
[34:17.040 --> 34:19.040]  Where you can check for compliance,
[34:19.040 --> 34:23.040]  Oh god, failure
[34:23.040 --> 34:25.040]  But cannot
[34:25.040 --> 34:27.040]  Repair the thing
[34:27.040 --> 34:29.040]  Yeah, this is
[34:29.040 --> 34:31.040]  I mean, I didn't show such a case
[34:31.040 --> 34:33.040]  But this is possible, yeah
[34:33.040 --> 34:35.040]  You can basically design your
[34:35.040 --> 34:37.040]  Your compliance job in a way
[34:37.040 --> 34:39.040]  That only checks but then
[34:39.040 --> 34:41.040]  Skips the fixing part
[34:41.040 --> 34:43.040]  And only report
[34:43.040 --> 34:45.040]  Like only send an email to someone
[34:45.040 --> 34:47.040]  Or maybe forward it
[34:47.040 --> 34:49.040]  To another system
[34:49.040 --> 34:51.040]  That can do
[34:51.040 --> 34:53.040]  And then we can come back
[34:53.040 --> 34:55.040]  To the after processing
[34:55.040 --> 34:57.040]  The one feature
[34:57.040 --> 34:59.040]  Which would be this
[34:59.040 --> 35:01.040]  Okay, this compliance mismatch
[35:01.040 --> 35:03.040]  That can say, okay, please don't
[35:03.040 --> 35:05.040]  Report
[35:05.040 --> 35:07.040]  And the second thing would be like
[35:07.040 --> 35:09.040]  The normal
[35:09.040 --> 35:11.040]  GitHub
[35:11.040 --> 35:13.040]  Issue comment action
[35:13.040 --> 35:15.040]  So that if I run
[35:15.040 --> 35:17.040]  This checker out today and tomorrow
[35:17.040 --> 35:19.040]  And it should not
[35:19.040 --> 35:21.040]  Report the whole thing
[35:21.040 --> 35:23.040]  It should only report the deltas
[35:23.040 --> 35:27.040]  Yeah, I would imagine like
[35:27.040 --> 35:29.040]  A reporting plugin
[35:29.040 --> 35:31.040]  Would be able to do that
[35:31.040 --> 35:33.040]  Yeah, especially designed
[35:33.040 --> 35:35.040]  Reporting plugin, yeah
[35:35.040 --> 35:37.040]  Okay
[35:37.040 --> 35:39.040]  Maybe as simple as
[35:39.040 --> 35:41.040]  Seeing the list of reports
[35:41.040 --> 35:43.040]  Making a git diff and then
[35:43.040 --> 35:45.040]  Basing the git diff
[35:45.040 --> 35:47.040]  Reporting something and then it's done
[35:47.040 --> 35:49.040]  In case the reports are
[35:49.040 --> 35:51.040]  Tech spaced and so on
[35:51.040 --> 35:53.040]  Yeah, that's a good idea
[35:53.040 --> 35:55.040]  Okay
[35:55.040 --> 35:57.040]  Okay, so
[35:57.040 --> 35:59.040]  We are about to be done
[35:59.040 --> 36:01.040]  Okay
[36:01.040 --> 36:03.040]  Now
[36:03.040 --> 36:05.040]  You started talking about it
[36:05.040 --> 36:07.040]  The fixing part
[36:07.040 --> 36:09.040]  Yeah, so what would you do
[36:09.040 --> 36:11.040]  If you find out that some
[36:11.040 --> 36:13.040]  Application instance that
[36:13.040 --> 36:15.040]  You manage or you're responsible
[36:15.040 --> 36:17.040]  For violates some
[36:17.040 --> 36:19.040]  Compliance rule
[36:19.040 --> 36:21.040]  So an instance means it's running now
[36:21.040 --> 36:23.040]  But it violates some compliance rule
[36:23.040 --> 36:25.040]  Yeah, it could be in the infrastructure
[36:25.040 --> 36:27.040]  Or like in the database
[36:27.040 --> 36:29.040]  Is on whatever part of the
[36:29.040 --> 36:31.040]  Architecture
[36:31.040 --> 36:33.040]  What would you do?
[36:33.040 --> 36:35.040]  As a question as you
[36:35.040 --> 36:37.040]  Which is me as a person
[36:37.040 --> 36:39.040]  So
[36:39.040 --> 36:41.040]  Yeah, and manual
[36:41.040 --> 36:43.040]  Manually going there
[36:43.040 --> 36:45.040]  And I don't use any scripts
[36:45.040 --> 36:47.040]  Wait, wait, wait, wait, wait
[36:47.040 --> 36:49.040]  It depends for sure
[36:49.040 --> 36:51.040]  Because if the compliance rule is like "the version is outdated",
[36:51.040 --> 36:53.040]  Then
[36:53.040 --> 36:55.040]  And then I'm thinking of the application
[36:55.040 --> 36:57.040]  Which is built using docker
[36:57.040 --> 36:59.040]  And I just would update the version
[36:59.040 --> 37:01.040]  In docker and then say we
[37:01.040 --> 37:03.040]  Deploy and then it's done
[37:03.040 --> 37:05.040]  But for updating the docker
[37:05.040 --> 37:09.040]  In the case of
[37:09.040 --> 37:11.040]  [redacted]
[37:11.040 --> 37:13.040]  I don't have any automatic tools
[37:13.040 --> 37:15.040]  Okay
[37:15.040 --> 37:17.040]  Okay
[37:17.040 --> 37:19.040]  Okay, so this answer is 18
[37:19.040 --> 37:21.040]  As well
[37:21.040 --> 37:23.040]  Now
[37:23.040 --> 37:25.040]  Like some numerical estimation
[37:25.040 --> 37:27.040]  Of the following
[37:27.040 --> 37:29.040]  How much agree with the following statement:
[37:29.040 --> 37:31.040]  Using the framework reduces the effort
[37:31.040 --> 37:33.040]  Associated with fixing compliance
[37:33.040 --> 37:35.040]  Violations
[37:35.040 --> 37:37.040]  The things
[37:37.040 --> 37:39.040]  The demo showed some
[37:39.040 --> 37:41.040]  Really code-near things
[37:41.040 --> 37:45.040]  But if the compliance rule is like
[37:45.040 --> 37:47.040]  You need to have
[37:47.040 --> 37:49.040]  Two factor authentication
[37:49.040 --> 37:51.040]  From next year on
[37:51.040 --> 37:53.040]  This is a complete rewrite
[37:53.040 --> 37:55.040]  Of the user login thing
[37:55.040 --> 37:57.040]  And then thinking
[37:57.040 --> 37:59.040]  How are tokens are sent to the mobile
[37:59.040 --> 38:01.040]  Phone and which app and this is a
[38:01.040 --> 38:03.040]  Really architectural thing
[38:03.040 --> 38:05.040]  And one needs to do much things
[38:05.040 --> 38:07.040]  So the framework doesn't have
[38:07.040 --> 38:09.040]  At all
[38:09.040 --> 38:11.040]  In that case because there's no
[38:11.040 --> 38:13.040]  Way yet
[38:13.040 --> 38:15.040]  But for the simple rules
[38:15.040 --> 38:17.040]  As you showed like
[38:17.040 --> 38:19.040]  Don't have an admin login running
[38:19.040 --> 38:21.040]  There for the production system
[38:21.040 --> 38:23.040]  Or for the testing
[38:23.040 --> 38:25.040]  Or for the integration
[38:25.040 --> 38:27.040]  Then it's great, great stuff
[38:27.040 --> 38:29.040]  So I would stick with it partially
[38:29.040 --> 38:31.040]  Because it depends on the rule
[38:31.040 --> 38:35.040]  Very good answer as well
[38:35.040 --> 38:37.040]  We will report your answers
[38:37.040 --> 38:39.040]  Often in the paper
[38:39.040 --> 38:41.040]  Okay
[38:41.040 --> 38:43.040]  So
[38:43.040 --> 38:45.040]  The next statement
[38:45.040 --> 38:47.040]  Having well-defined models
[38:47.040 --> 38:49.040]  For the compliance jobs
[38:49.040 --> 38:51.040]  So a compliance job is not the rule
[38:51.040 --> 38:53.040]  A job is like which rules
[38:53.040 --> 38:55.040]  Are applied to which
[38:55.040 --> 38:57.040]  Application instances
[38:57.040 --> 38:59.040]  And what to do when some rule is
[38:59.040 --> 39:01.040]  Violated
[39:01.040 --> 39:03.040]  This whole thing is called the compliance job
[39:03.040 --> 39:05.040]  Having well-defined models for compliance
[39:05.040 --> 39:07.040]  Jobs reduces the uncertainty
[39:07.040 --> 39:09.040]  Associated with handling
[39:09.040 --> 39:11.040]  Compliance violations
[39:11.040 --> 39:13.040]  Now what to do when
[39:13.040 --> 39:15.040]  You find a violation
[39:15.040 --> 39:17.040]  Do you think having a well-modeled
[39:17.040 --> 39:19.040]  Compliance job reduces
[39:19.040 --> 39:21.040]  The uncertainty of what to do
[39:35.040 --> 39:37.040]  So let's say you know what to do
[39:37.040 --> 39:39.040]  When some new guy comes
[39:39.040 --> 39:41.040]  And he finds out
[39:41.040 --> 39:43.040]  Or she finds out that
[39:43.040 --> 39:45.040]  There is a violation
[39:45.040 --> 39:47.040]  And then do you think that if
[39:47.040 --> 39:49.040]  You have the job
[39:49.040 --> 39:51.040]  Modeled in a well-defined manner
[39:51.040 --> 39:53.040]  Would this reduce
[39:53.040 --> 39:57.040]  His or her uncertainty
[40:03.040 --> 40:05.040]  The job is some configuration of the rule
[40:05.040 --> 40:07.040]  Like applying like what you shown
[40:07.040 --> 40:09.040]  With the
[40:09.040 --> 40:11.040]  The visual interpretation
[40:11.040 --> 40:13.040]  I mean below that it's
[40:13.040 --> 40:15.040]  A model of course
[40:17.040 --> 40:19.040]  Yeah, but you can assume that
[40:19.040 --> 40:21.040]  This guy looks at the framework
[40:21.040 --> 40:23.040]  And looks at the configuration
[40:23.040 --> 40:25.040]  Of the compliance job
[40:25.040 --> 40:27.040]  I would put a four
[40:27.040 --> 40:29.040]  I would put a four
[40:29.040 --> 40:31.040]  Why not a five
[40:31.040 --> 40:33.040]  Because (?)
[40:33.040 --> 40:35.040]  (?)
[40:37.040 --> 40:39.040]  Because there are
[40:39.040 --> 40:41.040]  Besides the uncertainty of the
[40:41.040 --> 40:43.040]  Of the fixing itself
[40:43.040 --> 40:45.040]  There's the uncertainty
[40:45.040 --> 40:47.040]  Of
[40:47.040 --> 40:49.040]  Is this model
[40:49.040 --> 40:51.040]  Correctly done
[40:51.040 --> 40:53.040]  You know, if I have 1000 checks
[40:53.040 --> 40:55.040]  There, how can I be sure the
[40:55.040 --> 40:57.040]  The whole thing
[40:57.040 --> 40:59.040]  Is correct
[40:59.040 --> 41:01.040]  And it covers all
[41:01.040 --> 41:03.040]  Cases, right?
[41:03.040 --> 41:05.040]  The same thing as
[41:05.040 --> 41:07.040]  Before
[41:07.040 --> 41:09.040]  But nevertheless
[41:09.040 --> 41:11.040]  Because this brings
[41:11.040 --> 41:13.040]  In the uncertainty of the compliance
[41:13.040 --> 41:15.040]  With them
[41:15.040 --> 41:17.040]  But it provides
[41:17.040 --> 41:19.040]  Structure because like
[41:19.040 --> 41:21.040]  It provides a set of
[41:21.040 --> 41:23.040]  Interrelated compliance rules
[41:23.040 --> 41:25.040]  With the relation comes because
[41:25.040 --> 41:27.040]  It's in the same application
[41:27.040 --> 41:29.040]  One has some
[41:29.040 --> 41:33.040]  Like feeling of the
[41:33.040 --> 41:35.040]  Of the application
[41:35.040 --> 41:37.040]  So I think that it's a four
[41:37.040 --> 41:39.040]  Yeah, it's good
[41:39.040 --> 41:41.040]  Okay
[41:41.040 --> 41:43.040]  But it gets complex somehow
[41:43.040 --> 41:45.040]  Another difference
[41:45.040 --> 41:47.040]  Oh
[41:47.040 --> 41:49.040]  Okay, there's a thing
[41:49.040 --> 41:51.040]  What I do know is
[41:51.040 --> 41:53.040]  The this Github
[41:53.040 --> 41:55.040]  Dependabot thing
[41:55.040 --> 41:57.040]  Like I was taking the new thing
[41:57.040 --> 41:59.040]  And I was checking SonarQube, which also could be
[41:59.040 --> 42:01.040]  Some things, but here we are
[42:01.040 --> 42:03.040]  Talking about
[42:07.040 --> 42:09.040]  Applications. The thing is
[42:09.040 --> 42:11.040]  I got one question of the year was
[42:11.040 --> 42:13.040]  We related work, so
[42:13.040 --> 42:15.040]  Because I'm curious what related work is doing
[42:15.040 --> 42:17.040]  Now I need to guess what related work is
[42:17.040 --> 42:19.040]  Best
[42:19.040 --> 42:21.040]  It's to the best of
[42:21.040 --> 42:23.040]  You knowledge, of course
[42:23.040 --> 42:25.040]  And then I also saw
[42:25.040 --> 42:27.040]  This penetration test
[42:27.040 --> 42:29.040]  And so on
[42:29.040 --> 42:31.040]  But what I did not see
[42:31.040 --> 42:33.040]  Or stumble over
[42:33.040 --> 42:35.040]  A framework
[42:35.040 --> 42:37.040]  Combining all of these things
[42:37.040 --> 42:39.040]  Because the cool thing of the framework is
[42:39.040 --> 42:41.040]  Okay, I can be at the lowest level
[42:41.040 --> 42:43.040]  And at the highest level and
[42:43.040 --> 42:45.040]  I could do anything
[42:45.040 --> 42:47.040]  But I've got a defined pipeline
[42:47.040 --> 42:49.040]  And the defined reporting structure
[42:49.040 --> 42:51.040]  Being domain specific for compliance checks
[42:51.040 --> 42:53.040]  Even though I said at the beginning
[42:53.040 --> 42:55.040]  That there could be some
[42:55.040 --> 42:57.040]  CI checks running and so on
[42:57.040 --> 42:59.040]  But this is the most possible
[42:59.040 --> 43:01.040]  General framework and it's like
[43:01.040 --> 43:03.040]  I have to have the mental
[43:03.040 --> 43:05.040]  Mapping from the
[43:05.040 --> 43:07.040]  CI checks to the compliance rules somehow
[43:07.040 --> 43:09.040]  With some things and this
[43:09.040 --> 43:11.040]  And the framework does that
[43:11.040 --> 43:13.040]  For me, and then I can also
[43:13.040 --> 43:15.040]  Have
[43:15.040 --> 43:17.040]  More coding-far-out
[43:17.040 --> 43:19.040]  People
[43:19.040 --> 43:21.040]  Using this framework
[43:21.040 --> 43:23.040]  Like knowing security
[43:23.040 --> 43:25.040]  Very well and then
[43:25.040 --> 43:27.040]  These persons can sit together with experts
[43:27.040 --> 43:29.040]  Coding the rules, but the security experts
[43:29.040 --> 43:31.040]  Can read the thing without
[43:31.040 --> 43:32.040]  Calling an expert
[43:32.040 --> 43:34.040]  Hey, what does the CI thing mean?
[43:34.040 --> 43:35.040]  Because the UI is
[43:35.040 --> 43:37.040]  Frankly
[43:37.040 --> 43:39.040]  And so
[43:39.040 --> 43:41.040]  Okay, how do we
[43:41.040 --> 43:43.040]  Ask, there's no scale from one to five
[43:43.040 --> 43:45.040]  Because I would need
[43:45.040 --> 43:47.040]  An extensibility
[43:47.040 --> 43:49.040]  I had some previous
[43:49.040 --> 43:51.040]  Interesting answers
[43:51.040 --> 43:53.040]  So some guys said okay
[43:53.040 --> 43:55.040]  Extensibility altogether is useless
[43:55.040 --> 43:57.040]  So first, do you think
[43:57.040 --> 43:59.040]  Extensibility is useful
[43:59.040 --> 44:01.040]  And second, do you think
[44:01.040 --> 44:03.040]  That the framework supports it
[44:03.040 --> 44:05.040]  Extensibility of the framework
[44:05.040 --> 44:07.040]  Meaning also adding your compliance rules?
[44:07.040 --> 44:09.040]  Yeah, I would say so
[44:09.040 --> 44:11.040]  Extensibility in terms of rules
[44:11.040 --> 44:13.040]  And the plugins
[44:13.040 --> 44:15.040]  This is
[44:15.040 --> 44:17.040]  The core
[44:17.040 --> 44:19.040]  Idea of the framework and the core
[44:19.040 --> 44:21.040]  Achievement
[44:21.040 --> 44:23.040]  And I think it's
[44:23.040 --> 44:27.040]  What I did see here was great
[44:27.040 --> 44:29.040]  Okay
[44:29.040 --> 44:31.040]  As it was like
[44:31.040 --> 44:33.040]  The framework of
[44:33.040 --> 44:35.040]  Some
[44:35.040 --> 44:37.040]  There was a property base checking
[44:37.040 --> 44:39.040]  My first comment was like
[44:39.040 --> 44:41.040]  Why isn't there
[44:41.040 --> 44:43.040]  The framework
[44:43.040 --> 44:45.040]  Puts in a graphical
[44:45.040 --> 44:49.040]  Box for the component
[44:49.040 --> 44:51.040]  Where I can fill in the property
[44:51.040 --> 44:53.040]  So I need
[44:53.040 --> 44:55.040]  And I thought
[44:55.040 --> 44:57.040]  What the hell
[44:57.040 --> 44:59.040]  I want to write some
[44:59.040 --> 45:01.040]  Expression
[45:01.040 --> 45:03.040]  But then I also thought no
[45:03.040 --> 45:05.040]  It's great because I've got
[45:05.040 --> 45:07.040]  Some directions
[45:07.040 --> 45:09.040]  Where to put the rules
[45:09.040 --> 45:11.040]  And only the expression for that
[45:11.040 --> 45:13.040]  Specific property is complicated
[45:13.040 --> 45:15.040]  But even that I can have a cheat sheet
[45:15.040 --> 45:17.040]  Like what which properties
[45:17.040 --> 45:19.040]  I can give in
[45:19.040 --> 45:21.040]  And I can
[45:21.040 --> 45:23.040]  Extend that because this is open source
[45:23.040 --> 45:25.040]  And I can extend some new rules
[45:25.040 --> 45:27.040]  If
[45:27.040 --> 45:29.040]  Neither
[45:29.040 --> 45:31.040]  But even with the existing rules
[45:31.040 --> 45:33.040]  I think this is great stuff
[45:33.040 --> 45:37.040]  You can also change the whole
[45:37.040 --> 45:39.040]  Checking method
[45:39.040 --> 45:41.040]  You can
[45:41.040 --> 45:43.040]  Replace this visual
[45:43.040 --> 45:45.040]  Tool with something else
[45:45.040 --> 45:47.040]  Totally
[45:47.040 --> 45:49.040]  Even checking is pluggable
[45:49.040 --> 45:51.040]  Okay great
[45:51.040 --> 45:53.040]  Yeah
[45:53.040 --> 45:55.040]  I don't know if you
[45:55.040 --> 45:57.040]  Remember Karoline had a paper
[45:57.040 --> 45:59.040]  That uses
[45:59.040 --> 46:01.040]  A Prolog
[46:01.040 --> 46:03.040]  For kind of compliance
[46:03.040 --> 46:05.040]  Checking
[46:05.040 --> 46:07.040]  And it's useful for
[46:07.040 --> 46:09.040]  Certain types of compliance rules
[46:09.040 --> 46:11.040]  Useful means
[46:11.040 --> 46:13.040]  You need less effort
[46:13.040 --> 46:15.040]  To produce the rule itself
[46:15.040 --> 46:17.040]  This also could be an option
[46:17.040 --> 46:19.040]  Some rules are
[46:19.040 --> 46:21.040]  This is very often
[46:21.040 --> 46:23.040]  The case in literature
[46:23.040 --> 46:25.040]  Rules that are based on
[46:25.040 --> 46:27.040]  So metrics
[46:27.040 --> 46:29.040]  That look at the
[46:29.040 --> 46:31.040]  Architecture of the application
[46:31.040 --> 46:33.040]  And based on the relationship
[46:33.040 --> 46:35.040]  Between nodes and edges and so on, it
[46:35.040 --> 46:37.040]  Counts and creates a formula
[46:37.040 --> 46:39.040]  And then tells you
[46:39.040 --> 46:41.040]  Okay, you probably have a problem
[46:41.040 --> 46:43.040]  Of this type
[46:43.040 --> 46:45.040]  These are also kind of compliance rules
[46:45.040 --> 46:47.040]  And their checking is different
[46:47.040 --> 46:49.040]  So there could be
[46:49.040 --> 46:51.040]  Even a plugin for
[46:51.040 --> 46:53.040]  Checking that type of compliance rules
[46:53.040 --> 46:55.040]  Yeah
[46:55.040 --> 46:57.040]  Good thing I didn't see
[46:57.040 --> 46:59.040]  How to do that and how
[46:59.040 --> 47:01.040]  How does that
[47:01.040 --> 47:03.040]  Yeah, the video is limited
[47:03.040 --> 47:05.040]  Yeah, although it's half an hour
[47:05.040 --> 47:07.040]  But still
[47:07.040 --> 47:09.040]  Yeah, yeah sure
[47:09.040 --> 47:11.040]  Yeah, therefore
[47:11.040 --> 47:13.040]  That's a good good thing
[47:13.040 --> 47:15.040]  Okay, so
[47:15.040 --> 47:17.040]  Hypothetically, would you use the
[47:17.040 --> 47:19.040]  framework in your work?
[47:19.040 --> 47:21.040]  Yeah, I would try
[47:21.040 --> 47:23.040]  Try it out
[47:23.040 --> 47:25.040]  And I would be
[47:25.040 --> 47:27.040]  Be curious
[47:27.040 --> 47:29.040]  What are the limitations
[47:29.040 --> 47:31.040]  Of the rules itself
[47:31.040 --> 47:33.040]  So it are
[47:33.040 --> 47:35.040]  The extreme could be that
[47:35.040 --> 47:37.040]  99% of the rules
[47:37.040 --> 47:39.040]  Are really very specific
[47:39.040 --> 47:41.040]  And there's no general solution
[47:41.040 --> 47:43.040]  Like the thing with the
[47:43.040 --> 47:45.040]  Ubuntu I had as example
[47:45.040 --> 47:47.040]  Assuming that ubuntu is always the user
[47:47.040 --> 47:49.040]  And what if there's some other
[47:49.040 --> 47:51.040]  Other rule and also
[47:51.040 --> 47:53.040]  I was like
[47:53.040 --> 47:55.040]  Are there other security measures
[47:55.040 --> 47:57.040]  In place so that I even
[47:57.040 --> 47:59.040]  Cannot go to the database system
[47:59.040 --> 48:01.040]  Somehow like the thing
[48:01.040 --> 48:03.040]  And do I need to
[48:03.040 --> 48:05.040]  Even invent some more penetration
[48:05.040 --> 48:07.040]  Things
[48:07.040 --> 48:11.040]  Can the framework do like
[48:11.040 --> 48:13.040]  If this rule fails, try that rule
[48:21.040 --> 48:23.040]  I don't think that this is
[48:23.040 --> 48:25.040]  Possible with the plugin
[48:25.040 --> 48:27.040]  If the if a rule fails
[48:27.040 --> 48:29.040]  It will report
[48:29.040 --> 48:33.040]  Yeah, so it will try to fix it if you
[48:33.040 --> 48:35.040]  Have configured fixing
[48:35.040 --> 48:37.040]  And then it will report
[48:37.040 --> 48:39.040]  Yeah, it will be more
[48:39.040 --> 48:41.040]  But I would need a slight
[48:41.040 --> 48:43.040]  Or else
[48:43.040 --> 48:45.040]  Training
[48:45.040 --> 48:47.040]  Like try the basic
[48:47.040 --> 48:49.040]  Check for the MySQL
[48:49.040 --> 48:51.040]  You use the names and if that fails
[48:51.040 --> 48:53.040]  Try
[48:53.040 --> 48:55.040]  The more complex
[48:55.040 --> 48:57.040]  Thing
[48:57.040 --> 48:59.040]  I see
[48:59.040 --> 49:01.040]  Yeah, so you need
[49:01.040 --> 49:03.040]  Kind of a
[49:03.040 --> 49:05.040]  Control flow
[49:05.040 --> 49:07.040]  The way to define
[49:07.040 --> 49:09.040]  Kind of a control flow
[49:09.040 --> 49:11.040]  Or let's say a structure
[49:11.040 --> 49:13.040]  Set of structured compliance
[49:13.040 --> 49:15.040]  Rules in the same compliance job
[49:15.040 --> 49:17.040]  Right, right
[49:17.040 --> 49:19.040]  Just
[49:19.040 --> 49:21.040]  Thinking more carefully
[49:22.040 --> 49:24.040]  It could be like a high-level
[49:24.040 --> 49:25.040]  Compliance rules there
[49:25.040 --> 49:27.040]  There must not be any admin login
[49:27.040 --> 49:29.040]  On any node in the edge production
[49:29.040 --> 49:31.040]  Like for banking areas
[49:31.040 --> 49:33.040]  And then this
[49:33.040 --> 49:35.040]  For windows to that
[49:35.040 --> 49:37.040]  For windows to that
[49:37.040 --> 49:39.040]  And for
[49:39.040 --> 49:43.040]  Maybe for
[49:43.040 --> 49:45.040]  Yeah, but yeah
[49:45.040 --> 49:47.040]  And then it could be hard to write
[49:47.040 --> 49:49.040]  This login checking
[49:49.040 --> 49:50.040]  Thing but I think it's
[49:50.040 --> 49:51.040]  Commas separated values
[49:51.040 --> 49:53.040]  Which is okay, which would be one rule
[49:53.040 --> 49:55.040]  But for
[49:55.040 --> 49:57.040]  Or would it could be
[49:57.040 --> 49:59.040]  The username login check
[49:59.040 --> 50:01.040]  And the SSH key
[50:01.040 --> 50:03.040]  So I would say
[50:03.040 --> 50:05.040]  There are two compliance rules because
[50:05.040 --> 50:07.040]  SSH login is different
[50:07.040 --> 50:09.040]  Because this SSH needs to have
[50:09.040 --> 50:11.040]  The private keys of the admins
[50:11.040 --> 50:13.040]  Inside, which are very different
[50:13.040 --> 50:15.040]  From admin user names, so there are two rules
[50:15.040 --> 50:17.040]  And this would be no form
[50:17.040 --> 50:19.040]  So logically it's the same rule
[50:19.040 --> 50:21.040]  But like the implementation
[50:21.040 --> 50:23.040]  Is different
[50:23.040 --> 50:25.040]  Yeah, yeah
[50:25.040 --> 50:27.040]  And because it's so different
[50:27.040 --> 50:29.040]  I would see it as separate
[50:29.040 --> 50:31.040]  Unit to implement and check
[50:31.040 --> 50:33.040]  The implementation of the
[50:33.040 --> 50:35.040]  Oblig compliance rule
[50:35.040 --> 50:37.040]  Okay, yeah, that makes sense
[50:37.040 --> 50:39.040]  Yeah
[50:39.040 --> 50:41.040]  Okay
[50:41.040 --> 50:43.040]  But the question is if so
[50:43.040 --> 50:45.040]  In which areas
[50:46.040 --> 50:48.040]  Poor
[50:48.040 --> 50:51.040]  So, yeah, I mean
[50:51.040 --> 50:53.040]  You can use it for architectural reconstruction
[50:53.040 --> 50:55.040]  And that's it, like not check rules
[50:55.040 --> 50:57.040]  You can just check
[50:57.040 --> 50:59.040]  And not try to fix anything
[50:59.040 --> 51:01.040]  Because you don't trust that it can fix things
[51:01.040 --> 51:03.040]  Or you can try the whole package
[51:03.040 --> 51:07.040]  I would do for me
[51:07.040 --> 51:09.040]  If I
[51:09.040 --> 51:11.040]  Got
[51:11.040 --> 51:13.040]  For this meta architecture
[51:13.040 --> 51:15.040]  Or this meta architecture
[51:15.040 --> 51:17.040]  I would include the framework in the meta architecture
[51:17.040 --> 51:19.040]  And use it as one check
[51:19.040 --> 51:21.040]  That the architecture is good
[51:21.040 --> 51:23.040]  So like if someone starts coding
[51:23.040 --> 51:25.040]  And implementing things
[51:25.040 --> 51:31.040]  And then the framework
[51:31.040 --> 51:33.040]  Should report our old rules held
[51:33.040 --> 51:35.040]  And so on
[51:35.040 --> 51:37.040]  Like it has to do in the development
[51:37.040 --> 51:39.040]  But on a high architecture level
[51:39.040 --> 51:41.040]  More like
[51:41.040 --> 51:43.040]  And I would use the framework as
[51:43.040 --> 51:45.040]  Test to in the development thing
[51:45.040 --> 51:47.040]  And therefore
[51:47.040 --> 51:49.040]  Not fixing one
[51:49.040 --> 51:51.040]  Because it's in the dev setting
[51:51.040 --> 51:53.040]  It's not in the production
[51:53.040 --> 51:55.040]  Because your thing
[51:55.040 --> 51:57.040]  Sounded more like I fix the prod system
[51:57.040 --> 51:59.040]  But I would use the framework more
[51:59.040 --> 52:01.040]  In the dev setting and say
[52:01.040 --> 52:03.040]  Okay, how can I ensure the development
[52:03.040 --> 52:05.040]  Everything is smooth
[52:05.040 --> 52:07.040]  And then
[52:07.040 --> 52:09.040]  Therefore only check and not fix
[52:09.040 --> 52:11.040]  Because it's not
[52:11.040 --> 52:13.040]  It should not be in after fix
[52:13.040 --> 52:15.040]  I should not use the check-off to fix something
[52:15.040 --> 52:17.040]  Which was wrong in the development
[52:17.040 --> 52:19.040]  I need to go back to the development
[52:19.040 --> 52:21.040]  And then how the script
[52:21.040 --> 52:23.040]  Should be fixed
[52:23.040 --> 52:25.040]  Producing that kind of infrastructure
[52:25.040 --> 52:29.040]  Okay
[52:29.040 --> 52:31.040]  So yeah
[52:31.040 --> 52:33.040]  If you want, you can answer 24
[52:33.040 --> 52:35.040]  If you feel you have already answered it
[52:35.040 --> 52:37.040]  Then you don't need to do that again
[52:37.040 --> 52:39.040]  So what's your general impression?
[52:39.040 --> 52:43.040]  Okay
[52:43.040 --> 52:51.040]  As a good
[52:51.040 --> 52:55.040]  I think it's a good
[52:55.040 --> 52:57.040]  The meta model is
[52:57.040 --> 52:59.040]  Good to read
[52:59.040 --> 53:01.040]  Like how to collect rules
[53:01.040 --> 53:03.040]  And the jobs and the fixing
[53:03.040 --> 53:05.040]  And also the architecture
[53:05.040 --> 53:07.040]  And also the
[53:07.040 --> 53:09.040]  Plugability of the
[53:09.040 --> 53:11.040]  Of the importers
[53:11.040 --> 53:13.040]  They do not rely on TOSCA
[53:13.040 --> 53:15.040]  You're relying on anything
[53:15.040 --> 53:17.040]  You just have to have some importer
[53:17.040 --> 53:21.040]  But in the details we see
[53:21.040 --> 53:25.040]  That its a research prototype
[53:25.040 --> 53:29.040]  Like choosing this output value
[53:29.040 --> 53:31.040]  Yeah, you have one to three
[53:31.040 --> 53:33.040]  And then you need to enter the text
[53:33.040 --> 53:35.040]  Why it's not a combo box
[53:35.040 --> 53:37.040]  Okay, I don't know
[53:37.040 --> 53:39.040]  Because the developer was too lazy at that point
[53:39.040 --> 53:41.040]  Which is okay for a research prototype
[53:41.040 --> 53:43.040]  And the other thing was comma-separate the values
[53:43.040 --> 53:45.040]  For things like
[53:45.040 --> 53:47.040]  Shouldn't a UI have been some selection box
[53:47.040 --> 53:49.040]  And you know like
[53:49.040 --> 53:51.040]  More proper UI thing
[53:51.040 --> 53:53.040]  You are usability
[53:53.040 --> 53:55.040]  That needs some enhancement
[53:55.040 --> 53:57.040]  Yeah, sure
[53:57.040 --> 53:59.040]  But the prototype was therefore
[53:59.040 --> 54:01.040]  Checking from the beginning
[54:01.040 --> 54:03.040]  To the end and also the things
[54:03.040 --> 54:05.040]  And this is a good thing
[54:05.040 --> 54:07.040]  I would need
[54:07.040 --> 54:09.040]  To really
[54:09.040 --> 54:11.040]  Think
[54:11.040 --> 54:13.040]  As you really think about the
[54:13.040 --> 54:15.040]  The applicability
[54:15.040 --> 54:17.040]  Like the Ubuntu case
[54:17.040 --> 54:19.040]  It's like
[54:19.040 --> 54:21.040]  But on the other hand
[54:21.040 --> 54:23.040]  This is
[54:23.040 --> 54:25.040]  Checking compliance rules
[54:25.040 --> 54:27.040]  This is always effort and it's always
[54:27.040 --> 54:29.040]  Work, it's not easy
[54:29.040 --> 54:31.040]  Like I spent 10 minutes to do something
[54:31.040 --> 54:33.040]  And then I'm complying now
[54:33.040 --> 54:35.040]  It's a huge work and your framework
[54:35.040 --> 54:37.040]  Reduces this work
[54:37.040 --> 54:39.040]  Especially by structuring things
[54:39.040 --> 54:41.040]  And being
[54:41.040 --> 54:43.040]  Having the filter
[54:43.040 --> 54:45.040]  It begins to say
[54:45.040 --> 54:47.040]  Okay, what components I
[54:47.040 --> 54:49.040]  I am filtering and then
[54:49.040 --> 54:51.040]  Like the text
[54:51.040 --> 54:53.040]  Also being available
[54:53.040 --> 54:55.040]  Also the good thing with fixing
[54:55.040 --> 54:57.040]  Which is okay for production systems
[54:57.040 --> 54:59.040]  Like I'm not thinking about banking
[54:59.040 --> 55:01.040]  Or automotive environment
[55:01.040 --> 55:03.040]  Or more like
[55:03.040 --> 55:05.040]  More
[55:05.040 --> 55:07.040]  More passing
[55:07.040 --> 55:09.040]  Like medium-sized companies
[55:09.040 --> 55:11.040]  Or small companies
[55:11.040 --> 55:13.040]  Bring out a new product
[55:13.040 --> 55:15.040]  And this is a great thing to check
[55:15.040 --> 55:17.040]  Okay, my live system
[55:17.040 --> 55:19.040]  Is there something going wrong
[55:19.040 --> 55:21.040]  Because I don't have this
[55:21.040 --> 55:23.040]  Fixing something important
[55:23.040 --> 55:25.040]  And I need to have a check
[55:25.040 --> 55:27.040]  They are running to be sure
[55:27.040 --> 55:29.040]  But they think
[55:29.040 --> 55:31.040]  It works fine in the framework
[55:31.040 --> 55:33.040]  I think it helps
[55:33.040 --> 55:35.040]  Yeah, we thought of such cases as well
[55:35.040 --> 55:39.040]  Like, yeah, you could have
[55:39.040 --> 55:41.040]  People or companies
[55:41.040 --> 55:43.040]  Without this whole
[55:43.040 --> 55:45.040]  CICD pipeline
[55:45.040 --> 55:47.040]  They might have a lot of
[55:47.040 --> 55:49.040]  Already existing production systems
[55:49.040 --> 55:51.040]  And they still need to
[55:51.040 --> 55:53.040]  I mean, eventually compliance
[55:53.040 --> 55:55.040]  Deals mostly with
[55:55.040 --> 55:57.040]  The running system
[55:57.040 --> 55:59.040]  Yeah, you can try to fix it
[55:59.040 --> 56:01.040]  In the dev, but eventually what
[56:01.040 --> 56:03.040]  Get you sued is the production system
[56:03.040 --> 56:05.040]  Yeah, sure
[56:05.040 --> 56:07.040]  Yeah, yeah
[56:07.040 --> 56:09.040]  Okay, yeah
[56:09.040 --> 56:11.040]  So I'll stop sharing
[56:11.040 --> 56:13.040]  And stop the audio recording now