What do dependency resolution, situational awareness and superheroes have in common? Meet Chris Corriere, a DevOps/software engineer at Autotrader speaking on creative ways to maximize usage of all of the above. Mark Miller, community advocate and senior storyteller at Sonatype, caught up with Chris to learn more about what his team is up to.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

Corriere: I’m Chris Corriere, and I’m a DevOps engineer at AutoTrader.

Miller: Can you give us an overview on how you’re using Nexus?

Corriere: We use Nexus for dependency resolution. Part of that is to insulate our enterprise infrastructure from general third-party dependencies. We’re able to filter that down with our internal repo and make sure that our developers are using things that are pre-approved, that we’re allowed to track and update. We also use it to move around internal projects that have cross-dependency between applications in-house.

Miller: How are you enforcing pre-approved dependencies?

Corriere: They are generally around who has access into Nexus and who is allowed to improve and pull things into Maven Central. But there are ways around that. There are ways to sneak things into builds. If a developer really wants to get something in then, sometimes when you’re troubleshooting, you find some of those clever solutions. There’s definitely an element of striking balance between that, of making sure they’re able to experiment and get the tools in they need to get their job done, but not exposing any liability or risk in the process by pulling something in that’s not trusted.

[soundcloud url=”https://api.soundcloud.com/tracks/270488651″ params=”auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&visual=true” width=”100%” height=”450″ iframe=”true” /]

Miller: If somebody isn’t using a binary repository, what could you tell them that would get them to use one?

Corriere: Consistency within the build environment is one of the main draws to me, that and reusability of code. I think that doubles back into situational awareness—depending on how they’re measuring their organization, what they’re looking for in terms of improvement, and where there’s room the optimize. There’s probably a lot of interruption in build, a lot of different permutations. I’ll say in different solutions, it could be more standardized and more consistent across teams. You can get by without it. But you’re probably doing a lot more work for the same end result. Without a repo, there’s a lot more drama, a lot more heartache involved.

—

“Without a repo, there’s a lot more drama, a lot more heartache involved.”

—

Miller: I would think that the more developers you had, the more you would actually have a real need for it.

Corriere: I would say the most creative solution I’ve seen is teams get pretty consistent results with using source control and builds at particular revisions. But in that instance you have to have the build to succeed. You have to get through the build, and that’s going to take time even if it doesn’t break. Your repository is putting everything after that step where it’s ready to go. You know it’s built. You know it’s safe. It didn’t get into the reboot. It didn’t make it through the filter.

Miller: Have you guys done anything cool with Nexus?

Corriere: I wouldn’t say anything too out of the ordinary. There’s some overlap into how we’re leveraging it that looks more like configuration management, which is unconventional. Depending on the project, you’re able to check some things from Nexus and how they will stand up [against] a lot of your environmental dependencies outside of just a job application. It can dip into the version of Java you’re running, different inch grips, and other things that nest into each other. That gets you to sort of square one to launch a lot of our standard internal apps. Again, back to the situational awareness, given some of the constraints of the teams we were working with, it’s something I ran across and it felt a little left handed at first. But when you stop and look at it, they were able to get the ball moved down the field within the constraints that they were given. At the end of the day, it works.

Miller: Are you using any continuous integration, continuous delivery?

Corriere: Yeah. I don’t think that’s a boolean of a value. We’ve got a lot of it end over life cycles, and we’re running continuous builds. We’ve got some in-house tooling around that, and we also run Jenkins. There’s always room to accelerate, improve and optimize it. We’re moving to more continuous delivery. We really want to start getting things out closer to prod. But you always start with the left side and move out from there, and try to debate quality from step one where there’s lower risk. I’ve seen AutoTrader make a lot of good strides in that over the past couple years.

—

“There’s always room to accelerate, improve, and optimize it. ”

—

Miller: Final question, if you were going to be a superhero, would it be in Dev, Ops or Sec?

Corriere: I’m going to go with security because I think there’s some development and operations involved in that if you’re doing it right. I don’t think you should be blue team or red team. I think team purple is where it’s at. You really got to come at it from both ways to get the job done today.

—

“I don’t think you should be blue team or red team … purple is where it’s at. You really got to come at it from both ways to get the job done today.”

—

Miller: Excellent. Thank you, Chris.

Corriere: My pleasure.

If you loved this interview and are looking for more great stuff on DevOps, I invite you to download the “Continuous Delivery and DevOps Reference Architectures,” highlighting real-world DevOps practices from organizations including PayPal, IBM, Adobe, USPTO and many more.