How culture can improve engineering velocity, efficiency, and quality
David Mercurio
Stripe - Payments Infrastructure Snapchat - Memories Backend
Facebook - Infrastructure, Platform, Personalized Videos
Efficiency is Leverage
Getting a lot done with a little
Privacy Checks
Before
1. Define CanSee privacy check for node type
2. Load a bunch of data
3. Filter data that fails canSee() checks
After
1. Define a PrivacyPolicy for node type
2. Define a PrivacyRule list for that policy
3. Pass in $viewer when loading data
4. Every data load automatically executes the privacy rules
<?hh
class PhotoPrivacyPolicy {
  public function rules(Photo $photo, Viewer $viewer): vec<PrivacyRule> {
    return [
      AllowIfViewerIsOwner($viewer, $photo),
      DenyIfViewerIsBlocked($viewer, $photo->getOwner()),
      DenyIfViewerInHiddenList($viewer, $photo),
      ...
      AllowIfViewerIsFriendsWithOwner($viewer, $photo),
      DenyOtherwise(),
    ];
  }
}
AllowIfViewerCanSeeAllContent($viewer, $video)
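The PrivacyPolicy / PrivacyRule pattern from the slides, as an added Python example (not the speaker's or Facebook's code): rules are evaluated in order, the first rule that decides wins, the list ends in a default deny, and the loader takes the viewer so the policy runs on every data load instead of in ad-hoc canSee() filtering. All class names, rule names and sample data below are constructed for illustration.

```python
from dataclasses import dataclass

# Verdicts a rule can return; SKIP means "this rule does not apply, try the next one".
ALLOW, DENY, SKIP = "allow", "deny", "skip"

@dataclass(frozen=True)
class Viewer:
    id: int
    friends: frozenset = frozenset()     # owner ids this viewer is friends with
    blocked_by: frozenset = frozenset()  # owner ids that have blocked this viewer

@dataclass(frozen=True)
class Photo:
    id: int
    owner: int
    hidden_from: frozenset = frozenset()  # viewer ids on the photo's hidden list

# Each PrivacyRule is a callable (photo, viewer) -> verdict, mirroring the slide's rule list.
def allow_if_viewer_is_owner(p, v):
    return ALLOW if v.id == p.owner else SKIP
def deny_if_viewer_is_blocked(p, v):
    return DENY if p.owner in v.blocked_by else SKIP
def deny_if_viewer_in_hidden_list(p, v):
    return DENY if v.id in p.hidden_from else SKIP
def allow_if_viewer_is_friends_with_owner(p, v):
    return ALLOW if p.owner in v.friends else SKIP
def deny_otherwise(p, v):
    return DENY  # default deny: reaching the end of the list never allows

class PhotoPrivacyPolicy:
    # Order matters: the owner wins first, then blocks and hidden lists, then friendship.
    def rules(self, photo, viewer):
        return [allow_if_viewer_is_owner, deny_if_viewer_is_blocked,
                deny_if_viewer_in_hidden_list,
                allow_if_viewer_is_friends_with_owner, deny_otherwise]

def can_see(policy, photo, viewer):
    for rule in policy.rules(photo, viewer):
        verdict = rule(photo, viewer)
        if verdict != SKIP:
            return verdict == ALLOW  # first rule that decides wins
    return False  # defence in depth if a policy forgets deny_otherwise

# Constructed sample data: alice(1) owns photo 10 and hides it from dave(4); bob(2) owns 11.
PHOTOS = {10: Photo(10, owner=1, hidden_from=frozenset({4})), 11: Photo(11, owner=2)}

def load_photos(viewer, ids, policy=PhotoPrivacyPolicy()):
    """Every load takes the viewer and runs the policy; returns the ids the viewer may see."""
    return [i for i in ids if i in PHOTOS and can_see(policy, PHOTOS[i], viewer)]
```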
uploads & downloads
metadata & signed urls
request
https://storage.example.com/bucket/video.mp4?Signature=4439b0b99c1a45b8c83331bcc0350241
Content-Length: 2411724
Content-MD5: 7507d76ec916acf676af82d63a746641...
abstractions & decision logic
dumb (service-agnostic) client
request headers & signed urls
{
  'Content-Length': '2411724',
  'Content-MD5': '7507d76ec...',
  <service-specific-headers>,
}
Download Object
• streaming
• connection quality
• object location
Upload Object
• continuable
• user location
• uptime status
PCI Compliance
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
apiori
token
token
Trust and Amplify
Develop one another in the short and long term
Onboarding and Rotational Programs
Bootcamp
• “Commit code on your first day”
• Low urgency bug fixes, small features
• Early foundation for cultural values
• Prioritize productivity
• Shared ownership
• Team selection
Hackamonth
• Full engagement and disengagement (vs “20% time”)
• Bidirectional knowledge sharing
• Bus factor
• Retention
Onboarding and Rotational Programs
/dev/start
• Impactful, low-urgency, well-scoped group projects
• Second set of peers
• Mentorship opportunities - but also bottleneck
Rotations
• Bidirectional knowledge sharing
• Bus factor
• Retention
• New offices
• Knowledge and culture
• Seattle, Dublin, Singapore, Remote
• Leadership team too!
We Haven’t Won Yet
Identifying and resolving unaddressed risks
Big Red Button
Review Process
• Blameless
• Identify potential remediations
• Code changes
• Process improvements
• Expose and rectify common issues
• Enable incident tracking and analysis
• Knowledge sharing
References
• Stripe
  • https://stripe.com/jobs/candidate-info
  • https://www.infoq.com/presentations/stripe-api-pci
  • https://speakerdeck.com/amyngyn/big-red-button-how-stripe-automates-incident-management-sf-women-in-infrastructure
  • https://twitter.com/dps/status/1100072703007117313
• Facebook
  • https://www.infoq.com/presentations/Evolution-of-Code-Design-at-Facebook
  • https://code.fb.com/culture/bootcamp-growing-culture-at-facebook/
  • https://code.fb.com/production-engineering/facebook-engineering-bootcamp/
• Snap
  • https://investor.snap.com/~/media/Files/S/Snap-IR/reports-and-presentations/snap-q4-and-full-year-2017-earnings-transcript.pdf
Questions?