S4 E23 - Tracy Ragan - Tackling DevOps, AI, and Women in Tech

In this episode, I invite Tracy Ragan, CEO of DeployHub, on the podcast for an in-depth discussion on the evolution of DevOps, the complexities of modern software systems, and the cultural challenges women face in technology. Tracy's rich history in software development, from working on mainframes in the late 1980s to spearheading DevOps advancements, provides a fascinating lens through which to examine the industry.

Key Topics Discussed:

  1. The Historical Context of DevOps: Tracy recounts the industry's shift from mainframe to distributed systems and the lessons learned (and forgotten) along the way. She highlights the recurring mistakes in adopting "shiny new objects" without addressing foundational issues, such as dependency chaos and scripting overuse.

  2. AI and Long-Tail Productivity: Tracy and John explore AI's transformative potential, emphasizing that its real impact lies in long-term gains rather than short-term ROI. Tracy draws parallels to past transitions, like the adoption of relational databases, arguing that AI's value will be fully realized only with improved system architectures.

  3. The Persistent Challenge of Women in Tech: Tracy candidly discusses her experiences as a woman in a male-dominated industry, noting a regression in gender diversity, particularly post-COVID. She highlights systemic issues, including exclusion from key networking opportunities and persistent biases, advocating for cultural shifts to empower women in tech.

  4. DeployHub’s Role in Tackling DevOps Complexity: Tracy introduces DeployHub's innovative approach to managing software supply chains and SBOMs (Software Bill of Materials). By mapping dependencies and automating vulnerability remediation, DeployHub aims to reduce the time and complexity of patch management, addressing critical gaps in modern software pipelines.

Transcript:

John Willis: [00:00:00] Hey, it's John Willis again. This is the Profound podcast. Got another great guest, Tracy Ragan. In fact, we kind of got to know each other because we do the Techstrong Friday. We seem to be the two that show up on Fridays and we have great conversations about a lot of AI stuff and stuff like that.

Hey, Tracy, it's great to get you on the show.

Tracy Ragan: Thank you, John. It's a pleasure to be here.

John Willis: Cool. So tell me a little about your background, you know, I, I think I do remember having a short conversation with you One of the swamp ups a few years back and, you know, and then I realized that you had a lot of experience.

You're just based on the conversation. I will. I'll say I'm old. I won't say anybody else is old, but, but but it just seemed like your background. Seemed to map a little bit. You know, we, we listen to these young people and they come in and, and God bless 'em, and they want to change the world, and, but then it's kind of refreshing to sort of meet somebody who has a [00:01:00] little bit more history on things like that.

So, tell, tell, tell us about your background.

Tracy Ragan: Yeah. I've been doing, so I've been, you know, I Forrest gumped my way into the software world. After graduating from, you know, university, I went to Cal Poly Pomona. I took some business logic classes, which required us to do some programming on a, a Systems 36.

Actually, there was a mainframe too, and I had to use Roscoe. So it gave me a little taste of it. And I went out into the world after university, living in California. There was not a lot of tech jobs, to be honest. I went to work for a little company that was selling Levi's at their warehouse, and I was working in their HR department, and they had a problem with what they called shrinkage.

Not the jeans shrinking, but the inventory. So I said, well, let's write, I can write a little program just to start tracking some of, you know, just start looking at some of the numbers and where the shrinkage might come from. So I started writing code. Nobody hired me to do [00:02:00] that. It was there, and the data was there, and I started playing on it, and I ended up moving to New York during the I would say the great migration from mainframes to the distributed platform.

And I did first get my first job in New York on a mainframe which was kind of fun. I was working down on Wall Street writing actually we were a service company. We wrote software for all the banks and all of the everything that's happening on, in the Wall Street area. All their code, this company was used by a lot of other companies.

John Willis: What year was that if you don't mind me asking?

Tracy Ragan: Goodness, I'd have to it'd be in the early 90s. I guess you'd have to or late 80s.

John Willis: That's funny. I

I sold my my first software company was a mainframe based and we we had a couple of large we had a couple of large, financial institutions that were using it So it's just yet again, it's kind of fun that you we were doing some same things at the same time

Tracy Ragan: And you know why that expert that experience was important of how my [00:03:00] career took off It's because we were doing we were delivering software to like, you know, the J.P. Morgans of the world. We had to start using Endeavor.

Oh, wow. As I tell people, Endeavor stands for environment for developers and operations. It's the first DevOps tool and they wanted really clear automated, what they called ACM reports, automated configuration management, because they wanted to know what was changed before they would install it.

And also they wanted high frequency updates. So Endeavor was being used. We were, you know, at one point in my life, I would stand up and announce The whole office that I was going to do a new copy. But we stopped doing that. We stopped doing new copies, you know, in the middle of the day. And a new copy basically refreshes a green screen.

So, I learned a lot about the importance of being accountable to customers through the software factory [00:04:00] floor. What we now talk about as DevOps. There wasn't a lot of security at the time, we didn't have to worry about it. But I ventured off and I ended up getting a job with IBM Global Services. And I started working on the DB2 OS2 DB2 platform.

I was the first to implement a OS2 database manager and DB2 integration for IBM at UPS, which, where we built this massive logistics application. And I ended up going you know, I did a little work, I did quite a bit of work for global, global services, and I ended up in LA working on a.

Since they were like, well, Tracy will take on any crazy software, let's give her, let's give her tiers. And now I don't remember what tier stands for, but it was the, one of the first AI, it was the first time I ever even heard the idea of pulling in AI. And it was where I was working for [00:05:00] so what they wanted was like, they wanted their actuaries to be more automated And TIRS was sort of a rule based, knowledge based system, and we started to build rules around, you know, if you're 17 and you drive a Volkswagen, you know, your insurance is going to be higher than a person who is 55 and driving a Lincoln Town Car.

And what we learned was there wasn't enough, there wasn't enough processing power to actually compete with the actuary humans. But it gave me an introduction into AI. I had a really early period of time, and I started really getting fascinated about, by, about architecture, and what do we need to do in architecture to make this better?

So I ended up going back, working in Chicago for a while, and it is there that we, I, I've started my first company around the build management But, you know, there's, I've watched this [00:06:00] industry change and grow and chase shiny new objects so much that I realize is nothing ever changes really.

It all is exactly the

. There's nothing new under the sun. There's just maybe new ideas and how to do it, but we're still doing the same thing.

John Willis: That's what sort of concerns me about, like, the mistakes, you know, that we just, you know, like, seem to make. I think there's two, you know, I love your background because there's so many overlaps.

I mean, I, One of the first software companies I worked for was a company called Mix, which I think ultimately became Duquesne Software, which became, somehow is, there was something with Endeavor, I can't, I don't know if they merged, I was trying to figure out, but There was there was definitely some connection there, and I don't think the history, the Wikipedia history is not accurate enough at this point, so but then, you know, OS2, sure, I mean, like, we lived through that, and then DB2 early on, so I love all [00:07:00] that, and but I think the thing that, I think we, like, your background, again, a lot of overlap for me, that we just see It's just, I guess at some point you get frustrated that we just see the same.

Every time we think you say shiny new object, right? Shiny object, the, the, the bias becomes it's all new. And then we just start making the same mistakes over and over again. And it just, it just seems a pathology.

Tracy Ragan: We do make this, this, this, we, what we, so for example, and I often equate what we're seeing in the AI world to the, when we went from flat files to DB two.

And the way I, the reason why I say that is because I was a contractor in New York and I was being brought on to, you know, redevelop applications to take them, basically take them off of the mainframe, put them on a distributed system and put a relational database on the back end of them. We didn't really improve anything.

We didn't [00:08:00] change the software from a user perspective. Maybe it was faster. Maybe it was greater to use a mouse, which I still have my disagreements on, because sometimes not touching a mouse is a beautiful thing. But we didn't deliver new features and services. Now, maybe down the road we did. You know, maybe if years, years later, because we have those platforms now in a relational model, we could do more things with them.

And I'm not disagreeing with that. But many of those applications that I worked on were retired. Even after we modernize them. So did we, was the money spent in the right place? Right? Where is the, you know, when do we say, maybe we just keep running this application as it is, and then really understand how to rebuild the platform in a new way and solve problems in a new way.

And I didn't see that, and I don't see it now with AI. I feel like we're doing a lot of the same things.

John Willis: You know, I and there's a bunch of other things I definitely want to talk to you about, but we can anchor this maybe for later in this podcast, or [00:09:00] maybe another podcast. But, like, I just wrote an article called the the paradox, the the productivity paradox.

And it, it, it sort of talked, so you raised a good question. Like, we're all, what's going to relational database? I mean, today in the rearview mirror you'd say, of course, right? We have highly transactional systems. But initially you're right. It was a lot of toil, mistakes, you know, moving over. And then we sort of, you know, as like the, ah, we did it, you know, like, okay, well, what did we really do?

Tracy Ragan: Yeah,

John Willis: yeah, no. And I, I totally agree with that. So then the question that becomes a, how do we think about improvement? Right. And unfortunately I think more often than And to your point about AI right now is that most Leaders today are looking for these sort of our big R. O. I. Games. And so what I tried to point out is, you know, there's this sort of paradox of like looking at it as a long [00:10:00] tail, but we just don't do that.

Like, in other words, I guess here's the thing I was saying in the article, which is I was talking to a couple of CIOs who talked about really the reason they're going all in on AI is for talent and innovation transformation. Thank you. In other words, they believe there's going to have to be a talent shift in their organization to use these.

Like, in other words, these technologies, we're not turning back, right? So now, how do they get shifts, sort of old school, you know, mentalities, and how do you shift the way you think about innovation? Now again, we can have a lot of debates about, like, we can unpeel that for an hour, but, but the point is, that I think was what the point I was trying to make in the.

The productivity paradox, which is if you look at it as a transition state for certain things. Like, I think back then, back in the day when everybody was [00:11:00] declaring to go to DB2, right, and then Oracle, right? And what did we get if we looked at surface value and, wow, that was a lot of work. What did we actually get over time?

And I think, I think very few people looked at it as a sort of long tail. These are fundamental shift change. Does that make sense? Or

Tracy Ragan: it absolutely doesn't. I do believe that AI is a long tail game. It's not something that's going to, we're not going to see immediate huge ROIs from the software that we're delivering now.

And, and, you know, as we've spoken about in, in Techstrong gang in the past, you know, you, you, because you're speaking to folks like a Caterpillar, I think you mentioned, you might see in the, it was John Deere. You might, you might be seeing changes in productivity in the work space that I don't see, but I don't see, I don't see that unicorn.

Maybe ChatGPT is a unicorn, but you're putting, they're putting a lot of money into it. That really impacts everyday people in their lives. You know, every, [00:12:00] this, it could, it could definitely change the way we live. Self driving cars, maybe they're safer. Healthcare, and for goodness sakes, please the U.S. government, just do my taxes for me. I mean, you know what they're supposed to be, that's why you can audit me if I get it wrong. So just do it for me.

John Willis: You know where

I spent the morning, this morning? I spent

the morning at my local social security office, because if you do Medicare online, it is a debacle.

It breaks things, it loses data and so the only way I had to sit in a social security, so yeah, please, yeah, tech, all the AI, all the technology, I literally spent the whole morning with with a glass window, you know, you know, basically having to prove that I actually did submit my forms properly 6 months ago.

So, yeah, no, I,

Tracy Ragan: yes, we haven't seen that moment yet. And I believe it's yours. It's years off before we [00:13:00] really start every, the rest of us, maybe at the, maybe on a factory floor, maybe at a John Deere, maybe even in banks in the backend, there probably are benefiting from the productivity and certainly in software development, there's going to be some productivity gains, but there may be some losses too.

So I let's, let's think about, let's go back into history and because history teaches us so much. When we went from, The mainframe and green screens and flat files to distributed platforms. We, everybody was doing windows. We had new ways to develop software instead of me using Endeavor. We were writing, everybody was writing their own compile scripts.

Everybody was doing their own production releases. And that process on the distributed side probably maintained a pretty fast pace until I would say around 97, [00:14:00] 95 to 97. That's when my, we first started our first company, OpenMake Software. People started asking the question, how can we streamline all of this development?

Now I was working for a financial company. I won't say who it is because the story is embarrassing. And at the time they were pushing distributed applications. They wanted to get completely off the mainframe. And there was probably 15 teams all rewriting mainframe code, and much of it had to talk to each other.

Because it was sharing data, mortgage applications had to see different loan data and customer applications and credit cards. What they couldn't do though, was to write common code that remained common. And when we talk about like object oriented programming, we're still doing it. Object oriented programming, the idea of writing a reusable libraries that everybody can use across the organization.

It's a great concept. But what happened was, [00:15:00] because we had the pain of moving from something like Endeavor, which took care of all of that for us, it was very easy to use, to a distributed platform that didn't have those kinds of tools, everybody started fixing it with scripts and doing things on their own.

We've never really grown out of that, to be quite honest. Certainly Jenkins changed the way we think about running a job. It's a job, Jenkins is just a job scheduler that calls the scripts that developers write. Everybody is still writing their own scripts. And when you do that, it's hard to enforce things like where are you going to pull common code?

Where are you going to find open source software? Are Sonatype repo or a JFrog artifact? These are the problems that we have created for ourselves since that time that we moved off the mainframe, that we really haven't quite resolved. And now we're in the, we're looking over an edge, and that edge has two [00:16:00] giant, you know, it's, it, there's two things facing us.

One is software security, and the change to AI. And we have yet to figure out either one of those well, and we still don't have a really solid factory floor. That's really maintaining objects that are flowing through our software supply chain. So I believe that over the course of the next 10 years, we're going to have a lot of, we're going to create a big mess, which is going to provide some opportunities for companies like mine.

John Willis: Yeah, yeah, yeah, no doubt. Yeah. No, I, so there's a lot to unravel here. So I guess the question I would have, there's two questions I have on this, on what you just said, and I love what you just said, by the way. Because we don't have a factory, right?

Like, , it's still a mess. The dependency, you know, the dependency map is, Beyond human comprehension, and I don't believe I didn't. Yeah. And I, I think there's there's order of magnitudes problem coming with just all the new AI library sets that have been unvetted. [00:17:00] Right? Like, so, yeah, this is this is chaos.

But so I guess the 2 questions I have is 1 it seems to me, I'd like to know what you thought about like DevOps as it seemed, you know, I know a lot of people, I wasn't really release engineering.

That wasn't my background. I was operations, you know, whatever that meant. I spent many years in the Tivoli portfolio before distribute, you know, as distributed computing came out, you know, a lot of this sort of how you do sort of infrastructure at scale. Right? And, yeah. And I, you know, there's some great people in our community, our DevOps community, who really sort of were, before DevOps, they were DevOps, right?

And it sounds like you were one of those people, right? And so my first, which I'd like to answer second, which is you know, what did you think about the DevOps movement when you sort of first heard it and saw it? Is it, sort of, was it, and, and, like, totally be transparent, because I think at this point your background is vetted, and, and so, like, it was like, hey, duh thanks for noticing, or you know, and then [00:18:00] the one that I think is fundamental, though, is why haven't we solved this?

Because there's a lot of things, like, you know, again, this last 10 years hasn't been wasted time. You know, I mean, we've done some significant. So they say DevOps. The first meeting about DevOps was 15 years ago in Antwerp, right? And so let's say it's somewhere between 10 and 15 years old. And I know as my experience of helping, being involved in it, not just because it's sort of my, part of my moniker, I know we've done good work, but why are we, and I agree with you, we are still a friggin mess.

So I guess there's a, there's a lot there, but.

Tracy Ragan: Well, to be honest with a new term, DevOps I just rolled my eyes.

John Willis: How did I die? That's what it does. I thought you were going to say, thank you for

Tracy Ragan: doing it for so long.

John Willis: We

Tracy Ragan: would have been doing it for quite some time. I mean, we started open make software in 1995,

John Willis: right?

Tracy Ragan: And we, you know, the way I perceived the problem that we were solving [00:19:00] with our Meister product and with OpenMake software, which, by the way, is still installed in probably 200 large organizations. It's in its 30 years old. We realized that because of everybody cobbling their own shoes, right, that nothing could be easily integrated.

Right. So integration was an issue. Now, CI is continuous integration, right? Meaning that we change the way that we think. Now, long before DevOps was ever even brought up, there was other terms. There was configuration management, by the way, I still think is the proper term for it. There, it was application lifecycle management.

John Willis: Right.

Tracy Ragan: ALM and there were probably a few other terms that were used to describe it. But probably somewhere around the 1995 time frame, Microsoft, somebody wrote a book, and let me, let me see if I can find it, [00:20:00] called Microsoft Secrets, let me look for it really quick, Microsoft Secrets,

by Ruth Milkman. And Ruth hung out with the Microsoft development teams and operation teams and she defined how Microsoft manages their factory floor for their software. And it was so enlightening because it was exactly what I was thinking and what we were starting to do with OpenMake software and Meister.

And they talked about the need for not doing these long term, every two weeks, every three weeks, then do a build. Which I've been that person that had to do that build and you're sitting there going pulling your hair out because everybody's got stuff coming up from all these different directories and it could have been from different places in CVS.

It could have been, you know, I mean, we were, there was version control at the time, but that book defined DevOps. In a very, very clear way, and that was back in

[00:21:00] 95.

So, you know, maybe it looks like the book was written by, here's the one I read, was Michael Cusimano and Richard Cusimano.

John Willis: Really?

Tracy Ragan: Yes. Okay, it

John Willis: must be a different Cusimano, because Cusimano is actually a big MIT guy, but just probably same name.

Yeah, nevermind. It can't be. Could

Tracy Ragan: very well be. But, you know, it's, it's an interesting read because it's outdated now, but it's interesting because they clearly define the problems of just getting software delivered. Compiling it on a regular basis, integrating code to the right points, understanding what libraries you're pulling the code into.

Now, this may seem like an old topic, but in terms of what we're facing with the supply chain. Of course, that's another new term. Sometimes people say DevOps is now software supply chain. I don't care what they call it. I don't care if they call it the blue fairy. [00:22:00] It's the same thing. What we're trying to do is we're trying to manage.

Chaos around the consumption of packages that are now coming from more than just internally. They're coming from, you know, externally from hundreds of locations and countries in through the software supply chain, automate the compiling and creation of containers and now managing massive dependencies in the runtime environment.

So, these problems may seem, if you look at them in a silo, new. But if you step back and you look at them as a process, they're all the same problem. It's the ability to manage many, many components, like a massive puzzle, and understand what the box cover looks like. And in many times, everybody's managing a certain section and they don't know what the end, the end, the, the, the cover of the box of the puzzle looks like they don't know what [00:23:00] they're actually creating.

They only know that they have their own pieces and they have problems in their own pieces. So DevOps never solved it. So software supply chain never solved it. ALM never solved it. And the reason why on the distributed side, we struggle so much, in my opinion, is because of all of the scripting we do.

John Willis: Yeah, and we still do a ton of scripting, right?

Like that.

Tracy Ragan: A ton of scripting.

John Willis: It is, it's such a dirty little sort of secret, right? Like, I mean, like, people brag about, like, oh, we've, you know, we've got, you know, we're using Terraform now, and, like, it's, I don't know, there's, say, hundreds of thousands of Terraform, you know what I mean? Or, or, you know, like, even your configuration as code is, is just A lot of scripting.

The did you get involved? This is sort of my own sort of overlapping history stuff so that, you know you know, I got involved with I met Luke Kanies in probably 2008 ish [00:24:00] 2009, right? I saw his presentation. I was doing what I called first generation configuration management, which probably doesn't jive with your history.

But, you know, basically what Tivoli was doing. Yeah. It was more about configuring servers, right? It was very stanza based, right? They had no sort of, there was no intelligence in the process. And I saw what Luke was doing with Puppet. Ultimately, I've come to learn that a lot of that came from Mark Burgess.

You know, with his original sort of CFEngine. And then you got Chef and all that, right? But I took that ride. But as I've dug into the little history there, before I got involved, there are a lot of wars between, I think, something called BCG, BCGF or, you know, and, and a lot of sort of, like, people trying to automate make.

Was there you involved in any of that, or was yours more? We,

Tracy Ragan: OpenMake Software, automated the generation of cross platform make files.

John Willis: Okay.

Tracy Ragan: That is exactly what we did. And we, and we built a [00:25:00] build audit snapshot as well. So we audited builds creating SBOMs back before we knew what SBOMs were. So, yes, we, we were very, very much involved in that.

And it was critical because at the time we were working on that, there were a lot of cross platform applications, mainframe to, to distribute it to sides. That was the most common. We, we had. One of the companies we were working for probably had, they had AIX, they had Sequence, they had Windows, they had OS2.

John Willis: Yeah, yeah, sure, sure.

Tracy Ragan: So, and they were trying to standardize on where code was going to come from. So, Meister generates about two, supports about 200 different languages. And generates what we call a build control file. And it enforces a dependency directory. So you literally have to get the dependency directory approved before you can add it to your build.

[00:26:00] Now, why did we do that? We did that to force people to standardize on common code in the same way as we do now with something like an Artifactory that says standardized on this repo.

John Willis: Right.

Tracy Ragan: So we were trying to control the chaos with that and we did a pretty good job of it. For highly regulated companies.

How

John Willis: did we, I mean, so like, I mean, not sort of day one, but like day five and like maybe five is a five year spectrum or a 10 year spectrum, but day four or five, we started enforcing, not enforcing, but sort of like talking about the importance of Artifactory, you know, artifact management as part of the cycle.

So like, it sounds like we missed the boat in two ways. One, short term, we missed the boat about the enforcing artifact Some type of dependency artifact management from sort of day one and like you and I'm saying so you

Tracy Ragan: can't you can't enforce it as somebody's writing a script because they can pull it from anywhere.

They're

John Willis: okay. You just like loaded my second question, which [00:27:00] is the script I was going to say. So, like, like, it's scripting, you know, the fact that we sort of let everybody sort of free world, the whole scripting model in the. It's, it's coding for operations, moniker, like we got away with the mess, right? So you're confirming what I was going to ask you, basically.

That's

Tracy Ragan: exactly what happens. I mean, and in many cases, what then happens is because not everybody is good at, you know, creating Helm scripts. Now, for example, they'll borrow a Helm script, right? And they'll try to add what they want in their names to try to make it work. So then they might even be bringing in more pieces that they don't need.

And they may completely bypass anything like a Nexus Repo or an Artifactory. Do

John Willis: you remember that? There's

Tracy Ragan: no way to

John Willis: enforce it. No, and like, that's why I made a joke, and I'll make the joke as much as I need. Like, I know last week everybody was at KubeCon, but to me, you know, on our last TechStrong, I said, Alan was, Alan Shimel, who owns TechStrong, [00:28:00] said, said, we're going to KubeCon next week.

I said, isn't that the place where, I didn't know, it got up to 15,000 people. But 15,000 people learn how to put colons and semicolons. But yeah, I mean, we're like, it's like, I mean, these scripts are code. I mean, I don't know if you remember, it was about four or five years ago, the, the, the creator of Spring, I think Rod Johnson wrote an article in Defense of YAML.

And what he was really, it was a play on a title, which means that when you have 5,000 Lines, YAML scripts that make inline code calls, you know, to scripts like, like this is not the way it's supposed to be, you know, so like, in other words, it's

Tracy Ragan: not, it's not the way even worse with all

John Willis: this configuration stuff, because it's, it's worse code, really, to be honest with you.

Tracy Ragan: And it's a cultural, the whole idea of scripting your stuff is very cultural within the development community. When we were bringing you know, Meister to market, the highly regulated industries we're good with saying, no, we are going to use Meister so we [00:29:00] can enforce these locations. But the ones that weren't highly regulated, they tend to say, let the, especially in the early two thousands, let the developer create their make script, their end script.

Okay. Let them worry about the production releases. We're and we'll call them if we have a problem and the production team will just approve it and know that it's coming. Right, and so much was given to the developers to do and we still have that culture and it's a there's a you know I hate to call it a it's a like a it's a balance of power where who is accountable for what step in the process and Oftentimes a lot of it stays in the hands of developers and they'd like to tinker they like to script And it to me is baffling.

Well, you know,

John Willis: I mean, this is like a little bit cathartic to me, cathartic to me, because you know, I think about, like, as we sort of, you know, I'm old. Infrastructure operations person right now. I remember first meeting Luke Kanies and [00:30:00] him saying that, you know, by the way, John, you know, all, you know, operations people are gonna have to learn how to code.

They're gonna have to learn how to use. It was pre Git. We git wasn't even popular when we had that first conversation, but, you know and I was like, wow, this kid is out of his mind, you know, and, but, but he, he was right. Well, well, I mean, that's what happened, right? In fact, you know, like. You know, a few years ago, when I'm trying to tell developers, you should put a little more focus on operations.

You know, they'll say, yeah, well, don't they just rack and stack? I'm like, yeah, actually it's harder to get a job in infrastructure and operations in your coding tests than it is to become a Java developer at JPMorgan Chase, in other words. Like, but I mean, we sort of created this, I mean, and I don't, I'm not fully like turning, being a turncoat on my sort of my, my tribe, but, but in a sense we created this problem by not only sort of like, even through the interview process.

We're hiring you as a coder, but I'm operations, [00:31:00] yeah, but you, you're going to have to know how to code, like, here's the languages I need, you need, don't go, you need to know this, you know, and like, we literally sort of created our own, what do we call it, primrose path, or it's, right, so. And it's going

Tracy Ragan: to be hard to get out of that culture.

It's going to be very difficult. So I feel like scripts are here to stay, unfortunately. And the other problem that this creates, this is where we find ourselves now in the DevOps space. When we have so much data that's being generated by scripts that's possibly kept in a log file, or worse off, not kept at all, that when we look at new technology that could get us out of this, this problem.

Like agentic AI that could actually make decisions for us. We're not, we're not gathering any of the data. All the scripts are everywhere. We don't even know where they're running, right? And, you know, we could say, there's a lot of it that comes from the Jenkins workflow. This is what we're focused on.

DeployHub is focused on grabbing that information. [00:32:00] But there's a lot that's not in the, in the workflow. There's a lot that's just being executed by, you know, I don't know. Just a, just a regular old command that says, run this at certain times of the day. Right?

John Willis: Yeah, yeah. No, no. Yeah. I mean like, yeah. I mean, how many times have you gone and I've gone in where they're still in large, large banks, large retail, like, you look, can I see a crontab,

You know?

Tracy Ragan: Exactly. Yeah.

John Willis: Yeah. So, yeah, yeah. No, there's no, there's

Tracy Ragan: at commands everywhere, right?

John Willis: Yeah. Yeah. Definitely. So. You know, we've got, we can go up to, I think, the hour, but, and, and I think, but I do want to get this one in, and then I do want to, I want to tell us about what you're doing today, DeployHub, and, and like how, how you address this, but one of the things I, I feel like doesn't get discussed enough, you know, we think, Okay, good.

Like, I think a lot of people think, Oh, that's, is that really a problem anymore? You know, women in tech, I mean, like, and you know, and then we have the Palo Alto scenario and we don't have to over rotate on that one, but I, I kind of wanted to ask you, you know, I, I'll give you the short, some [00:33:00] people have heard my bio on this, I think the early days of DevOps, when we were trying to do, you know, we were selecting speakers and I got to sort of invite some amazing women into some of the Things we were doing and then just heard their, you know, they confided in me and, and I mean a little extended version is I wrote an article about burnout and it made me seem vulnerable to a lot of people and I had a lot of young women tell me some terrifying stories of their career in IT.

And do we still suck at women in IT?

Tracy Ragan: Unfortunately, you're, we're going backwards.

John Willis: Really?

Tracy Ragan: The. You know, there was a point in time in my career that I would go to conferences and not go to the evening events because it was just so many guys there. And that sort of shifted I would say around 2005 to 2010, it was a lot more fun.

There was seem like there was more women, but over the [00:34:00] last five years, maybe three years maybe, you know, I don't know when I, when I saw the shift. It has gotten, I think it's gotten worse. Actually, according to one of the women that we interviewed for a text on women, and I cannot think of her name right now, but she worked she was one of the C levels at Manpower.

She said that during COVID, women lost more ground in technology than any other any other occupation because they stayed home to be the teacher and They they were, they were not able to do, you know, do remote work because they were working during the day with their kids on online. And they never went back into the business because they got so far behind on the skills and they just never returned.

And the habit of hiring women never returned. It did not return at the rate that they were hoping at manpower, that women [00:35:00] were, really qualified women would, you know, would stand up and not looked at. So we've gone backwards in a very in a, in a very sad, sad direction. And I've, you know, it kind of aligns with the current climate we find ourselves in politics as well.

You know, this has always been technology. Well, that's not completely true. I was going to say it's always been a good old boys club, but that's not true. Women dominated when I was, when I first started, I had a lot of women that I worked with in, in Wall Street. Many of them were DBAs. Oh my God. The number of women that were DBAs was outstanding and network engineers.

Many of them were network engineers and they all disappeared over the course of my the lifetime of my career. They have literally disappeared and it's become even a more good old boys club than I've ever seen before. And in fact, there have been meetings that I went to at an open source summit.

There were a couple of meetings that I [00:36:00] felt like I was not wanted there. Like I walked back to my team and said, I want to go home. And that is, and that was just last year. And that's where I am a hardened woman in software.

John Willis: Yeah, no doubt. Yeah. It spun me

Tracy Ragan: around. It spun me around to the point. I basically said, you know what?

I think I just want to go home.

John Willis: That's, that's terrible. I mean, that is absolutely, you know, so my, I'm going to tell you my quick story, which was Bridget Kromhout, who was like, ran, you know, she was, she, we, I remember inviting her, I saw her, she did a Ignite talk at Tablet Stays New York, I think 2013 or 2012, I don't know, and we were trying to figure out the first, one of the big Silicon Valley ones, and I was like, I got a great, great speaker, and she came, and she spoke, and she knocked it out of the park.

It was like 2014, I don't know, really early. And I remember it was great, you know, and, and I remember, you know, and she's operations, like, ops, you know, and, and and about a week after [00:37:00] the thing, she wrote this article about how she felt like she didn't, like what you just said, and because at the conference, she was having a great time interacting people like your, your presentation is, You know, she was working at a video startup and like, her stuff was spot on on people.

Everybody was trying to figure out how do you sort of manage what tools you use, what open source and she crushed it. And and her article was at the end, they were all standing around as all guys. And they said, Hey, why don't ops guys go out for dinner? And you know, and like the old me be like, come on, really?

Like, but she felt. And I, I, I knew her. It wasn't like a complaining. It wasn't like, you know, well, I'll get, you know, like, I know that just, she just felt, she said in this article, it's still out there, that she just wasn't sure if she was invited. And that changed everything for me because I thought, you know, my whole thing was what do I say that would basically make Bridget feel like shit?[00:38:00]

And how do I say it? And I know that's just a minor part, but we, we, like, you know, like, we need to, us, the men in this community, we don't want to chase people like Tracy and Bridget off. The

Tracy Ragan: truth is, John, she wasn't invited. Not truly they did not want her there.

John Willis: Yeah,

Tracy Ragan: because I know that my from my own experience You know if you're the only woman in the room and they're all gonna go off to the bar You know that you're not invited that nobody is making turning around and making sure and saying Tracy come come with us We really really want you there So it's and this this happens to this this is such a problem and I'm so glad you shared her story Because it, business deals, you know, funding going out and selling your software all requires that that woman feels comfortable going to [00:39:00] dinner or going to the bar.

And as long as we don't, we will not succeed in changing the, in fixing this problem. We're still going to be looking at all of investment and all of industries goes to less than 2 percent goes to women. That is ridiculous. Please less than 2%.

John Willis: It's just

Tracy Ragan: stupid, ridiculous. But why does that happen? Because women don't feel invited to go to that next level.

They don't know when, it's hard to say, hey, am I invited? Hey.

John Willis: Right, right. And that's

Tracy Ragan: what we have to start doing, but younger women in particular won't.

John Willis: Yeah. Yeah. No, no, I mean again, that's why I do you know, I'm, I'm 65 now, we were just talking about it and Medicare, like, you know, and I just think about like the, the damage we do to our, you know, to, you know, what, what is a beautiful industry.

I mean, I, I, look, I, you know, like the old, you know, Lou Gehrig, baseball's been very, very good to me. I think IT [00:40:00] has been very, very good, and, and the thought that it, it, it can't be good, like, it, it, it annoys me but, I love this industry too because it's the one industry that I never have to, I never stop learning.

Tracy Ragan: I'm always challenged to learn something else and I absolutely love it and the women that I know in it are amazing. But do we get the proper credit? Do we get will we be sitting on those boards? Will we be getting funded? I don't think so. Not anytime soon. And it's just going to get worse for women overall.

We're going to face a time right now that women are going to be challenged and it's going to get, it's going to hurt. It's really going to hurt. And I think that those who have the ability to lift women up whether it be looking at a young woman coming out of the coming out of Harvard that has some amazing ideas or somebody my age that has a lot of experience and says, Hey, we can solve this.

I hope that they start looking at us from a different [00:41:00] perspective.

John Willis: Yeah. For me, I think I kept thinking like, is there a question to ask you to tell these, you know, sort of idiotic men in this industry. But I think for me, like, I guess I would say is, you know, find your Bridget and then realize like, like, like find your Tracy, find your Bridget and like, what would I do that would make her feel like crap and just don't do it?

I mean, you know what I mean?

Tracy Ragan: Or what can I do to help her in these male dominant areas to, you know, have her back and make sure. Right, that she's invited. Hey, they're going out. You're coming with me.

John Willis: I

Tracy Ragan: got your back. Yeah, I got your back. That is important because being out there alone is hard. But if you know that there's a guy standing in the room that's looking at you and going, come with us, you're coming with us.

I have your back. And if men will stand up when women are being treated poorly and say something, and this has [00:42:00] to do with all, I mean, misogyny and fascism, the only way we stop it. is by saying something. I recently had that experience. I won't use all the words that I told the person, but they asked me what business I was in.

And this was like at a venture, kind of a venture fundraiser or venture meet and greet. And I said, I was doing cybersecurity. And the person looked at me and said, he goes, yeah, but that's really hard. And I said, okay, I'm going to call BS on you right now. And two people from MITRE were sitting at the table.

And then I called them up. Then I said a few, use the F word on them a few times. And I said, the problem is you would have never said that to a man. And if you say that to a young woman, she may never try again. And that is not fair because you would never say that to a man ever, ever, you would never say that.

And then he apologized. And you know what I said to him? I said, I don't want you to be sorry. I want you to change. So we have to speak up.

John Willis: I, you know, I'll tell [00:43:00] one more story. And again, I'm not trying to make it sound like I'm some kind of saint, cause I ain't, I'm lazy. I'm disorganized. I, you know and the score, their dog and the squirrel squirrel squirrel.

I have a different idea every day, but we were at this open source conference and I was with Mark Miller and he had something going on with Sonatype and All Day DevOps, and he invited me to, it was in London and this young man, young woman, both work same company. And they were all excited about like they were at a startup doing development.

And they told the woman, the young woman said to me at some point, yeah, she said, I was in this crowd of these guys. And they said, what do you do? And she said, I'm a developer. And the guy said, that's hot. I said, we're going to find the organizers. We literally, I went around this, unfortunately, this is one of those conferences, unlike DevOps days, because DevOps days, you will have a colored person you can go to if that thing happens.

And it's your responsibility to take and find the person who said that and make sure they get, I wouldn't say kicked out of the conference, but [00:44:00] yeah, but we looked, we looked all over for about a half an hour, I looked around, I wanted to find an organizer to say we need to go talk to that man, and that is not the way you treat people at a conference.

Tracy Ragan: Isn't that a weird thing to say, right?

John Willis: It was just like, and this young woman was so like, she was so proud that she was a developer and like, and she wasn't even complaining when she, she was like perplexed that that was their response. Like, it was just, you know, so anyway, you know, in other words, she wasn't even sitting there going, this is terrible.

This place is horrible. She was like, yeah, and I got this weird response from one of the older guys, you know, and like, she's, you know, it's sort of embarrassing, but all right, let's, let's finish up on DeployHub. Tell, tell me what you're doing and, and, and like what, how, you know, what are the kind of things you're doing that sort of, sort of help with this mess we've got?

Tracy Ragan: Yeah. So, you know, DeployHub has had a very interesting journey. We, so we bought the technology of DeployHub when we were still OpenMake [00:45:00] Software.

John Willis: Okay.

Tracy Ragan: Because we had so many people using our Meister product to do deployments. And it never, never was intended for us. And we found this company out of out of Edinburgh and they had built a versioning engine and taken a lot of time to build a versioning engine around managing the configurations of deployments, including doing the deployment, which actually is the easy part because they were trying to move away from, from deployed from scripted deployments.

And it was agentless, so it didn't require an agent running everywhere. Well, we, I was pretty interested in the configuration management part of it. And so we brought it on, didn't do much with it because Meister was still kind of pushing everybody's envelope, and we were, you know, pretty busy with that, and we started developing on it, and we were way too late to the market.

We had some of our customers started using it as a deployment engine [00:46:00] and managing the configuration of deployments. Now, a configuration of deployments can get pretty complicated. We're talking about managing key value pairs and you know, where, where scripts are coming from, if they're using scripts, just tracking the data about deployment.

So you have insights of what's happened. We separated DeployHub from OpenMake Software back in, I guess it would have been 28, maybe 2018. And we were going to go, we were going to take it to market 2019 into 2019. We had COVID and we, I just pretty much shut it all down. I said, we're not going to, I'm not going to do anything.

But what I did do was I spent the first two years of COVID actually the first, all of pretty much 2020 doing LinkedIn interviews with people and trying to find out what their problems were in the area of DevOps. And most of them would say that they are struggling with managing all of the different pieces and components.

Now, this is what microservices were just starting. Some companies would say they were getting [00:47:00] confused about 20 microservices, much less, you know, 500 microservices, what they're doing now. And what the configuration management engine and that versioning engine did really well was to map dependencies.

Okay, now fast forward to where we are today with it, which, but we never changed the name. What we realized was that we had the perfect solution for tracking SBOMs, vulnerable packages to endpoints, right? Because we track where, we track, we track the component, who created the component, where the build was, and we track where it got deployed to, regardless if it gets deployed out to, I don't care, you know, 10 different environments and 70 different namespaces and, you know, multiple, multiple instances everywhere, because that's what happens to these containers that are widely shared.

So now what we're able to do is we take an SBOM [00:48:00] and we version that, right? Because every time you create a new, every time something runs through your pipeline, a new component gets created. Every single application that consumes that component has a new version.

John Willis: Okay, right.

Tracy Ragan: And a new and guess what? A new SBOM.

John Willis: Right. Right.

Tracy Ragan: So we, we, we snapshot that. And when we do so, what we're creating is the ability to map a vulnerability all the way to its end point. Without having to have any agents opening up a container, you know, from your discussions with me on tech strong game. You know what a fan I am of agents,

John Willis: but

Tracy Ragan: you don't have to have an agent running in your production, opening up your containers and scanning them from vulnerabilities because it's already in that we already have the information of the DevOps pipeline.

So we're gathering that. So right now we really have kind of pivoted around. That ability and taking that configuration management and versioning feature to show at any point you could do a, you could [00:49:00] run, you know, give me a search on Spring 5.0.7 and it would show every single location is running. Now, why is that important?

It's important because that's where it needs to be repaired and patched if it's a high risk vulnerability. And what we want to do with the data, what we're, you know, I'm going to start looking at funding in 2025, what we want to do with that. As we want to now automate the, the, the package remediation, we want to be able to, we know there's a vulnerability.

We know where it's running out in the production environment. What we want to be able to do is automatically go locate the patch, update the Helm chart, and create a pull request for every application team and every component that is consuming that. And in doing so, we won't have a 227 day response time to updating our vulnerability, our patches for our vulnerabilities.

We're not trying to do the remediation, the code remediation. Somebody else can do [00:50:00] that. Right, right, totally, of course, yeah. We want to do the DevOps part, but we want to be able once there is a problem found, we want to be able to notify every application team that's consuming that and every developer who created that component by creating a pull request and notifying the application teams that there's a problem.

John Willis: It sounds like a no brainer. You know, I mean, this

Tracy Ragan: is,

John Willis: I mean, it's funny, you know, it's you know, there was a while when I was doing a lot of these, what I called a qualitative analysis for digital transformation. It's a fancy way to do a lot of interviews, but I was doing a true qualitative analysis.

I had learned enough about the, you know, not the sort of the PhD version, but But enough, and they'll go into large corporations and, and, you know, one of the things I'd ask, and, and, and like, I, I, I haven't done this for a few years, but I'm certain I could go into any company and ask the same question, get the same answer is I put a bunch of people in a room.

I did that. I do. It's been like a month with a company and just interview anywhere from 100 to 500 people, right? [00:51:00] And. I, each team, I'd ask things like, I'd say, Hey, you know, on that last, like, I was like, I'll say Struts 2 or something like that. How did you know where you needed to remediate? And then the answer is, because I always say, I'd never asked a question.

I'm smart enough not to ask question. How, how good is your CMDB? Right? Because. Oh, it's fine. Don't worry about it. Right? Like, you can't ask it that way. You gotta find, you gotta get them to tell you the, the truth and the lies, right? And so I'd say, you know how, and then one person say, well, you know, I got a spreadsheet.

Another person would say, I, I, well, I, I'll go to, you know you know, to the the, the load balancers and, and the F5s, you know, because they'll. Dump me a bunch of XML or, you know, and I, like, I let him go through all this. And, and, and I, for me, cause I was just getting the answer. I wanted to prove to CIO that your CMDB is just nonsense.

Like you're wasting money. You are just, it's, it's like theater. And but the, the, the, the, the result of all that Q and a was how terrible. [00:52:00] We are at that exact answer of when you have a Struts 2 vulnerability and you've got to remediate it. How do you find all the systems and like I don't, you know, other than the closest I've seen is, I don't know if you ever looked at Habitat from Chef, but I don't know that that was the right answer either.

But to me, that was the closest answer of, you know, root definition of, like, what the application is going to have from the library level. And at least now we know where it went. Right. And so when, when you.

Tracy Ragan: And the crime of that is we have all of that data. It's not creating that data. We're just grabbing it at the point in time.

Things happen on the CD pipeline. If a Helm chart executes, we already have that information. We just store it.

John Willis: Yeah, no, no, it may now

Tracy Ragan: we're able to take all of that package information coming from the SBOM. And version that. As well, so we could actually go all the way down to the package and map it and this is what you just described is the biggest problem people have is knowing where these [00:53:00] pieces are.

They

John Willis: just don't know. They just don't know. They just don't know.

Tracy Ragan: And, and it's, it's, it, it is a no brainer if all you do is, if, if, if we're actually starting to manage it on a regular basis, pull this data up, right? In a federated location, nobody can see it without having to install agents everywhere, which is not my, my, you know, the agent thing makes me so crazy because all we're doing is adding to the stack.

I didn't get it.

John Willis: Yeah, we keep adding

Tracy Ragan: more problems to our, you know, we have all the data yet. Somehow we have to have an agent out there to go find it. It just proves that we are messy at what we do.

John Willis: Oh, yeah, we are totally. All right. So how do people, you know what, what I mean it probably deployhub.com, but I mean, what, where do people find out more about you?

Yes.

Tracy Ragan: DeployHub.com. And we do have an open source product that's incubating at the Continuous Delivery Foundation. Okay. Okay. And it's called Ortelius. Okay. Named after Abraham Ortelius, who created the first world atlas. Oh, and it's [00:54:00] ortelius.io. And if anybody's interested in this space and would like to contr help contribute and solve the automation of, of, you know, patch remediation.

I don't wanna call it code remediation. We wanna remediate the patch. Got it. Please consider joining the team. We have a fun team and we're, we're unique because we don't have a giant, we don't have an IBM or a Google behind us. We are, we are a real open source community. There you

John Willis: go. There you go. Real

Tracy Ragan: developers doing open source development.

John Willis: Get me into the CNCF discussion. You know, the one thing we didn't cover and maybe, maybe we can sort of schedule this early next year. The I, I definitely wanted to talk to you about CDF and OpenSSF, but, you know, and, and like really, you know, how you're involved in that and involvement in what, why it's, why it's important.

We about. I would love to have it.

Tracy Ragan: Yeah, I would love to have another discussion on that. I am currently serving on the Technology Oversight committee for the CD Foundation. I have been on the governing board for the OpenSSF. I've put my name in the hat for war next year. We'll see if [00:55:00] it happens.

John Willis: Okay.

Tracy Ragan: But unfortunately, the OpenSSF has gotten there's a lot of men running that show and women have been kind of losing their place. Jamie Thomas used to be the chair of the OpenSSF board, and she's from IBM, and she. Was amazing. I miss her. I think that they should bring her back, but it probably was a lot of work for her.

John Willis: Not that I get the vote, but you get my vote. So

Tracy Ragan: thank you.

John Willis: There's been great.

Tracy Ragan: There's a lot to talk about with those 2. Yeah, no, I think that's I

John Willis: mean, I think we cover some really good stuff. I love going back in history. You know, and then, you know, certainly the women in tech were I thought, you know, I, I, I sort of, I feel like that's going to be an important part of this particular podcast.

And then I wanted to really, I wanted to better, better understand what the DeployHub did. So, but we'll come back. We'll definitely schedule that. And I hope you had as much fun as I did.

Tracy Ragan: I did. It was a pleasure. I always enjoy talking to you, John.

John Willis: All right. Sounds good.
