Tuesday, July 02, 2024

regreSSion: A High-Severity OpenSSH Vulnerability (CVE-2024-6387)

What is CVE-2024-6387?

CVE-2024-6387, also nicknamed "regreSSion," is a critical vulnerability in OpenSSH's server software (sshd) that allows for remote unauthenticated code execution (RCE) on affected systems. This means an attacker could potentially take complete control of your machine without ever needing valid login credentials.

The vulnerability stems from a signal handler race condition within OpenSSH. When a client fails to authenticate within a specific timeframe, the server triggers a signal handler. Crucially, some functions called during this process are not designed to handle interruptions and can lead to unexpected behavior. In certain glibc-based Linux systems, this can be exploited for RCE.

Who discovered it?

The Qualys Threat Research Unit (TRU) is credited with discovering CVE-2024-6387. Their research indicates this vulnerability has the potential to affect millions of servers.


How can I find out if I'm vulnerable?

There are two main ways to check if your system is vulnerable to CVE-2024-6387:

  1. Check your OpenSSH version: Vulnerable systems will be running OpenSSH versions earlier than 4.4p1 or 8.5p1, up to but not including 9.8p1. You can check your version by running the following command in your terminal:
        ssh -V
  1. Consult your Linux distribution's security resources: Most Linux distributions have released advisories regarding CVE-2024-6387. These advisories will detail the specific versions affected and any available patches.


Open Source Tools and Patches

The good news is that patches are readily available to address CVE-2024-6387. It's crucial to update your OpenSSH server to a patched version as soon as possible. You can find the update procedure specific to your Linux distribution through their official channels.

Here are some additional resources:

Sunday, May 19, 2024

Form Follows Function: A Timeless Principle for Design and Architecture

In the world of design, there are a few phrases that hold immense weight. "Form follows function" is one such concept that has transcended disciplines and time. Coined by renowned architect Louis Sullivan in 1896, this principle emphasizes that the design of an object should be driven by its purpose. In simpler terms, the way something looks should be a direct result of what it's meant to do.

This philosophy stands in stark contrast to the idea of aesthetics solely dictating design. Imagine a building adorned with intricate carvings and superfluous ornamentation – while it might be visually appealing, it goes against the "form follows function" grain if these embellishments don't contribute to the building's functionality in some way.

While Sullivan's initial focus was on architectural design, the "form follows function" principle has far-reaching implications. It can be effectively applied in various fields, including software engineering and enterprise architecture, as we shall explore further.


Applying "Form Follows Function" in Software Engineering

In the realm of software engineering, "form follows function" translates to designing software that prioritizes usability and functionality over superficial aesthetics. Here's how this principle plays out:

  • User-centered design: The core functionality of any software should cater to the needs of its users. User interfaces should be intuitive and easy to navigate, allowing users to achieve their goals efficiently.
  • Clean code: Well-written code is not just about functionality but also readability and maintainability. Clean code adheres to coding standards and best practices, making it easier for developers to understand, modify, and extend the software in the future.
  • Focus on user experience (UX): A positive UX goes hand-in-hand with good design. Software that adheres to "form follows function" should prioritize a seamless and enjoyable user experience.


"Form Follows Function" in Enterprise Architecture

Enterprise architecture deals with the design and implementation of an organization's IT infrastructure. Here's how "form follows function" applies in this context:

  • Business-driven IT solutions: The IT infrastructure should be designed to support the core business processes of the organization. There should be a clear alignment between the business goals and the technological solutions implemented.
  • Scalability and flexibility: IT systems should be designed to accommodate future growth and changing business needs. A rigid and inflexible architecture can hinder an organization's ability to adapt and thrive.
  • Integration and interoperability: Different IT systems within an organization should be able to communicate and exchange data seamlessly. This ensures a smooth flow of information and avoids data silos.

By adhering to the "form follows function" principle, software engineers and enterprise architects can create solutions that are not only aesthetically pleasing but also functional, efficient, and scalable. This approach ensures that technology serves a purpose and provides real value to the users and the organization.



Thursday, April 11, 2024

The Doctor, the Data, and the Deadly Secret: The Semmelweis Reflex and the Power of Data Storytelling

Imagine a world where a simple yet revolutionary idea is rejected, not because of a lack of evidence, but because it challenges the status quo. This is the cautionary tale of the Semmelweis reflex, named after Ignaz Semmelweis, a Hungarian physician who dared to question prevailing medical beliefs in 19th century Vienna.

Back then, childbirth was a terrifying ordeal. A significant number of women died from a mysterious illness known as childbed fever. The medical community, however, clung to the theory that the disease arose from emotional distress or miasma (polluted air).

Enter Semmelweis. He noticed a disturbing trend. The First Maternity Ward, staffed by doctors who routinely delivered babies after performing autopsies, had a much higher mortality rate than the Second Ward, staffed by midwives. Data, in the form of these drastically different mortality rates, was staring him in the face.

Through careful observation, Semmelweis discovered the culprit: invisible particles transmitted from contaminated hands during examinations. He implemented a mandatory handwashing protocol with a chlorine solution – a radical idea at the time. The results were astonishing. Childbed fever deaths in the First Ward plummeted.

Semmelweis' story is a powerful example of data-driven decision making. He didn't just collect information; he told a compelling story with his data, highlighting the stark contrast between the wards. This narrative, built on evidence, exposed a deadly flaw in accepted medical practices.

The Semmelweis reflex serves as a warning against clinging to comfortable but potentially harmful beliefs. It also underscores the importance of effective data storytelling. By presenting data in a clear, compelling way, we can challenge assumptions, inspire action, and ultimately, save lives.


Now, let's unlock the power within your data

Semmelweis didn't just present dry numbers; he painted a picture with his data. He showed the human cost of inaction and the life-saving potential of his idea. This is the essence of data storytelling: transforming raw information into a captivating narrative that resonates with your audience.

 Source: https://en.wikipedia.org/wiki/Ignaz_Semmelweis


Here are some key ingredients for effective data storytelling:

  1. Focus on the "why": Don't just present findings; explain their significance. What problem are you trying to solve?
  2. Know your audience: Tailor your language and visuals to their level of understanding.
  3. Embrace visuals: Charts, graphs, and even infographics can make complex data easier to digest.
  4. Keep it concise: Avoid information overload. Highlight the most impactful pieces of data.
  5. Weave a narrative: Frame your data as a journey with a clear beginning, middle, and end.

By following these tips, you can transform your data from a collection of numbers into a powerful tool for persuasion and positive change. So, unlock the stories hidden within your data, craft compelling narratives, and inspire action!

Monday, April 01, 2024

Hidden in Plain Sight: Why Freeloading On Open Source Can Cripple Your Business


The "Free" in Free and Open Source Software (FOSS) stands for "Freedom"; Not "Free, as in Beer"!

The free and open-source software (FOSS) revolution has transformed how businesses operate. From Linux powering your servers to web frameworks building your applications, FOSS offers a robust, cost-effective foundation. But for many for-profit entities, the relationship with open source is one-sided: they leverage the benefits without giving back.

This approach might seem harmless, but a recent security concept throws a wrench into that complacency: hypocrite commits. These are seemingly innocuous code changes submitted to open-source projects that hold the potential for future exploitation.

Here's why for-profit entities ignoring open source should be deeply worried about hypocrite commits:

A Trojan Horse in the Codebase

Imagine a seemingly harmless code tweak slipped into a critical open-source library. Months later, a follow-up commit unlocks the hidden vulnerability, potentially compromising countless systems built on that library. Your infrastructure, heavily reliant on open source, could be left exposed.


Case in point

In March 2024, a backdoor was discovered in versions 5.6. of the XZ Utils, a widely used compression library for Linux distributions (CVE-2024-3094). This backdoor, if exploited, could have allowed attackers to gain unauthorized access to systems. The malicious code was cleverly hidden and only triggered during the build process, highlighting the potential for sophisticated attacks leveraging seemingly harmless commits.

Even more concerning are vulnerabilities that go undetected for years. In 2014, the infamous Heartbleed bug (CVE-2014-0160) was discovered in OpenSSL, a critical cryptographic library used in countless applications, including the popular SSH protocol. This vulnerability allowed attackers to steal sensitive information transmitted over supposedly secure connections. The potential impact was massive, and it served as a wake-up call for the importance of ongoing security audits in open-source projects.


Open Season on Vulnerabilities

Open-source projects, while championed by passionate developers, often lack the resources for constant security audits. Hypocrite commits exploit this gap. By not contributing back, you weaken the very tools your business depends on, making them easier targets for attackers.

This isn't just a hypothetical scenario. In recent years, several critical vulnerabilities (CVEs) have been discovered in popular open-source projects, including CVE-2019-5736 in Runc, a container runtime tool essential for containerized applications. This vulnerability could have allowed attackers to escalate privileges and gain control of containerized systems. By not contributing back, you essentially free ride on the efforts of others while leaving yourself exposed.


The Ethical Cost

Beyond the security risk, there's a moral dimension. Open source thrives on collaboration. By solely taking without giving back, you freeload on the efforts of countless developers who dedicate their time and expertise to maintaining the software you rely on.

So, how can you mitigate this risk and build a sustainable relationship with open source?

  • Become a Contributor: The best defense is a good offense. Participate in open-source projects by reporting bugs, fixing issues, and even contributing code. This strengthens the codebase and fosters a sense of community.

  • Support Open Source Foundations: Many open-source projects rely on foundations for financial and logistical support. Consider donating or sponsoring these organizations to ensure the continued health of the software you depend on.

  • Embrace Open Source Security Audits: Regularly audit your open-source dependencies for vulnerabilities. This proactive approach can identify potential issues before they become critical.


By actively contributing to the open-source ecosystem, you not only safeguard your own infrastructure but also ensure the continued success of the very tools that power your business. Remember, open source isn't just free software; it's a collaborative effort. 

It's time for for-profit entities to step up and become responsible participants in this vital digital landscape.

PS: Here's a popular open-source project calling out a for-profit entity for freeloading off the work of volunteers (dated April 1st 2024).

Friday, March 29, 2024

The Great Debate: Unveiling the Similarities and Differences Between SysAdmins and Software Engineers

Note: This topic has been bubbling away in my head for a while. However, since it's a controversial issue and I might have my own perspective, I decided to take a lighter approach using humor. So, I created two fictional characters, one representing each profession, to have a fun debate.

 Code Warriors at War: SysAdmins vs. Software Engineers


Part 1 -  SysAdmins vs. Software Engineers

Moderator: Welcome everyone! Today's debate is a hot topic in the IT world: can system administrators (SysAdmins) truly be considered software engineers? We have two esteemed professionals here to argue their cases. In the blue corner, we have Shawn, a seasoned SysAdmin with years of experience keeping the lights on. And in the red corner, we have Nadia, a brilliant software engineer who builds the applications that run on those lights. Let's get started!

Shawn (SysAdmin): Thanks for having me. In my view, the answer is a resounding yes! SysAdmins are constantly writing code – scripts, automation tools, configuration files. We may not be building the next Facebook, but we're the ones behind the scenes making sure it runs smoothly. We understand the infrastructure, the operating systems, the intricate dance of all the software. That kind of deep knowledge is crucial for any engineer.

Nadia (Software Engineer): I appreciate Shawn's point, but there's a difference between coding and software engineering. Sure, SysAdmins write scripts, but they're typically one-off solutions for specific tasks. Software engineers design, develop, and test complex systems with scalability, maintainability, and security in mind. We follow best practices, write clean code, and collaborate with teams to build features and functionalities.

Shawn: Hold on, Nadia. Many SysAdmins today are heavily involved in cloud deployments, containerization, infrastructure as code. These tasks require a deep understanding of software development principles. And let's not forget troubleshooting! We diagnose complex system issues, often by diving into code and finding the root cause.

Nadia: Absolutely, troubleshooting skills are valuable. But SysAdmins typically work within existing frameworks and tools. Software engineers, on the other hand, create those frameworks and tools! We work with algorithms, data structures, design patterns – the very building blocks of software.


Part 2 - The Automation & AI Factor

Moderator: Welcome back everyone! Buckle up, because this part of the debate is a bit spicier! We're tackling the hot topic: can system administrators (SysAdmins) truly be considered software engineers? And with the rise of automation and AI, is one role more at risk of being replaced than the other? In the blue corner, we have Shawn, our battle-tested SysAdmin. And in the red corner, the brilliant software engineer, Nadia. Let's get ready to rumble!

Shawn (SysAdmin): Thanks! Now, listen, I love Nadia's passion for building complex applications, but let's be honest. Many SysAdmin tasks are ripe for automation. Scripting, configuration management, even basic troubleshooting – AI is getting scary good at that stuff. Software engineers, on the other hand, deal with the creative aspects – designing new functionalities, solving unique problems. That kind of ingenuity can't be easily replicated by machines... yet.

Nadia (Software Engineer): Hold your horses, Shawn. While some SysAdmin tasks can be automated, AI still struggles with the unexpected. A good SysAdmin understands the intricate dance of all the systems and can think on their feet to fix critical issues. AI isn't there yet. Now, software development is constantly evolving too. New tools and frameworks emerge all the time, but the core principles of problem-solving, algorithmic thinking – those are human skills that AI won't replace anytime soon.

Moderator: Spicy indeed! Perhaps there's a middle ground here?

Shawn: Absolutely. Automation can free up SysAdmins to focus on more strategic tasks – security automation, cloud optimization, even dipping their toes into some software development.

Nadia: Exactly! And as AI evolves, software engineers will need to adapt too. We'll partner with AI to automate tedious testing or code generation, allowing us to focus on the cutting-edge stuff.


Moderator: Sounds like both roles need to embrace change to stay relevant. So, the question isn't which role will be replaced, but rather how both can evolve alongside automation and AI?


~ The End ~


Thursday, March 28, 2024

Demystifying ArchiMate: A Powerful Modeling Language for Enterprise Solution Architects

As an Enterprise Solutions Architect, I recently had the opportunity to revisit the world of ArchiMate while tackling a complex system architecture project.

In this post, I'll share what ArchiMate is and how it empowers us to visualize, analyze, and design enterprise architectures. I'll also discuss my experience choosing the right ArchiMate tool for the project.


What is ArchiMate?

Developed by The Open Group, ArchiMate is a standardized modeling language specifically designed for the field of Enterprise Architecture (EA). It provides a visual language with clear notations to describe, analyze, and communicate the intricate relationships between various aspects of an enterprise, including:

  • Business Layer: This layer focuses on business processes, capabilities, and the organization structure.
  • Application Layer: Here, we delve into applications, services, and data components.
  • Technology Layer: This layer represents the underlying technology infrastructure, such as networks and hardware.

Source: https://www.archimetric.com

The Power of ArchiMate

By offering a common language, ArchiMate bridges the gap between different stakeholders within an organization. Here are some key capabilities that make it so valuable:

  • Clear Communication: ArchiMate's visual models provide a clear and unambiguous way to represent complex systems. This fosters better communication and collaboration between business analysts, IT professionals, and executives.
  • Enhanced Decision-Making: Visualizing the current state architecture and potential future states allows for informed decision-making. You can analyze the impact of changes on different aspects of the enterprise before implementation.
  • Effective Gap Analysis: Identify gaps between the current state and the desired target state architecture. This helps in planning and designing solutions to bridge those gaps.
  • Improved Documentation: ArchiMate models serve as well-documented blueprints of the enterprise architecture, promoting understanding and knowledge transfer.


My Experience with ArchiMate

In my recent project, ArchiMate proved invaluable in modeling the current state of a complex system. It helped us clearly identify inefficiencies and bottlenecks. We then leveraged the language to design a target state architecture that addressed these issues and aligned with the organization's strategic goals. The visual models facilitated communication across different teams, ensuring everyone was on the same page.


Choosing the Right ArchiMate Tool

One of the challenges I encountered while working with ArchiMate was selecting the optimal modeling tool. In our case, the client had approved two options Archi and BizDesign Horizon:

Benefits of BizDesign Horizon

I'm started preferring BizDesign Horizon because its collaborative modeling capabilities were crucial for our team. The ability to record life cycle metadata against technology and application components allowed for a more comprehensive understanding of our system. Additionally, the robust version control features ensured we maintained a clear history of changes, and the model component reuse functionality promoted efficiency across the enterprise.

Here's a deeper dive into the specific features of BizDesign Horizon that proved valuable:

  • Collaborative Modeling: Our team members could work on the model simultaneously, fostering better communication and faster iteration cycles.
  • Life Cycle Metadata: Recording metadata for technology and application components provided valuable insights into their lifespans and potential upgrade needs.
  • Version Control: BizDesign Horizon's built-in version control ensured we could easily track changes and revert to previous versions if necessary.
  • Model Component Reuse: The ability to reuse model components across the enterprise saved time and ensured consistency throughout the architecture.

Overall, choosing BizDesign Horizon as our ArchiMate modeling tool proved to be a wise decision. It significantly enhanced our team's collaboration, provided valuable data insights, and streamlined the overall architecture development process.



If you're an Enterprise Architect or someone involved in designing and managing complex IT systems, ArchiMate is definitely worth exploring. Its standardized approach and visual representation make it a powerful tool for clear communication, efficient analysis, and effective decision-making within the ever-evolving world of enterprise architecture.


Think Different: How First Principles Thinking Unlocks Innovation (Even in Software Engineering)

Imagine you're building a house. Most people would look at existing blueprints and adapt them. First principles thinking flips that script. It's about going back to the basics, the fundamental truths (the first principles) of physics and materials, and then reasoning up from there to design the most efficient house possible.


In this blog post, we'll break down what first principles thinking is, why it's so powerful, and how you can start using it to tackle problems in your own life, including designing innovative software architectures.


What is First Principles Thinking?

Here's another way to think about it: First principles thinking is like questioning every assumption. Instead of relying on how things have always been done or what everyone else thinks, you break down the problem into its most basic parts and then rebuild it using logic and reason.


Why is First Principles Thinking Powerful?

There are several reasons why this approach is so valuable:

  • Unleashes Creativity: By questioning assumptions, you open yourself up to entirely new possibilities. You're not limited by what's already been done.
  • Better Problem Solving: First principles thinking allows you to analyze problems from the ground up, potentially revealing weaknesses in traditional approaches.
  • Promotes Independent Thinking: It encourages you to think for yourself and not blindly follow the crowd.


How to Use First Principles Thinking

Here's a simple 3-step process you can follow:

  1. Identify the Core Problem: What are you trying to achieve? What obstacle are you facing?
  2. Break it Down: What are the fundamental truths or laws that apply to this situation?
  3. Rebuild from Scratch: Using your understanding of the core principles, design a new solution or approach.


Real-World Examples

Here are a couple of famous examples of first principles thinking in action:

  • Elon Musk and SpaceX: Instead of accepting the high cost of rockets, Musk reasoned from first principles (materials, physics) and built SpaceX to manufacture rockets in-house at a fraction of the traditional cost.
  • The Wright Brothers and Flight: They didn't just copy existing gliders; they studied the principles of lift and drag to design their own flying machine.


First Principles Thinking in Software Architecture

Software architecture is all about designing the blueprint for your software. Traditionally, architects rely on established patterns and best practices. While these are valuable, first principles thinking can take your architecture to a whole new level.

Here's how:

  • Questioning Assumptions: Don't blindly accept that a monolithic architecture is the only way to go for your project. Ask yourself: what are the core functionalities? Can they be broken down into smaller, independent services? This could lead to a microservices architecture that's more scalable and maintainable.
  • Focusing on Fundamentals: Instead of just picking a fancy framework, think about the core principles you need, like data persistence, security, and communication. Then, evaluate different solutions based on how well they address those principles.
  • Building for the Future: Don't just design for today's needs. Consider how the software might evolve in the future. By thinking about core principles like scalability and maintainability, you can build an architecture that can adapt to changing requirements.


Benefits of First Principles Thinking in Architecture

  • More Innovative Solutions: You're not limited by existing patterns and can come up with architectures specifically tailored to your project's needs.
  • Future-Proof Designs: Architectures built on first principles are more adaptable and can handle unforeseen changes.
  • Deeper Understanding: By questioning assumptions, architects gain a deeper understanding of the core functionalities and trade-offs involved.


Remember: First principles thinking isn't about throwing away all established practices. It's about using them as a foundation while also being open to exploring new possibilities.

Unleash the Power of Generative AI: Get Started with AWS Samples

Stuck on that first step with Generative AI? Don't worry, Amazon has you covered! The genai-quickstart-pocs repository on GitHub provides a treasure trove of sample code to jump-start your journey. It's definitely worth your star. 

This developer-friendly repository offers a collection of projects, each focusing on a specific use case for Generative AI and Amazon Bedrock. No more sifting through extensive documentation – each project is a dedicated directory with its own codebase, making it easy to understand and implement.

But wait, there's more! To streamline the development process, the repository includes a basic Streamlit frontend. This user-friendly interface allows you to quickly set up a proof-of-concept (POC) and experiment with the capabilities of Generative AI.

Here's a glimpse of what you can achieve with these samples (at the time of writing):

  1. Amazon-Bedrock-Summarization-Long-Document-POC This sample demonstrates using Amazon Bedrock and Generative AI to implement a long document summarization use case. Users can upload large PDF documents, which are chunked and summarized using Amazon Bedrock.

  2. Amazon-Bedrock-RAG-OpenSearchServerless-POC This sample demonstrates creating custom embeddings stored in Amazon OpenSearch Serverless, and answering questions against the indexed embeddings using a Retrieval-Augmented Generation (RAG) architecture with Amazon Bedrock.

  3. Amazon-Bedrock-RAG-Kendra-POC This sample implements a RAG-based architecture with Amazon Kendra, allowing users to ask questions against documents stored in an Amazon Kendra index using Amazon Bedrock.

  4. Amazon-Bedrock-Image-Generation-POC This sample demonstrates using Amazon Bedrock and Generative AI to generate images based on text input requests.

  5. Amazon-Bedrock-GenAI-Dynamic-Prompting-Explained-POC This sample provides a hands-on explanation of how dynamic prompting works in relation to Generative AI, using Amazon Bedrock.

  6. Amazon-Bedrock-Document-Generator This sample demonstrates using Amazon Bedrock and Generative AI to perform document generation based on a document template and user-provided details.

  7. Amazon-Bedrock-Document-Comparison-POC This sample allows users to upload two PDF documents and get a list of all changes between them using Amazon Bedrock and Generative AI.

  8. Amazon-Bedrock-Claude3-Multi-Modal-Sample This sample showcases the multi-modal capabilities of Amazon Bedrock (specifically Anthropic Claude 3), allowing users to input text questions, images, or both to get comprehensive descriptions or answers.

  9. Amazon-Bedrock-Chat-POC This sample provides a ChatGPT alternative using Amazon Bedrock and Generative AI, allowing users to ask zero-shot questions and receive responses.

  10. Amazon-Bedrock-Amazon-Redshift-POC This sample demonstrates using Amazon Bedrock and Generative AI to ask natural language questions and transform them into SQL queries against Amazon Redshift databases.

  11. Amazon-Bedrock-Amazon-RDS-POC This sample allows users to ask natural language questions and transform them into SQL queries against Amazon RDS databases using Amazon Bedrock and Generative AI.

  12. Amazon-Bedrock-Amazon-Athena-POC This sample demonstrates using Amazon Bedrock and Generative AI to ask natural language questions and transform them into SQL queries against Amazon Athena databases.


Wednesday, March 13, 2024

The 2023 Gartner Hype Cycle for Artificial Intelligence


Source: Gartner

The very first time someone introduced me to the Gartner Hype Cycle was back in 2004 at the Virtusa R&D Lab. It remains a reliable resource for assessing the investment potential of new technologies at the time the graph was created.

It's unsurprising that Generative AI currently finds itself at the Peak of Inflated Expectations, with an estimated 5-10 year horizon before achieving widespread utility and adoption within enterprises. In my view, investing more in Computer Vision would be prudent, given its already demonstrated usefulness and the controversies it has sparked. For instance, my local supermarket chain employs a Computer Vision-based solution at self-checkouts to identify potential instances of theft.

The Secret Weapon for Cloud Cost Reduction? It's in Your Code

Let's start with a broken record I've been playing over the past decade or so, since "Cloud" became a thing;

Lifting and shifting a poorly designed codebase or system directly onto the cloud can significantly inflate cloud costs. Your "Platform Engineering" can't save you from that. Only "Software Engineering" can.

Here's why:

  • Inefficient resource allocation: Cloud resources are billed based on usage. Lifting an unoptimized codebase onto the cloud replicates its inefficiencies, leading to excessive resource consumption (CPU, memory, storage) and higher bills.

  • Lack of cloud-native features: Cloud platforms offer features like auto-scaling and serverless functions that optimize resource allocation based on demand. A poorly architected system might not leverage these features, resulting in unnecessary resource usage and ongoing costs.

  • Hidden costs: Cloud services often have additional charges for data transfer, egress fees, and API calls. Lifting an inefficient system amplifies these costs as it likely transfers and processes excessive data.

Overall, migrating a poorly designed system to the cloud without addressing its underlying issues replicates its inefficiencies in the cloud environment, leading to inflated cloud expenditures. Investing in platform engineering will never solve this problem. Because platform engineering and software engineering focus on different aspects. 

You can automate your deployments all you want. It just increases the speed you are deploying inefficient code to production. Your deployment speed will be 10x. So will be your cloud bill. And your cloud bill will not stop 10x-ing.

In today's cloud-driven world, understanding how your code impacts your bottom line is crucial. My blog post here was inspired by Erik Peterson's recent talk, Million Dollar Lines of Code: an Engineering Perspective on Cloud Cost Optimization. His talk dives into the importance of cloud cost optimization and explores a concept called the Cloud Efficiency Rate (CER) to help you make informed decisions.


The High Cost of Inefficiency

Erik Peterson, a cloud engineer with extensive experience, highlights several examples of seemingly small coding choices that resulted in significant financial repercussions. These situations emphasize that every line of code carries an associated cost, and neglecting optimization can lead to substantial financial burdens.


Thinking Beyond the Cloud

As it turns out, as compute costs became cheaper over the past few decades, cost-efficiency has ceased to be a primary concern for software engineers. However, the cloud introduces a pay-as-you-go model, for Compute and other resources supporting your application  such as Storage and Network Bandwidth making it essential to be mindful of resource utilization.


Introducing the Cloud Efficiency Rate (CER)

Peterson proposes the CER as a metric to gauge how effectively your cloud resources are being used. It's a simple formula:

    CER = (Revenue - Cloud Costs) / Revenue


Interpreting the CER:

  • 80%: Ideal target, indicating a healthy balance between revenue and cloud expenditure.
  • Negative (R&D phase): Acceptable during the initial development stage.
  • 0-25% (MVP): Focus on achieving product-market fit.
  • 25-50% (Growth): Optimize as your product gains traction.
  • 50-80% (Scaling): Demonstrate a path to healthy profit margins.


CER for Non-Profits and Government Agencies

For non-profit organizations, Peterson suggests using their budget or fundraising goals as a substitute for revenue in the CER calculation. Government entities, aiming to fully utilize their allocated budget, might need to reverse the equation to target their budget amount precisely.


Key Takeaways:

  • Every line of code you write represents a buying decision that impacts your organization's finances.
  • Cloud cost optimization is essential in today's pay-as-you-go cloud environment.
  • The CER provides a valuable metric for measuring cloud resource efficiency.
  • Continuously monitor and optimize your cloud usage to avoid hidden costs.


Call to Action:

  • Integrate cost awareness into your software development process.
  • Utilize the CER to set and track your cloud efficiency goals.
  • Be mindful of the long-term implications of your coding decisions.


By following these principles, you can make informed choices when working with cloud resources and ensure your organization gets the most value out of its investment.