Best of Codemotion 2022: Cloud Build & Deploy, Github Security and Digital Challenger

Codemotion’s first conference was held in 2006 under the name “JavaDay”. In 2011, it changed to Codemotion and has since scheduled many technical conferences covering a broad range of technologies. One of these conferences is usually held in Milan every year, lasting for two days. Speakers from different countries talk about various topics of interest to both technical and non-technical attendees.

The 2022 edition fell on October 18th and 19th in Milan, back as a physical event — or to join digitally. In this blog post, we’d like to shed some light on our most appreciated talks at Codemotion Milan Conference 2022. Lots of great speakers and topics took part this year, and we wanted to share a few of our favourites with you.

#1: CI/CD for ML with Cloud Build and Cloud deploy

The first talk we’d like to put stress on is Gioacchino Martino and Ivan Nardini’s “CI/CD for ML with Cloud Build and Cloud Deploy.” This talk will explore how to use Google Cloud Build and Cloud Deploy to implement a continuous integration and continuous delivery pipeline for a machine learning model.

Nowadays, many companies are working with machine learning models and finding a way to exploit MLOps practices to automate the models’ life cycle has become a crucial point. The data science team prepared the trained models, putting them into artifact storage, and then passing them to the IT team that will put them into production. Google Cloud removes the need for that slow and error-prone interaction, thanks to its Google Cloud Build and Google Cloud Deploy tools that allow data science teams to manage the whole model lifecycle on their own. The CI/CD pipeline that can be built through such tools allows testing, validating, and approving the model before it goes to production. In addition, it can monitor its performance to understand when it’s starting to underperform, and also managing all the versions uploaded.

Radicalbit’s Data for AI platform, Helicon, also employs continuous integration and continuous delivery pipeline for a machine learning model.

The ML section of Helicon makes available an easy UI that allows data science teams to handle in a codeless way the upload, deploy and use of a machine learning model. Through a couple of mouse clicks, a zip file containing an MLFlow machine learning model can be put online and then queried via the well-known HTTP API. This makes it possible for data science teams to quickly and easily deploy their machine learning models so that they can be used by other teams and systems.

#2 Effective DevSecOps with GitHub Advanced Security

In the second talk by Daniela Tomoiaga and Lorenzo Barbieri, “Effective DevSecOps with GitHub Advanced Security,” they discussed how developers can use GitHub to streamline their workflow and secure their code. The talk was well-received by the audience, who appreciated the insights into how to use GitHub more effectively.

It is well known that security is such a difficult goal to achieve, it requires skills that most of the time developers don’t have and having a security flaw can damage a company in a very bad way both economically and in its reputation. During the lockdown time, the situation went worse as people were forced to work out of the corporate environment.

As developers, we need to anticipate that problem. Security flaws have to be checked at build time and GitHub can help with that through GitHub Advanced Security. Let’s see which advantages developers can exploit with a such tool:

1. Code scanning: using CodeQL developers can check for anti-patterns and vulnerabilities like tokens left in the code.
2. Dependency review: the dependency graph of our project is analyzed to check for dependencies that have well-known security flaws and if any can be also checked if there are new versions of those libraries that had fixed those flaws.
3. Secret scanning: if developers left tokens or secrets in a public repository, this tool will send an alert to the partner to let him know that someone has leaked their credentials. This is important to know for the partner because this kind of leek could allow exploiting someone else’s privileges in a malicious way.

#3 Transforming a large bank in a digital challenger

The last talk we’d like to highlight is by Head of IT Architecture at Intesa Sanpaolo, Claudio Balbo, about transforming a large bank into a digital challenger. Intesa Sanpaolo went through the challenge of moving from a monolithic proprietary approach to a more microservices/open-source technological stack. This transformation required years and had to be done gradually.

The first step was moving from proprietary tools (e.g. Oracle and IBM) to some open-source tools (e.g. Kubernetes and Apache Kafka) allowing the bank to exploit fluid interactions that an open-source community can offer. If something went wrong with those tools or some features were required, talking to the community was much easier than talking to the corporation that developed the proprietary tool.

The second step was moving from a monolithic approach to microservices. This made it available to exploit all the scalability and reliability features that those architectures can offer. Then a hybrid cloud approach was embraced. That allowed them to partially rely on the vendor infrastructure for the scalability and reliability of their infrastructure. And last but not least; DevOps automation was exploited to have pipelines of operations that automatically deploy the software unit testing it while keeping the code quality high. The full list of operations done are: versioning, build and delivery, unit test, analysis smoke test, non-regression test (this is a quality gate before going to production), and delivery.

To optimise resources and needs, the infrastructure of Radicalbit’s Helicon includes microservices, too. The usefulness of microservices also allows us to manage and speed up the entire continuous deployment process from the starting development phase to the deployment of individual features. For the same reason, we use a micro-front-end architecture to implement user interfaces. The entire release process on each environment is automated via GitOps methodology that makes each step well-documented, reviewed and secure.

Conclusions

Improving security through tools such as GitHub Advanced Security or automating the MLOps flow by exploiting Google Cloud solutions (Google Cloud Build and Google Cloud Deploy) along with making smarter architectural decisions to improve scalability and reliability can bring important improvements to the quality of the product a company is developing. A lot of focus was given to automated solutions and the importance of the right architectural choice to have maintainable and security-flawless software in production. Finding the right tools to achieve some goal is often a game-changing moment.