00:00:14.059
so uh hello uh this is as I said the
00:00:17.460
chime sponsor session uh more Engineers
00:00:19.560
more problems solutions for big teams
00:00:21.720
I'm going to welcome welcome you all
00:00:23.820
here and thank you for spending a slice
00:00:26.039
of your conference time with us at chime
00:00:29.820
um
00:00:31.019
my name is Noel Rappin I am a staff
00:00:33.180
engineer at chime my team name is
00:00:35.399
literally I heart Ruby and I'm
00:00:37.680
responsible for some of the Ruby
00:00:39.059
practice and internal Ruby community
00:00:41.219
building and and some other
00:00:42.540
infrastructure within chime uh I did
00:00:45.239
want to call out so we have three we're
00:00:46.739
going to have we're hearing from Three
00:00:47.879
chime engineers today but we have a bunch
00:00:49.260
of chime engineers in the room so if the
00:00:51.300
other chime all the chime engineers in the
00:00:52.980
room here today could stand up just
00:00:54.719
quickly
00:00:56.100
we have uh there are more of us here
00:01:01.199
there are more of us here wearing chime
00:01:03.120
shirts but if you have questions about
00:01:04.440
chime or chime engineering and you see one
00:01:06.000
of us and there's another one in the
00:01:07.260
back walking in now uh hello everybody
00:01:10.320
uh
00:01:12.780
so I'm going to start this off by
00:01:15.360
sharing what I think of as being one of
00:01:17.220
the most terrifying Graphics that I know
00:01:20.400
of as somebody who cares about software
00:01:22.380
teams and how software gets built and it
00:01:24.659
is not a latency graph and it's not mean
00:01:28.020
time to failure and it's not even a big
00:01:30.360
huge well it's not even a a meantime a
00:01:33.780
list of our errors or anything like that
00:01:35.640
the the most terrifying graph that I
00:01:38.040
know of is simply this and this is just
00:01:40.680
a very abstract sort of network graph
00:01:43.079
you can think of the the vertices of
00:01:45.180
this as people for our purposes but you
00:01:46.979
can also think of them as systems and
00:01:48.960
what this shows here is that uh your
00:01:52.439
amount of possible communication paths
00:01:54.899
goes up superlinearly as your team
00:01:57.780
grows so you start off with three people
00:01:59.460
and there's three potential lines of
00:02:01.020
communication by the time you get to 14
00:02:03.000
people there's 91 potential lines of
00:02:05.640
communication and this is sort of the
00:02:09.000
numerical proof of something that you
00:02:11.459
have probably all adult which is that as
00:02:15.360
you get big and as they get big fast the
00:02:18.180
amount of communication in your
00:02:19.440
organization gets bigger faster and it
00:02:22.560
always feels like you're catching up
00:02:24.420
did I just lose a mic okay it always
00:02:26.340
feels like you're catching up and so
00:02:28.080
that's what we're going to talk about
00:02:28.920
here in a related story chime
00:02:30.599
engineering more than tripled in size in
00:02:33.000
18 months from November 2020 to April
00:02:35.700
2022 and that came with it a set of
00:02:39.060
challenges that we are going to talk
00:02:41.099
about here today so I want to tell you a
00:02:43.319
little bit about chime and about chime
00:02:44.580
engineering chime is a financial
00:02:47.340
technology company it is founded on the
00:02:49.680
premise that basic banking services
00:02:51.599
should be helpful easy and free it's
00:02:54.780
been very gratifying that some people at
00:02:56.519
the conference who are chime members or
00:02:58.140
even people the event staff where chime
00:02:59.879
members have been coming to our booth
00:03:01.319
today over the last couple days to tell
00:03:03.599
us how much they really appreciate and
00:03:05.760
enjoy our service
00:03:07.280
chime members get a a essentially a
00:03:12.060
transaction card a debit card that gives
00:03:13.739
them early access to their paycheck they
00:03:15.599
have accounts with no monthly fees
00:03:17.180
fee-free overdrafts no overdraft fees
00:03:19.620
and fee free overdrafts up to 200 and a
00:03:22.620
secured way to use a credit card card
00:03:24.720
that helps you build credit without
00:03:26.159
helping you without causing you to get
00:03:27.599
deeper into debt so helping our members
00:03:30.060
Achieve Financial Peace of Mind with the
00:03:32.580
simplest and low cost and most human
00:03:34.440
Financial products it's very important
00:03:36.180
to us that we profit with our members
00:03:38.400
when our members are successful not off
00:03:40.440
of our members chime is a I think a very
00:03:42.659
mission-driven uh team in that in that
00:03:45.480
respect
00:03:46.860
chime engineering has about 600
00:03:48.780
Engineers our main offices are San
00:03:51.659
Francisco Chicago Vancouver but we also
00:03:53.700
have a number of people who are
00:03:54.780
full-time remote including myself it is
00:03:57.180
mostly Ruby on the back end with a
00:03:58.799
little bit of go and our front end is
00:04:00.420
react and react native I wouldn't quite
00:04:03.299
call it a micro service architecture
00:04:05.040
maybe a macro Services architecture it
00:04:07.200
has a we have a number of different
00:04:08.459
internal Services many of which are
00:04:10.920
backend only and I communicate with the
00:04:12.659
other services via API and you can go to
00:04:15.979
careers.time.com to see a list of our
00:04:18.720
career openings
00:04:20.639
it is a great place to work it says that
00:04:22.740
we say we're a great place to work and
00:04:23.820
we really are a great place to work so I
00:04:25.199
hope that you will follow up with us
00:04:26.940
but I also want to talk I want to
00:04:28.800
introduce uh three people who are going
00:04:30.660
to be talking about some of our big team
00:04:32.520
challenges we have David Trejo who's
00:04:34.440
going to talk about how chime creating
00:04:36.000
creates a proactive security and
00:04:37.800
Engineering culture in the face of this
00:04:39.720
rapid growth Brian lesperance is going
00:04:42.180
to talk about observ observability which
00:04:45.180
is important on a complex multi-faceted
00:04:47.820
system and also using active support so
00:04:50.699
that each team doesn't have to rebuild
00:04:52.259
it doesn't have to reinvent the wheel
00:04:53.880
then Chris Chris Juan is going to talk
00:04:56.040
about our onboarding process and how we
00:04:58.320
use that to get have new developers
00:05:01.500
become familiar with Chime's process and
00:05:04.620
Chime's culture in particular our Ruby
00:05:06.360
culture so with that thank you all for
00:05:08.639
being here and I'm going to turn it over
00:05:09.840
to David
00:05:11.400
morning everyone
00:05:17.160
right so I'm David good to see you all
00:05:21.240
I am a security engineer on the security
00:05:23.759
engineering team I've been at chime for
00:05:26.820
about a year and
00:05:28.680
nine months or so and I've really been
00:05:31.560
enjoying it and I'm going to talk about
00:05:33.780
this rails app that we've been building
00:05:35.840
to help us scale our security
00:05:39.660
across all of our Production Services
00:05:44.460
um so to give you an example of some of
00:05:47.400
the challenges that we're seeing as a
00:05:49.560
security team
00:05:51.180
tell me if you've ever gotten a message
00:05:53.699
like this raise your hand
00:05:57.139
when you get a message like this it's
00:05:59.699
very emotional I think the security team
00:06:02.460
is really good at sending messages like
00:06:03.960
this and so is the HR team
00:06:06.720
um
00:06:07.740
so when you get a message like this you
00:06:09.300
think okay like am I in trouble
00:06:11.639
and then your next thought is like well
00:06:13.500
why didn't anybody tell me that I
00:06:15.539
shouldn't do this
00:06:17.100
um and then also how do I even resolve
00:06:20.039
these vulnerabilities
00:06:22.139
and generally that just makes you feel
00:06:24.780
kind of sad or stressed
00:06:28.319
so on the security team we wanted to
00:06:30.840
kind of break that Dynamic and so our
00:06:34.139
strategy is to
00:06:36.960
send a slack message to the team Channel
00:06:41.300
side note having a one-to-one mapping
00:06:45.000
between your team Channel sorry between
00:06:47.940
your repository like Production service
00:06:50.039
and your team channels and slack is
00:06:52.800
extremely helpful that way you don't
00:06:54.600
have to like go to an ownership Matrix
00:06:55.919
and come back but anyway what this
00:06:58.800
message is saying is hey like the
00:07:01.680
security score for your service is not
00:07:04.740
what we want it to be please do this and
00:07:07.380
this and get it back above a b
00:07:11.220
so a little bit of context about why we
00:07:14.699
need to do this as he said we're growing
00:07:17.699
a ton that means lots of new services
00:07:21.180
and the services have security gaps
00:07:24.180
which we need to fill
00:07:26.940
um
00:07:28.440
security is important for us because
00:07:31.639
people bank with us and it would be very
00:07:35.819
bad if we lost any of their data
00:07:39.780
so
00:07:41.400
uh kind of to sum up the problem space
00:07:44.060
if you're a leader engineering leader
00:07:46.819
you can't like see how is the security
00:07:50.220
doing
00:07:51.780
um and then as an engineer you just
00:07:53.699
don't know what to do to make the
00:07:55.319
security of your Production Service
00:07:56.819
better
00:07:58.020
so
00:07:59.340
we kind of set out to improve that
00:08:02.900
also as a security team you've got all
00:08:06.840
these different tools
00:08:08.400
that you buy and it's just too
00:08:11.880
overwhelming if as an engineer somebody
00:08:14.220
has to go look at each of those tools to
00:08:16.740
figure out how to improve their security
00:08:20.160
um then you've got the compliance angle
00:08:22.680
which is uh if you don't have a tool
00:08:25.979
then you've got an engineer going into
00:08:28.139
GitHub like okay does this repo have
00:08:30.419
Branch protection does this one and you
00:08:32.099
know that could spend like a whole year
00:08:34.339
uh checking those things across the
00:08:37.979
number of repos that you have
00:08:40.700
so we built this internal rails app to
00:08:44.459
help us with that
00:08:46.220
everyone's familiar with badges on their
00:08:49.019
repositories and gets good attention
00:08:53.160
um so every night we calculate a grade
00:08:56.220
for the repository a security grade and
00:08:59.760
then that badge shows that and if the
00:09:03.180
engineer wants to know how to make it go
00:09:04.620
up they can click through
00:09:06.779
and
00:09:08.839
they will see a list of different score
00:09:12.660
factors that they should improve in
00:09:14.640
order to
00:09:16.459
improve their grade
00:09:18.899
if they click to open up any particular
00:09:22.200
score Factor they can see the
00:09:24.480
instructions
00:09:25.820
down there at the bottom one of those is
00:09:28.019
expanded
00:09:29.880
and this has really reduced our audit
00:09:33.000
workload just to call out a few of the
00:09:35.399
most important score factors since that
00:09:38.100
text is kind of small
00:09:40.100
the security team creates approved
00:09:42.920
docker-based images which they get
00:09:46.019
rebuilt regularly which resolves most of
00:09:48.360
the vulnerabilities so we want everyone
00:09:50.220
to use those
00:09:51.720
we want everybody to get code reviews
00:09:54.720
it's kind of self-explanatory and when a
00:09:57.839
service has vulnerabilities we want
00:09:59.519
people to resolve those
00:10:02.640
um
00:10:03.980
so here's some of our results got a
00:10:07.380
lovely up and to the right graph
00:10:09.620
we've tracked more and more score
00:10:12.720
factors
00:10:13.920
and more of our production repositories
00:10:16.440
over time have
00:10:18.360
reached a B or better
00:10:21.060
so
00:10:22.740
member data has been safeguarded
00:10:24.660
Engineers know what to do and leaders
00:10:27.180
can see the security Investments paying
00:10:29.040
off
00:10:31.560
so if you wanted to build something like
00:10:34.260
this at home so to speak at your own
00:10:36.959
company
00:10:37.860
where would you want to start
00:10:40.320
so in the security realm you just kind
00:10:42.420
of think where does engineering interact
00:10:45.000
with security and like where do we want
00:10:48.060
to build some tooling to help with that
00:10:50.220
so a great start for your MVP is just
00:10:53.160
like a Cron job that hits some apis like
00:10:56.040
say GitHub and then send slack messages
00:10:58.740
and can also send reports from that job
00:11:03.200
slack messages we found are very
00:11:05.820
effective
00:11:07.019
and
00:11:08.779
uh if we do want to open source monocle
00:11:13.740
although we're not sure when or and
00:11:16.320
haven't made a final decision
00:11:18.600
um but in the meantime you could check
00:11:20.459
out
00:11:21.320
OSSF's Allstar or Backstage for some
00:11:25.079
similar tooling
00:11:28.260
and if you have questions please send us
00:11:32.399
an email security at chime or message me
00:11:35.220
on Twitter at DD Trejo
00:11:38.000
this has definitely been my favorite job
00:11:40.740
ever so please get in touch with us
00:11:44.820
and next up we've got Brian
00:11:49.019
thanks David hi everybody
00:11:51.899
thanks for coming my name is Brian
00:11:54.120
lesperance I'm a software engineer in
00:11:56.940
the in Chime's risk and support
00:11:58.620
Engineering Group I'm going to share a
00:12:00.600
story about developing secure and
00:12:02.339
observable software active support
00:12:05.519
for any team it's important to bounce
00:12:08.060
development speed with security and as
00:12:10.920
teams grow it's important to balance
00:12:12.480
autonomy with consistency amongst teams
00:12:17.760
now let's imagine we're in a growing
00:12:19.920
engineering organization we've
00:12:21.720
encapsulated logic into their own
00:12:24.660
objects like you see here this
00:12:26.579
particular Mission critical piece of our
00:12:28.920
code base however we have heard from
00:12:32.760
Upstream consumer stakeholders that
00:12:34.860
there's an issue
00:12:37.019
it could be anything from returning the
00:12:39.060
wrong results it could be slowing down
00:12:41.279
it could be crashing how would you go
00:12:43.680
about debugging this diagnosing this
00:12:46.160
I bet a lot of you would probably take a
00:12:49.019
fairly traditional scientific approach
00:12:52.139
measure learn and build well in this
00:12:54.240
case fix
00:12:55.459
but that raises a tactical question how
00:12:58.200
should we measure this we likely don't
00:13:00.600
have perfect instrumentation on every
00:13:02.519
feature that we have so we'll likely
00:13:05.100
have to add it especially in this case
00:13:07.440
in the past I have definitely wrapped
00:13:09.660
code in question and something and some
00:13:11.579
timing and logging code like this you
00:13:13.680
you all probably have done something
00:13:14.940
very similar this works but it could use
00:13:17.339
a little bit of drying up to be a little
00:13:19.380
bit more reusable and rails has a few
00:13:21.959
libraries that are especially useful to
00:13:23.459
accomplish this
00:13:25.500
ActiveSupport::Notifications is an
00:13:27.180
instrumentation API that is built into
00:13:29.760
rails it's how rails measures requests
00:13:32.339
tracks queries in order to log them
00:13:35.820
so let's take advantage of this to take
00:13:38.220
a fairly rails uh Centric approach to
00:13:40.860
this problem active support
00:13:42.360
notifications takes a published
00:13:44.220
subscription approach Pub sub approach
00:13:46.320
to instrumenting code meaning that there
00:13:49.440
are two pieces that are involved in this
00:13:50.820
one is to measure the code in question
00:13:53.700
you see here wrapping any code that you
00:13:55.440
want to instrument and the other
00:13:57.360
something like this will be the um
00:14:00.959
we'll take the measurement
00:14:02.720
and be able to log it or do whatever it
00:14:05.399
is you please with it be it to send it
00:14:07.139
to a metrics tool anything that your
00:14:09.180
heart desires
00:14:11.399
so this library is helpful for
00:14:12.660
separating the instrument
00:14:13.500
instrumentation code from our own
00:14:15.600
business logic
00:14:17.519
um the pub sub pattern that it takes
00:14:19.800
internally helps decouple as well the
00:14:22.500
logic of measuring the code under
00:14:24.540
question as well as presenting it in the
00:14:26.639
way that you want that that nice
00:14:28.019
separation of concerns it also lays the
00:14:30.180
groundwork for further improvements and
00:14:31.860
reuse upstreaming it perhaps to a an
00:14:35.220
application service object if you so
00:14:36.660
choose
00:14:38.279
so looking at our naive approach we went
00:14:41.220
from explicitly measuring to something
00:14:42.839
like this
00:14:43.920
where we are implicitly measuring
00:14:45.360
through the library
00:14:46.820
and it also will track other things that
00:14:49.440
are just as important such as object
00:14:50.760
allocation and a number of other things
00:14:54.839
so let's take a look at how we present
00:14:56.579
this information what we're using it for
00:14:59.660
we have been explicitly logging it like
00:15:02.040
this
00:15:02.779
now we need to consume the example that
00:15:05.940
we saw previously right it might look
00:15:08.760
something like this fairly
00:15:10.500
straightforward call to monotonic
00:15:13.260
subscribe there used to be a subscribe
00:15:14.880
method but this is a little more uh it's
00:15:17.880
nicer to use the monotonic clock for
00:15:20.519
purposes of of dealing with potential
00:15:22.380
skew and just wall clock changes over
00:15:25.620
time
00:15:26.820
you know I
00:15:28.980
I wonder where this might live though uh
00:15:31.680
should this be an initializer it feels
00:15:34.079
funny to me though because there there
00:15:36.300
might be presentation logic
00:15:38.160
um that might be important to test there
00:15:40.079
might be some complexity if you've ever
00:15:41.399
taken a look at the way active record
00:15:42.660
does its logging it has quite a bit of
00:15:44.940
presentation logic that's very helpful
00:15:46.740
for us so uh where should we put this
00:15:49.920
fortunately rails has a solution for
00:15:51.839
that
00:15:52.980
action so action support active support
00:15:55.500
logger log subscriber is a library that
00:15:57.899
is meant for consuming after active
00:15:59.760
action support wow active support
00:16:01.800
notifications events in order to log
00:16:03.899
them
00:16:04.740
this is a parent class used by a number
00:16:06.600
of rails libraries for such purposes
00:16:08.220
action controller action active record
00:16:10.500
uses it to excuse me to log requests and
00:16:13.800
queries respectively
00:16:16.380
there are a few important pieces to this
00:16:19.260
equation but this is a simple example of
00:16:21.120
it
00:16:22.260
um the the first two are related the
00:16:24.720
attach_to class method and the
00:16:27.240
instance method in here
00:16:29.880
are are named in a very specific way you
00:16:33.720
may have been noticing that I've been
00:16:34.860
using the the label when running the
00:16:37.019
instrumentation code called dot
00:16:39.480
Fibonacci that was very intentional
00:16:41.399
because in this context Fibonacci is
00:16:43.920
essentially a namespace even though it's
00:16:45.240
coming at the end which might seem a
00:16:47.100
little strange and then called in
00:16:48.839
particular is you can sort of think of
00:16:50.639
that as an event documentation doesn't
00:16:52.139
really call it out like that but that is
00:16:54.839
how it is being used so it can be a
00:16:56.519
little bit confusing but it can really
00:16:58.199
help if you're doing more
00:17:01.259
instrumentation within a single library
00:17:02.940
that you want to coalesce the the
00:17:05.339
logging into a single spot
00:17:07.319
and the last thing that I'll point out
00:17:08.819
about this example is this call to info
00:17:10.620
this invocation to info
00:17:12.720
um active support logger
00:17:14.760
active support log subscriber creates a
00:17:17.160
few helper methods that are similar to
00:17:19.199
some of the log methods that you may be
00:17:20.459
familiar with it essentially delegates
00:17:21.660
to a set logger underneath and rails
00:17:24.059
will automatically initialize that to
00:17:25.500
the rails logger I'm you may see at the
00:17:28.500
bottom calling to_json I'm not sure how
00:17:30.960
familiar people are with structured logs
00:17:32.400
if you use Heroku they do something
00:17:33.540
similar it's just sort of a quick and
00:17:34.919
easy way to accomplish that
00:17:37.620
so this approach is helpful because it
00:17:39.539
allows us to follow a sort of internal
00:17:41.400
pattern that rails has already
00:17:42.539
established it consolidates the
00:17:44.640
presentation
00:17:45.740
which can be even more helpful uh the
00:17:49.740
more related events that start getting
00:17:51.539
uh instrumented it also cuts down in a
00:17:54.299
few characters if you don't want to be
00:17:56.400
calling rails logger all the time so
00:17:57.900
that's always helpful
00:18:00.000
so if what we're logging though is
00:18:01.620
sensitive information we have to be
00:18:03.179
careful about logging it it's a
00:18:04.440
liability to both our users and to our
00:18:06.360
business logs have been used in breaches
00:18:08.460
before they have in the past and they
00:18:10.919
will be in the future so we need to be
00:18:12.360
careful when we handle this information
00:18:14.720
you know we want to we want to log
00:18:17.580
information to give us intelligence into
00:18:19.559
what's going on when investigating
00:18:21.179
issues but we need to not log in the
00:18:24.000
first place
00:18:25.740
so the last Library I'll bring up with
00:18:27.120
regard to this is active support
00:18:29.520
parameter filter it allows you to
00:18:32.039
replace sensitive data from hash like
00:18:33.600
objects
00:18:34.860
so that way you don't have to worry
00:18:37.679
about that leaking anywhere that you
00:18:39.179
don't want it to go
00:18:40.260
you may have noticed it uh
00:18:42.720
it also is doing some hard work for
00:18:45.299
request logging as well anytime that
00:18:47.640
you've seen the filtered message that is
00:18:49.080
the the default filter message which is
00:18:51.000
configurable
00:18:52.860
so adding that to our log subscriber
00:18:54.539
might lead us to this right here it's a
00:18:57.840
it's a little bit noisy so I'll try to
00:18:59.220
call out a few important pieces right
00:19:01.039
we'll initially initialize a list of
00:19:03.780
sensitive Fields sensitive Keys rails
00:19:06.900
already has something like this so we
00:19:07.919
could reuse that I'm just using a simple
00:19:09.179
example here
00:19:10.260
uh we'll instantiate a new filter with
00:19:12.179
that list of sensitive keys and we'll
00:19:14.640
let it do the hard work of recursively
00:19:16.620
filtering anything that it finds and
00:19:18.780
there's some uh some really helpful
00:19:22.760
approaches to actually
00:19:24.919
specifying particular nested Fields if
00:19:27.240
you don't want to let it recursively
00:19:28.380
find keys
00:19:29.640
so this is great we have sanitized our
00:19:31.980
hash and we can even reuse rails list of
00:19:35.220
sensitive keys
00:19:37.380
I'd say that's mission accomplished to
00:19:39.660
sort of reiterate what we've gone
00:19:40.740
through today active support
00:19:41.580
notification is what's measuring our
00:19:43.080
code log subscriber consumes that data
00:19:45.299
and parameter filter is what's
00:19:47.280
sanitizing it before we log it
00:19:49.620
uh we don't have to stop here perhaps we
00:19:52.260
want to go a little bit further
00:19:53.100
extracted to a parent service or even to
00:19:54.900
a library
00:19:56.660
and use it throughout our application
00:19:58.740
throughout our organization we might
00:20:00.900
want to send us instrumentation
00:20:02.039
somewhere else aside from logs perhaps
00:20:03.419
the metrics to them regardless of what
00:20:05.280
you do I really hope that knowing a
00:20:07.380
little bit more about active support
00:20:08.600
will inspire you and your curiosity one
00:20:13.080
thing I'll leave you with real fast is a
00:20:14.580
book recommendation who doesn't love
00:20:15.720
tech books right Crafting Rails 4
00:20:17.820
Applications this book was very uh
00:20:21.120
important to me it inspired me when I
00:20:23.760
was becoming a software developer and
00:20:25.500
gave me the Curiosity and confidence to
00:20:27.480
start exploring internals of libraries
00:20:29.100
especially rails uh José Valim works
00:20:32.039
through several examples in here that
00:20:33.360
are really helpful in a similar vein It
00:20:35.100
was written in 2014 against rails 4 as
00:20:37.200
you can see I think it holds up really
00:20:38.280
well you know minus the mongodb parts
00:20:40.500
but I actually kid about that so I'll
00:20:43.200
leave you there and thank you so much
00:20:44.160
for your attention and let me introduce
00:20:45.840
Chris
00:20:47.160
when the iPhone came out it changed uh
00:20:51.419
everything it was transformational
00:20:54.900
and Ruby and rails are also
00:20:57.480
transformational ideas in fact when I
00:21:00.120
discovered a little project called
00:21:01.679
Instiki by DHH around 19 years ago it
00:21:05.280
changed me
00:21:06.720
and when rails was released I quit my
00:21:09.360
job as a father with two young kids and
00:21:12.419
almost everything to pursue it
00:21:15.660
these are the actions of a crazy person
00:21:18.679
or maybe someone in love
00:21:22.860
uh but what does this have to do with
00:21:26.280
onboarding
00:21:28.020
well I'm here to talk about what we
00:21:29.760
learned while developing an onboarding
00:21:31.440
session to introduce people to Ruby and
00:21:34.380
rails
00:21:36.360
now we've had hundreds of people come
00:21:38.159
through our sessions in the past year
00:21:39.659
and I'd love to share some of the
00:21:41.880
things that we learned
00:21:43.679
but first why is onboarding so important
00:21:47.280
well maybe you've been you've
00:21:48.960
experienced being handed a laptop and a
00:21:51.120
pat on the back on your first day
00:21:52.980
or maybe you've all also experienced a
00:21:55.799
lengthy
00:21:57.360
your onboarding session uh so so you
00:22:01.679
probably know how important this is to
00:22:03.419
get First Impressions right
00:22:05.820
and at chime we need a consistent and
00:22:08.760
effective onboarding program so that we
00:22:11.640
can reduce the burden on hiring managers
00:22:14.100
and get people up to speed quickly or
00:22:17.580
else hiring can become a huge drag
00:22:20.820
on teams I'm sorry and at chime we were
00:22:25.260
hiring people without rails experience
00:22:26.820
so we really needed to introduce people
00:22:28.679
to Ruby and rails
00:22:30.659
in a way that might lead to love and a
00:22:34.020
good relationship with these great ideas
00:22:37.200
because we all know what happens in a
00:22:38.760
bad relationship there's arguing and
00:22:40.140
fighting but in a bad relationship with
00:22:42.840
rails it leads to
00:22:45.299
bad code
00:22:47.400
so
00:22:48.900
first question that we have really is
00:22:50.820
where did I begin in developing these
00:22:52.860
sessions
00:22:53.940
well the first thing I did was to create
00:22:56.220
an initial version of the onboarding
00:22:57.720
session and just get started because we
00:22:59.520
had a great need for it
00:23:01.559
but as soon as humanly possible I got
00:23:03.960
someone to partner with me on it
00:23:06.240
when I brought Jeff onto the team I gave
00:23:08.100
him full ownership I showed him what I
00:23:09.900
was doing in the sessions and handed it
00:23:11.340
over to him to run the next session
00:23:13.740
he updated the slides he added his own
00:23:16.020
code ideas his own ideas to the slides
00:23:18.299
got rid of some of my bad ideas
00:23:20.820
but then he created a GitHub repo with
00:23:23.100
code examples and added a lot of
00:23:25.020
consistency and improvements to the
00:23:27.120
session
00:23:28.200
but what's really important about this
00:23:30.419
is it made it sustainable I couldn't do
00:23:34.380
it alone I would burn out and I'd have a
00:23:36.900
hard time taking vacation and I wanted
00:23:39.600
to build something that would continue
00:23:41.760
to benefit chime over the long term
00:23:44.880
so now it was sustainable we could focus
00:23:47.220
on improving the content
00:23:50.340
and we found this is a this is a
00:23:52.679
challenging balance so we if we give too
00:23:54.539
many concrete details then
00:23:56.580
uh sorry if we give too many uh abstract
00:24:00.059
details then becomes people gave us
00:24:04.080
feedback that the sessions weren't
00:24:05.640
useful but if we give too many concrete
00:24:08.159
details then it becomes overwhelming
00:24:10.620
boring and people forget what they hear
00:24:12.960
and we had people of different
00:24:14.580
backgrounds and experience coming
00:24:16.020
through so it was tricky to balance how
00:24:18.780
do we scope this effectively
00:24:20.880
uh so how do we balance all that well
00:24:24.179
one fateful Thursday when Jeff went on
00:24:25.980
holidays I took over the session and I
00:24:28.440
stumbled upon an idea
00:24:30.780
I was going through Jeff's improved
00:24:32.400
slides and I realized that I didn't know
00:24:34.260
what I was going to say on the slides so
00:24:37.559
I cheated
00:24:39.179
I decided to turn it into a game for the
00:24:41.820
participants where they would drive the
00:24:43.740
session by asking questions about the
00:24:45.659
slides
00:24:46.820
and this actually turned out really well
00:24:49.620
it was a lot of fun and way better than
00:24:52.140
being a talking head over Zoom for an
00:24:54.059
hour so we started to refine these
00:24:56.400
sessions around this New Concept and
00:24:58.500
this is how we run our Ruby session of
00:25:00.480
our intro to Ruby session now first we
00:25:02.880
welcome people and then we give them an
00:25:05.340
IRB session immediately so that they can
00:25:08.280
tinker and play and then we briefly talk
00:25:10.980
about the philosophy of Ruby why chime
00:25:12.840
uses Ruby and then the main event is the
00:25:15.840
question game
00:25:17.220
where we put up slides with some basic
00:25:20.100
Ruby code and these are sequentially
00:25:21.720
leading people through different
00:25:24.059
concepts of Ruby but we put up the
00:25:26.039
slides and we say okay your job will
00:25:28.380
make it a little bit of a game you get
00:25:30.059
points for asking questions you get
00:25:31.980
points for answering questions we don't
00:25:34.320
track the points super well but it
00:25:36.080
emphasizes what we're after here and so
00:25:39.419
people start looking at the slides and
00:25:41.580
asking questions and then we can just
00:25:42.900
lead the session
00:25:44.700
uh and then we end it all with a mob
00:25:47.400
programming exercise where people build
00:25:49.200
some Ruby working Ruby together using
00:25:52.620
test driven development
00:25:54.720
if you're interested in exactly how we
00:25:57.240
run this question game and the session
00:25:59.760
I'm planning to post it on the Chime
00:26:01.200
blog but please reach out to me my
00:26:02.940
contact information will be at the end
00:26:05.580
but then why does the question game work
00:26:09.000
we'll have some ideas firstly as Stephen
00:26:11.100
Cutler says curiosity is free focus
00:26:15.120
if we can get people curious then they
00:26:17.279
become engaged and they're able to
00:26:18.840
absorb more ideas secondly by
00:26:21.539
encouraging everyone to answer questions
00:26:23.039
it removes the limitations on this the
00:26:26.400
presenter and other people can ask
00:26:29.400
questions answer questions that
00:26:30.659
participants might have
00:26:32.520
and then thirdly it uses a concept I
00:26:35.100
learned from Jessica Kerr which is in
00:26:37.740
her systems thinking Workshop which is
00:26:39.600
pull don't push
00:26:41.340
when we try to push information on
00:26:43.320
people it's hard just ask my kids
00:26:47.640
but if people are drawn into curiosity
00:26:50.220
and ask for what they need then it
00:26:53.039
becomes easy
00:26:55.559
so sometimes these sessions have gone
00:26:57.059
better than others so your next question
00:26:58.799
might be well how do you run them
00:27:00.120
effectively
00:27:01.440
well here's some things that I've
00:27:04.260
learned along the way people get
00:27:05.880
people's hands dirty actually using the
00:27:08.039
tools probably the big
00:27:10.320
thing I'd emphasize is engage two-way
00:27:12.600
communication right away I find that
00:27:15.179
what I need to do is I arrive early when
00:27:17.760
people come I welcome them by name
00:27:20.159
and then early in the session we don't
00:27:23.039
do the go around to introduce yourself I
00:27:25.440
find it doesn't work very well but what
00:27:27.600
does work well is to ask people how much
00:27:30.539
Ruby experience do they have and what
00:27:32.460
are they hoping to get out of the
00:27:33.720
session if I just do that it greatly
00:27:36.419
increases the chance that later on in
00:27:38.520
the session people engage ask questions
00:27:40.500
and be involved
00:27:42.419
also we need to allow empty space we put
00:27:44.940
up slides we have to allow them just to
00:27:46.679
be silently reading which is really hard
00:27:48.659
to do as a presenter you want to you
00:27:50.760
know throw in some ideas but allow that
00:27:53.220
empty space to be there keeping it
00:27:55.740
moving can be challenging it requires a
00:27:57.659
skill to get through the slides and then
00:28:00.539
also splitting the Ruby and Rails
00:28:02.400
sessions into two so they can both
00:28:04.559
breathe is another thing that we learned
00:28:07.740
all right if you want a front row seat
00:28:10.320
for the onboarding sessions to see how
00:28:12.179
it goes you know what to do
00:28:16.320
overall I'm really grateful I'm grateful
00:28:18.179
to Matz and DHH for their great ideas
00:28:20.220
which have changed me
00:28:22.140
I'm grateful to Chime for giving me the
00:28:24.600
opportunity to go on this journey and
00:28:26.220
work with an amazing team
00:28:28.500
Jeff and I have grown into a team and we
00:28:31.919
are working on
00:28:33.980
building a culture of ongoing learning
00:28:36.480
for Ruby and Rails at Chime and I'm
00:28:39.659
really grateful to you for being here so
00:28:42.059
thank you for coming
00:28:45.240
overall
00:28:47.880
I think that incremental change is
00:28:51.840
mostly worthless
00:28:53.299
transformational change is something
00:28:56.460
that all of our companies are trying to
00:28:58.200
go through
00:28:59.279
and it's essential to be able to grow
00:29:03.000
and transformational change cannot
00:29:05.159
happen without love
00:29:07.080
and love will never happen without a
00:29:09.900
proper
00:29:10.740
introduction
00:29:12.419
and this is why I think onboarding is so
00:29:14.580
important thank you very much