AGILE DEVSECOPS
Agile Takes Flight
It seems everyone who develops software is adopting, or has already begun adopting, Agile practices as their preferred approach to deliver more responsive, higher quality software. For development teams, this means smaller and more frequent releases (i.e., “sprints”) that allow for more immediate feedback loops from testing and business stakeholders. This surge in Agile practices, however, has centered on improving the performance and output of application development teams. The unintended consequence is that Operations teams caught off guard by a wave of new requests are often unable to handle the resulting volume of activity. A traffic jam results, and the once optimistic goals of Continuous Delivery come to a grinding halt.
The wall between the “change producers” and “change implementers” becomes increasingly contentious as the constant drumbeat of new changes clashes with Operations’ mandated goals of stability and reliability of the infrastructure. The increased pressure on Ops to deploy changes ever faster while still maintaining a low risk and stable environment inevitably leads to conflict.
DevOps Emerges
This “clash of silos” has led to an ever greater need for cooperation and collaboration between these often opposing forces, giving way to the identification and promotion of a whole “new” focused discipline: DevOps. The goal of DevOps is simply to accommodate the speed and turnaround introduced by Agile adoptions, while protecting the integrity and availability of the overall IT infrastructure.
While manageable at small scales, the greater challenge is with the much larger institutions, and in particular Government Agencies, that must navigate layers within their organizations and adhere to strict rules of governance and compliance with regulations and service level agreements.
Software Factories
It is into this world that VIRE steps in and assumes control. Our deep experience and drive focus attention directly on improving enterprise efficiencies, providing customers a guiding light to turn a complex and chaotic new world of change into a disciplined and highly efficient software production factory.
It is no longer competitive or acceptable to produce software in the traditional “waterfall” approach, where up-front planning and large releases dominate the landscape over smaller, quicker, more real-time feedback loops. The production of software must be viewed and executed with the repetitiveness and reliability of a factory assembly line. Like the evolution of the pre-Ford car industry, software development today must take up the mantle of mass production or organizations will face being overtaken or marginalized in this fast-paced world of constant change and high end-user expectations. But how?
Getting there…
Any successful journey begins with an understanding of where you are on the map, and where you need to be. Before setting out on the road towards Continuous Delivery, VIRE performs a thorough assessment of the organization. It examines the people, processes and tools currently in use, and immediately targets choke points in your application “delivery pipeline.”
Just as the overall strength of a chain is determined by its weakest link, so can the speed and efficiency of a software delivery pipeline be strangled by a single unaddressed “pipeline segment.” For example, modern Agile initiatives often tackle first the low-hanging fruit of instituting “Continuous Builds,” but if that same organization has failed to address the area of automated regression testing, it is either just expediting the deployment of unchecked and flawed code, or quickly queuing up test requests to a testing organization that cannot adequately process the backlog.
Accordingly, VIRE assesses an organization’s delivery pipeline holistically to ensure that all segments are improved and advancing at a consistent rate such that no one area overwhelms the next in line. The major DevOps areas most commonly addressed are:
Each of these disciplines requires highly skilled Subject Matter Experts (SMEs) to assess and address deficiencies and areas for improvement. The VIRE philosophy is that a relatively small cross-functional team of such SMEs can address what needs to be accomplished more effectively and faster than a much larger team with increased overhead and unnecessary layers of communication.
VIRE teams comprise SMEs who have spent considerable time in functional roles on real continuous delivery projects. Each team member understands both the overall desired outcomes and the near-term priorities. As the project matures and the needs of the team change, a different skillset is often required, and is inserted at the appropriate time for a smooth transition of pipeline improvements. As such, VIRE incorporates adaptation into the services engagement model, which we have found critical to customer success.
Moving towards a culture of collaboration…
DevOps is a relatively new concept with varying definitions being proffered throughout industry. Without a doubt, tools, automation, and integration of those tools play an instrumental role. But VIRE believes the real challenge and true value of DevOps lies in managing the interactions and process collaborations of traditionally interdependent siloed teams that must all collaborate efficiently to build, integrate, test, release, and support all changes being introduced.
Organizations must be on board and properly aligned with the overall goals of the enterprise if success is to be achieved. VIRE SMEs are familiar with such organizational challenges and are well equipped to identify potential roadblocks and meet these challenges head-on through coaching and mentoring of all affected partners and stakeholders.
Deployment Automation (DevOps)
Once organizational control has been properly established, focused attention can be brought to bear on automating the delivery pipeline as this is essential to any successful DevOps solution. To keep pace with Continuous Builds that are typically first introduced in Agile-based initiatives, deployment automation must be addressed next to reduce the risks and failures typically associated with manual deployments.
By introducing an approach that requires close collaboration among organizational participants, VIRE seeks to close the gap between those silos by establishing the use of common terminology and objectives, and including a selection of best-of-breed tools that take into account existing and available skillsets.
The latest advances in “deployment automation” tools have made this segment of the pipeline increasingly easy for clients to adopt and maintain, removing the traditional costly reliance on manually intensive “script-based” solutions that often vary greatly amongst the various applications of a given organization.
This practical yet powerful approach provides compelling benefits, accelerating time to delivery and increasing product usefulness while at the same time improving infrastructure stability.
Automated Testing
Many early phase DevOps initiatives are focused on the areas of Continuous Integration, Builds, and Deployments, as these are often the most visible and “active” segments of the pipeline. The more “invisible” hand of resistance that often goes unnoticed until too late is that no matter how fast and efficient the implementation of a full Continuous Delivery solution is, audit and upper management will never allow it to reach “full throttle” unless and until they are convinced that the process itself will yield higher quality releases that minimize defects being introduced and don’t jeopardize existing operations.
This comfort level, and its resulting drop in the need for overly burdensome checkpoints and approvals, can only be achieved once testing is fully and increasingly inserted directly and automatically into the delivery pipeline.
It’s very simple: the less automated testing injected into the process, the greater the delay due to manual testing, management oversight through verification and validation of that testing, and a final series of sign-offs and approvals that all boxes have been checked.
THIS is the Achilles heel that will doom even the most well thought-out plans for automating the delivery pipeline. VIRE understands this exceedingly well and makes every effort to engage all internal quality management personnel and control groups to ensure the testing function keeps up the same pace as the more visible build and deploy functions.
Security Scanning (DevSecOps)
While the DevOps term has exploded in popularity, the notion of embedding security directly within the pipeline is too often an afterthought or not considered at all. While security testing is often delegated to the internal test organization, VIRE believes it should be built into the pipeline right from the start. This is what is now being termed DevSecOps, and it has become a critical element in the hardening of systems that are unfortunately coming under increasing attack from hostile and nefarious actors.
For example, for several clients, VIRE has introduced into the pipeline tools that automatically scan source code for vulnerabilities that internal developers may inadvertently create in their source files, and that may also be brought in through the increasingly popular use of “Open Source” modules downloaded from the Internet.
In fact, the Federal Government has begun encouraging and even mandating the increased inclusion of Open Source in custom built applications due to its increased reliability and the time-savings introduced by reusable code. VIRE supports this whole-heartedly, but would also caution that this benefit and convenience brings with it real and unforeseen dangers. That is why we insist on building in scanning capabilities throughout the lifecycle of code development – from code builds that expose potential vulnerabilities directly to the front-line developer for immediate remediation, to final “firewall” checkpoints that prevent objectionable code from reaching production environments at the final leg.
Continuous Delivery
Faster, frequent, more reliable software has arrived.
Continuous Delivery – or the routine and regular incorporation of new software features and fixes – does indeed seem daunting and quite impossible to reach given all the above areas that need to be considered and addressed. But with the skillful application of modern agile processes and tools combined with new approaches to communication, what was once thought of as extraordinary and unachievable can truly become commonplace. With a repeatable, reliable, and reproducible process in place, software delivery becomes increasingly predictable – resulting in high quality software released at accelerated intervals.
Implementing a functional and efficient pipeline for Continuous Delivery is not easy, and takes dedicated and experienced professionals to see it through. VIRE’s nimble team approach has achieved numerous successes by embedding SMEs directly into customers’ projects, which encourages and promotes the collaboration of traditionally siloed people, processes and technologies, forging new bonds and realigning goals and work efforts to ultimately achieve a successful Continuous Delivery program.
Anticipated outcomes of moving to a Continuous Delivery model include: