DevOps is changing the meaning of the word ‘release’
Ops is becoming obsolete and the dialogue with security is improving – in conversation with Forrester’s Kurt Bittner at the recent Jenkins User Conference, we learn about some fascinating changes taking place in the DevOps world.
JAXenter: Can DevOps actually increase and improve security?
Kurt Bittner, Forrester: There’s a couple of issues here. First of all, it helps if you think of it as “dev plus ops”, bringing dev and ops together to improve the performance and collaboration of both. We’ve had a similar problem with security. Security has been off in its own world. They’re not terribly integrated into the development or operations organisations. They don’t tend to use the same tools that the dev and ops people use. In some cases they have their own private tools that only they use, because they want to keep them secret. But the reality is that just as customer experience benefits from faster feedback, security also benefits from faster feedback. Constantly testing code against known security threats is essential for understanding the risk that you have. So the more you can build that into the automated pipeline, the more visibility you have into what the potential holes might be.
You can build code scanning into the delivery pipeline so that you’re constantly looking for known coding errors. And then some of the other things – for example, many security threats are created by unpatched vulnerabilities. The patches are available, but ops hasn’t gotten around to patching the systems because they’re doing everything manually. So if they have automated environment management capabilities they can keep all the systems updated and patched all the time. It’s just part of their normal delivery processes.
So it’s a combination of different techniques, but really the first step is just getting dev and ops and security to talk to one another and realise that they all really have the same goal – a good customer experience. So security’s part of that, development is part of that and ops is part of that.
And that’s of course one of the things that DevOps does so well – opening up new channels for communication…
Yes. But mere talk isn’t enough. There are some specific practices that are important.
So DevOps has slowly become a mainstream concept in IT. What’s happening now in the DevOps world?
We’re seeing increasing interest in and penetration of DevOps in organisations. The practices are widespread in the mobile and cloud parts of many organisations. CIOs are looking at those faster-delivering teams and saying, well, we’d like other people to be more like that. They’re also facing increasing threats from competitors and customers who now have more choices about who they pick for their services and products. To make it sound a little dramatic, a lot of CIOs are scared about how slow their deliveries are and how poor the quality is. So that’s on the negative side.
Getting a seat at the table with business
But others see it more positively. We’ve always wanted to have a seat at the table with business and to be real contributors. And now developers finally have some ways of doing that with faster delivery. With 12-month delivery cycles it’s really hard to make a real contribution to the business. But at one month or less it starts to change the game.
And that’s another thing that’s changing at the moment: the meaning of the word ‘release’.
Correct. There are a couple of aspects to that. So if you look at the really advanced companies doing this, they’re releasing all the time, but what they’re releasing are API changes or new APIs and then gradually, enough of those changes accumulate and they can turn a feature on, or they can turn a new capability on. So what traditional organisations have done is that they have coupled the idea of releasing software with a new capability being available.
But at faster release cycles, more modular architectures, things like services and microservices allow you to decouple those. And now you can use things like feature toggling and frameworks to turn on and off features more on the demand cycle of the business, as opposed to being tied to a technical software release event.
DevOps and Continuous Delivery are often being used interchangeably. How do you differentiate between DevOps and CD?
Yeah. I look at DevOps as a philosophical concept that says Dev and Ops should work together, but it’s rather vague and unspecific about what exactly they should do. So it’s a kind of umbrella term for lots of different practices and activities. Continuous Delivery is a very specific set of practices mostly around having an automated delivery pipeline, and having processing and tools that support that delivery of software.
Philosophical concept vs. specific processes
But there are things in DevOps that perhaps are outside of CD, such as generally the value of having beer and pizza meetups to get people talking to one another. While that’s important, with CD we’re talking about some very specific kinds of things. Usually a process triggered by CI that ultimately results in deployment, at least to a stage test environment, if not to production.
Some individuals here at the Jenkins conference have even gone so far as to advocate a ‘NoOps’ approach. Can you relate to this?
I think broadly speaking yes, in the sense that ops as a separate organisation ceases to exist. So let’s look at what we’ve put into operations in the past – we’ve given them the responsibility for keeping machines and networks running, for maintaining applications, and sometimes doing infrasecurity (although that’s now become a separate specialty). And some organisations, they won’t actually have people maintaining the machines because they’re actually using third-party cloud providers. But what remains is that you still have to be able to provision those environments, you still have to manage the environments and you still have to deploy software to them.
What NoOps suggests is that those responsibilities go into the delivery team. And I specifically use that term instead of ‘development team’ because there’s a ‘delivery team’ responsible for delivering these new capabilities or changed capabilities. And they have some operations responsibilities over environments, management and the way that environments are configured. Let’s say that you’re using an internal cloud, you’ve got some kind of data centre somewhere, and a bunch of infrastructure – as you move to virtual machines and then to containers, those ops people never really see what’s in the application.
The movement of ops responsibilities to the delivery team
They’re just responsible for keeping the infrastructure running, much in the way that in a city there are people responsible for bridges and roads, but they have nothing to do with the cars and trucks that run on them. And so I think that kind of separation will play itself out. And I think that the people keeping the server farms running are definitely needed. But they may be outside the organisation and they don’t really have to understand what’s running in the applications. They’re just looking at workload and traffic, much in the way you’d look at transportation in the city.
In what way is CD helping companies compete?
It ties back to the comment that has been attributed to Marc Andreessen that “software is eating the world”. Increasingly more and more of the products and services that companies offer are dependent on software in one way or another. Either through customer interface, through mobile applications or cloud applications, or it’s embedded in the product itself.
I would say an extreme example of that is the Tesla Automobile, where a huge part of the automobile itself is defined in software. You can control all kinds of capabilities, power distribution, power management, acceleration, braking as well as customer experience. As those software-enabled and software-defined products become more and more prevalent in the industry (and now we’ve got relatively mundane devices like thermostats like Nest and Honeywell basically controlled through and utilising software and analytic information to provide a better experience) – all of those things together mean that software delivery is more and more important. To put a finer point on it, the products that interact directly with customers give you the ability to understand what the customer is doing – the context, successful achievement, satisfaction.
And by measuring these, you can start to fine-tune those products to better meet the customer needs and create more loyalty. So it’s the ability to drive that feedback loop faster that gives you a competitive advantage over people who can’t.