WEBINAR Improving Application Delivery Governance With DevOps Abstract Nearly every organization wants to deliver applications faster, with higher quality and lower cost. DevOps practices enable organizations to do this, but some organizations claim that they can’t use them because they are in regulated industries with stringent governance requirements. The truth is that DevOps practices give organizations the processes and tools they need to not only speed delivery and reduce cost, but to also improve their ability to govern application delivery. This webinar will describe how organizations are delivering faster while also improving their ability to govern.   Outline the agenda of your presentation in three or more bullets Manual governance processes are slow, costly, and ineffective Agile practices improve transparency but are not sufficient DevOps practices improve control and consistency 4. What will attendees do differently because of this webinar? What will their key takeaways be? Don’t govern broken processes; fix them first Simpler processes are easier to control and automate Automation improves and enforces consistency Kurt Bittner, Principal Analyst Amy DeMartine, Senior Analyst December 15, 2015. Call in at 10:55 a.m. Eastern time

Regulated industries and safety-critical products have a problem.

Image source: Next Big Future (http://nextbigfuture.com/) Consumers want this.

Image source: CNN (http://edition.cnn.com/) Not this.

They want this. Image source: Ally Bank (http://community.ally.com/straight-talk/)

Not this.

That’s where governance comes in . . . With so much riding on software, lots of people want to make sure nothing goes wrong with it. That’s where governance comes in . . .

Governance Compliance Audit (all companies, “control”) (depends on industry, predefined controls) Audit

Prior to DevOps, governance looked like: Segregation of duties CAB reviews Results of manual testing Image source: PKPolitics (http://pkpolitics.com/) Manual approvals Code reviews

Good governance Inclusive Sustainable Transparent Consistent Constant

“We can have software running on 300 turbines, where we can model the wind, can optimize performance on the grid, and increase output by 20%. That’s the industrial Internet.” Image source: Business Insider (http://www.businessinsider.com/) Jeff Immelt, CEO, GE

Many organizations think DevOps is fine for web- based shopping, but regulated and safety-critical products require a slower and more careful approach. They’re wrong.

Automation and standardization make governance better and easier. Speed and quality are not inherently opposed. Manual quality processes can be little more than risk management theater. Automation and standardization make governance better and easier. Image source: TripAdvisor (https://www.tripadvisor.com)

Let’s look at how . . . Image source: TripAdvisor (https://www.tripadvisor.com)

The application delivery pipeline Idea proposed Understand needs and invent solutions. Functional testing Deploy solution. Production support Load, performance, security, . . . testing UAT/exploratory testing Release decision. Develop, commit, and build. Image source: BVG8Science (https://bvg8science.wikispaces.com/) Provision environments.

Control point No. 1: control over work UAT/Exploratory Testing Work is defined and prioritized only by authorized persons. Full transparency also improves collaboration and communication. Understand Needs and invent solutions Release Decision Develop, commit and& Build. Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Idea Load, Performance, Security, … Testing Backlog Provision Environments

Control point No. 2: control over solution Important characteristics of the solution (technology stack, architecture . . .) is defined and prioritized only by authorized persons. Full transparency also improves collaboration and communication. UAT/Exploratory Testing Understand needs and invent solutions Release Decision Develop, Commit & Build Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing Backlog Provision Environments

Control point No. 3: control over environments Environment definitions are defined only by authorized persons. Control over who can create environments is also defined only by authorized persons. Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Production Support Load, Performance, Security, … Testing UAT/Exploratory Testing Release Decision Develop, Commit & Build Image source: BVG8Science (https://bvg8science.wikispaces.com/) Provision environments.

Control point No. 3: control over environments Idea proposed Understand Needs & Invent Solutions Functional Testing Deploy Solution Production Support Load, Performance, Security, … Testing UAT/Exploratory Testing Release Decision Environment provisioning automation Develop, Commit & Build Image source: BVG8Science (https://bvg8science.wikispaces.com/) Developers EA, testers Ops, and security versioned source repository Code environ configs tests Provision Environments Developers EA, testers Ops, and security

Control point No. 4: control over code Code should be created or modified only by authorized persons. Code should be inspected to ensure that it conforms to standards: Peer review Static code analysis UAT/Exploratory Testing Understand Needs & Invent Solutions Release Decision Develop, commit, and build Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing Provision Environments

Control point No. 4: control over code UAT/Exploratory Testing CI automation Environment Provisioning automation Understand Needs & Invent Solutions Release Decision Develop, Commit & Build Idea proposed Deploy Solution Production Support Functional Testing Static code analysis Peer code review Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing versioned source repository Code environ configs tests Provision Environments Developers EA, testers Ops, and security

Control point No. 5: control over the software supply chain UAT/Exploratory Testing Understand Needs & Invent Solutions Release Decision Develop, commit, and build Idea proposed Deploy Solution Production Support Functional Testing Applying supply chain principles to software gives greater control over the finished products. Choose fewer and better suppliers. Choose the highest quality parts. Track which parts went where. Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing Provision Environments

Control point No. 5: control over the software supply chain UAT/Exploratory Testing CI automation Understand Needs & Invent Solutions Release Decision Develop, Commit & Build Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing Artifact repository “Built” artifacts Open source Provision Environments EA, developers, Ops, QA, and security Vendors

Control point No. 6: control over the release process UAT/exploratory testing Standardizing release processes improves consistency and auditability. Code should only be released to authorized environments by authorized persons or processes. Understand Needs & Invent Solutions Release decision. Develop, Commit & Build Idea proposed Deploy solution. Production Support Functional testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, performance, security, . . . testing Provision Environments

Control point No. 6: control over the release process The same release automation processes are used for deploying to test and prod environments. The only difference is the “decision to release” process. UAT/Exploratory Testing CI or pipeline automation Test environment provisioning automation Understand Needs & Invent Solutions Release Decision Develop, Commit & Build Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing versioned source repository Code environ configs tests Application release automation Provision Environments Developers EA, testers Ops, and security

Control point No. 7: control over quality assessment UAT/exploratory testing Test automation can verify many/most/all compliance concerns, including security and safety-critical issues. Understand Needs & Invent Solutions Release decision. Develop, Commit & Build Idea proposed Production Support Functional testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, performance, security, . . . testing Provision Environments

Control point No. 7: control over quality assessment Release decision. UAT/Exploratory Testing CI or pipeline automation Test automation (Functional, load, scalability, security, reliability. . .) Understand Needs & Invent Solutions Release Decision Develop, Commit & Build Idea proposed Deploy Solution Production Support Functional Testing Image source: BVG8Science (https://bvg8science.wikispaces.com/) Load, Performance, Security, … Testing versioned source repository Code environ configs tests Provision Environments Developers EA, testers Ops, and security

Recommendations Gradually replace manual governance with automation. Automate compliance reports using ALM/pipeline tools. Refocus specialists on automating compliance. DevOps tool support: Create and support “pipeline-as-a-service.” Security: Build secure frameworks and components. EA: Create and support platforms, certify components. Ops: Create and maintain standard configurations. Audit: Automate compliance tests in pipeline. Continuously improve. Image source: Next Big Future (http://nextbigfuture.com/)

Kurt Bittner, Principal Analyst kbittner@forrester.com @ksbittner Amy DeMartine, Senior Analyst ademartine@forrester.com @AmyDeMartine