The process of creating good software is more like a game of soccer. On one hand, you have a team of individuals with different skills and specialties (right/left/center fullbacks, midfielder, defender, goalkeeper) trying to score the most goals. On the other hand, you have another heterogeneous group (developer, tester, security engineer, and operations) trying to create the greatest number of user-centric, ultra-responsive applications while ensuring supreme quality.
But while the beautiful game has always been a pleasure to watch and follow (more due to the coordination, communication, and understanding displayed by the heterogeneous set by way of deft touches and clever passing game), the game of creating software seldom saw such teamwork before the onset of a philosophy called DevOps.
Currently, DevOps is in its 12th year and, as per Gartner, around 70% of IT organizations are focused on the DevOps discipline, but only about 26% of them have adopted it in its true sense.
Renowned software architects and DevOps practitioners Len Bass, Ingo Weber and Liming Zhu describe DevOps as “A set of practices that helps reduce the time between committing a change to a system and committing the change into normal production – all the while ensuring high quality.”
It is this high-quality aspect that most organizations either overlook or simply fail to measure up.
The Hangover from the Waterfall
Not long ago (before the advent of the Agile approach in the early 2000s), organizations that created software followed a very linear approach, which moved systematically from left to right. The process flowed blindly like a waterfall, and there was no looking back until the software got tested by QA during pre-release and a bug got identified at that point. Once identified, the ball got passed to the developers’ court for rework, rejig, and re-rollout, which only got vetted by the testers at the very end of the process.
Imagine this as a soccer game where the players cannot see each other’s moves and, at the very end, when a misplaced ball reaches the forward position, there is somebody from the opposition ready to push the ball back into the team’s defense. Imagine how unsynchronized this game would be. How non-fluid, boring, and mostly unproductive too!
But this was possible because there were hardly one or two releases a year. Times have changed and so has the need to shift gears.
Thus, arrived DevOps
With the 21st century came the internet economy, where agility is the name of the game and multiple releases per month, week, and even day have become the mantra of successful companies. Amazon engineers deploy code every 11.7 seconds on average. Be it Netflix, Target, Walmart, Facebook or Twitter, these organizations have changed the face of the software game by adopting DevOps, bringing developers and operations together and bridging the gaps of waterfall by keeping testers and security personnel at every step of the process.
No longer is there a wall separating the players, nor are their moves unseen, nor do they operate in silos. Character, collaboration, and community flourish in true colors and, as a result, the code that gets deployed and the software that gets generated have customer satisfaction written all over them.
Welcome to the world of DevOps where the defender can play the role of a forward too and a midfielder can be a darn good defender. This is a team where each knows the other and together, they produce good software.
But as discussed earlier, hardly 26% of organizations are really able to reap the ROI from DevOps. What is preventing them from harnessing the DevOps capabilities?
Lack of continuous testing and the relegation of security to the final stage of the software lifecycle prevent the majority of organizations from making the most of it. In fact, many organizations see continuous testing and embedded security as impediments to their time-to-market and code deployment rate objectives and hence sideline them or bring them in only as an afterthought, more like a tick-mark exercise.
Consequently, they do reach the market faster, but only with buggy software. Hence, for organizations to truly leverage DevOps, DevTestOps and DevSecOps become increasingly important. It is just like passing the ball and assessing the field in soccer: though time consuming, they only increase the chance of scoring goals.
Figure 2: Continuous Testing and Imbued Security hold Development and Operations Together
Shift Left and Shift Right to Truly Extract Maximum DevOps RoI
Shifting left and shifting right entails moving testing and security across the length and breadth of the software development lifecycle. Keeping testing and security active in every step of the software game is the only way to win the game in the most cost-optimized manner.
This means the tester and the security engineer are involved right from the systems analysis phase, and unless they approve the output of a particular phase, things don’t move to the next phase. This process minimizes the probability of future code failure, and continuous security (DevSecOps) reduces the vulnerability of the code by introducing security processes and protocols throughout the development cycle.
Following in the footsteps of successful unicorns such as Lemonade, Facebook, and Netflix, many organizations are beginning to adopt test-driven development (TDD), an inside-out approach where the developer writes an automated test case and the necessary code to pass that test.
Some organizations are also adopting behavior-driven development (BDD), an outside-in approach which combines the general principles of TDD with ideas from domain-driven design to provide software development and operations teams with shared tools and processes to collaborate.
DevTestOps involves a combination of exploratory testing (check systems on the fly), manual testing, and TDD.
In an agile delivery ecosystem, it may not be feasible to test everything before releasing code into production. It is equally important to take into consideration real-world users and their application usage experiences, either to transform them into future test cases or to give feedback to the developer team so that they can incorporate some learnings into their next code.
Shift right facilitates testing in a post-production environment by undertaking requirements validation based on real user journeys, deriving performance test scenarios, A/B testing and canary testing to understand customer vibes, and crowd testing to better appreciate real world experiences.
Organizations have now realized that DevOps minus continuous testing and embedded security is simply a faster route to producing patchy software. That is why DevTestOps and DevSecOps are the buzzwords in the industry today.
As the continuous delivery pipeline becomes hyper-automated, there will be vulnerabilities and compromises on code quality to speed up time to deployment. Here DevSecOps, TDD, and BDD along with appropriate post-production testing will stand as effective deterrents and balance out speed with quality for a superior CX, CSAT, and true DevOps ROI.