Date posted: 10-Feb-2017
Category: Technology
Uploaded by: serena-software
FUG2016. Copyright © Serena Software 2016
WE OWN IT! Shift Left with Continuous Inspection
Don Irvine, Vice President ALM Products
How Many Bugs Are Too Many?
“Industry Average: about 15 – 50 errors per 1,000 lines of delivered code”
Source: Code Complete by Steve McConnell
Five Simple Steps to Shift Left
#2 Code review every change
Code inspection is often more than 65% efficient at detecting defects (Capers Jones)
Five Simple Steps to Shift Left
Five Simple Steps to Shift Left
#3 Use a static analysis tool regularly
Static analysis combined with peer review can detect up to 95% of bugs (Capers Jones)
Five Simple Steps to Shift Left
#4 Be aware of third-party components and their vulnerabilities
In a security analysis across 5,300 applications, Veracode also found and confirmed that an average application has 24 known security vulnerabilities associated with open source and third-party components (State of the Software Supply Chain Report)
Five Simple Steps to Shift Left
1. Build every change
2. Code review every change
3. Use a static analysis tool regularly
4. Be aware of third-party components and their vulnerabilities
5. Provide visibility of all changes and their health
Continuous Inspection
(Diagram: Change > Build > Static Analysis > Security Scan > Peer Review > Visibility)
The process of putting software code changes through a series of expert inspections to rapidly identify and respond to coding issues, improving quality and reducing costs
Continuous Inspection
Key Capabilities
• Extensible plug-in architecture
• Schedule & inspect code changes
• Report findings & vulnerabilities
• Supports DevOps “Shift-Left”
• Aggregated KPI Metrics
Value Benefits
• Display results in code review
• Real-time developer feedback
• Reduce coding risks & issues
• Monitor code health & quality
• Speed release readiness
"Given enough eyeballs, all bugs are shallow." The Cathedral and the Bazaar, Eric Raymond
Changeset Graph and Change Health
Key Capabilities
• Visualize branch dependencies
• Navigation of change history
• Visual approach to merging
• Integrated with CI
Value Benefits
• Insight into release readiness
• Change timeline visibility
• Complexity of merging
Integrated Peer Review
Key Capabilities
• Collaborative web based peer review
• Linked to Continuous Inspection
• Configurable process
• Full audit trail
• Tightly integrated into Dimensions
Value Benefits
• Improved code quality
• Find 70-90% of all defects earlier
• Cost reduction
• Save up to 30% of re-work hours
• Developer productivity
• Up to 25% improvement in coding
Automatic Detection of Known Vulnerabilities
Key Capabilities
• Built in vulnerability scanner
• Works with public OWASP project
• Checks NVD security issues with delivered components
• Scan regularly or on every check-in
Value Benefits
• Provides full report of your components and their vulnerabilities
• Know when vulnerabilities are reported in your third-party components
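As an added illustration (not Serena's scanner or the OWASP project's code) of the check this slide describes: delivered component versions are matched against NVD-style affected-version ranges, and a CVSS threshold decides whether the check-in scan passes. The component names, versions, CVE ids and scores are constructed placeholders.

```python
"""Added example: match a build's delivered third-party components against
NVD-style advisories (shift-left step #4). Advisories, CVE ids and the
component manifest are constructed placeholders, not real NVD data."""
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    cve_id: str     # placeholder id; a real scanner takes these from the NVD feed
    product: str
    start: str      # first affected version, inclusive (NVD versionStartIncluding)
    end: str        # first fixed version, exclusive (NVD versionEndExcluding)
    cvss: float

# Constructed advisories in the shape of NVD CPE version ranges.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "acme-xml-parser", "1.0.0", "1.4.3", 9.8),
    Advisory("CVE-XXXX-0002", "acme-xml-parser", "1.4.0", "1.5.0", 5.3),
    Advisory("CVE-XXXX-0003", "acme-web-framework", "3.0.0", "3.2.1", 7.5),
]

# Constructed bill of materials for one delivered build.
DELIVERED = {"acme-xml-parser": "1.4.2", "acme-web-framework": "3.2.1", "acme-logger": "0.9.0"}

def affected(component: str, version: str, adv: Advisory) -> bool:
    """True when the delivered version falls inside the advisory's affected range."""
    return (adv.product == component
            and parse_version(adv.start) <= parse_version(version) < parse_version(adv.end))

def scan(components: dict, advisories: list) -> dict:
    """Map each affected component to the ids of the advisories that apply to it."""
    findings = {}
    for name, version in components.items():
        hits = [a.cve_id for a in advisories if affected(name, version, a)]
        if hits:
            findings[name] = hits
    return findings

def gate(findings: dict, advisories: list, threshold: float = 7.0) -> bool:
    """Check-in gate: pass only if no applicable advisory reaches the CVSS threshold."""
    score = {a.cve_id: a.cvss for a in advisories}
    return all(score[c] < threshold for hits in findings.values() for c in hits)

if __name__ == "__main__":
    found = scan(DELIVERED, ADVISORIES)
    print(found, "gate passed" if gate(found, ADVISORIES) else "gate FAILED")
```

Note that acme-web-framework 3.2.1 is exactly the fixed version and is therefore not flagged, while acme-xml-parser 1.4.2 sits inside two overlapping ranges.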
Work Item Management (due in May)
Key Capabilities
• Backlog management, Kanban, burn-down and reporting
• Development focused
• Planning of CM requests
• Management of teams
• Integrated with SBM, RM and Jira
Value Benefits
• Visualize and plan work within CM
• Track progress, identify bottlenecks
• Manage movement of work between backlogs in other tools
• Integrates with the full CM lifecycle
1. Build every change
2. Code review every change
3. Use a static analysis tool regularly
4. Be aware of third-party components and their vulnerabilities
5. Provide visibility of all changes and their health
The Corridor Test…
WE OWN IT!
Julian Fish, Director of Products, Serena Software
Move Fast Without Breaking Things: DevOps, Continuous Delivery and Multi-Speed IT Delivery in Regulated Environments
Move Fast Without Breaking Things
(Diagram: Business, Development and Operations plotted between Compliance (Control) and Agility (Speed))
Business: need to drive competitive advantage and respond to market needs
Development: adoption of Agile practices has increased the speed of engineering delivery
Operations: still ruled by SLAs, stability and an inherent resistance to change
“Who has an Agile Transformation Project / Program in place currently?”
(Diagram: Define > Develop > Construct > Deploy > Verify)
“Who has a DevOps Transformation Project / Program in place currently?”
(Diagram: Dev > Test > UAT > Prod; Development Teams “Shift Right”, Operations Teams “Shift Left”)
DevOps?
“Devops good news! Devops is 100% peoples and culture so you not have of understand functional programming!”
© 2013 @DevOpsBorat
DevOps, Continuous Delivery and Multi-Speed IT
DevOps tries to align goals between Development and Operations
Continuous Delivery ensures software is always production ready and releases are tied to business needs and not operational constraints
Multi-Speed IT understands that there isn’t a simple ‘CD or non-CD’ approach but a collection of approaches and speeds that IT can use to release software
What is DevOps?
DevOps… Automation? Infrastructure as code? Continuous Delivery (CD)? Infrastructure Automation? Continuous Integration (CI)?
“A movement to address the gap between Dev and Ops”
“82% of high performing companies automate their code deployments”
DevOps / CD Benefits for Regulated Industries
Reduced risk by implementing frequent, smaller changes
Developers have better understanding of development, test and production infrastructure
Operations gain application-centric understanding
Simplified end to end IT processes inclusive of Audit and Compliance requirements
Supportive of Application Automation
= Increased collaboration between Dev and Ops / Lower Risk / Faster Time to Value
(Diagram: Dev, QA and Ops overlapping as DevOps)
End to End Domain Interaction – The Sum of the Parts
(Diagram: Continuous Delivery spanning Source Code Management, Build / CI, Deployment / Test Automation and Formal Release, running on Containers, Virtual Infrastructure, Physical Infrastructure and Cloud Infrastructure; Enterprise Change Management across Dev, Test, UAT and Prod; surrounding domains: APM, IT Service Management & DML, Agile Planning, Requirements Management, Project Portfolio Management, Enterprise Release Management)
Is this DevOps? Is this DevOps? Is THIS DevOps?
Identifying the Challenges in Federal / Regulated Industries
One size fits all approach won’t work for traditional Federal organizations
Legacy, Transitional and Innovative Applications must co-exist
Organizational Framework based approach with multiple “Flavors” of implementation
Multiple Contract teams own areas of the End to End process, adding complexity
SPOC and ownership is difficult to find – what is the sponsor trying to achieve
Startup “Application is the Business” doesn’t apply
“More than 95% of IT operations organizations lack a centralized release management process”
“Through 2016, a lack of effective release management will contribute up to 80% of production incidents in large organizations with complex IT services”
“82% of high performing companies automate their code deployments”
Bi-Modal vs Multi-Modal IT
“By 2017, 75% of IT organizations will have a bimodal capability”*
“95% of Large Enterprises require multi-modal capabilities. Type 1 & Type 2 becomes Type 1 - 5”
“By 2017, 75% of IT organizations will have a bimodal capability”*
(Diagram: Systems of Innovation, Systems of Differentiation and Systems of Record, with Dependencies, Governance and Change flowing between the two modes)
Mode 1 (Reliability): Waterfall, V-Model; IT-centric; release in months/years
Mode 2 (Agility): Agile, Kanban; Business-centric; release in days/weeks
*Gartner predictions, 2014
Serena Provides Multi-Modal IT Support
(Diagram: Systems of Innovation, Systems of Differentiation and Systems of Record, with Dependencies, Governance and Change flowing between the applications)
App 1, Traditional: Waterfall, V-Model; IT-centric; release in months/years
App 2, Agile: Agile, Kanban; Business-centric; release in days/weeks
App 3, Transitional: Scrum-fall; Product-centric; release in weeks/months
Application deployment speed determined by Application Architecture, Application Type and Compliance requirements
Shift Left vs. Shift Right
(Diagram: Dev > Test > UAT > Prod; Development Teams “Shift Right”, Operations Teams “Shift Left”; key: Measured Functional Competence (High – Low))
Where to Start?
• What matters to the business?
• How do we define and measure success?
• Look to eliminate waste
• Incremental changes/quick wins
• Focus on continuous improvement
• Implement Process and Technology simultaneously
• Automate Everything
How Responsive are you to the Business?
• How do you measure success?
• Average cycle time for moving a business request from Development to Production?
• Number of business requests implemented this week, month, year?
• Cost of moving a unit of change through your application lifecycle?
• Percentage of a release focused on technical debt?
• Develop metrics to support what matters to the business
Continuous Integration & Standard Build Frameworks
(Diagram labels: inetOrgPerson, inetOrgPerson, Secured Repository, Common Build Process)
Secured build processes ensure audit compliance and artifact traceability.
Secured artifact repository provides common source for artifact deployment.
Automate Almost Everything
• People should not move the “bits”
• Automate code and configuration deployments with a single set of deployment processes across all environments
• All pre-prod deployments should be rehearsals for the final deploy into prod
• Quick incremental wins with big impact
Centralized Release Management Process and Path to Production
(Diagram: DEV > TEST > PROD; Developer commits code, Build initiated, Test Automation validates code, Operations releases code; Process and Artifacts tracks)
Standardize the Release Process
Streamline and accelerate the release lifecycle
• Single system of record for release planning and execution
– Schedules
– Milestones
– Gates and Approvals
• Automatic cycle-time capture
• Ensure audit trails for compliance and learning
Process and Technology work together
(Diagram: Release Control (Release Train, Release Package, Tasks) on the Release Process side; Integration Framework / Service Layer / Widgets connecting to SDA, DIM CM, ZMF, ERO and other tools on the Artifact Management side)
Identify Teams for Continuous Delivery vs. Release Management
(Diagram: Continuous Delivery covers Dev with Source Code Management, Build / CI and Deployment / Test Automation; Enterprise Release Management covers Test, UAT and Prod with Formal Release; both run on Containers, Virtual Infrastructure, Physical Infrastructure, Cloud Infrastructure and Infrastructure as Code, under Enterprise Change Management, APM and IT Service Management)
Release Control Object Overview
(Diagram: a Release Train holds several Release Packages; each Release Package has a Request, a Deployment Path through Dev, Test, UAT and Prod, and Deploy Units with Deploy Tasks, all connected through the Integration Framework)
Package level control and visibility
(Diagram: Release Package with Request, Deployment Path through Dev, Test, UAT and Prod, Deploy Unit and Deploy Task, connected through the Integration Framework)
Integration to Serena and 3rd party artifact management / source code solutions (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, Artifactory, TFS, Jenkins, IBM, CA etc.)
Integration to Serena and 3rd party request / ticketing systems (Dimensions CM, SBM, Rally, Jira, Version One, Bugzilla etc.)
Defines the activities to deploy / implement the Package via integrations to Serena and 3rd party tools (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, CA Nolio, IBM uDeploy, XebiaLabs, Manual Steps etc.)
Package Deployed via configurable deployment paths
Enterprise Deployment Pipelines
Key Capabilities
• Create, manage and automate deployment pipelines
• Enforce environment sequencing and auto promote
• Full stack automation with new plug-ins:
• Chef, Puppet, Jenkins workflow
• Docker, Bamboo, Openstack and more
Benefits
• Supports Dev / Test Churn with Managed Stage & Production Releases
• Improves quality with a single repeatable deployment process
• Reduces cycle time
• Provides end-to-end traceability for compliance and audit
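An added example, not Serena Deployment Automation code, of the environment sequencing, auto-promotion and traceability this slide lists: a package is promoted only after the same artifact has passed every earlier environment on the path, and every attempt, including rejected ones, is written to an append-only audit trail. The package name, artifacts and outcomes are constructed.

```python
"""Added example: enforce the Dev > Test > UAT > Prod deployment path so that a
package only promotes after the identical artifact passed each earlier stage,
recording every step for audit. All names, artifacts and results are constructed."""
import hashlib
from datetime import datetime, timezone

PATH = ["Dev", "Test", "UAT", "Prod"]   # environment sequence enforced below

class DeploymentPath:
    def __init__(self, package: str):
        self.package = package
        self.audit = []     # append-only trail: (utc time, package, env, digest, outcome)
        self.passed = {}    # env -> digest of the artifact that passed there

    def deploy(self, env: str, artifact: bytes, succeeded: bool) -> str:
        """Run one step; 'REJECTED' if an earlier environment was skipped or was
        passed with a different build, else 'PASSED' or 'FAILED' per the result."""
        digest = hashlib.sha256(artifact).hexdigest()
        for earlier in PATH[:PATH.index(env)]:
            if self.passed.get(earlier) != digest:
                return self._record(env, digest, "REJECTED")
        if succeeded:
            self.passed[env] = digest
        return self._record(env, digest, "PASSED" if succeeded else "FAILED")

    def next_env(self):
        """Auto-promote target: first environment not yet passed, None once Prod passed."""
        return next((env for env in PATH if env not in self.passed), None)

    def outcomes(self) -> list:
        """Outcome column of the audit trail, oldest first."""
        return [entry[4] for entry in self.audit]

    def _record(self, env: str, digest: str, outcome: str) -> str:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, self.package, env, digest[:12], outcome))
        return outcome

if __name__ == "__main__":
    path = DeploymentPath("pkg-42")           # constructed package name
    build = b"constructed artifact v1"
    for env in PATH:
        print(env, path.deploy(env, build, True))
    print(path.outcomes())
```

A rebuilt artifact yields a new digest, so it must restart from Dev rather than inherit the earlier passes; the rehearsal property from the earlier slide (every pre-prod deploy is the same process on the same bits) follows from that check.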
Continuous Delivery Maturity Model for Enterprises
Repeatable Build: Standard build processes across all development and SCM tools. Daily / nightly builds exist utilizing secured SDLC
Continuous Integration: CI build processes build deliverables upon code commit and invoke automated unit tests
Automated Application and Infrastructure Deployments: Target integrated application and infrastructure deployments (provisioning on demand – Cloud, Virtual or Physical for app deployments)
Test Automation: Fully automated test suites allowing entire application to be tested without user intervention
Enterprise Continuous Delivery: End to end build, test and deployment capabilities
“Full Stack” Provisioning
(Diagram, provisioning order from the bottom up: Bare Metal / Cloud Storage > OS Provisioning > OS Configuration > VM VM VM > Application Deployment > Application Configuration > Configured Application Stack)
• Infrastructure / Cloud / Virtual Provisioning
• Application Architecture Deployment
• Application Configuration
• Build Up & Tear Down Capabilities
Essential Steps for Enterprise Continuous Delivery