What are a few of the trends and themes in DevOps that have caught our attention this year? Let's dive in … Platform Teams Are On The Rise Business and customer-facing application teams have been successfully using agile and DevOps for many years. The infrastructure world (traditional infrastructure and operations) has lagged, however, and this trend is changing. Traditional infrastructure groups are under increasing pressure to become customer-focused and more responsive — the customer, in this case, is the application teams requiring their services. Large-scale agile transformations of infrastructure and operations (I&O) are underway at Nationwide and JPMorgan Chase, but there are still significant challenges and questions. In many organizations, the business and customer-facing product teams have successfully formed as cross-functional units, with representation from the product, design, engineering, and delivery perspectives. Bringing similar cross-functional expertise to infrastructure teams historically focused on deep technical expertise is not simple. Organizations succeeding in this effort typically have found a way to bring product management skills to the infrastructure group. They note, however, that bringing in these skills (not typically found in the I&O organization) can be challenging on multiple fronts: finding the right person, the risk of team rejection, and the resistance of the CFO, who may point out that the I&O team has never needed that role before. At this writing, these issues are top of mind for many agile and DevOps advocates and supportive leaders in organizations large and small; a lot of experimentation is happening, and good practices are still emerging. At least one large European bank is sending all IT staff to three days of product management training, akin to the broad workforce immersion in ITIL (Information Technology Infrastructure Library) often seen in previous years.
Value Stream Management Expands Into Value Stream Planning
DevOps must expand as business challenges shift from 'complicated' to 'complex' problems — where the complex can only be mapped in an instance of time because they are constantly changing. Value stream management (VSM) has to address cross-organizational/company flows of value creation — spanning policy, funding, and tech stacks. The phrase 'not running on all cylinders' is an oldie but a goodie — usually, it just means you need another cup of coffee. But for too many development teams, it means they need a better way of working. Sure, they might have automated continuous integration/continuous delivery (CI/CD). Yes, they might have automation in pockets, but there's the wait time, inefficiency, and bad practices between all these phases. VSM doesn't fix those issues; instead, it shines a bright light on them through data and analytics. This past year, companies as diverse as auto parts retailers, banks, and travel companies didn't just tune their dev team; they tuned the entire engine based on data and insights provided by their VSM solution. With many large enterprises in dire need of operating on all cylinders, expect to see more end-user adoption and vendor investment in advanced capabilities such as predictive AI, bottleneck analysis, and overall value delivered. DevSecOps Extends Into Infrastructure And Security Of The Tool Chain
DevSecOps has gone beyond automating application security testing in the software development lifecycle and toward securing the application infrastructure and development pipeline. By integrating with container registries, security tools catch container image security flaws before those images end up in development or production; these tools suggest alternative (more secure) image versions or recommend removing unnecessary libraries. Dev teams have embraced serverless functions to deploy code quickly and cost-effectively in the cloud. Some application security tools have added serverless protections, such as whether the serverless function interacts with an open S3 bucket. Meanwhile, infrastructure-as-code (IaC) security scanning in the integrated development environment, on pull requests and in the CI\CD pipeline, gives developers, cloud engineers, and platform developers early feedback on misconfigurations that would pose a risk if resources were provisioned using that IaC template. Another trend we're watching: securing the development toolchain. Pipeline composition analysis tools analyze and secure components in development tools (e.g., build tools, container registries, and source code management), development tool plugins, build modules, and IaC-introduced dependencies. Development and operations teams recognize the need to manage CI/CD pipeline access better and apply least-privilege principles — these teams are adding multifactor authentication and secrets management. Look for the definition of DevSecOps to continue to extend beyond the 'classic' code security issues.
Policy Automation Enables Complex Digital Business
Increasingly complex digital business challenges push tech organizations toward modern and future fit approaches to DevOps governance. Traditional approaches stall change by relying on serial, meeting-centric decisions — setting policy, reviewing metrics, and managing risks through human review and decisions. Besides creating bottlenecks, they also make less effective decisions, since the central review board members are further removed from the problem domain.
Modern digital business requires automation of design and operating results to ensure that policies are enforced and performance tolerances are met. For example, some API vendors provide tooling to find and report on APIs that do not comply with security, documentation, and design standards. Automated governance creates more consistency and shifts conversations from simple rules to complex decisions requiring human intervention. The improved consistency from automated governance opens the door for federated governance, eliminating the bureaucratic central review team so often viewed as an obstacle to agile delivery.
This post was written by Senior Analyst Julie Mohr and it originally appeared here.