Our wonderful friends at Sonatype just released the results of their annual DevSecOps survey. For the full results you can download the report. I wrote this article for an ebook where it's collated with a number of other articles from other practitioners - you can download the ebook here.
In 2017, 57% of all participants in the DevSecOps Community survey confirmed that, yes, they did have an open source policy. In 2018 this has risen to 64% - but 35% say they ignore it.
Breaking that down further: in 2018, 58% of those with no DevOps practices and 77% of those with mature DevOps practices reported having an open source policy. 46% of the former and 24% of the latter reported ignoring it. Effectively, that’s then just 12% of organisations with no DevOps practices actually using an open source policy, while 53% with mature practices are following internal regulations. Having, and using, an open source policy is then an indicator of mature DevOps practices.
It's that time of year again! I hope everyone has happy holidays. I've been staring into my crystal ball and thinking about what's been happening in 2017 and these are my thoughts on what the big themes in DevOps are going to be in the year ahead:
1) BizIT: Whilst we are working with many organisations who are facing the classic DevOps challenge of getting development and IT operations to work better together (particularly where new digital transformation departments are accelerating agile adoption), there are many that are achieving the target state of OneIT and the friction they are feeling is more about the business' acceptance of what agile and DevOps really mean in terms of their commitment and involvement in the processes and feedback loops. As we move towards working in value streams, the lines will continue to blur between IT and the business and we'll go from align, past integrate and into 'IT is the business' and beyond where there is no separation. See what the CTO at Hiscox, Jonathan Fletcher, had to say in his talk at the DevOps Enterprise Summit in London this year.
Yesterday, we had a webcast on 'DevSecOps - is it a Good Thing?' - you can watch the recording here but here's a summary of what we covered:
What is DevSecOps?
Since DevOps originated from the recognition that developers had started to do things like Agile development - the operations teams were getting left behind so, we started with the concept of Agile System Administration & the recognition that we have created silos in the way that we had traditionally organised enterprise IT into a development team. Generally, in software development, security has been looked at as an afterthought - something reflected by security experts.
DevOps Foundation Course,
We spend a lot of time talking about change at Ranger4, as you may well imagine, in the context of DevOps. We talk about:
- Increasing throughput and quality simultaneously as a key DevOps goal
- Where Change Approval Boards are a key bottleneck (The Theory of Constraints and The First Way: Flow) - particularly when we are Value Stream Mapping
- What DevOps Target Operating Models look like and how peer-review change works, and what Change Management roles look like
I've been sharing this article, Change Goes Away, a lot in the DevOps Foundation courses we have been delivering in recent months. I love it partly because it's so crisply written but mainly because it's by Rob England, a self-styled IT Skeptic, and who has a primarily IT Operations background. This last part is particularly important since it's often the dev people who want to do away with change, and the IT ops people who want to retain the governance that change management policies and procedures bring - so to have an IT ops person to be such a strong proponent of change changing (!) like this really supports what DevOps is doing here. And gives solid advice on how to manage this potential conflict, together.
Our partner, Sonatype, recently released their latest annual State of the Software Supply Chain report and in it provided new evidence that DevOps practices deliver measurable improvements. It also kickstarted another conversation between us.
One of the things we offer organisations is a free scan of their software to identify a bill of materials (of the open source components within an application) and a summary of the security vulnerabilities and licence risks that exist therein. Applications these days are decreasingly coded and increasingly composed from open source components available in online artifact repositories. It's not difficult to understand why developers would take this approach, as Sonatype's Derek Weeks says:
Yesterday we ran a public version of The Phoenix Project Game to give a bunch of people a feel for how it works and the kind of outcomes they could expect when they run the game with their own teams. If you missed this one but it sounds like something you want to do, we have another one in October; you can register yourself on it here but be warned - the last one booked out super-quick!
The Phoenix Project Game,
Leading IT Analyst, Forrester, just published their The Forrester Wave™: Continuous Delivery And Release Automation, Q3 2017 analysing part of the DevOps toolchain. We know from experience how hard it is for organisations to choose the tools to include in their toolchain and that decisions made today often need to be changed tomorrow as the technology landscape moves so fast. We recently stood up a new LinkedIn group to facilitate discussion around DevOps toolchains as a result of our customers asking us for more help, blueprints and examples of existing toolchains - feel free to join!
application release automation,
We had a webcast about DevOps in Banking - here's a summary of what we covered. (We did record the webcast - you can access the recording here and download the slides here).
Like many industries, banking is under pressure from digital disruption and from digital disruptors (often referred to as 'fintechs').
From the 2017 state of Strategic Digital Banking report:
- According to Gartner and IDC, by 2018, banks and financial institutions’ clients will access and contact their banks mainly through mobile devices
- Banks and financial institutions CIOs’ main concern to 2017 and beyond is what will be done with their companies’ branches
- According to the 2016 MX Consumer Survey, clients find it more important to have an easy digital banking experience (67 percent) rather than a friendly teller or staff (33 percent) when choosing where to open an account
- According to the 2016 MX Consumer Survey, banks and financial Institutions clients are now more likely to access their banks in a more impersonal way, and only 19 percent use a personal method (branch or call center)
I recently had an opportunity to observe the Phoenix Project Game in action at UCAS headquarters in Cheltenham. Here's what I saw!
During the Introduction I learned:
- A few players had heard of this thing we call DevOps and read The Phoenix Project book - neither is a pre-requisite to playing the game although it's useful to have a few in the room with awareness of the DevOps principles - that is what we are here to learn though!
- Many of the players played their own roles in the game - some customers like to do this, some like to mix it up I have noticed. I guess playing a role that isn't your own is an opportunity to build more understanding and empathy for the challenges our colleagues face, but the advantage of playing your own is to be able to directly apply learnings to your everyday life. I don't think it's possible to switch roles during the game though - I think that would inhibit the flow of learning.
In the First Round
At the start of the first round, the CEO (the Game Leader, in this case, Helen) sets the high level business goals for the game - there are two:
- Revenue target - $110,000
- Share price - $23.00
Teamwork was visible from the start with Application Development's and Change Management's curiosity in what other players had at their disposal. A clear hierarchy was demonstrated with Retail Operations, the CFO and Human Resources taking turns in leading group discussions. It was also good to see players discuss the round's business objectives and current live issues around VP of IT Operations & CISO tables.
Business Process Management,
The Phoenix Project Game,
I recently came across an intriguing article on 'Top 10 Challenges to DevOps Implementation'. Written by Alison DeNisco from TechRepublic, it focuses on a new survey from cloud sandbox software provider Quali. The article emphasises that the survey points to company culture, test automation and legacy insfrastructure as the largest barriers to DevOps implementation.