Puppet and DORA have released their annual report on the State of DevOps for 2016. As with previous reports, the primary objective of the report is to measure the impact of organizations following a DevOps philosophy relative to those who have adopted alternative models. For those of you new to the term “DevOps,” there are a few attributes that characterize the DevOps philosophy.
A Short DevOps Primer
For those of you who are new to DevOps, a short primer is in order. DevOps is a philosophy of IT operations that binds the development of services and their delivery to the core principles of W. Edwards Deming’s points on Quality Management. When applied to software development and IT organizations, Deming’s principles seek to improve the overall quality of software systems as a whole. This is done in part by decomposing the system into manageable components, which can be owned by teams. These teams have the freedom to quickly resolve any issues that might prevent the system from operating properly.
By creating a sense of pride and ownership in the delivered system, any issues discovered can be quickly resolved. This method increases the overall health of the system, which has led to the rise of Continuous Integration (CI) and Continuous Delivery (CD) as defining attributes of DevOps. Continuous delivery is a model where components of a system are updated on an as-needed basis, rather than waiting for a traditional “release vehicle.” Continuous integration is a development model where changes made by a developer are integrated into the source code mainline as they are completed. From a testing perspective, a feedback model is used, leading to the concept of a CI/CD “loop.”
For the purposes of the State of DevOps report, organizations are divided into groupings of “high performing” and “low performing.” A high performing organization is one that is embracing the tenets of the DevOps philosophy and deploys multiple times per day. By contrast, a low performing organization deploys less frequently than once per month. With that as the backdrop, there are some rather interesting conclusions in this year’s report.
- High performing organizations report that lead time to deploy changes was less than an hour
- High performing organizations spend 22% less time reworking a solution
- High performing organizations spend 50% less time remediating security issues
The report also went on to look at organizational structure, and used the Westrum model as the taxonomy. It also used the Net Promoter Score model to determine overall employee satisfaction with their organization. The authors found that employees at high performing organizations were 2.2 times more likely to recommend their organization as a great place to work. One key conclusion was that performance-oriented organizations experienced less deployment pain than power-oriented or rules-oriented organizations.
This conclusion was applied to the security process used by high performing organizations to determine why they were able to spend 50% less time remediating security issues. By incorporating a philosophy of “quality and security is everyone’s responsibility,” high performing organizations were able to shift the burden of security management to lower pain areas of the delivery process. For example, if a security audit can be performed as part of the continuous integration portion of the delivery cycle, then the impact of a security issue can be minimized. High performing organizations don’t stop there, and include security workflows at all steps of the delivery chain, which in turn results in less rework. This enables them to focus efforts on new work rather than rework.
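One concrete form of “a security audit performed as part of continuous integration” is a gate step that reads the output of a dependency scan and fails the build when a finding exceeds an agreed severity threshold, unless the finding is covered by a documented, unexpired risk acceptance. The script below is an added example written for this post; it is not code from the report, from Puppet or DORA, or from any Black Duck product. The scanner output format, the finding identifiers, the severity scores and the acceptance records are all constructed for illustration and do not correspond to any real tool or vulnerability.

```python
"""CI security gate (added example, not from the original post).

Reads dependency-scan findings, applies a severity policy and exits non-zero
when anything blocking remains. Putting this in the CI stage means a
vulnerable dependency is caught on the developer's change, not in production.
"""
import json
import sys
from datetime import date

# Constructed scanner output in a generic shape; no real tool emits exactly this,
# and the ids/scores are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS_JSON = """
[
  {"component": "example-lib",    "version": "1.2.3", "id": "FINDING-0001", "score": 9.8},
  {"component": "example-util",   "version": "4.0.0", "id": "FINDING-0002", "score": 5.3},
  {"component": "example-parser", "version": "2.1.0", "id": "FINDING-0003", "score": 7.5}
]
"""

# Constructed risk acceptances: finding id -> expiry date and the reason recorded
# by the team. An acceptance must expire so that "accepted" risk is re-reviewed.
SAMPLE_ACCEPTANCES = {
    "FINDING-0003": {"expires": "2099-01-01",
                     "reason": "vulnerable code path is not reachable in this service"},
}


def evaluate_findings(findings, acceptances, threshold=7.0, today=None):
    """Split findings into (blocking, accepted, below_threshold) lists.

    A finding blocks the build when its score is at or above the threshold and
    it has no acceptance that is still valid on `today`.
    """
    today = today or date.today()
    blocking, accepted, below = [], [], []
    for finding in findings:
        if finding["score"] < threshold:
            below.append(finding)
            continue
        acceptance = acceptances.get(finding["id"])
        if acceptance and date.fromisoformat(acceptance["expires"]) >= today:
            accepted.append(finding)
        else:
            # Either no acceptance exists or it has expired: the build must fail.
            blocking.append(finding)
    return blocking, accepted, below


def gate(findings_json, acceptances, threshold=7.0, today=None):
    """Parse scanner JSON and return a gate verdict suitable for a CI log."""
    findings = json.loads(findings_json)
    blocking, accepted, below = evaluate_findings(findings, acceptances, threshold, today)
    return {
        "pass": not blocking,
        "threshold": threshold,
        "blocking": [f["id"] for f in blocking],
        "accepted": [f["id"] for f in accepted],
        "below_threshold": [f["id"] for f in below],
    }


def main():
    # In a real pipeline the JSON would come from the scanner step's artifact;
    # here the constructed sample is used so the script runs offline.
    result = gate(SAMPLE_FINDINGS_JSON, SAMPLE_ACCEPTANCES)
    print(json.dumps(result, indent=2))
    # A non-zero exit is what makes the CI job fail and stops the change merging.
    sys.exit(0 if result["pass"] else 1)


if __name__ == "__main__":
    main()
```

Run as a pipeline step, the script exits 1 for the sample data because FINDING-0001 is above the threshold with no acceptance, while FINDING-0003 is reported as accepted rather than blocking. The expiry on acceptances is the part teams most often omit; without it, a risk accepted once stays silently accepted forever.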
The report ends with a challenge for all readers – “What would you do with 10% more engineering time?” While the answers to this will vary, I’d like to offer up a tool to help get you there. Black Duck has developed a free security checker you can use to get a view of how vulnerable your Java archive or Docker image might be. The tool is available here: https://info.blackducksoftware.com/Security-Checker.html