3.
FUG2016
How Many Bugs Are Too Many?
“Industry Average: about 15 – 50 errors per 1,000 lines of delivered code”
Source: Code Complete by Steve McConnell
12.
#2 Code review every change
Code Inspection is often more than 65% efficient at detecting defects (Capers-Jones)
Five Simple Steps to Shift Left
13.
#3 Use a static analysis tool regularly
Static Analysis combined with peer review can detect up to 95% of bugs (Capers-Jones)
Five Simple Steps to Shift Left
14.
#4 Be aware of third-party components and their vulnerabilities
Five Simple Steps to Shift Left
In a security analysis across 5,300 applications, Veracode also found and confirmed that an average application has 24 known security vulnerabilities associated with open source and third-party components (State of the Software Supply Chain Report)
16.
1. Build every change
2. Code review every change
3. Use a static analysis tool regularly
4. Be aware of third-party components and their vulnerabilities
5. Provide visibility of all changes and their health
Five Simple Steps to Shift Left
19.
Continuous Inspection
Key Capabilities
• Extensible plug-in architecture
• Schedule & inspect code changes
• Report findings & vulnerabilities
• Supports DevOps “Shift-Left”
• Aggregated KPI Metrics
Value Benefits
• Display results in code review
• Real-time developer feedback
• Reduce coding risks & issues
• Monitor code health & quality
• Speed release readiness
"Given enough eyeballs, all bugs are shallow."
The Cathedral and the Bazaar — Eric Raymond
20.
Changeset Graph and Change Health
Key Capabilities
• Visualize branch dependencies
• Navigation of change history
• Visual approach to merging
• Integrated with CI
Value Benefits
• Insight into release readiness
• Change timeline visibility
• Complexity of merging
21.
Integrated Peer Review
Key Capabilities
• Collaborative web-based peer review
• Linked to Continuous Inspection
• Configurable process
• Full audit trail
• Tightly integrated into Dimensions
Value Benefits
• Improved code quality
• Find 70-90% of all defects earlier
• Cost reduction
• Save up to 30% of re-work hours
• Developer productivity
• Up to 25% improvement in coding
22.
Automatic Detection of Known Vulnerabilities
Key Capabilities
• Built-in vulnerability scanner
• Works with public OWASP project
• Checks NVD security issues with delivered components
• Scan regularly or on every check-in
Value Benefits
• Provides full report of your components and their vulnerabilities
• Know when vulnerabilities are reported in your third-party components
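The scan this slide describes, checking delivered components against NVD entries on a schedule or on every check-in, comes down to matching each component's vendor, product and version against the feed's affected-version ranges. Below is an added example of that matching logic in Python; it is not Serena's scanner or the OWASP project's code, and its feed, component names and CVE ids are constructed placeholders. The inventory deliberately includes a fixed release sitting exactly on the exclusive upper bound and a version (1.10.0) that a plain string comparison would wrongly place below 1.9.0, since those are the cases a naive check gets wrong.

```python
"""Match a delivered-component inventory against a known-vulnerability feed.

Added example, not Serena product code. The feed is a constructed stand-in
shaped after the versionStartIncluding / versionEndExcluding range fields of
NVD CPE match entries; the CVE ids, vendors, products and versions are
placeholders invented for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Finding:
    component: Component
    cve_id: str
    severity: str


# Constructed feed. Ranges are start-inclusive / end-exclusive, as in NVD;
# None means the range is open on that side.
VULN_FEED = [
    {"cve_id": "CVE-0000-0001", "severity": "HIGH",
     "vendor": "examplecorp", "product": "libparse",
     "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.2"},
    {"cve_id": "CVE-0000-0002", "severity": "CRITICAL",
     "vendor": "examplecorp", "product": "webfw",
     "versionStartIncluding": None, "versionEndExcluding": "1.9.0"},
    # Same product name under a different vendor: must not match examplecorp's.
    {"cve_id": "CVE-0000-0003", "severity": "MEDIUM",
     "vendor": "othervendor", "product": "libparse",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "9.0.0"},
]


def version_key(version):
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.0.
    Assumption: purely numeric segments; real feeds need a CPE-aware comparator."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, start_incl, end_excl):
    """True if version lies in [start_incl, end_excl); None bounds are open."""
    key = version_key(version)
    if start_incl is not None and key < version_key(start_incl):
        return False
    if end_excl is not None and key >= version_key(end_excl):
        return False
    return True


def match_component(component, feed):
    """All feed entries whose vendor, product and version range cover component."""
    found = []
    for entry in feed:
        if (entry["vendor"].lower(), entry["product"].lower()) != \
                (component.vendor.lower(), component.product.lower()):
            continue
        if in_range(component.version, entry["versionStartIncluding"],
                    entry["versionEndExcluding"]):
            found.append(Finding(component, entry["cve_id"], entry["severity"]))
    return found


def scan(inventory, feed=VULN_FEED):
    """Findings for every component in the inventory, in inventory order."""
    findings = []
    for component in inventory:
        findings.extend(match_component(component, feed))
    return findings


def checkin_gate(findings, block_on=("CRITICAL", "HIGH")):
    """Policy for the per-check-in scan: True means the change may proceed."""
    return not any(f.severity in block_on for f in findings)


# Constructed inventory of delivered components.
INVENTORY = [
    Component("examplecorp", "libparse", "2.3.1"),   # inside [2.0.0, 2.4.2) -> vulnerable
    Component("examplecorp", "libparse", "2.4.2"),   # exclusive upper bound -> fixed release
    Component("examplecorp", "webfw", "1.8.10"),     # below 1.9.0 -> vulnerable
    Component("examplecorp", "webfw", "1.10.0"),     # 1.10 > 1.9 numerically -> fixed
]

if __name__ == "__main__":
    results = scan(INVENTORY)
    for f in results:
        print(f"{f.severity:8} {f.cve_id}  "
              f"{f.component.vendor}:{f.component.product} {f.component.version}")
    print("gate:", "pass" if checkin_gate(results) else "BLOCK")
```

Run on the constructed inventory, `scan` reports two findings (libparse 2.3.1 and webfw 1.8.10) and `checkin_gate` blocks the change; the vendor check keeps othervendor's libparse advisory from being attributed to examplecorp's component of the same name.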
23.
Work Item Management (due in May)
Key Capabilities
• Backlog management, Kanban, burn-down and reporting
• Development focused
• Planning of CM requests
• Management of teams
• Integrated with SBM, RM and Jira
Value Benefits
• Visualize and plan work within CM
• Track progress, identify bottlenecks
• Manage movement of work between backlogs in other tools
• Integrates with the full CM lifecycle
25.
1. Build every change
2. Code review every change
3. Use a static analysis tool regularly
4. Be aware of third-party components and their vulnerabilities
5. Provide visibility of all changes and their health
The Corridor Test…
29.
Move Fast Without Breaking Things
Business: need to drive competitive advantage and respond to market needs
Development: adoption of Agile practices has increased the speed of engineering delivery
Operations: still ruled by SLAs, stability and an inherent resistance to change
Spectrum: Agility (Speed) … Compliance (Control)
30.
“Who has an Agile Transformation Project / Program in place currently?”
Define, Develop, Construct, Deploy, Verify
31.
“Who has a DevOps Transformation Project / Program in place currently?”
Development Teams “Shift Right”
Dev Test UAT Prod
Operations Teams “Shift Left”
36.
DevOps, Continuous Delivery and Multi-Speed IT
DevOps tries to align goals between Development and Operations
Continuous Delivery ensures software is always production ready and releases are tied to business needs and not operational constraints
Multi-Speed IT understands that there isn’t a simple ‘CD or non-CD’ approach but a collection of approaches and speeds that IT can use to release software
37.
What is DevOps?
DevOps… Automation? Infrastructure as code? Continuous Delivery (CD)? Infrastructure Automation? Continuous Integration (CI)?
“A movement to address the gap between Dev and Ops”
“82% of high performing companies automate their code deployments”
38.
DevOps / CD Benefits for Regulated Industries
Reduced risk by implementing frequent, smaller changes
Developers have better understanding of development, test and production infrastructure
Operations gain application-centric understanding
Simplified end to end IT processes inclusive of Audit and Compliance requirements
Supportive of Application Automation
= Increased collaboration between Dev and Ops / Lower Risk / Faster Time to Value
(Diagram: Dev, QA and Ops circles overlapping as DevOps)
39.
End to End Domain Interaction – The Sum of the Parts
(Diagram) Continuous Delivery: Source Code Management, BUILD / CI, Deployment / Test Automation, Formal Release, across Dev, Test, UAT, Prod
Infrastructure: Containers, Virtual Infrastructure, Physical Infrastructure, Cloud Infrastructure
Enterprise Change Management; APM; IT Service Management & DML
Agile Planning; Requirements Management; Project Portfolio Management; Enterprise Release Management
Is this DevOps? Is THIS DevOps?
40.
Identifying the Challenges in Federal / Regulated Industries
A one-size-fits-all approach won’t work for traditional Federal organizations
Legacy, Transitional and Innovative Applications must co-exist
Organizational Framework based approach with multiple “Flavors” of implementation
Multiple Contract teams own areas of the End to End process, adding complexity
SPOC and ownership are difficult to find – what is the sponsor trying to achieve?
Startup “Application is the Business” doesn’t apply
41.
“More than 95% of IT operations organizations lack a centralized release management process”
“Through 2016, a lack of effective release management will contribute up to 80% of production incidents in large organizations with complex IT services”
“82% of high performing companies automate their code deployments”
42.
Bi-Modal vs Multi-Modal IT
“By 2017, 75% of IT organizations will have a bimodal capability”*
“95% of Large Enterprises require multi-modal capabilities. Type 1 & Type 2 becomes Type 1 - 5”
43.
“By 2017, 75% of IT organizations will have a bimodal capability”*
Systems of Innovation / Systems of Differentiation / Systems of Record
Mode 1 (Reliability): Waterfall, V-Model; IT-centric; Release in Months/Years
Mode 2 (Agility): Agile, Kanban; Business-centric; Release in Days/Weeks
Linking the modes: Dependencies, Governance, Change
*Gartner predictions, 2014
44.
Serena Provides Multi-Modal IT Support
Systems of Innovation / Systems of Differentiation / Systems of Record
App 1 (Traditional): Waterfall, V-Model; IT-centric; Release in Months/Years
App 2 (Agile): Agile, Kanban; Business-centric; Release in Days/Weeks
App 3 (Transitional): Scrum fall; Product-centric; Release in Weeks/Months
Linking the applications: Dependencies, Governance, Change
Application Deployment speed determined by Application Architecture, Application Type and Compliance requirements
45.
Shift Left vs. Shift Right
Development Teams “Shift Right”
Dev Test UAT Prod
Operations Teams “Shift Left”
Key: Measured Functional Competence (High – Low)
46.
Where to Start?
• What matters to the business?
• How do we define and measure success?
• Look to eliminate waste
• Incremental changes / quick wins
• Focus on continuous improvement
• Implement process and technology simultaneously
• Automate everything
47.
How Responsive are you to the Business?
• How do you measure success?
• Average cycle time for moving a business request from Development to Production?
• Number of business requests implemented this week, month, year?
• Cost of moving a unit of change through your application lifecycle?
• Percentage of a release focused on technical debt?
• Develop metrics to support what matters to the business
49.
Automate Almost Everything
• People should not move the “bits”
• Automate code and configuration deployments with a single set of deployment processes across all environments
• All pre-prod deployments should be rehearsals for the final deploy into prod
• Quick incremental wins with big impact
51.
Standardize the Release Process
Streamline and accelerate the release lifecycle
• Single system of record for release planning and execution
– Schedules
– Milestones
– Gates and Approvals
• Automatic cycle-time capture
• Ensure audit trails for compliance and learning
52.
Process and Technology work together
Release Process: Release Control, Release Train, Release Package, Tasks
Integration Framework / Service Layer / Widgets
Artifact Management: SDA, DIM CM, ZMF, ERO, OTHER
53.
Identify Teams for Continuous Delivery vs. Release Management
Continuous Delivery: Source Code Management; BUILD / CI; Deployment / Test Automation
Enterprise Release Management: Formal Release; Enterprise Change Management; APM; IT Service Management
Environments: Dev → Test → UAT → Prod
Infrastructure: Containers, Virtual Infrastructure, Physical Infrastructure, Cloud Infrastructure, Infrastructure as Code
54.
Release Control Object Overview
Release Train
  Release Package (one of several in the train):
    Request
    Deployment Path: Dev → Test → UAT → Prod
    Deploy Unit
    Deploy Task
Integration Framework
55.
Package level control and visibility
Release Package: Request → Deployment Path (Dev → Test → UAT → Prod) → Deploy Unit → Deploy Task
Deploy Unit: integration to Serena and 3rd party artifact management / source code solutions (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, Artifactory, TFS, Jenkins, IBM, CA etc.)
Request: integration to Serena and 3rd party request / ticketing systems (Dimensions CM, SBM, Rally, Jira, Version One, Bugzilla etc.)
Deploy Task: defines the activities to deploy / implement the Package via integrations to Serena and 3rd party tools (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, CA Nolio, IBM uDeploy, XebiaLabs, Manual Steps etc.)
Deployment Path: Package deployed via configurable deployment paths
Integration Framework
56.
Enterprise Deployment Pipelines
Key Capabilities
• Create, manage and automate deployment pipelines
• Enforce environment sequencing and auto promote
• Full stack automation with new plug-ins: Chef, Puppet, Jenkins workflow, Docker, Bamboo, Openstack and more
Benefits
• Supports Dev / Test churn with managed Stage & Production releases
• Improves quality with a single repeatable deployment process
• Reduces cycle time
• Provides end-to-end traceability for compliance and audit
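Two of the capabilities listed above, enforced environment sequencing and end-to-end traceability for audit, are the security-relevant part of a deployment pipeline: a package must not reach Prod without passing through the lower environments, and every promotion decision, accepted or rejected, must be on record. The following is an added example in Python that models exactly that; it is not Serena Deployment Automation or Release Control code. The Dev, Test, UAT, Prod path comes from the deck, while the rule that UAT and Prod promotions need an approver distinct from the deployer, the event names and the audit-record layout are assumptions made for this illustration.

```python
"""Deployment path with enforced environment sequencing, approval gates and an
audit trail.

Added example, not Serena Release Control or Deployment Automation code. The
environment names (Dev, Test, UAT, Prod) come from the deck; the gate policy,
the event names and the audit-record layout are assumptions made for this
illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Deployment path in the order a package must traverse it.
PATH = ["Dev", "Test", "UAT", "Prod"]

# Assumed gate policy: promotion into these environments needs a recorded
# approval from someone other than the person performing the deployment.
APPROVAL_REQUIRED = {"UAT", "Prod"}


class PromotionError(Exception):
    """Raised when a promotion violates sequencing or approval rules."""


@dataclass
class ReleasePackage:
    name: str
    stage: int = -1                      # index into PATH; -1 = not deployed yet
    audit: list = field(default_factory=list)

    @property
    def environment(self):
        return PATH[self.stage] if self.stage >= 0 else None

    def _next_environment(self):
        nxt = self.stage + 1
        return PATH[nxt] if nxt < len(PATH) else None

    def _record(self, event, **detail):
        # Every decision, accepted or rejected, lands in the trail so that a
        # compliance review can reconstruct who moved what, where and when.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "package": self.name,
            "event": event,
            **detail,
        })

    def promote(self, target, deployer, approver=None):
        """Move the package one step along PATH, or reject and record why."""
        if target not in PATH:
            raise ValueError(f"unknown environment {target!r}")
        expected = self._next_environment()
        if target != expected:
            self._record("rejected", target=target, deployer=deployer,
                         reason=f"out of sequence; next allowed is {expected}")
            raise PromotionError(f"{self.name}: {self.environment} -> {target} skips the path")
        if target in APPROVAL_REQUIRED and (approver is None or approver == deployer):
            self._record("rejected", target=target, deployer=deployer,
                         reason="independent approval required")
            raise PromotionError(f"{self.name}: promotion to {target} needs an approver other than {deployer}")
        self.stage = PATH.index(target)
        self._record("deployed", target=target, deployer=deployer, approver=approver)
        return target


def run_demo():
    """Walk a constructed package down the path, including two rejected attempts."""
    pkg = ReleasePackage("PKG-EXAMPLE-001")          # placeholder package name
    pkg.promote("Dev", deployer="dev-alice")
    pkg.promote("Test", deployer="dev-alice")
    for target, approver in (("Prod", "ops-bob"),    # skips UAT: rejected
                             ("UAT", "dev-alice")):  # self-approval: rejected
        try:
            pkg.promote(target, deployer="dev-alice", approver=approver)
        except PromotionError:
            pass
    pkg.promote("UAT", deployer="dev-alice", approver="ops-bob")
    pkg.promote("Prod", deployer="dev-alice", approver="ops-bob")
    return pkg


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry["event"], entry.get("target"), entry.get("reason", ""))
```

The demo ends with the package in Prod and six audit records: four deployments and two rejections (the attempt to jump from Test straight to Prod, and the self-approved UAT promotion). Keeping rejections in the trail is what makes the record useful to an auditor, since a clean trail of successes says nothing about what was attempted.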
57.
Continuous Delivery Maturity Model for Enterprises
REPEATABLE BUILD: Standard build processes across all development and SCM tools. Daily / nightly builds exist utilizing secured SDLC
CONTINUOUS INTEGRATION: CI build processes build deliverables upon code commit and invoke automated unit tests
AUTOMATED APPLICATION AND INFRASTRUCTURE DEPLOYMENTS: Target integrated application and infrastructure deployments (provisioning on demand – Cloud, Virtual or Physical for app deployments)
TEST AUTOMATION: Fully automated test suites allowing the entire application to be tested without user intervention
ENTERPRISE CONTINUOUS DELIVERY: End to end build, test and deployment capabilities
58.
“Full Stack” Provisioning
Provisioning order (bottom to top): BARE METAL / CLOUD STORAGE → OS PROVISIONING → OS CONFIGURATION → VM, VM, VM → APPLICATION DEPLOYMENT → APPLICATION CONFIGURATION → CONFIGURED APPLICATION STACK
• Infrastructure / Cloud / Virtual Provisioning
• Application Architecture Deployment
• Application Configuration
• Build Up & Tear Down Capabilities
Essential Steps for Enterprise Continuous Delivery