A True Story: DevOps(Sec) Manages Out Elective Risks

A True Story

Recent Posts By Derek E. Weeks

• State of the Software Supply Chain: Secure Coding Takes Spotlight
• Reducing Risk in Applications Using Docker Containers
• 200 Billion Downloads Can’t Be Wrong

More from Derek E. Weeks

Related Posts

• The Cost to DevOps: 27 Mufflers
• Security, DevOps and the shift to a software supply chain
• From ‘Water-Scrum-Fall’ to DevSecOps

Related Categories
• Blogs
• DevSecOps
• Enterprise DevOps

Related Topics
• devops
• DevOpsSec
• gene kim
• josh corman
• Software Supply Chain

Show more

Show less

There are over 2000 developers in Bill’s organization.  He is a C-level executive for one of the largest insurance companies in North America. Bill boosted developer productivity by 15% last year after taking a closer look at the company’s software supply chain. And this approach isn’t unique to Bill’s organization.  Many high performance IT and DevOps teams are adopting proven supply chain principles to accelerate software delivery.

Origins, Quality and Integrity

The concept was rather simple and straightforward.  Bill’s team recognized that they were consuming hundreds of thousands of open source and third-party software components to build their applications.  But at the same time, they did not apply much scrutiny to the origin, quality, age, or integrity of those components.  Developers simply selected components at-will that met their functional requirements and helped them meet the next delivery deadline.

Secrets of the Free-For-All

Deeper analysis of their practice revealed that the free-for-all component sourcing methods were leading to quality, efficiency, and productivity issues.  Here is what Bill found:

• The company had downloaded an average of 27 versions of over 100 different binary artifacts over a one year period.  Bill knew this meant the quality of their applications was being impacted through the use of outdated software components.
• The company had also downloaded 13,203 software components with known security vulnerabilities — and 65% of those included alerts earlier than 2014.  Without quality controls in place, Bill recognized they were sourcing in elective and avoidable risks that would impact the integrity of their application, grow their technical debt, and lead to more rework down the road to replace the flawed components.

Removing Complexity

Bill decided to take action.  He knew that to accelerate innovation, he needed to remove complexity from the company’s software supply chain.  He enacted three moves to eliminate waste and complexity within the open source and third-party components being used:

1. Automate the scrutiny of software suppliers to minimize risk and bloat.
2. Enable real-time traceability and visibility to components used across the development lifecycle, in order to improve response times when defects were discovered – cutting back from days/weeks to minutes!
3. Reducing complexity, rework and risk by standardizing on specific components types (e.g., web frameworks, logging frameworks, encryption modules), using fewer and more current artifact versions, and managing out elective security risks.

Want to hear the rest of the story?

The same principles that Bill applied to his business that boosted developer productivity by 15% are being discussed by Gene Kim (@RealGeneKim), author of The Phoenix Project, and Joshua Corman (@JoshCorman), CTO of Sonatype, on April 30th.  Both Gene and Josh are huge fans of marrying DevOps practices with leading supply chain management principles that enable developers to maximize throughput of features from “code complete” to ‘in production,” without causing chaos.

If you’re looking to achieve similar goals, be sure to join Josh and Gene for this April 30th, 1pm ET, discussion.