DevOps.com

  • Latest
    • Articles
    • Features
    • Most Read
    • News
    • News Releases
  • Topics
    • AI
    • Continuous Delivery
    • Continuous Testing
    • Cloud
    • Culture
    • DevSecOps
    • Enterprise DevOps
    • Leadership Suite
    • DevOps Practice
    • ROELBOB
    • DevOps Toolbox
    • IT as Code
  • Videos/Podcasts
    • DevOps Chats
    • DevOps Unbound
  • Webinars
    • Upcoming
    • On-Demand Webinars
  • Library
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Communities
    • AWS Community Hub
    • CloudBees
    • IT as Code
    • Rocket on DevOps.com
    • Traceable on DevOps.com
    • Quali on DevOps.com
  • Related Sites
    • Techstrong Group
    • Container Journal
    • Security Boulevard
    • Techstrong Research
    • DevOps Chat
    • DevOps Dozen
    • DevOps TV
    • Digital Anarchist
  • Media Kit
  • About
  • AI
  • Cloud
  • Continuous Delivery
  • Continuous Testing
  • DevSecOps
  • Leadership Suite
  • Practices
  • ROELBOB
  • Low-Code/No-Code
  • IT as Code
  • More
    • Application Performance Management/Monitoring
    • Culture
    • Enterprise DevOps

Home » Blogs » DevOps Practice » Developers Are Running With Scissors. Here’s How to Do It Safely

developers

Developers Are Running With Scissors. Here’s How to Do It Safely

By: Rob Whiteley on October 8, 2020 Leave a Comment

We’ve all heard the stories. It takes too long to make changes to applications, right?

Related Posts
  • Developers Are Running With Scissors. Here’s How to Do It Safely
  • Reinvent Testing to Galvanize Digital Transformation
  • DevOps Unbound EP 21 Leading a DevOps Transformation – Lessons Learned – TechStrong TV
    Related Categories
  • Blogs
  • DevOps Practice
    Related Topics
  • COVID-19
  • devops
  • digital transformation
  • time to market
Show more
Show less

Well, until COVID-19, that was true.

DevOps Connect:DevSecOps @ RSAC 2022

Many enterprises have found that the global pandemic brought on by the novel coronavirus has given them the will to find the way to move faster. As one customer recently relayed: “Before COVID it would take us six months to a year to roll out a new app, but with COVID it took just six weeks. An existential crisis will do that for you.”

Enterprises have always felt compelled to go faster, improve online experiences and bring new applications to market. But COVID ratcheted up the urgency, to put it mildly. All the processes and politics were pushed out of the way and companies just told their developers to run. Developers planned, prototyped and pushed code into production in a fraction of the time.

The problem? These enterprise developers are running with scissors. We all recall our favorite kindergarten teacher telling us not to do so. But if you’re facing an existential crisis, do you really have a choice? The fact of the matter is that a developer’s new code (the scissors) could break something, potentially taking down mission-critical applications, affecting the company’s reputation or its revenue, or even compromising customer data. However, if we yell at the developers to slow down and walk, then we risk revenues falling too precipitously.

Moving at that speed works fine for cloud-native companies built entirely on modern architectures. They have no legacy. They were architected from the get-to to roll out several changes per day. But in normal times a large bank or insurance company might make the same number of changes per month, not per day. Like your favorite teacher, these enterprises prohibit their developers from running with scissors.

This leads to almost-diametric friction between the developers and the infrastructure teams, whose job is to improve reliability and uptime and make sure the business doesn’t get breached.

Now that we’ve had COVID as a forcing function in the world, the time-to-market and time-to-change pressures are forever going to be too fast for manual governance processes. So companies need to resolve this tension. They need to allow developers to run safely with scissors.

Luckily, all the team, tools and technology know-how exists. We know that DevOps teams help automate the release process. We know that continuous integration and continuous delivery (CI/CD) and orchestration tools are mature. And we know that technology shifts in containers, Kubernetes and cloud-native architectures are production-ready. It’s really just a matter of pulling it all together.

At the epicenter of this is the concept of microservices: breaking an application down into small, discrete functions. Each is reusable and optimized for the teams, tools and technologies described above. With microservices, if the developer breaks something, they’re breaking one small piece. The vast majority of any given app—and therefore the business runs it—is not going to go down. Enterprises deploy these microservices environments alongside their legacy apps, creating a hybrid architecture.

Decoupling from the architecture allows developers to self-service the capabilities they need to test and deploy new app features that require changes to traffic rules. They can conduct canary testing, blue-green testing and A/B testing without ever having to contact their infrastructure counterparts or opening up an IT ticket and waiting for a change window.

Presto, right? But no. It’s a good solution, but it only takes you halfway. There is still the challenge of visibility and stitching the workflows together so everyone is on the same page. For many companies with complex workflows, it almost doesn’t matter how quickly developers can move on a change—it still winds up in purgatory, waiting for a security person to audit the code or change a firewall rule. It’s not uncommon that 50 separate app teams, each working on their own microservice, need to coordinate changes with security acting as a shared services team and, unfortunately, the new bottleneck. At least it’s not the network team’s fault anymore.

Investing in the abstracted layer that sits above the application delivery infrastructure solves the software-versus-network integration issue, but if those layers aren’t talking, then you’ve really just introduced another silo. You’ve moved the same problem out of the hardware and into the software. Half the equation can go fast, but the other half can’t.

If latency is how long it takes to complete a round trip, then think of this as human latency. As technologists, we love to measure application latency. We can take an app down from 100 milliseconds to 10 milliseconds and congratulate ourselves on a job well done. But if your security team is still taking 60 days to approve code and implement new policies, then you still have more than 5 billion milliseconds of human latency. Your 90% reduction in application latency only compressed a tiny portion of the problem.

To solve for the ultimate problem of human latency, there needs to be a way to provide visibility, orchestration and automation that removes the handoff points and the resulting friction across the different teams of Dev, DevOps, Infrastructure and Operations and Security—just like cloud-native companies have done.

Previously, one way to solve this would be to get a vertically integrated platform that does it all for you. This is the approach that platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) providers take. The downside is you’ve coupled your application services to your underlying infrastructure. The simplicity of the all-in-one approach allows you to go fast in the beginning, but you may find later that you have hampered your ability to adapt. If there’s a major change like an acquisition, for example, you can’t quickly merge systems, port to a new cloud or repatriate an app back on-premises.

Think of this as vertical integration, in which the app, the app services and the infrastructure are all tightly coupled. Now consider a different approach where you horizontally integrate across your silos. There is more value in integrating left to right across people rather than top to bottom across the technology stack. The solution is to invest in new technologies, but in a way that provides visibility, workflows and APIs across all the stages of the application life cycle. Now you have a relay race where each team runs with scissors, enabling security to ensure it’s done safely.

Fortunately, the technologies to enable this model in an open, loosely coupled way are here today. For enterprises with legacy and hybrid infrastructures, your capability to go fast and compete with cloud-native companies has arrived, and you don’t have to hire a thousand Silicon Valley software developers to compete with cloud-native organizations.

By investing in the abstraction layer that automates and maintains application delivery and application security left to right across your organization, you can encourage your developers to run faster. Take that, Mrs. McGonagle. Kindergarten will never be the same.

Filed Under: Blogs, DevOps Practice Tagged With: COVID-19, devops, digital transformation, time to market

Sponsored Content
Featured eBook
Hybrid Cloud Security 101

Hybrid Cloud Security 101

No matter where you are in your hybrid cloud journey, security is a big concern. Hybrid cloud security vulnerabilities typically take the form of loss of resource oversight and control, including unsanctioned public cloud use, lack of visibility into resources, inadequate change control, poor configuration management, and ineffective access controls ... Read More
« Open Source License Compliance Tips for DevOps Pipelines
Equinix Unveils Fully Automated and Interconnected Bare Metal Service »

TechStrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Upcoming Webinars

Continuous Deployment
Monday, July 11, 2022 - 1:00 pm EDT
Using External Tables to Store and Query Data on MinIO With SQL Server 2022
Tuesday, July 12, 2022 - 11:00 am EDT
Goldilocks and the 3 Levels of Cardinality: Getting it Just Right
Tuesday, July 12, 2022 - 1:00 pm EDT

Latest from DevOps.com

Rust in Linux 5.20 | Deepfake Hiring Fraud | IBM WFH ‘New Normal’
June 30, 2022 | Richi Jennings
Moving From Lift-and-Shift to Cloud-Native
June 30, 2022 | Alexander Gallagher
The Two Types of Code Vulnerabilities
June 30, 2022 | Casey Bisson
Common RDS Misconfigurations DevSecOps Teams Should Know
June 29, 2022 | Gad Rosenthal
Quick! Define DevSecOps: Let’s Call it Development Security
June 29, 2022 | Don Macvittie

Get The Top Stories of the Week

  • View DevOps.com Privacy Policy
  • This field is for validation purposes and should be left unchanged.

Download Free eBook

Hybrid Cloud Security 101
New call-to-action

Most Read on DevOps.com

What Is User Acceptance Testing and Why Is it so Important?
June 27, 2022 | Ron Stefanski
Rust in Linux 5.20 | Deepfake Hiring Fraud | IBM WFH ‘New No...
June 30, 2022 | Richi Jennings
Chip-to-Cloud IoT: A Step Toward Web3
June 28, 2022 | Nahla Davies
DevOps Connect: DevSecOps — Building a Modern Cybersecurity ...
June 27, 2022 | Veronica Haggar
The Two Types of Code Vulnerabilities
June 30, 2022 | Casey Bisson

On-Demand Webinars

DevOps.com Webinar ReplaysDevOps.com Webinar Replays
  • Home
  • About DevOps.com
  • Meet our Authors
  • Write for DevOps.com
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • Privacy Policy

Powered by Techstrong Group, Inc.

© 2022 ·Techstrong Group, Inc.All rights reserved.