Shift Left with Continuous Inspection

Upload: serena-software

Posted on 10-Feb-2017

TRANSCRIPT

FUG2016. Copyright © Serena Software 2016

WE OWN IT!

Shift Left with Continuous Inspection

Don Irvine

Vice President ALM Products


How Many Bugs Are Too Many?

“Industry Average: about 15 – 50 errors per 1,000 lines of delivered code”

Source: Code Complete by Steve McConnell


Quality is Expensive


But Getting Quality Wrong is Costly Too!


Cheaper to Fix Bugs Early

Shift Left


What to Invest in to Shift Left?


Five Simple Steps to Shift Left

#1 Build every change

Detect broken builds early

#2 Code review every change

Code inspection is often more than 65% efficient at detecting defects (Capers Jones)

#3 Use a static analysis tool regularly

Static analysis combined with peer review can detect up to 95% of bugs (Capers Jones)

#4 Be aware of third-party components and their vulnerabilities

In a security analysis across 5,300 applications, Veracode also found and confirmed that an average application has 24 known security vulnerabilities associated with open source and third-party components (State of the Software Supply Chain Report)

#5 Provide visibility of all changes and their health

Five Simple Steps to Shift Left

1. Build every change

2. Code review every change

3. Use a static analysis tool regularly

4. Be aware of third-party components and their vulnerabilities

5. Provide visibility of all changes and their health


Serena’s

Diagram: Change, Build, Static Analysis, Security Scan, Peer Review, Visibility

Continuous Inspection

The process of putting software code changes through a series of expert inspections to rapidly identify and respond to coding issues, improving quality and reducing costs


Continuous Inspection

Key Capabilities

• Extensible plug-in architecture

• Schedule & inspect code changes

• Report findings & vulnerabilities

• Supports DevOps “Shift-Left”

• Aggregated KPI Metrics

Value Benefits

• Display results in code review

• Real-time developer feedback

• Reduce coding risks & issues

• Monitor code health & quality

• Speed release readiness

“Given enough eyeballs, all bugs are shallow.” The Cathedral and the Bazaar, Eric Raymond


Changeset Graph and Change Health

Key Capabilities

• Visualize branch dependencies

• Navigation of change history

• Visual approach to merging

• Integrated with CI

Value Benefits

• Insight into release readiness

• Change timeline visibility

• Complexity of merging


Integrated Peer Review

Key Capabilities

• Collaborative web-based peer review

• Linked to Continuous Inspection

• Configurable process

• Full audit trail

• Tightly integrated into Dimensions

Value Benefits

• Improved code quality

• Find 70-90% of all defects earlier

• Cost reduction

• Save up to 30% of re-work hours

• Developer productivity

• Up to 25% improvement in coding

Automatic Detection of Known Vulnerabilities

Key Capabilities

• Built-in vulnerability scanner

• Works with public OWASP project

• Checks NVD security issues with delivered components

• Scan regularly or on every check-in

Value Benefits

• Provides full report of your components and their vulnerabilities

• Know when vulnerabilities are reported in your third-party components
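The check that step #4 and this slide describe, as an added example (not Serena's code and not any OWASP tool): a manifest of delivered components is matched against an advisory feed with NVD-style affected-version ranges, and a check-in gate fails when a finding is at a blocking severity. The manifest, the feed, the examplelib-* names and the CVE-0000-* ids are all constructed placeholders, and versions are assumed to be dotted integers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: tuple          # parsed dotted version, e.g. (2, 14, 1)

@dataclass(frozen=True)
class Advisory:
    cve: str                # placeholder id, not a real NVD entry
    component: str
    introduced: tuple       # first affected version (inclusive)
    fixed: Optional[tuple]  # first fixed version (exclusive); None = no fix yet
    severity: str

def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically (assumes dotted integers)."""
    return tuple(int(part) for part in text.split("."))

# Constructed manifest of delivered components (what a lockfile or POM would list).
MANIFEST = {"examplelib-logging": "2.14.1",
            "examplelib-json": "1.9.0",
            "examplelib-compress": "3.2.0"}

# Constructed advisory feed shaped like NVD affected-version ranges (placeholder ids).
FEED = [
    Advisory("CVE-0000-0001", "examplelib-logging", (2, 0, 0), (2, 15, 0), "CRITICAL"),
    Advisory("CVE-0000-0002", "examplelib-json", (1, 0, 0), (1, 8, 3), "HIGH"),
    Advisory("CVE-0000-0003", "examplelib-compress", (3, 0, 0), None, "MEDIUM"),
]

def affected(comp: Component, adv: Advisory) -> bool:
    """A component is affected when its version lies in [introduced, fixed)."""
    if comp.name != adv.component or comp.version < adv.introduced:
        return False
    return adv.fixed is None or comp.version < adv.fixed   # None: every later version is still open

def scan(manifest: dict, feed: list) -> list:
    """Cross every delivered component with the feed; one (name, version, cve, severity) row per match."""
    comps = [Component(n, parse_version(v)) for n, v in manifest.items()]
    return sorted((c.name, ".".join(map(str, c.version)), a.cve, a.severity)
                  for c in comps for a in feed if affected(c, a))

def gate(findings: list, block_on=("CRITICAL", "HIGH")) -> bool:
    """Check-in gate: pass only when no finding is at a blocking severity."""
    return not any(row[3] in block_on for row in findings)

if __name__ == "__main__":          # run on every check-in or on a schedule
    print(scan(MANIFEST, FEED), "gate passed:", gate(scan(MANIFEST, FEED)))
```

With the constructed data, the logging component is inside an unfixed-below range and the compress component matches an advisory with no fix yet, so the gate fails; the json component is already past its fixed version and is not reported.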

Work Item Management (due in May)

Key Capabilities

• Backlog management, Kanban, burn-down and reporting

• Development focused

• Planning of CM requests

• Management of teams

• Integrated with SBM, RM and Jira

Value Benefits

• Visualize and plan work within CM

• Track progress, identify bottlenecks

• Manage movement of work between backlogs in other tools

• Integrates with the full CM lifecycle


Demo


1. Build every change

2. Code review every change

3. Use a static analysis tool regularly

4. Be aware of third-party components and their vulnerabilities

5. Provide visibility of all changes and their health

The Corridor Test…

Thank You

Don Irvine

[email protected]

FUG2016. Copyright © Serena Software 2016

WE OWN IT!

Julian Fish

Director of Products

Serena Software

Move Fast Without Breaking Things

DevOps, Continuous Delivery and Multi-Speed IT Delivery in Regulated Environments


Move Fast Without Breaking Things

Business: need to drive competitive advantage and respond to market needs

Development: adoption of Agile practices has increased the speed of engineering delivery

Operations: still ruled by SLAs, stability and an inherent resistance to change

Compliance (control) vs. agility (speed)

“Who has an Agile Transformation Project / Program in place currently?”

Diagram: Define, Develop, Construct, Deploy, Verify

“Who has a DevOps Transformation Project / Program in place currently?”

Development Teams “Shift Right”

Dev Test UAT Prod

Operations Teams “Shift Left”


“Who has a defined goal / objective for these programs in place?”


“What is DevOps?”


DevOps – NOT just Release or Infrastructure Management

Image: IT Revolution

“Devops good news! Devops is 100% peoples and culture so you not have of understand functional programming!”

DevOps?

© 2013 @DevOpsBorat

DevOps, Continuous Delivery and Multi-Speed IT

DevOps tries to align goals between Development and Operations

Continuous Delivery ensures software is always production ready and releases are tied to business needs and not operational constraints

Multi-Speed IT understands that there isn’t a simple ‘CD or non-CD’ approach but a collection of approaches and speeds that IT can use to release software

DevOps…

Automation? Infrastructure as code? Continuous Delivery (CD)? Infrastructure Automation? Continuous Integration (CI)?

“A movement to address the gap between Dev and Ops”

What is DevOps?

“82% of high performing companies automate their code deployments”

DevOps / CD Benefits for Regulated Industries

Reduced risk by implementing frequent, smaller changes

Developers have a better understanding of development, test and production infrastructure

Operations gain an application-centric understanding

Simplified end-to-end IT processes inclusive of Audit and Compliance requirements

Supportive of Application Automation

= Increased collaboration between Dev and Ops / Lower Risk / Faster Time to Value

Diagram: Dev, QA, Ops, DevOps

End to End Domain Interaction – The Sum of the Parts

Diagram: Continuous Delivery (Source Code Management, Build / CI, Deployment / Test Automation, Formal Release); Containers, Virtual Infrastructure, Physical Infrastructure, Cloud Infrastructure; Enterprise Change Management across Dev, Test, UAT, Prod; APM; IT Service Management & DML; Agile Planning; Requirements Management; Project Portfolio Management; Enterprise Release Management

Is this DevOps? Is THIS DevOps?


Identifying the Challenges in Federal / Regulated Industries

A one-size-fits-all approach won’t work for traditional Federal organizations

Legacy, Transitional and Innovative Applications must co-exist

Organizational Framework based approach with multiple “Flavors” of implementation

Multiple Contract teams own areas of the End to End process, adding complexity

SPOC and ownership is difficult to find – what is the sponsor trying to achieve

Startup “Application is the Business” doesn’t apply

“More than 95% of IT operations organizations lack a centralized release management process”

“Through 2016, a lack of effective release management will contribute up to 80% of production incidents in large organizations with complex IT services”

“82% of high performing companies automate their code deployments”

Bi-Modal vs Multi-Modal IT

“By 2017, 75% of IT organizations will have a bimodal capability”*

“95% of Large Enterprises require multi-modal capabilities. Type 1 & Type 2 becomes Type 1 - 5”

“By 2017, 75% of IT organizations will have a bimodal capability”*

Diagram: Systems of Innovation, Systems of Differentiation, Systems of Record

Mode 1: Reliability; Waterfall, V-Model; IT-centric; release in months/years

Mode 2: Agility; Agile, Kanban; Business-centric; release in days/weeks

Dependencies, Governance, Change

*Gartner predictions, 2014

Serena Provides Multi-Modal IT Support

Diagram: Systems of Innovation, Systems of Differentiation, Systems of Record

App 1 (Traditional): Waterfall, V-Model; IT-centric; release in months/years

App 2 (Agile): Agile, Kanban; Business-centric; release in days/weeks

App 3 (Transitional): Scrum fall; Product-centric; release in weeks/months

Dependencies, Governance, Change

Application deployment speed is determined by application architecture, application type and compliance requirements

Shift Left vs. Shift Right

Development Teams “Shift Right”

Dev Test UAT Prod

Operations Teams “Shift Left”

Key: Measured Functional Competence (High – Low)

Where to Start?

• What matters to the business?

• How do we define and measure success?

• Look to eliminate waste

• Incremental changes / quick wins

• Focus on continuous improvement

• Implement process and technology simultaneously

• Automate everything

How Responsive are you to the Business?

• How do you measure success?

• Average cycle time for moving a business request from Development to Production?

• Number of business requests implemented this week, month, year?

• Cost of moving a unit of change through your application lifecycle?

• Percentage of a release focused on technical debt?

• Develop metrics to support what matters to the business

Continuous Integration & Standard Build Frameworks

Diagram: Secured Repository; Common Build Process

Secured build processes ensure audit compliance and artifact traceability.

A secured artifact repository provides a common source for artifact deployment.

Automate Almost Everything

• People should not move the “bits”

• Automate code and configuration deployments with a single set of deployment processes across all environments

• All pre-prod deployments should be rehearsals for the final deploy into prod

• Quick incremental wins with big impact

Centralized Release Management Process and Path to Production

Diagram: Developer commits code; build initiated; test automation validates code; operations releases code. Environments: DEV, TEST, PROD. Tracks: Process, Artifacts.

Standardize the Release Process

Streamline and accelerate the release lifecycle

• Single system of record for release planning and execution

– Schedules

– Milestones

– Gates and Approvals

• Automatic cycle-time capture

• Ensure audit trails for compliance and learning

Process and Technology work together

Diagram: Release Control (Release Train, Release Package, Tasks) over an Integration Framework / Service Layer / Widgets connecting to SDA, DIM CM, ZMF, ERO, OTHER; columns: Release Process, Artifact Management

Identify Teams for Continuous Delivery vs. Release Management

Diagram: Continuous Delivery (Dev: Source Code Management, Build / CI, Deployment / Test Automation) and Enterprise Release Management (Test, UAT, Prod: Formal Release); Containers, Virtual Infrastructure, Physical Infrastructure, Cloud Infrastructure, Infrastructure as Code; Enterprise Change Management; APM; IT Service Management

Release Control Object Overview

Diagram: a Release Train holds Release Packages; each Release Package has a Request, a Deployment Path across Dev, Test, UAT and Prod, and Deploy Units with Deploy Tasks, all connected through the Integration Framework

Package level control and visibility

Diagram: Release Package with Request, Deployment Path (Dev, Test, UAT, Prod), Deploy Unit and Deploy Task over the Integration Framework

Integration to Serena and 3rd party artifact management / source code solutions (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, Artifactory, TFS, Jenkins, IBM, CA etc.)

Integration to Serena and 3rd party request / ticketing systems (Dimensions CM, SBM, Rally, Jira, Version One, Bugzilla etc.)

Defines the activities to deploy / implement the Package via integrations to Serena and 3rd party tools (Dimensions CM, ChangeMan ZMF, Serena Deployment Automation, CA Nolio, IBM uDeploy, XebiaLabs, Manual Steps etc.)

Package deployed via configurable deployment paths

Enterprise Deployment Pipelines

Key Capabilities

• Create, manage and automate deployment pipelines

• Enforce environment sequencing and auto promote

• Full stack automation with new plug-ins:

– Chef, Puppet, Jenkins workflow

– Docker, Bamboo, OpenStack and more

Benefits

• Supports Dev / Test Churn with Managed Stage & Production Releases

• Improves quality with a single repeatable deployment process

• Reduces cycle time

• Provides end-to-end traceability for compliance and audit

Continuous Delivery Maturity Model for Enterprises

1. Repeatable Build: standard build processes across all development and SCM tools. Daily / nightly builds exist utilizing a secured SDLC.

2. Continuous Integration: CI build processes build deliverables upon code commit and invoke automated unit tests.

3. Automated Application and Infrastructure Deployments: target integrated application and infrastructure deployments (provisioning on demand: Cloud, Virtual or Physical for app deployments).

4. Test Automation: fully automated test suites allowing the entire application to be tested without user intervention.

5. Enterprise Continuous Delivery: end-to-end build, test and deployment capabilities.

“Full Stack” Provisioning

Diagram layers: Application Configuration; Application Deployment; Configured Application Stack (VM, VM, VM); OS Provisioning; OS Configuration; Bare Metal / Cloud Storage. Arrow: Provisioning Order.

• Infrastructure / Cloud / Virtual Provisioning

• Application Architecture Deployment

• Application Configuration

• Build Up & Tear Down Capabilities

Essential Steps for Enterprise Continuous Delivery