DevOps is a software development approach that brings development and operations staff (IT) together. The approach unites previously siloed organizations that tend to cooperate only when their interests converge, resulting in an inefficient and expensive struggle to release a product. DevOps is exactly what the founders of the Agile Manifesto envisioned: a nimble, streamlined process for developing and deploying software while continuously integrating feedback and new requirements. Since 2011, the number of organizations adopting DevOps has increased by 26 percent. According to recent research, those organizations adopting DevOps ship code 30 times faster. Despite its obvious benefits, I still encounter many organizations that hesitate to embrace DevOps. In this blog post, I am introducing a new series that will offer weekly guidelines and practical advice to organizations seeking to adopt the DevOps approach.

My Background

As a federally-funded research and development center (FFRDC), the SEI must maintain high standards of efficiency, security, and functionality. At the SEI, I oversee a software engineering team that works within CERT's Cyber Security Solutions Directorate. My team develops tools and technologies to help federal agencies address cybersecurity risks, manage secure systems, and investigate increasingly complex cyber attacks and crimes. To fulfill these responsibilities, we develop many increasingly complex software applications, and DevOps has become a necessary, defining factor in our software development process.

Our role in helping federal agencies assess cybersecurity risks heavily influences our approach to DevOps, necessitating that we weave security considerations into every facet of our software development lifecycle.

Cybersecurity is often misunderstood or even ignored as new systems are designed and developed, falling out of view to more high profile quality requirements, such as availability or correctness of software systems. Due to CERT's responsibility to our sponsors and the community, security is consistently a first-tier concern, addressed as an early and fundamental requirement for any system developed by our team. This focus has precipitated our research into Secure DevOps, or DevOpsSec, a topic we will revisit often in this blog series.

Origins and Benefits of DevOps

DevOps emerged in 2009 when a group of Belgian developers hosted DevOps Days, which advocated collaboration between developers and operational staff. Since then, organizations have rapidly adopted DevOps. In their 2014 State of DevOps report, Puppet Labs found DevOps adopters to be "deploying code 30 times more frequently with 50 percent fewer failures." In addition, the more than 9,000 people who completed the Puppet Labs survey reported the following:

• Firms with high-performing IT organizations were twice as likely to exceed their profitability, market share, and productivity goals.
• IT performance strongly correlates with well-known DevOps practices, such as use of version control and continuous delivery.
• Organizational culture is one of the strongest predictors of both IT performance and overall performance of the organization.

For more on the origins of DevOps, see my post, An Introduction to DevOps.

Addressing Challenges to DevOps Adoption

Before an organization can consider adopting DevOps, it needs to shift the prevailing mindset and culture and gain a better understanding of how DevOps works. In my experience, some barriers to adoption are technical, and a number are cultural. The practical advice and suggestions that we will publish every Thursday will focus on three core areas of DevOps:

• collaboration and cooperative culture
• infrastructure as code
• automation and repetition

The following are some of the specific challenges that I will address in the subsequent weeks:

• Continuous integration: What build server should I choose? How do I know what processes to automate? Who manages build configurations? There are many questions involved in implementing robust continuous integration in the enterprise. In this series we will cover many common issues and some advanced topics to get your organization on a successful path.
• Continuous deployment: This concept terrifies many organizations, but it doesn't have to. There are many paths to continuous deployment, and many ways to implement the technology in a way that maintains stability and assurance in your delivered products. Stay tuned for more.
• Fear of automation: DevOps provides a means for automating repetitive tasks within the SDLC, allowing engineers to focus on the important task of writing code. However, the fear of automated tools and the technical expertise needed to use them, especially in legacy systems, is pervasive. We'll talk about what tasks to automate, when to automate, and the cost and benefits of automation.
• Incomplete implementation: Agilists often encounter organizations that embrace Agile development language but ignore fundamental concepts and behaviors. This can result in a watered down process of writing code very fast without documentation. This is not Agile, this is irresponsible. In DevOps, I have witnessed the same problem. For instance, an organization may think it embraces DevOps, but it may not have any operations staff on project teams. This is not DevOps.
• Breaking down the silos: Altering organizational culture to enable developers and operations engineers to fully collaborate on a project is trickier than it sounds. We'll discuss a number of issues and tactics for shaping organizational culture and thinking to achieve your goal of functional DevOps.
• Tailoring DevOps: There are many ways to do DevOps. It is important to note that different teams and projects may structure DevOps practices differently, depending on their needs. I, along with several members of my team, will present tactics, case studies, and alternatives throughout this series.
• DevOpsSec: Most software teams believe in secure software, but are unsure how to structure their process to produce verifiably, consistently secure code. We will present tools, techniques, and practices to help you increase your software security through DevOps.
• Infrastructure as code: In addition to writing code for an application, software development teams practicing DevOps develop code to define their infrastructure. There are many advantages, and many pitfalls, to automated environment provisioning, and it will be a frequent topic in this series.
• Automation & repetition: In addition to being a significant time-saver, automation and repetition of complex tasks can give a team extreme confidence in their ability to perform these tasks when it counts. But what steps should be automated? What tools are best? We'll discuss a variety of topics around DevOps automation throughout this series.

Looking Ahead

While I will use this series will provide weekly guidelines and advice on DevOps adoption, I will continue to publish more in-depth posts that take a deeper dive into issues surrounding DevOps. The next post in this series will explore continuous integration in DevOps.

We welcome your feedback. What issues surrounding DevOps do you want to know more about? What challenges is your organization facing in adoption? Please leave feedback in the comments section below.

Additional Resources

To listen to the podcast, DevOps--Transform Development and Operations for Fast, Secure Deployments, featuring Gene Kim and Julia Allen, please visit
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=58525.

To view the August 2011 edition of the Cutter IT Journal, which was dedicated to DevOps, please visit http://www.cutter.com/promotions/itj1108/itj1108.pdf.

Additional resources include the following sites:

https://devops.com/

http://dev2ops.org/

https://www.evolven.com/blog/devops-developments.html

https://www.ibm.com/developerworks/library/d-develop-reliable-software-devops/index.html?ca=dat-