The definitive answer is about the best way to develop software. The impact of agile, lean DevOps practices on software development is stunning. See 5 years of research of over 4,000 organizations in Accelerate by Forsgren et al.
By Agile, I mean both Agile – collaboration on small, rapid releases – and DevOps – bringing development and operations teams together.
On both velocity and stability, teams who master the culture, technology and processes of lean, version-controlled, continuous and automated flow in development and deployment are wildly outperforming teams who don’t. These organization are / achieve:
More Agile / Higher Velocity:
- 46x more frequent code deployments. High performers deploy multiple times a day. Low performers: once a week or less.
- 440 times faster commit to deploy. High performers go from commit (done) to deploy (live) in less than an hour. Low performers: in more than a week.
More Reliable / Better Stability:
- 96 times faster mean time to recover from down time. High performers recover from down time in less than an hour. Low performers: in several days.
- 1/5 as likely that changes will fail. High performers' changes fail 0 to 15% of the time. Low performers': 31-45% of the time.
And if you’re more interested in leadership questions, note that high performers are 2.2 times more likely to rate their company as a great place to work in Employee Net Promoter Scores.
One follow-up question: do those results apply to networking and security?
Let’s start with security.
“Our research shows that building security into software development not only improves delivery performance, but also improves security quality. We found that high performers are spending 50% less time remediating security issues than low performers.” (Forsgren)
This pattern extends to all infrastructure, including networking. The highest performers suffer the least measurable deployment pain.
“Key factors include systems designed to be deployed easily in multiple environments, and eliminating handoffs across organizational silos, ie between system, database and networking admins, infosec, and development & test.”
Second follow-up – What is holding networking back?
In the dozens of interviews that we conducted at Bayware as part of our Steve Blanc-style customer validation and Eric Ries-style lean startup process, we found that networking professionals need make two key changes to get to Agile or DevNetOps or NetDevOps or DevSecOps.
Process: Networking and information security professionals are too often only involved at what developers perceive to be “…the end of the software delivery process, when…”, as James Wickett notes, “it is often painful and excessively expensive to make changes necessary to improve…”
We found that when application teams move to put new applications into production, they expect networking and information security professionals to use a variety of tools to complete their tasks very quickly.
The reality is eventually not quickly. Changes to meet corporate, customer, and compliance standards flow back upstream to developers.
This continues, back and forth, for 2 to 8 months for initial deployments to finally go live. And this over-the-wall approach remains a source of friction and delay as frequent changes and upgrades come to the application and to the underlying infrastructure.
You can see some illustrations in this video.
We found this waterfall to be the reality even where app dev adopted an application-centric networking framework such as a Service Mesh with the goal of making themselves independent of networking and security infrastructure departments.
Flat full-mesh networks created by a CNI or a Service Mesh end up needing additional layers of networking and security solutions to meet corporate and customer standards especially for distributed implementations, e.g. hybrid or multi-cloud. So, over the wall they go again.
In other words, networking, including security, is still largely not Agile. It is still largely stuck in Waterfall. And that slows down what is on top of nearly every company’s digital agenda: securely deploy more applications faster!
And…Networking Technology that aligns to that process.
In order to get to Agile, networking and security folks need not just culture and process change. They also need technology that enables them to cooperate with developers on a shared code base that executes the networking and security for and in full sync with an application.
That’s how Agile works. If you are collaborating via requirements documents, you’re not doing it right. Agile DevOps means collaborating – co-creating and co-evolving - the code that you run in production.
In future posts, my colleagues and I at Bayware.io will share more about such emerging code bases, the advantages of dedicating one code base to each application team, and fascinating developments in identity and encryption that support cloud-native models.