CloudBees gets busy with security, visibility and control as DevOps evolves

CEO Sacha Labourey: 'DevOps is a pretty good proxy for what needs to happen in any organisation'

Everyone's doing DevOps now, aren't they? Well, actually no. A Computing survey earlier this year found that 43 per cent of software-producing companies have not yet embraced the "de facto way of developing software", a figure that is only dropping slowly.

Does that give CloudBees CEO Sacha Labourey pause for thought? Not a bit of it.

"Well, you know, you still have people driving drunk or driving too fast. The same is true with software, right? You still have people doing software in ways that shouldn't be done. But the reality is that DevOps is a pretty good proxy for what needs to happen in the organisation - in any organisation," he said, speaking to Computing prior to the CloudBees DevOps World event.

The way it should be done, Labourey contends, is to make software development a production-line activity, where everything that can be automated and standardised is automated and standardised, where every beneficial change is written into code and incorporated into the next version, and where every error is tagged so it can be automatically avoided next time.

But some companies say "we have no intention of being the next Netflix, so we're not interested in DevOps", and this misperception is where the sticking point with DevOps adoption lies, he believes.

"We shouldn't be too religious about how we do DevOps. The more you get to automate, collaborate and codify things, the better. Then if you have more of a waterfall behaviour, in some cases it can be okay so long as you start automating. That's the thing. People don't necessarily realise that once you start codifying and automating then Waterfall just becomes a shorter Waterfall. What took 18 months you can do in three months, then it's a natural progression."

Security remains a tricky part of the DevOps process, not least because traditionally checks have been performed at the end of the pipeline, which does not fit well with DevOps' iterative model. The CloudBees approach is to build security into the pipeline, through acquisitions like Electric Cloud, which had a focus on application security, auditing and compliance, and by integrating third-party vulnerability security scanning tools like Snyk and WhiteSource into the pipeline itself.

"Part of the confusion around DevSecOps is whether people need to buy a specific tool, but really it's much like an assembly line and you're better making sure that the process is solid rather than inspecting the output of that process," said Labourey.

Notable by its absence from the promotional literature surrounding the event is any mention of Jenkins, the open source pipeline automation platform on which CloudBees bases its services. Labourey denied Jenkins is somehow being sidelined.

"We're still very much a Jenkins company. It's core to what we do, and you're going to see in the next few months a lot more activity around Jenkins. However, it is true that from a business standpoint it's important for organisations to understand that CloudBees is a lot more than the enterprise Jenkins company."

Current teases on the product front are two new software delivery management (SDM) modules which will be available by the end of the year. These aim to improve management visibility into the pipeline, by providing an abstracted layer over all the tools and actors involved, and to provide more controls. The developer efficiency module will analyse how teams are operating, how much time they are spending fixing bugs rather than developing new features, and so on. The feature management module will give development teams more granular control over the features that get issued in software releases, building on CloudBees' feature flags capabilities which were introduced following the acquisition of Rollout last year.

"It makes it possible to bundle a set of features and activate them for a segment of the market, and then do things like A/B testing of some of those features based on business metrics," Labourey said.