
Moving toward smart and secure continuous software delivery

George V. Hulme | Aug. 21, 2014
Experts contend continuous software integration and delivery practices can boost secure coding practices.

Large enterprises continuously slow

While these concepts are not new, they are certainly new to many larger organizations. "Many of the big enterprises still have not adopted CI/CD. If you have a large multinational workforce, trying to get them to do one or two week iterations is nearly impossible. So, there are just a lot of challenges with it," Cera says.

Some of those challenges include the complexity associated with composite applications. An enterprise's automated software testing capabilities need to be very robust and able to validate the continuous releases of code.

"From a security perspective, that also means that the security people who might previously have been invoked once a quarter to do reviews and testing now need to be involved much more frequently," says Cera.

But integrating security into continuous integration and delivery in enterprises, Cera and others contend, requires the right level of investment and for the business to understand what time and energy need to go into quality software development. "Assume your traditional release cycles are quarterly; then you have to have compliance and risk people come in once a quarter to look at things. Now, if you're doing one or two week iterations, you have to have them come in for the same cycles, or get them to agree and approve an automated set of tests," Cera says.

One key to success, especially when the goal is improving code quality and resiliency, is to enable developers to test the code in their own virtual environments that are identical to their production environment.

"Testing is often on a shared infrastructure that, using something like Puppet, can be configured to be exactly the same as the continuous integration production system. And that's good enough for the developers. They're getting their tight feedback loop. They're testing code in pretty much the same way as it's going to be tested in the official continuous integration pipeline, and yet you can still manage tight change control process in the merge from test to production," Kersten says.

None of this is to say that the move to continuous integration and deployment and maintaining, or even improving upon, security is a given — or even easy. Bad processes and shortcuts will come back to haunt the organization as bugs and security holes are identified while the applications are live in production — when it tends to be more expensive to remedy serious flaws. "I think continuous integration and deployment fall down when you don't have a very tightly disciplined development organization, and it's just open season on the production infrastructure. This actually becomes counterproductive because the feedback loops become longer and longer," Kersten says.

That certainly creates a "debt" of work that very likely will need to be done at some point because mistakes need to be corrected.
