production instances v. Keep developers’ environments most current e. MODIFY OUR DEFINITION OF DEVELOPMENT “DONE” TO INCLUDE RUNNNING IN PRODUCTION-LIKE ENVIRONMENTS i. In general, the longer the interval frequently as possible i. WRITE OUR AUTOMATED TESTS BEFORE WE WRITE THE CODE (“TEST DRIVEN DEVELOPMENT”) i. TDD – Kent Beck as part of Extreme Programming 1. Ensure the tests fail – “Write a test ii. Implemented Trunk-based development & CI iii. After CI: 40% effort on new features, 40% decrease in development costs, 140% increase in programs under development, 78% reduction in cost per program

INFRASTRUCTURE i. Remove the silos of information – Developers don’t just log what’s interesting to development. Operations don’t just monitor what’s up or down. ii. Modern Monitoring architecture 1. Data iii. More exotic - Fast Fourier Transforms or Kolmogorov-Smirnov 4. Ch. 16 – Enable Feedback So Development and Operation Can Safely Deploy Code a. USE TELEMETRY TO MAKE DEPLOYMENTS SAFER i. Actively monitor Prevent upstream work from locally optimizing at the expense of the entire value stream – Everyone (development, managers, architects, ops, etc.) in the value stream shares responsibility for handling operational

when we have an annual schedule for software releases, where an entire year’s worth of code that Development has worked on is released to production deployment. Like in manufacturing, this large batch release 1. In the book Implementing Lean Software Development: From Concept to Cash, Mary and Tom Poppendieck describe waste and hardship in the software development stream as anything that causes delay for result. The following categories of waste and hardship come from Implementing Lean Software Development unless otherwise noted: a. Partially done work: b. Extra processes: c. Extra features: d.

feasible.  History – How I Got Here?  Contentious relationship existed between development and operations.  Left development because I was frustrated that it took so much time to get my products into production team wasn’t the same as the game time team.  Segregated technical and business functions  Development  Operations (Operational Waterfall)  Infrastructure Ops  Product Ops  Product Management related to product configuration and deployment  Built a strong relationship with development (built empathy)  Development began to see operational issues, and usability problems  The relationship is

contractor-control model. But it doesn’t. Requirements: Requirements are a way of controlling the development team by constraining their creativity. Instead of requirements, we want to charge the team—the changes to the whole ball of EA.  It has a robust, automated regression test suite, so that new development does not cause expensive break-fix activity.  It has good monitoring tools in place.  It is it. This obvious fact is neat, plausible, and in most cases, wrong. The economics of software development have changed: Changed in a way that now favors “building” over “buying.” There are now ways of

and when we realize that the costs and risks of custom development have been radically reduced, the economics often now favor custom development. Governance and Oversight: Governance has traditionally Cross-functional and team-based: It used to be natural for ops specialists to do ops, developers to do development, and testers to do testing. Now, crossover skills are increasingly important. On a delivery team interest of shipping code. If there is a backlog in exploratory testing, people who normally do development will help test. Software engineers will oversee their code in production and help make changes

architecture is in place, systems engineers continue to refine it as they learn more from the development sprints and releases. Cost Estimation  Cost estimation in an Agile environment is challenging releases it can manage in a given year and the totality of delivered requirements within the entire development period of performance.  During the program execution phase, a high-level program estimate undergoes estimates as requirements become better defined. The fidelity of the cost estimate increases once a development team is established to help estimate the level of work for each requirement (i.e., as translated

is an organizational software engineering culture and practice that aims at unifying software development (Dev), security (Sec) and operations (Ops). The main characteristic of DevSecOps is to automate approach  Remove bottlenecks (including human ones) and manual actions.  Automate as much of the development and deployment activities as possible.  Adopt common tools from planning and requirements through frequent updates over larger, more sporadic releases.  Apply the cross-functional skill sets of Development, Cybersecurity, and Operations throughout the software lifecycle, embracing a continuous monitoring

NFRs. Codify these into the tests and pipeline f. BUILD REUSABLE OPERATIONS USER STORIES INTO DEVELOPMENT i. Goal – make recurring work as repeatable and deterministic as possible; standardize and automate operations b. Compliance checking is the opposite of security engineering c. INTEGRATE SECURITY INTO DEVELOPMENT ITERATION DEMONSTRATIONS i. Bring Infosec left; incorporate them into demos and help them understand secured. f. INTEGRATE SECURITY INTO OUR DEPLOYMENT PIPELINE i. Hardening the application after development completes is not acceptable. Left issues unaddressed due to schedule and budget constraints ii