All Aboard the DevOps SHIP

TL:DR: More than just a buzzword, DevOps is a culture that can help organisations accelerate their delivery of digital solutions. But for it to work, organisations must understand their own pain points and bottlenecks. Mr Hudson Lee, DevOps Consultant at GovTech, shared his insights on DevOps in a highly-regulated environment at the STACK 2018 Developers Conference.

As technology advances, new vocabulary surrounding novel inventions and processes start to appear. One example of this is the term ‘DevOps’, which had no meaning until 2009, when a pair of IT professionals—Mr Patrick Debois and Mr Andrew ‘Clay’ Shafer—decided that development and operations teams within organisations should not be operating in silos.

The pair went on to start a cultural and professional movement that stresses communication, collaboration and integration between software developers and IT operations managers. They called this new modus operandi—you guessed it—DevOps.

Today, DevOps has been widely adopted by IT departments in both the public and private sectors, and GovTech is no exception, said Mr Hudson Lee, DevOps Consultant at the Government Technology Agency of Singapore (GovTech).

Fewer hurdles, faster progress

But DevOps is no magic bullet. Before it can be effective, organisations first have to identify the pain points in their internal processes that they want to address. To this end, Mr Lee noted that GovTech uses “value stream mapping”—a systematic analysis of existing application development workflows.

“We found that one of the key bottlenecks was policy clearance, which really prolonged deployment times,” he said. Once the problem was identified, solving it was simply a matter of “baking as many policies into the code as possible”. This means that the intent of the policy is reflected in the design of the application, hence the application can be approved and released more quickly.

Mr Lee noted that a unified release pipeline called SHIP (Secure Hybrid Integrated Pipeline) is in the works to crystallise this philosophy of “codifying policy”. Importantly, SHIP is not a one-size-fits-all solution—different public sector agencies can customise it to suit their own objectives.

“If an agency has tighter policies, they can still add it to the code. But fundamentally, we have already built in the basic checkpoints that have been dictated by the government,” Mr Lee elaborated.

Steering the SHIP towards success

Nonetheless, the ship is not yet ready to set sail, said Mr Lee. In a climate of brazen and frequent cyberattacks, the ‘secure’ aspect of SHIP is being beefed up to better protect applications against malicious tampering. Hence, in addition to the developer and operations teams, cybersecurity professionals must also get involved. Just when the term ‘DevOps’ is gaining traction, a new word has emerged to describe this tripartite IT unit—‘DevSecOps’.

Another problem that Mr Lee foresees is SHIP’s compatibility. “For example, at Microsoft, you can have just one pipeline that supports [software development on Microsoft’s platform]. This is different from the government environment, where we need our pipeline to support other frameworks such as Java, Macintosh and so on,” Lee said.

This is where taking a consultative approach with multiple stakeholders helps. By speaking to the potential end users of SHIP and gathering their feedback on how to improve the system, Mr Lee’s team can ensure that the pipeline will eventually be relevant across a wide swathe of government.

“At the end of the day, what we want is to enable software products to be delivered faster, more frequently and more reliably,” he concluded.