This post is from the XebiaLabs blog and has not been updated since the original publish date.
Building Your Software Chain of Custody
A Software Chain of Custody that truly covers the enterprise-scale software delivery process starts with the strategic goals that you want to achieve. Most organizations execute a pipeline of business activities similar to the one below when determining which software assets to invest in and how to measure their return on investment.
A typical pipeline of business activities
The inputs into and outputs of this process are usually scattered in many places. Organizational leaders have ideas in mind and sketch out vision statements and goals on whiteboards; product managers build roadmaps in PowerPoint; release managers create plans and schedules in Excel; and product owners add work items to a backlog in Jira. A Software Chain of Custody can transform this disconnected set of inputs and outputs into a structured, connected, traceable chain of decisions, activities, and outcomes.
Note: Portfolio Planning and Agile Management tools such as CollabNet VersionOne are rich sources of data for the activities in this business-oriented process. Capturing that data and building it into your Software Chain of Custody gives you a complete picture of your true end-to-end process so you can:
- Track compliance tasks that happen outside the technical pipeline
- Better visualize and understand your value stream
- Use data to align the backlog of technical work with strategic goals
- Measure DevOps teams’ performance against strategic goals
Understanding the Challenging Landscape of DevOps Tools
IT Revolution’s DevOps Automated Governance Reference Architecture (September 17, 2019) illustrates the technical software delivery pipeline as follows.
The technical software delivery pipeline
DevOps teams manage and execute the activities that move software assets through the development and delivery process: writing new code, integrating it with the codebase, testing it, packaging it into applications, deploying those applications to both pre-production and production environments, and monitoring each application’s availability, stability, and performance. These activities require a variety of tools that support source code management, continuous integration, build capabilities, environment provisioning, application deployment, log aggregation, and performance monitoring.
This landscape of varied, often disconnected tools makes it inherently challenging to create a Software Chain of Custody that reliably tracks the work that is being done and that captures and documents which person or process triggered the work.
DevOps teams are often required to manually collect, compile, and correlate data across tools to satisfy audit reporting requirements—a process that is time-consuming, prone to human error, and that distracts developers from the work of building value-adding business applications.
Automation is Key for a Scalable, Repeatable Software Chain of Custody
To establish a Software Chain of Custody for technical software delivery processes, you must automate the process of capturing and correlating evidence for delivery activities across all tools in the DevOps landscape. According to DevOps Automated Governance Reference Architecture:
As more and more DevOps practices are automated, it becomes harder to capture the data required to ensure all security and compliance concerns are met. Organizations need an automated way to track governance throughout the entire software delivery process so they can attest to the integrity of all assets and to the security of all running applications.
Implementing this type of automation, and then optimizing it for enterprise-scale use, requires tools and mechanisms that are built for repetition and scale. A Software Chain of Custody process that is highly repeatable ensures that audit evidence is captured for every release. This process must scale to capture evidence automatically for every change made to every software asset—no matter how many tools are involved or how complex the technical delivery pipeline is.
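To make the "capture and correlate evidence across tools" idea concrete, here is an added example (not code from the post, nor from XebiaLabs or IT Revolution) that takes delivery events from several tools, follows the references each event carries back to a single artifact, orders them into one chain of custody, and hash-links the records so a later edit to any link is detectable. The tool names, event field names, sample events and the rule that a production deploy must carry a change-approval reference are all assumptions made for the illustration.

```python
"""Correlate delivery events from several tools into one chain-of-custody
record for a single artifact, and flag the gaps an auditor would ask about.

Tool names, field names, sample events and the approval rule below are
constructed for illustration; they do not describe any particular product.
"""
import hashlib
import json
from datetime import datetime

# Constructed sample events, roughly what a log aggregator might return when
# queried for one release. Field names are assumptions.
SAMPLE_EVENTS = [
    {"tool": "scm", "stage": "commit", "actor": "alice",
     "ts": "2019-09-17T09:00:00Z", "id": "c0ffee12", "refs": {}},
    {"tool": "ci", "stage": "build", "actor": "ci-bot",
     "ts": "2019-09-17T09:05:00Z", "id": "build-418",
     "refs": {"commit": "c0ffee12"}},
    {"tool": "registry", "stage": "publish", "actor": "ci-bot",
     "ts": "2019-09-17T09:12:00Z", "id": "sha256:abc123",
     "refs": {"build": "build-418"}},
    {"tool": "deploy", "stage": "deploy-prod", "actor": "bob",
     "ts": "2019-09-17T10:30:00Z", "id": "deploy-77",
     "refs": {"artifact": "sha256:abc123", "approval": "CHG-1001"}},
    # A second production deploy with no recorded actor and no approval.
    {"tool": "deploy", "stage": "deploy-prod", "actor": "",
     "ts": "2019-09-17T11:00:00Z", "id": "deploy-78",
     "refs": {"artifact": "sha256:abc123"}},
]

# Expected stage order, and which upstream reference each stage must carry.
STAGE_ORDER = ["commit", "build", "publish", "deploy-prod"]
REQUIRED_REF = {"build": "commit", "publish": "build", "deploy-prod": "artifact"}
GENESIS = "0" * 64  # prior-hash value for the first link


def _record_hash(record, prev_hash):
    """Hash the canonical JSON of a record together with the previous hash,
    so changing any earlier link changes every hash after it."""
    payload = json.dumps(record, sort_keys=True).encode() + prev_hash.encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(events, artifact_digest):
    """Return (chain, findings): the hash-linked records for one artifact, in
    delivery order, plus a list of gaps (missing links, unattributed actors,
    out-of-order timestamps, unapproved production deploys)."""
    by_id = {e["id"]: e for e in events}
    findings = []

    # Walk upstream from the artifact: publish -> build -> commit.
    upstream = []
    cur = by_id.get(artifact_digest)
    while cur is not None:
        upstream.append(cur)
        key = REQUIRED_REF.get(cur["stage"])
        parent_id = cur["refs"].get(key) if key else None
        if key and parent_id is None:
            findings.append(f"{cur['id']}: missing {key} reference")
        elif parent_id and parent_id not in by_id:
            findings.append(f"{cur['id']}: references unknown {key} {parent_id}")
        cur = by_id.get(parent_id) if parent_id else None

    # Walk downstream: every deployment that references this artifact.
    downstream = [e for e in events if e["refs"].get("artifact") == artifact_digest]

    def order(e):
        idx = STAGE_ORDER.index(e["stage"]) if e["stage"] in STAGE_ORDER else len(STAGE_ORDER)
        return (idx, e["ts"])

    chain, prev_hash, prev_ts = [], GENESIS, None
    for e in sorted(upstream + downstream, key=order):
        if not e["actor"]:
            findings.append(f"{e['id']}: no actor recorded for {e['stage']}")
        if e["stage"] == "deploy-prod" and "approval" not in e["refs"]:
            findings.append(f"{e['id']}: production deploy has no approval reference")
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if prev_ts is not None and ts < prev_ts:
            findings.append(f"{e['id']}: timestamp precedes the previous link")
        prev_ts = ts
        h = _record_hash(e, prev_hash)
        chain.append({**e, "prev_hash": prev_hash, "hash": h})
        prev_hash = h
    return chain, findings


def verify_chain(chain):
    """Recompute every hash; an edited, dropped or reordered link fails."""
    prev_hash = GENESIS
    for rec in chain:
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec["prev_hash"] != prev_hash or _record_hash(body, prev_hash) != rec["hash"]:
            return False
        prev_hash = rec["hash"]
    return True


if __name__ == "__main__":
    chain, findings = build_chain(SAMPLE_EVENTS, "sha256:abc123")
    for rec in chain:
        print(f"{rec['stage']:<12} {rec['id']:<16} by {rec['actor'] or '?'}")
    print("findings:", findings)
    print("chain intact:", verify_chain(chain))
```

Run as-is it lists the five links for `sha256:abc123` and reports that `deploy-78` has neither an actor nor an approval reference, while `deploy-77` passes. The hash link is what lets the stored record stand as evidence later: `verify_chain` fails as soon as any field of any link is altered after the fact, and removing the build event from the input surfaces as an "unknown build" finding rather than a silently shorter chain.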
Continuous Improvement through Value Stream Management
Value Stream Management is an emerging discipline that tracks software delivery activities and provides the contextual data enterprises need to analyze and continuously improve their software delivery processes. A Software Chain of Custody provides the foundation for Value Stream Management because, in addition to proving the integrity of software assets, it paints a complete picture of each and every software release from beginning to end.
In many enterprises, DevOps leaders use strategic goals to build a roadmap that guides decisions about the future of software assets: which assets to build, which assets to change, and even which assets to retire. Product managers break the roadmap down into portfolio items, grouped by strategic theme, that turn goals into actionable work. Then, product owners create a backlog of user stories and changes so teams can plan and estimate their day-to-day workload and delivery timeline.
Many enterprises work this way, but they lack a rich, end-to-end chain that would help leaders understand whether the technical changes that are being implemented actually support the company’s strategic goals—especially when the software delivery process happens in long-running, complicated delivery pipelines that span many applications or teams. Value Stream Management that’s built on top of a Software Chain of Custody provides the crucial data and insights needed to identify opportunities for automation, reduce release delays, eliminate process bottlenecks, and, ultimately, help teams push changes to production faster.
Next week, learn how to take control of your software assets.