Actionable Information from the DevSecOps Pipeline

Because the Particular Operations Command (SOCOM) commander, you’re informed that intelligence has found that an adversary has surprising capabilities. Subsequently, you might want to reprioritize capabilities. You inform this system supervisor (PM) to your superior plane platform that the decrease precedence functionality for the whiz-bang software program for sensor fusion that was on the roadmap 18 months from now might want to change into the highest precedence and be delivered within the subsequent six months. However the subsequent two priorities are nonetheless essential and are wanted as near the unique dates (three months and 9 months out) as potential.

That you must know

  • What choices to offer the brand new functionality and the following two precedence capabilities (with lowered functionality) will be supplied with out a change in staffing?
  • What number of extra groups would should be added to get the sensor-fusion software program within the subsequent six months and to remain on schedule for the opposite two capabilities? And what’s the price?

On this weblog put up, excerpted and tailored from a lately revealed white paper, we discover the choices that PMs make and data they should confidently make choices like these with the assistance of knowledge that’s obtainable from DevSecOps pipelines.

As in industrial corporations, DoD PMs are accountable for the general price, schedule, and efficiency of a program. Nonetheless, the DoD PM operates in a special surroundings, serving navy and political stakeholders, utilizing authorities funding, and making choices inside a fancy set of procurement laws, congressional approval, and authorities oversight. They train management, decision-making, and oversight all through a program and a system’s lifecycle. They should be the leaders of this system, perceive necessities, stability constraints, handle contractors, construct help, and use fundamental administration expertise. The PM’s job is much more advanced in massive applications with a number of software-development pipelines the place price, schedule, efficiency, and danger for the merchandise of every pipeline should be thought of when making choices, in addition to the interrelationships amongst merchandise developed on totally different pipelines.

The aim of the SEI analysis venture known as Automated Value Estimation in a Pipeline of Pipelines (ACE/PoPs) is to point out PMs find out how to accumulate and remodel unprocessed DevSecOps growth information into helpful program-management info that may information choices they need to make throughout program execution. The flexibility to constantly monitor, analyze, and supply actionable information to the PM from instruments in a number of interconnected pipelines of pipelines (PoPs) might help maintain the general program on observe.

What Information Do Program Managers Want?

PMs are required to make choices nearly constantly over the course of program execution. There are a lot of totally different areas the place the PM wants goal information to make the most effective determination potential on the time. These information fall into the primary classes of price, schedule, efficiency, and danger. Nevertheless, these classes, and lots of PM choices, are additionally impacted by different areas of concern, together with staffing, course of effectiveness, program stability, and the standard and information supplied by program documentation. You will need to acknowledge how these information are associated to one another, as proven in Determine 1.

Actionable Data from DevSecOps Fig 1

Determine 1: Notional Program Efficiency Mannequin

All PMs observe price and schedule, however adjustments in staffing, program stability, and course of effectiveness can drive adjustments to each price and schedule. If price and schedule are held fixed, these adjustments will manifest ultimately product’s efficiency or high quality. Dangers will be present in each class. Managing dangers requires accumulating information to quantify each the likelihood of prevalence and affect of every danger if it happens.

Within the following subsections, we describe these classes of PM issues and counsel methods through which metrics generated by DevSecOps instruments and processes might help present the PM with actionable information inside these classes. For a extra detailed therapy of those matters, please learn our white paper.


Value is often one of many largest drivers of selections for a PM. Value charged by the contractor(s) on a program has many sides, together with prices for administration, engineering, manufacturing, testing, documentation, and many others. This weblog put up focuses on offering metrics for one side of price: software program growth.

For software-development initiatives, labor is often the only most important contributor to price, together with prices for software program structure, modeling, design, growth, safety, integration, testing, documentation, and launch. For DoD PMs, the necessity for correct price information is exacerbated by the requirement to plan budgets 5 years upfront and to replace funds numbers yearly. It’s subsequently vital for PMs to have high quality metrics to allow them to higher perceive total software-development prices and assist estimate future prices.

The DevSecOps pipeline gives information that may assist PMs make choices relating to price. Whereas the pipeline usually doesn’t straight present info on {dollars} spent, it could possibly feed typical earned worth administration (EVM) programs and might present EVM-like information even when there isn’t a requirement for EVM. Value is most evident from work utilized to particular work gadgets, which in flip requires info on staffing and the actions carried out. For software program developed utilizing Agile processes in a DevSecOps surroundings, measures obtainable by means of the pipeline can present information on group dimension, precise labor hours, and the particular work deliberate and accomplished. Though clearly not the identical as price, monitoring labor fees (hours labored) and full-time equivalents (FTEs) can present a sign of price efficiency. On the group degree, the DevSecOps cadence of planning increments and sprints gives labor hours, and labor hours scale linearly with price.

A PM can use metrics on work accomplished vs. deliberate to make knowledgeable choices about potential price overruns for a functionality or characteristic. These metrics may assist a PM prioritize work and determine whether or not to proceed work in particular areas or transfer funding to different capabilities. The work will be measured in estimated/precise price, and optionally an estimated/precise dimension will be measured. The anticipated price of labor deliberate vs. precise price of labor delivered measures predictability. The DevSecOps pipeline gives a number of direct measurements, together with the precise work gadgets taken by means of growth and manufacturing, and the time they enter the DevSecOps pipeline, as they’re constructed and as they’re deployed. These measurements lead us to schedule information.


The PM wants correct info to make choices that rely upon supply timelines. Schedule adjustments can have an effect on the supply of functionality within the discipline. Schedule can also be essential when contemplating funding availability, want for check belongings, commitments to interfacing applications, and lots of different points of this system. On applications with a number of software program pipelines, you will need to perceive not solely the technical dependencies, but in addition the lead and lag occasions between inter-pipeline capabilities and rework. Schedule metrics obtainable from the DevSecOps pipeline might help the PM make choices based mostly on how software-development and testing actions on a number of pipelines are progressing.

The DevSecOps pipeline can present progress towards plan at a number of totally different ranges. Crucial degree for the PM is the schedule associated to delivering functionality to the customers. The pipeline usually tracks tales and options, however with hyperlinks to a work-breakdown construction (WBS), options will be aggregated to point out progress vs. the plan for functionality supply as nicely. This traceability doesn’t naturally happen, nonetheless, nor will the metrics if not adequately deliberate and instantiated. Program work should be prioritized, the trouble estimated, and a nominal schedule derived from the obtainable workers and groups. The granularity of monitoring ought to be sufficiently small to detect schedule slips however massive sufficient to keep away from extreme plan churn as work is reprioritized.

The schedule will likely be extra correct on a short-term scale, and the plans should be up to date at any time when priorities change. In Agile growth, one of many principal metrics to search for with respect to schedule is predictability. Is the developer working to a repeatable cadence and delivering what was promised when anticipated? The PM wants credible ranges for program schedule, price, and efficiency. Measures that inform predictability, resembling effort bias and variation of estimates versus actuals, throughput, and lead occasions, will be obtained from the pipeline. Though the seventh precept of the Agile Manifesto states that working software program is the first measure of progress, you will need to distinguish between indicators of progress (i.e., interim deliverables) and precise progress.

Story factors is usually a main indicator. As a program populates a burn-up or burndown chart displaying accomplished story factors, this means that work is being accomplished. It gives a number one indication of future software program manufacturing. Nevertheless, work carried out to finish particular person tales or sprints is just not assured to generate working software program. From the PM perspective, solely accomplished software program merchandise that fulfill all situations for performed are true measures of progress (i.e., working software program).

A standard drawback within the multi-pipeline state of affairs—particularly throughout organizational boundaries—is the achievement of coordination occasions (milestones). Applications mustn’t solely independently monitor the schedule efficiency of every pipeline to find out that work is progressing towards key milestones (often requiring integration of outputs from a number of pipelines), but in addition confirm that the work is actually full.

Along with monitoring the schedule for the operational software program, the DevSecOps instruments can present metrics for associated software program actions. Software program for help gadgets resembling trainers, program-specific help tools, information evaluation, and many others., will be important to this system’s total success. The software program for all of the system elements ought to be developed within the DevSecOps surroundings so their progress will be tracked and any dependencies acknowledged, thereby offering a clearer schedule for this system as an entire.

Within the DoD, understanding when capabilities will likely be accomplished will be vital for scheduling follow-on actions resembling operational testing and certification. As well as, programs typically should interface to different programs in growth, and understanding schedule constraints is essential. Utilizing information from the DevSecOps pipeline permits DoD PMs to higher estimate when the capabilities below growth will likely be prepared for testing, certification, integration, and fielding.


Useful efficiency is vital in making choices relating to the precedence of capabilities and options in an Agile surroundings. Understanding the required degree of efficiency of the software program being developed can enable knowledgeable choices on what capabilities to proceed creating and which to reassess. The idea of fail quick can’t achieve success until you’ve got metrics to rapidly inform the PM (and the group) when an thought results in a technical lifeless finish.

A essential situation for a functionality supply is that each one work gadgets required for that functionality have been deployed by means of the pipeline. Supply alone, nonetheless, is inadequate to contemplate a functionality full. A whole functionality should additionally fulfill the desired necessities and fulfill the wants within the supposed surroundings. The event pipeline can present early indicators for technical efficiency. Technical efficiency is often validated by the client. Nonetheless, technical efficiency contains indicators that may be measured by means of metrics obtainable within the DevSecOps pipeline.

Check outcomes will be collected utilizing modeling and simulation runs or by means of varied ranges of testing inside the pipeline. If automated testing has been applied, checks will be run with each construct. With a number of pipelines, these outcomes will be aggregated to present determination makers perception into test-passage charges at totally different ranges of testing.

A second technique to measure technical efficiency is to ask customers for suggestions after dash demos and end-of-increment demos. Suggestions from these demos can present precious details about the system efficiency and its means to satisfy person wants and expectations.

A 3rd technique to measure technical efficiency is thru specialised testing within the pipeline. Stress testing that evaluates necessities for key efficiency parameters, resembling complete variety of customers, response time with most customers, and so forth, might help predict system functionality when deployed.

High quality

Poor-quality software program can have an effect on each efficiency and long-term upkeep of the software program. Along with performance, there are lots of high quality attributes to contemplate based mostly on the area and necessities of the software program. Extra efficiency components change into extra outstanding in a pipeline-of-pipelines surroundings. Interoperability, agility, modularity, and compliance with interface specs are a couple of of the obvious ones.

This system should be happy that the event makes use of efficient strategies, points are recognized and remediated, and the delivered product has ample high quality for not simply the first delivering pipeline however for all upstream pipelines as nicely. Earlier than completion, particular person tales should go by means of a DevSecOps toolchain that features a number of automated actions. As well as, the general workflow contains duties, design, and critiques that may be tracked and measured for your complete PoP.

Categorizing work gadgets is essential to account for, not just for work that builds options and functionality, but in addition work that’s typically thought of overhead or help. Mik Kersten makes use of characteristic, bug, danger merchandise, and technical debt. We’d add adaptation.

The work sort stability can present a number one measure of program well being. Every work merchandise is given a piece sort class, an estimated price, and an precise price. For the finished work gadgets, the portion of labor in every class will be in comparison with plans and baselines. Variance from the plan or surprising drift in one of many measures can point out an issue that ought to be investigated. For instance, a rise in bug work suggests high quality issues whereas a rise in technical-debt points can sign design or architectural deficiencies that aren’t addressed.

Usually, a DevSecOps surroundings contains a number of code-analysis purposes that robotically run each day or with each code commit. These analyzers output weaknesses that had been found. Timestamps from evaluation execution and code commits can be utilized to deduce the time delay that was launched to deal with the problems. Situation density, utilizing bodily dimension, purposeful dimension, or manufacturing effort can present a first-level evaluation of the general high quality of the code. Massive lead occasions for this stage point out a excessive price of high quality. A static scanner may establish points with design adjustments in cyclomatic or interface complexity and should predict technical debt. For a PoP, analyzing the upstream and downstream outcomes throughout pipelines can present perception as to how efficient high quality applications are on the ultimate product.

Automated builds help one other indicator of high quality. Construct points often contain inconsistent interfaces, out of date libraries, or different international inconsistencies. Lead time for builds and variety of failed builds point out high quality failures and should predict future high quality points. Through the use of the length of a zero-defect construct time as a baseline, the construct lead time gives a technique to measure the construct rework.

For PoPs, construct time following integration of upstream content material straight measures how nicely the person pipelines collaborated. Check capabilities inside the DevSecOps surroundings additionally present perception into total code high quality. Defects discovered throughout testing versus after deployment might help consider the general high quality of the code and the event and testing processes.


Dangers typically threaten price, schedule, efficiency, or high quality. The PM wants info to evaluate the likelihood and affect of the dangers if not managed and potential mitigations (together with the price of the mitigations and discount in danger consequence) for every potential plan of action. The dangers concerned in software program growth may result from inadequacy of the technical answer, supply-chain points, obsolescence, software program vulnerabilities, and points with the DevSecOps surroundings and total staffing.

Threat outcomes from uncertainty and contains potential threats to the product functionality and operational points resembling cyberattack, supply schedule, and price. This system should be certain that dangers have been recognized, quantified, and, as acceptable, tracked till mitigated. For the needs of the PM, danger exposures and mitigations ought to be quantified by way of price, schedule, and technical efficiency.

Threat mitigations must also be prioritized, included among the many work gadgets, and scheduled. Effort utilized to burning down danger is just not obtainable for growth, so danger burndown should be explicitly deliberate and tracked. The PM ought to monitor the chance burndown and price ratios of danger to the general interval prices. Two separate burndowns ought to be monitored: the fee and the worth (publicity). The price assures that danger mitigations have been adequately funded and executed. The worth burndown signifies precise discount in danger degree.

Improvement groups might assign particular dangers to capabilities or options. Improvement-team dangers are often mentioned throughout increment planning. Threat mitigations added to the work gadgets ought to be recognized as danger and the totals ought to be included in reviews to the PM.

Different Areas of Concern to the Program Supervisor

Along with the standard PM tasks of creating choices associated to price, schedule, efficiency, and danger, the PM should additionally think about extra contributing components when making program choices, particularly with respect to software program growth. Every of those components can have an effect on price, schedule, and efficiency.

  • Group/staffing—PMs want to grasp the group/staffing for each their very own program administration workplace (PMO) group and the contractor’s group (together with any subcontractors or authorities personnel on these groups). Acquiring this understanding is very essential in an Agile or Lean growth. The PMO and customers want to offer subject-matter consultants to the creating group to make sure that the event is assembly the customers’ wants and expectations. Customers can embrace operators, maintainers, trainers, and others. The PMO additionally must contain acceptable workers with particular expertise in Agile occasions and to evaluate the artifacts developed.
  • Processes—For multi-pipeline applications, course of inconsistencies (e.g., definition of performed) and variations within the contents of software program deliverables can create large integration points. It will be significant for a PM to make sure that PMO, contractor, and provider processes are outlined and repeatably executed. In single pipelines, all program companions should perceive the processes and practices of the upstream and downstream DevSecOps actions, together with coding practices and requirements and the pipeline tooling environments. For multi-pipeline applications, course of inconsistencies and variations within the contents of software program deliverables can create large integration points, with each price and schedule impacts.
  • Stability—Along with monitoring metrics for gadgets like staffing, price, schedule, and high quality, a PM additionally must know if these areas are steady. Even when some metrics are optimistic (for instance, this system is beneath price), tendencies or volatility can level to potential points sooner or later if there are broad swings within the information that aren’t defined by program circumstances. As well as, stability in necessities and long-term characteristic prioritization is also essential to trace. Whereas agility encourages adjustments in priorities, the PM wants to grasp the prices and dangers incurred. Furthermore, the Agile precept to fail quick can improve the speed of studying the software program’s strengths and weaknesses. These are a traditional a part of Agile growth, however the total stability of the Agile course of should be understood by the PM.
  • Documentation—The DoD requirement for documentation of acquisition applications creates a PM problem to stability the Agile follow of avoiding non-value-added documentation. You will need to seize essential design, structure, coding, integration, and testing information in a way that’s helpful to engineering workers chargeable for software program sustainment whereas additionally assembly DoD documentation necessities.

Creating Dashboards from Pipelines to Determine Dangers

Though the quantity of knowledge obtainable from a number of pipelines can get overwhelming, there are instruments obtainable to be used inside pipelines that can mixture information and create a dashboard of the obtainable metrics. Pipelines can generate a number of totally different dashboards to be used by builders, testers, and PMs. The important thing to creating a helpful dashboard is to pick out acceptable metrics to make choices, tailor-made to the wants of the particular program at varied occasions throughout the lifecycle. The dashboard ought to change to focus on metrics associated to these altering sides of program wants.

It takes effort and time to find out what dangers will drive choices and what metrics might inform these choices. With instrumented DevSecOps pipelines, these metrics are extra available, and lots of will be supplied in actual time with out the necessity to look ahead to a month-to-month metrics report. Instrumentation might help the PM to make choices based mostly on well timed information, particularly in massive, advanced applications with a number of pipelines.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles