Are you underutilizing DevSecOps and SRE to make modernization decisions?

DevSecOps encompasses the full circle of application life-cycle management, starting from business planning, development, continuous integration, continuous delivery, monitoring, receiving feedback, and optimizing based on the learnings. Many organizations have started on the DevSecOps journey and are at different levels of maturity in various capabilities. Site reliability engineering (SRE), which has also gained popularity, provides prescriptive guidance on accomplishing DevSecOps practices.

One of the key ways to measure the success of DevSecOps and SRE is by measuring key performance indicators (KPIs) and service level indicators (SLIs). It is crucial to define KPIs and SLIs, and to measure and monitor them continuously using tools and automation.

As organizations adopt DevSecOps and SRE, a large amount of telemetry data is now available. These data points and the derived insights can play a crucial role in defining the approach and roadmap for IT portfolio modernization.

Now let’s look at some of the key insights derived from DevSecOps and SRE telemetry.

At the business planning step, the frequency and quantity of demand-for-change and the actual velocity and burn down of teams are measured. This information helps teams determine whether the IT and business teams can deliver the outcomes at the desired pace.

At the development and testing steps, the continuous integration and testing activities yield information about quality, agility, resilience, the elegance of the code, the frequency of builds, the time builds take, and the success/failure of builds. A variety of practices like static code analysis and testing (unit, integration, functional, performance, chaos), and related tools, are used. This information provides insight into the overall quality of the application, the readiness of the application to exploit cloud and other emerging technologies, and the remediation/refactoring needed.

At the provisioning and deployment step, teams gather information regarding the number and frequency of environment provisioning and deployments, the time taken, and the success/failure rates of provisioning and deployment.

As part of monitoring, teams monitor the infrastructure, platform, middleware, and application layers and their logs. Incident and service ticket information is also available. This information provides valuable insights on how to improve resiliency and time to market, reduce technical debt, optimize cost, and improve the user experience for the application. These insights help to identify opportunities for automated remediation and AI-based ops.

Teams also analyze information regarding the usage of the application (e.g., usage of different features of the application), what’s going on when there is a crash, which screens are used more by the users, and how successful the trial launches are.

Security is an integral part of the end-to-end life cycle. Insights from security code scans, vulnerability assessments, and security testing help identify the security-related enhancements needed for the application.

These insights help the application teams to identify the opportunities to modernize the application. Modernization involves multiple approaches, and the insights help to determine which modernization approach is best suited based on value vs. effort analysis.

The teams may not have all the information I mentioned above, in which case maturing the adoption of DevSecOps and SRE practices in the application or interviewing application experts are potentially good points to start.

If team velocity is a challenge, potential approaches include CI, CD, modularizing the application so that each module can be built and deployed independently (e.g., as microservices), and removing redundant functions and data.

If the code quality is poor, improving the readability of the code, improving error handling, and reducing the complexity are potential approaches.

If there are too many deployment issues, focusing on environment parity, having a repeatable deployment process, and reducing manual intervention are potential approaches.

Log files and monitoring information provide insights on the run-time behavior of the application and help to identify the areas that need to be improved; approaches include improved error handling, retries, and opportunities for automated remediation. This information also helps to validate the hypothesis and adjust the direction accordingly.

If there are vulnerabilities, performance issues, resource utilization issues, or support issues, upgrading to a newer version of the stack or adopting open-source software are potential approaches.

If there are resource utilization issues, time to market issues, scalability issues, or developer and tester productivity issues, containerization is a potential approach.

I have shared a few examples of insights from DevSecOps and SRE and of using them to define potential approaches for modernization. What are your thoughts on using DevSecOps and SRE data to identify modernization approaches and prioritize them? How far are you through this journey?

Nice food for thought. Thanks Divakar.
