‘You still have quite a bit of control coming from operations’: CloudBees CEO about DevSecOps and a pinch of AI in its future

CI/CD tooling provider CloudBees has kicked off its yearly user extravaganza, DevOps World, by priming users for what’s to come before the end of the year, including infusing its projects with a bit of good old DevSecOps. CloudBees CEO Sacha Labourey sat down with DevClass before the event to shed some light upon the latest goings-on.

For those who aren’t totally up to speed with CloudBees’ current portfolio, the company has re-grouped its products under the categories software delivery automation (SDA) and software delivery management (SDM). SDA is the umbrella for CloudBees CI, which is based on the company’s flagship, automation server Jenkins, and CloudBees CD, building upon 2019 acquisition Electric Flow, along with some tools for feature flag management and build acceleration. 

Though they are still listed as separate products, Labourey sees SDA as a sort of unification of CloudBees CI and CD. “They each have their own slightly different audience and objectives,” Labourey told DevClass, “and so now we’re merging the two.” 

“A lot of [..] organisations might start from CI, but then they would go on to CD or sometimes it’s actually the other way around, it’s more that ops wants to get more velocity, like automating things, but then they’re gonna go and expand that to CI. By providing one package that has the same data model that shares everything, we get to install it one time [..] –  those are typically enterprise environments where there is quite a bit to configure in terms of security[..] and networking and storage. So we do it once and then we get to enable the full portfolio from that initial usage.”

When and if they end up in a single product remains to be seen, but until then CloudBees is busy improving on aspects such as security – a topic currently leaping to the forefront of DevOps teams’ consciousness. In fact the company used DevOps World to present users with some new capabilities that ride atop the DevSecOps wave.

Amongst other things CloudBees went through a DoD certification for CloudBees CI to make sure the product meets governmental security standards, and worked on integrations for security automation applications such as Snyk or Sonatype. “We’ve also increased the feature set when it comes to role-based access control, to be a lot more fine grained.” Explaining why this tends to pop up in DevOps products all over the map, Labourey says that for most organisations “it’s almost Dev pause Ops”.

“So you still have quite a bit of control coming from operations. And so being able to be very fine-grained in how you define those access rights, we can do what is very important to give the trust in those organizations to adopt DevOps in a coordinated fashion.” CloudBees also extended the capabilities to audit pipelines present in CloudBees CD (CCD) to CI “so you get to know exactly who has initiated what pipeline, when it did he run, and what did it do”. The same is true for the backup, restore, and recovery functionalities which are used in CCD and have now landed in CloudBees CI.

SDM is still a fairly new addition to the CloudBees portfolio and will see the release of its first two modules in Q4 of 2020. “We see software delivery as two layers,” Labourey told us. “The bottom layer is kind of the factory where CI/CD takes place, so that is software delivery automation, and then how you manage this factory is software delivery management.” 

Having something like this also plays to some desire for control in a world changed by automation. “What you used to control very well now is kind of chaotic because you have lots of changes left and right. And so what we do is what we suck as much information as possible from a lot of different tools – not CloudBees tools necessarily. And we put that into that data model.” 

The similarity to other services doesn’t escape Labourey, who described SDM as “sharing a lot with Salesforce”. 

On top of the data available, modules with specific objectives are built, the first two of which are meant to focus on developer productivity and feature management. Engineering productivity is said to measure and normalise (for better comparability) the time a developer spends on what, and while this might sound intimidating to some, Labourey sees it more from a helpful angle that could also alleviate some problems. “It’s not so much are you doing your job well or not, but are we spending a lot of time in an interrupt, or fixing urgent issues or things like that, and can we optimise the flow and so on.”

The feature management feature is based on another CloudBees acquisition called Rollout, which is the reason feature flag capabilities make an appearance in the company’s products now. “Feature management essentially raises this to the next level,” Labourey told DevClass. “It really makes it into a tool for the product owners to make sure they can group a number of those triggers and decide when they want to enable it to whom and then also analyse some of the signals back to see whether that’s being successful or not.”

Looking forward, SDM could become even more Salesforce-y with custom reports and implementations that extend and connect different data models. But that’s not all. “We’ve also started experimenting with AI. It’s pretty interesting to analyze the pull request and the comments. You can get the sentiment of different teams and see if a sentiment is trending positively or negatively.” 

This can help a manager focus their attention and jump in before someone decides to leave the ship. Analysing JIRA instances and tasks could help in a similar way, making it easier to decide if something can be closed or not.

“Also since it’s available as software as a service we’re also thinking about potentially in the future creating average data, essentially baseline data from all times. So you can see how you compare against similar organisations and whether you’re good or maybe less good than others. So you can compare yourself in an anonymous fashion.” 

Gamification of DevOps, anyone?