CI/CD Archives - SD Times
https://sdtimes.com/tag/cicd/

Harness announces plans to acquire feature management company Split Software
https://sdtimes.com/cicd/harness-announces-plans-to-acquire-feature-management-company-split-software/
Wed, 29 May 2024 16:28:28 +0000

The CI/CD platform provider Harness has announced its plans to acquire the feature management company Split Software.

By incorporating Split Software’s capabilities into its platform, Harness will be able to offer a software release platform where developers can not only release software, but run A/B tests and measure adoption of specific features. 

With the acquisition, Harness said it will deliver a feature management solution that combines core feature flagging capabilities, experimentation, feature flag workflows, governance, and the ability to manage/archive stale feature flags. All of these capabilities will be integrated into the Harness Software Delivery platform to help customers build, deploy, and release software while running A/B tests to experiment and measure feature adoption, the company told SD Times.

Yet for all the advantages of feature experimentation, it has remained widely under-discussed and under-utilized in the software industry. “It’s an overlooked competitive advantage among companies looking to experiment often and iterate quickly,” said Jyoti Bansal, co-founder and CEO of Harness. “Based on how fast digital-native players are innovating, I believe feature experimentation will soon be table stakes in the standard developer lifecycle as customers become more vocal about having their feedback and needs quickly incorporated.”

Bansal noted that one thing that has held this technology back from being more widespread is that it has historically been available only in point solutions that are not integrated deeply into the developer tool stack. “This is what makes our acquisition and integration with Split so unique—we’re unlocking a seamless, end-to-end experience for developers to work solely from a single platform,” Bansal said.

Bansal called Split “the obvious choice for us as an established feature management platform… The market demand for a solution that’s integrated directly into the Software Development Lifecycle is massive. The timing couldn’t be better for our two companies to come together to deliver tremendous value for our customers.”

Brian Bell, CEO of Split, added: “The moment of feature release is a critical touchpoint between the developer and user. Our mission at Split has been to give development teams the confidence to accelerate with control and the freedom to innovate with ease. To further this mission, I couldn’t think of a better partner than Harness. Harness is automating and integrating every stage of software development. Together, we will have the most comprehensive software delivery platform on the market.”

Harness indicated that Split will be rolled into the Harness brand once it is fully integrated into the company’s platform. Financial terms of the transaction were not disclosed.

— With David Rubinstein

CircleCI enables automated rollbacks in latest offering: CircleCI releases
https://sdtimes.com/cicd/circleci-enables-automated-rollbacks-in-latest-offering-circleci-releases/
Thu, 14 Mar 2024 20:10:28 +0000

CircleCI just announced a new feature that will allow developers to automate their release orchestration processes from within the CircleCI UI. 

According to the company, the main benefit of this new CircleCI releases feature is that it can give developers greater confidence in their releases and reduce mean-time-to-recovery for issues. 

Key capabilities that will come with CircleCI releases include the ability to connect CI/CD with customer experiences, automated rollbacks, real-time service validation, and performance degradation prevention.

The releases dashboard shows a timeline of releases for all components (with details on each), a list of release environments, and a list of components and their associated projects. 

“If you look at every other deploy and release vendor on the market, they’re built to service centralized release and operations teams who want tighter control over deploys,” said Rob Zuber, CTO of CircleCI. “But this doesn’t reflect the reality of elite software teams who depend on developers to drive and deliver fast innovation. Our approach to CircleCI releases provides a developer-centric workflow that enables them to ship faster and monitor new features in production coupled with the safety net of quickly rolling back releases if something goes wrong.”

This feature is now available for all CircleCI customers at no additional cost. It currently supports Kubernetes, Amazon SageMaker, and Argo Rollouts. 

The company also plans to add support for Blue-Green deployments later this year.

Codefresh releases new dashboard that provides more details on software development life cycle
https://sdtimes.com/softwaredev/codefresh-releases-new-dashboard-that-provides-more-details-on-software-development-life-cycle/
Mon, 30 Oct 2023 18:00:00 +0000

Codefresh is hoping to make it easier for development teams to manage applications throughout the software development life cycle with its latest update.

It is introducing a new environments dashboard to pull in information about GitOps and Argo CD projects. Codefresh defines an environment as a cluster of applications, namespaces in a single cluster, or namespaces in different clusters.

During a webinar demoing the new feature today, Kostis Kapelonis, senior developer advocate at Codefresh, explained that some of the negatives of using Argo CD alone are that it doesn’t have a concept of environments and doesn’t have context of applications, such as the fact that applications may be a part of a larger product.

This new dashboard provides a single-screen experience that shows environments from left to right, from development to testing to production. It offers developers the ability to define what applications a product contains and to assign products to an environment. 

Codefresh explained that having a single-screen environment means that developers won’t have to switch between multiple windows for the terminal, GitHub, and an IDE when managing environments or pushing applications to production. 

According to Kapelonis, the new environment manager also helps project managers better understand which features are in which environments. 

In addition to providing a high-level view of deployments, the dashboard lets developers drill down deeper into specific applications with a timeline view that shows how applications have advanced through different environments, Kapelonis explained.

“As businesses and DevOps teams grow, Argo CD instances split, and microservices multiply, managing the lifecycle of each application across environments becomes complex and arduous,” said Dan Garfield, co-founder and chief open-source officer at Codefresh. “The new Codefresh capabilities instill clarity and GitOps governance across hundreds of applications deploying to thousands of locations – with a unified, intuitive single-screen experience.”

OpsMx’ Deployment Firewall moves security into CI/CD pipeline
https://sdtimes.com/security/opsmx-deployment-firewall-moves-security-into-ci-cd-pipeline/
Mon, 23 Oct 2023 21:02:21 +0000

OpsMx has unveiled a new approach to application security with the launch of its Deployment Firewall. This firewall integrates into CI/CD pipelines and enforces application security policies when applications are deployed, blocking releases if there is a vulnerability or security issue. 

According to OpsMx, recent application security efforts across the industry have been focusing on the application development process. While the company acknowledges this is an important part of application security, it can be difficult to then enforce security policies because responsibilities are spread between distributed development teams with differing toolsets and operating models. 

“A deployment firewall gives organizations a simpler, more effective way to enforce their own software delivery process,” said Gopal Dommety, CEO and founder of OpsMx. “Organizations know what they need to do for application security and release compliance, but are too often stuck with siloed data and scattered teams operating on an honor system. The deployment firewall combines rich data sets and good intentions to make security policies actionable.”

With the release of Deployment Firewall, companies now have a firewall that can evaluate an application against a range of policies and block its release if it doesn’t meet all the requirements. Qualifications it uses to determine if a release should go through include manifest files, vulnerability scans, artifact integrity, infrastructure readiness, release quality and performance, and operational controls.

OpsMx provides a set of firewall rules, and these can be extended or customized by customers.

These rules can also be used to check compliance with popular frameworks, including NIST 800, PCI, and HIPAA. 

The tool also provides the option to simulate deployments before they are ready to be deployed, which allows applications to be checked for compliance ahead of time. 

Deployment Firewall is a part of the OpsMx Deploy Shield product, and can be added to existing Jenkins, Argo, and Spinnaker implementations. The company also plans to add support for GitHub Actions and GitLab in the future.  

Copado Launches the Copado 1 Platform, the First Turnkey End-to-End DevOps Solution for Enterprise SaaS
https://sdtimes.com/devops/copado-launches-the-copado-1-platform-the-first-turnkey-end-to-end-devops-solution-for-enterprise-saas/
Tue, 12 Sep 2023 14:06:33 +0000

CHICAGO, Sept. 12, 2023 /PRNewswire/ — Copado, a leader in low-code DevOps, today launched the Copado 1 platform, the only turnkey end-to-end DevOps solution for Salesforce. Copado 1 unifies the entire software development lifecycle on Salesforce, including AI-enabled testing, into a single platform. Packed with DevOps best practices, the ready-to-use Copado 1 platform enables customers to accelerate DevOps maturity and time-to-value for their Salesforce deployments, getting new capabilities into the hands of business users faster.

Copado 1 enables DevOps teams to automate, extend and customize their DevOps processes by offering CI/CD, data deployments, monitoring, agile planning, testing, compliance and omnipresent AI right out of the box. It delivers a comprehensive set of features that streamline development and testing across various Salesforce Clouds including MuleSoft and Heroku. The Copado 1 platform coupled with Copado’s API-first architecture and the Copado DevOps Exchange makes it one of the most extensible DevOps platforms for Salesforce.

Low-code admins and full stack developers can collaborate effectively across pipelines with Copado 1, while leveraging automation and best practices to improve speed and quality. As a result, organizations can:

  • automate manual work, increasing productivity by 20%
  • leverage integrated and intelligent testing to reduce bugs by 3x
  • consolidate all SDLC workstreams for 20% faster development

“The quality assurance transformation journey we’ve had with Copado has decreased our amount of manual work and increased the pace of releases,” said Juha Vaitilo, CSO & Quality Assurance and Testing Practice Lead for Sogeti. “To achieve these results, we built processes across all development lifecycles with the Copado 1 platform.”

Additionally, Copado 1 provides access to the Copado AI Companion, the only AI DevOps assistant for Salesforce that optimizes user story planning, deployment pipelines, robotic test automation and other platform features. Across every stage of the software delivery lifecycle the Copado 1 platform leverages the power of generative AI to help teams develop with speed and deliver with confidence.

Business analysts, developers, administrators, QA engineers and others can use Copado 1 to:

  • increase visibility through version control and agile planning
  • improve quality with automated testing, compliance and security
  • release faster with automated CI/CD
  • boost innovation and measurable business impact through value stream mapping, analytics and collaboration
  • strengthen resilience from advanced learning, AI and self-healing capabilities

“Customers come to Copado to make development less painful, with reduced risk and higher quality,” said Ted Elliott, Chief Executive Officer at Copado. “By realizing increased DevOps maturity, companies find more business value. That’s why Copado 1 is such a game changer – it gives our customers the ability to execute to the best of their abilities. The combination of our award-winning DevOps platform, proven best practices and AI-enabled knowledge base is accelerating time to value – and getting us one big leap closer to realizing the promise of everyone going home for dinner on release days.”

Copado 1 is designed to meet the needs of customers of all sizes. In addition to the primary Copado 1 offering which includes access to the platform’s full breadth of capabilities, Copado Express will offer access to the core DevOps functionality. All features are built on the end-to-end Copado 1 platform which allows customers to easily grow and scale with Copado.

Copado will be at Dreamforce 2023 as a groundbreaker sponsor in booth 1300 with custom demos in the Trailblazer Forest, an expert panel with Salesforce on AI, theater sessions with customers enGenFOX and S&P Global, DevOps Exchange demos, Copado Community activities and more.

Salesforce, Dreamforce, Heroku, MuleSoft and others are among the trademarks of Salesforce, Inc.

Palo Alto Networks announces CI/CD security features
https://sdtimes.com/security/palo-alto-networks-announces-ci-cd-security-features/
Mon, 31 Jul 2023 15:53:48 +0000

Palo Alto Networks unveiled its CI/CD Security module which aims to offer comprehensive software delivery pipeline security integrated into code-to-cloud capabilities within Prisma Cloud’s CNAPP platform. 

Prisma Cloud focuses on safeguarding the CI/CD environment and effectively shielding against potential open-source vulnerabilities using software composition analysis, according to the company in a blog post.

“A major challenge in securing CI/CD pipelines is visibility. The myriad of third-party tools and applications running in development environments makes it almost impossible for security teams to determine if they are correctly configured,” said Ankur Shah, senior vice president of Prisma Cloud at Palo Alto Networks. “The integration of Cider’s capabilities secures the CI/CD environment and gives Prisma Cloud customers the ability to analyze individual tools, visualize how they interact with applications and each other, and identify and remediate risks.”

The CI/CD Security module empowers collaboration between DevOps and security teams, leading to enhanced security outcomes throughout the application life cycle, the company explained. 

When integrated into the existing Prisma Cloud platform, which comprises features such as Secrets Scanning, Software Composition Analysis, and Infrastructure as Code Security, it allows organizations to bolster security and risk prevention across the entire software delivery pipeline. 

According to Palo Alto Networks, this integration facilitates a comprehensive and holistic security approach that surpasses the capabilities of individual, isolated solutions.

GitHub merge queue now available
https://sdtimes.com/softwaredev/github-merge-queue-now-available/
Thu, 13 Jul 2023 17:27:36 +0000

GitHub’s merge queue aims to end congestion on a team’s most active branches. According to the company, by enabling merge queue, the need to hurry and merge pull requests before others do is no longer a concern.

This feature is now generally available and is accessible to any team that is part of a managed organization with public repositories and GitHub Enterprise Cloud users. They can activate this feature on their respective repositories and start streamlining their team’s pull requests immediately. 

The merge queue is specifically designed for high-performance teams in which multiple users regularly commit to a single branch. According to GitHub, before the introduction of the merge queue, engineers had to try merging directly onto an already active branch, potentially leading to code conflicts and a repetitive cycle of rework.

GitHub’s merge queue eliminates that possibility by creating a temporary branch that includes the latest changes from the base branch, the changes from other pull requests already in the queue, and the changes from your pull request. 

Once this is done, continuous integration begins, with the understanding that all required status checks must pass before the branch, representing the associated pull requests, is merged. In essence, the merge queue acts as the ultimate branch traffic controller, GitHub explained. 

Are CI/CD pipelines bursting at the seams?
https://sdtimes.com/software-development/are-ci-cd-pipelines-bursting-at-the-seams/
Mon, 15 May 2023 20:10:52 +0000

In the last few years, the CI/CD pipeline has undergone an evolution. As more development processes are shifted left, and additional tasks get pushed into the pipeline, the limits of how much it can handle have been tested. 

With the need to continuously integrate that comes along with modern application development, the pipeline has had to expand in order to account for tasks like low-code development, security, and testing while teams are still trying to prioritize the acceleration of releases. 

How it was vs. how it is

“Early CI/CD was really about how you build and package an application, and then the CD portion came in and it became how you get this application out to a place,” said Cody De Arkland, director of developer relations at the feature management platform provider LaunchDarkly. “But now in the modern world you have all of these declarative platforms like Kubernetes and other cloud native things where we’re not just dropping a set of files onto a server anymore, we’re going through and building this self-contained application stack.”

He explained that although the addition of declarative platforms and the repeatable process offered by the cloud has, overall, made CI/CD more simple, teams have also had to manage added complexities because developers now must be sure that the application or feature they have built also has all of the necessary aspects for it to run. 

To account for the potential for heightened complications, De Arkland said that CI/CD tools have greatly matured, particularly in the past four years.

“A lot of these concepts have become much more first class… As the space has evolved and UX has become more important and people have become more comfortable with these concepts… a lot of the sharp edges are being rounded out and CI/CD tooling has gotten to a place where so much of this is so much easier to implement,” he said. 

According to Andrew Davis, senior director of methodology at the DevOps platform company Copado, another one of the ways that CI/CD practices have evolved is in the way that developers are spending their time.

He explained that one of the key demands of modern development is for teams to respond to the need for bug fixes or incremental updates incredibly quickly so that end users experience minimal negative effects.

“There’s an expectation to use the developer’s time in the most efficient way possible, so continuous integration puts a lot of energy into making sure that developers are all staying in sync with each other,” Davis said.

He went on to say that with the increased prevalence of CI/CD, there has been a spike in the need for developers to hone specialized skills and techniques to address the entirety of modern application development needs.

These skills include things like new options for building infrastructure in the cloud and managing it in the CI/CD pipeline, and managing the development process for low-code applications and SaaS platforms. 

Cloud native CI/CD

Despite the need to master new skills, De Arkland said that the move to cloud native has made organizations’ ability to adopt newer CI/CD processes much simpler due to the repeatable nature of the cloud. 

He said that with the cloud, templated configurations are usually default, and when you can apply these configurations through a template, it becomes an artifact that exists next to the application code, making it much easier to replicate. 

“It’s less about cloud itself making it easier – and more that when you do it in cloud, you get to lean on the same ‘declarative’ approaches that many other platforms align with… CTOs and CIOs are a great example, they understand the ground floor concepts of the container, but they don’t understand the deeper underpinnings,” he said. “When you have predictability, that makes enterprises a little bit less scared to adopt these things.”

He explained that while cloud native CI/CD processes still require the implementation of certain crucial checks, the removal of the unknown variables equips organizations with a new sense of confidence in their processes and, therefore, the product they are delivering to end users.

However, despite the numerous benefits, cloud native CI/CD also comes with heightened risks, according to David DeSanto, chief product officer at GitLab. This is because organizations may move into the cloud without realizing that the public nature of the cloud could expose their intellectual property or their artifacts. He cited an example of this happening a few years ago, when a security company was inadvertently releasing early versions of its products because they didn’t realize that the package was public on the internet. 

Stretching the pipeline 

Furthermore, CI/CD processes have had to mature in order to accommodate the needs of shifting left, which has put some strain on the pipeline.

DeSanto explained that as more advanced capabilities have been added into the pipeline, not only has the pipeline itself had to evolve, but the capabilities too.

“If you take a traditional application security scanner and you put it in a CI/CD pipeline, it could make the pipeline take hours, if not days or a week to complete,” DeSanto said. “And obviously, if your goal is to reduce time to market, you can’t have your pipeline taking longer than you have to push out whatever change you’re looking to do.”

He expanded on this, saying that security and testing companies looking to be accepted into the CI/CD space have had to reevaluate their tooling so that these features can be introduced into the pipeline without irreparably impacting efficiency. 

Copado’s Davis went on to say that although testing has always been a part of the pipeline in one way or another, now developers are being tasked with examining their tests and determining where in the process certain tests should be run in order to maintain quality and efficiency.

“The expectation is that you have a full battery of tests, so that means that you have to begin to triage your tests in terms of which can run quickly and up front versus which are the more comprehensive tests [to run later],” said Davis.

To make this choice, Davis explained that developers must assess different aspects of the tests. The first is the risk associated with each test. He said that areas that directly impact revenue or cause the most damage to end users are where the priority should be placed.

Next, he said that the order of tests should be determined based on the relevance to the area of the application that is being changed. 

“And the way that would work is if the developer is making a change in a particular aspect of the code base, you can identify which tests are relevant to that and which ones are fast to run,” Davis said. “Then you run…the tests that are most likely to detect an error in the development and the ones that run quickly, immediately to get very fast feedback and then changes can be made immediately.” 

He also went on to explain that he believes the shifting left of security processes and the security controls that have been embedded into the pipeline as a result are both wholly positive changes. 

LaunchDarkly’s De Arkland also touched on this, saying that in the past, security had been viewed as something adjacent to the pipeline rather than something that is inherent to it.

He explained that as the concept of DevSecOps has become a more first-class conversation, the CI/CD space has become cognizant of these concepts as well. 

De Arkland said that the conversation around which stage of the pipeline should interface with security tooling and how organizations can update communication rules to take the way a container or platform is operating into account have been major talking points around the integration of security into the pipeline.

“Whereas CI/CD used to be just about building software and dropping it on a place, it is really now becoming all of these adjacent tasks that have also lived alongside of it,” he said.

Platform engineering is helpful, but not the death of DevOps

Cody De Arkland, director of developer relations at LaunchDarkly, also spoke about platform engineering, and how its emergence has changed CI/CD processes.

He explained that, particularly in terms of the different interaction points between systems, platform engineering teams can help when it comes to applications that span several different areas inside of an organization.

“As we have applications spanning things like security and run time and build time and doing software releasing as opposed to just CI/CD builds, you need to be able to respond to that across all of these domains,” he said. “I think platform engineers are really the ones who are going to help stitch that all together… and really understand the context of managing all those things across.”

David DeSanto, chief product officer at GitLab, added that platform engineering plays an enormous role in an organization’s approach to a multi-cloud or multi-platform strategy because it allows for the creation of a unified platform that is agnostic to the cloud platform.

He explained that this gives organizations flexibility, transparency, and the ability to follow regulatory compliances more easily.

“There is a lot of movement in Fintech and financial regulations that they cannot be single cloud, and without a good platform engineering strategy that could mean that you’re building two completely separate CI/CD pipelines,” DeSanto said.

Andrew Davis, senior director of methodology at Copado, did, however, stress that the claim that DevOps has died and platform engineering is its successor is a bit of an overstatement.

He said that platform engineering can make it simpler for organizations to adopt CI/CD processes and spin up pipelines that include whatever quality and compliance controls are necessary, but its purpose is not to replace DevOps as a whole. 

“I would tend to think of CI/CD as one of the critical capabilities offered by development platforms and platform engineering,” Davis said. “So the platform engineering team makes sure that if a new team is spinning up, they can easily create their own CI/CD pipeline, and they can automate the process of plugging into a company’s security controls.”

He said that treating these different development tools as products that the company is investing in has the potential to reduce the burden placed on the individual developer to figure these things out for themselves.

Speeding up delivery 

Davis also said that while well-done security controls can initially slow processes down as team members get the hang of things, including them in the CI/CD pipeline allows developers to get feedback on code more quickly, thereby accelerating the remediation of issues.

Even with this, though, the addition of all of these extra tasks may lead to organizations struggling to accelerate the delivery of their products due to unforeseen bottlenecks arising in the pipeline.

Davis said that the tension between the desire to deliver more quickly and the need to be thorough with all of the necessary security checks and tests has become increasingly prevalent as the pipeline has matured.

“It is effectively impossible to prevent all risks, and so you need to understand that each of those compliance controls is there to reduce risk, but they come at a cost,” he explained. “You have to balance that goal of risk reduction with the cost of speed, and as a result, the cost to innovation.”

The most secure option is oftentimes not the one that can deliver the most speed, and so striking that balance where both sides can be satisfied is key to a successful CI/CD pipeline.

DeSanto then explained that organizations need to approach CI/CD in a way that prioritizes balancing the overall risk against the reward. This means that companies need to be able to determine if it is too risky to run a certain test or scan on the feature branch or the developer’s branch, and if it is, these should only be run as the changes are merged in.

He continued, saying that finding the right tools makes a world of difference when it comes to pipeline evolution. “You may have a security scanner or a load testing tool or a unit testing tool that maybe is not meant for the way you’re now operating, and it could be as simple as swapping out that tool,” DeSanto said.

De Arkland also believes that as artificial intelligence technology continues to advance, more organizations may start turning to AI tools to find this balance, and make it sustainable. He said that while it is not fully here today, he can see a future where someone tells a system the desired steps to execute and the AI delivers an asset that represents that pipeline. 

“A good example of this is building APIs using OpenAI’s AI engine. You don’t write the API calls, you just give it the intentions,” De Arkland explained. “Then, it gives you back a spec that you would implement in your application… so I think we’re close to a time when pipelines are treated the same way.”

This isn’t to say that AI would be replacing the need for human developers in this process; rather, it could work in conjunction with them to work towards optimal delivery time.

DeSanto also said that with generative AI becoming more commonplace, some organizations have already found a place for it in their pipelines. He noted that AI is already being used to automate the process of getting a pipeline configuration created, identifying where configuration mistakes may lie, and analyzing logs to seek out certain patterns. 

He also stated that AI has great potential to change the DevSecOps space, as it can be applied to observability tools and make it so organizations can sniff out an issue much earlier in their processes. 

The post Are CI/CD pipelines bursting at the seams? appeared first on SD Times.

GrammaTech and ArmorCode partner to deliver vulnerability management orchestration https://sdtimes.com/security/grammatech-and-armorcode-partner-to-deliver-vulnerability-management-orchestration/ Mon, 24 Apr 2023 20:18:01 +0000 https://sdtimes.com/?p=50990

The post GrammaTech and ArmorCode partner to deliver vulnerability management orchestration appeared first on SD Times.

Application security testing company GrammaTech and AppSecOps company ArmorCode have announced a technology integration partnership aimed at helping users automate product security across development, testing, feedback, and deployment.

With the GrammaTech CodeSonar static application security testing (SAST) platform, ArmorCode users gain improved safety and security vulnerability intelligence for integrating application security capabilities into CI/CD pipelines.

“Unifying application security tools and intelligence to orchestrate operations across developer pipelines is central to preventing safety and security vulnerabilities from reaching market ready products,” said Katie Norton, senior research analyst of DevOps and DevSecOps at IDC. “Together, GrammaTech CodeSonar and ArmorCode can enable customers to automate end-to-end DevSecOps workflows instead of stitching together often siloed processes.”

According to the companies, this integration provides users with a centralized, 360-degree view of vulnerabilities in the CI/CD pipeline and orders them by priority level for remediation.

This is intended to help companies apply DevSecOps practices across physically distributed development environments and comply with standards-based coding practices such as MISRA for automotive products.

Furthermore, ArmorCode’s AppSecOps platform works to unify vulnerability management to cut back on response time for detection and remediation and on disruption of the software release cycle.

“As organizations across industries adopt DevSecOps to accelerate the delivery of software, the number of security vulnerabilities has increased exponentially. Furthermore, the security teams responsible for protecting the business are struggling to manage the risk and to keep pace with the speed of delivery,” said Mark Lambert, chief product officer at ArmorCode. “This integration between GrammaTech CodeSonar and ArmorCode delivers the visibility and workflow automation these teams need to ship secure software and ship it fast.”

Harness announces new Jira integrations https://sdtimes.com/cicd/harness-announces-new-jira-integrations/ Tue, 18 Apr 2023 18:29:06 +0000 https://sdtimes.com/?p=50943

The post Harness announces new Jira integrations appeared first on SD Times.

The software delivery platform provider Harness today announced the release of the Harness Continuous Integration (CI) module and Harness Feature Flags, which give customers visibility into feature development and release information with Jira Software.

“Integrating Harness and Jira Software through Harness CI and Feature Flags provides users what they need most today: a consolidated view of issues across different environments in the development lifecycle,” said Richard O’Connell, head of partner growth at Atlassian. “From the creation of a Jira ticket to the deployment in different environments, all users – from project managers to non-technical users – are able to understand and digest the latest deployment information, without the need to navigate to another tool.”

Harness CI dramatically reduces pipeline execution time by automatically caching well-known directories for Java & Node.js. It is also available in hybrid and fully self-managed offerings for organizations with highly specific regulatory and implementation requirements.

The solution is built on Drone, an open-source continuous integration solution, and it uses containers to drop pre-configured steps into pipelines to add popular plugins or custom ones.

Harness Feature Flags simplifies release management and workflows while creating visibility into how changes are being rolled out to customers, all within Jira. Users can see which feature flag controls a change, whether the change has been released to users, and what percentage of users are getting access to it.

The new integrations are now available in the Atlassian Marketplace. 
