Last week, in How to Diagnose Poor Software & Data Dependency Management, we laid out the telltale symptoms of ineffective, insufficient and/or incomplete software and database dependency management. After looking at a number of scenarios including PCI DSS compliance, Shadow IT governance, and ServiceNow upgrades, we were left asking ourselves:
o Why aren’t good dependency management practices baked into each and every scenario? And
o Why do some organizations struggle more than others to get this under control?
This week, we’re going to dig a little deeper into these questions and take a closer look at the specific factors that drive up dependency management cost and confusion. Once identified, these factors can be neutralized – accelerating development velocity, improving software quality, and reducing risk and expense in both development and operations.
The obstacles to effective dependency management can be found in an organization’s past, in its present, and in its rush to move into the future. This is important to appreciate as it points to the stark reality that dependency management is not a short-term operational requirement; it will remain a perennial necessity because it is integral to technology evolution itself – it is not an artifact of one particular technology generation or another.
o The past gives us technical debt, legacy systems, and, if we’re not careful, unsupported systems and applications. All of these throw off unknown and unmanaged software, database and API dependencies.
o Today, development organizations are under unprecedented pressure to produce more features more explicitly linked to business value in shorter cycles with higher quality all while ensuring the highest levels of security, resilience, and compliance. These pressures amplify the criticality of effective dependency management and the demand for reliable and automated means of tracking, managing and reporting on the material dependencies across existing and planned business system components.
o Modernization and Digital Transformation dominate corporate and institutional roadmaps. All of these have implementation plans dependent upon accurate, up-to-the-minute inventory, architecture, and runtime dependency mappings. Further, compliance and regulatory obligations are extending their reach farther upstream from production into how software is written, built and deployed. With the inclusion of terms such as “reasonable”, “well-understood”, “state-of-the-art”, and “effective means”, regulations such as GDPR and compliance standards such as PCI DSS or HIPAA are incorporating these evolving development practices into financial, privacy and consumer compliance obligations – all by indirect reference rather than explicit prescription. This means that effective dependency management is not only an important tool for improving development productivity; it is rapidly becoming a required practice in its own right.
Obstacles, Impediments and Landmines
While the pressure from an organization’s Past, Present and Future may produce exploding volumes of unknown and unmanaged dependencies, along with increasing concern over these gaps, there are also underlying organizational, operational and societal conditions that exacerbate the urgency of getting these dependencies under control and, as a consequence, the growing need to minimize the time and expense required to do so.
o Heterogeneous architectures
o Diverse technologies
o Third-party software
o Open Source software
o Shadow IT
o Services and applications
o Servers, containers, VMs, & nodes
Missing, incomplete or unusable information
Lack of institutional knowledge
o Staff turnover
o Outsourced work
o High precision
Automation, Resilience and Integration
Accurate and timely access to software, database, and API dependency information is an essential capability for developers, architects, auditors, operations, and senior management setting directions and assuming risk. The evidence is overwhelming and available to everyone (making this a well-known and widely accepted risk from a regulatory and auditor’s perspective).
o The collection, validation and reporting of dependencies must be integrated across technology and DevOps boundaries to provide a single source of runtime truth.
Producing this information cannot be accomplished manually; trusted and resilient automation is required.
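To make the "single source of runtime truth" concrete, here is an added example (not tooling from the article or any product it describes) that automates the collection, validation and reporting step for one dependency class. It reconciles a declared manifest against what instrumented hosts actually loaded and a support policy, and reports the four gaps the article worries about: dependencies loaded but never declared (unmanaged), versions that drifted from what was declared, versions outside the supported set, and declared dependencies that never appear at runtime. The manifest, the runtime log lines, the host names and the support policy are all constructed sample data; the log format is a hypothetical one chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample manifest for a hypothetical application (not from the article).
DECLARED_MANIFEST = """
requests==2.31.0
sqlalchemy==2.0.25
psycopg2-binary==2.9.9
"""

# Constructed sample of what instrumented hosts reported loading at runtime.
# Format (hypothetical): <timestamp> <host> loaded <package> <version>
RUNTIME_LOG = """
2024-01-10T09:01:02Z app-01 loaded requests 2.31.0
2024-01-10T09:01:02Z app-01 loaded sqlalchemy 2.0.25
2024-01-10T09:01:03Z app-01 loaded pymssql 2.2.11
2024-01-10T09:01:05Z app-02 loaded requests 2.28.0
"""

# Constructed support policy: the versions the organization still supports.
SUPPORT_POLICY = {
    "requests": {"2.31.0"},
    "sqlalchemy": {"2.0.25"},
    "psycopg2-binary": {"2.9.9"},
}

MANIFEST_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==(\S+)\s*$")
LOG_LINE = re.compile(r"^\S+ (\S+) loaded (\S+) (\S+)$")


@dataclass(frozen=True, order=True)
class Finding:
    kind: str      # one of: drift | unmanaged | unsupported | unused
    package: str
    detail: str


def parse_manifest(text: str) -> dict[str, str]:
    """Declared dependencies: package name -> pinned version."""
    declared: dict[str, str] = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line)
        if m:
            declared[m.group(1).lower()] = m.group(2)
    return declared


def parse_runtime_log(text: str) -> dict[str, dict[str, set[str]]]:
    """Observed dependencies: package -> {version -> hosts that loaded it}."""
    observed: dict[str, dict[str, set[str]]] = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            host, pkg, ver = m.group(1), m.group(2).lower(), m.group(3)
            observed.setdefault(pkg, {}).setdefault(ver, set()).add(host)
    return observed


def reconcile(declared, observed, policy) -> list[Finding]:
    """Compare declared, observed and supported versions; return sorted findings."""
    findings: list[Finding] = []
    for pkg, versions in observed.items():
        if pkg not in declared:
            findings.append(Finding("unmanaged", pkg,
                "loaded at runtime but never declared: " + ", ".join(sorted(versions))))
        for ver, hosts in versions.items():
            where = ", ".join(sorted(hosts))
            if pkg in declared and ver != declared[pkg]:
                findings.append(Finding("drift", pkg,
                    f"declared {declared[pkg]} but {ver} loaded on {where}"))
            if pkg in policy and ver not in policy[pkg]:
                findings.append(Finding("unsupported", pkg,
                    f"{ver} is outside the supported set on {where}"))
    for pkg in declared:
        if pkg not in observed:
            findings.append(Finding("unused", pkg,
                "declared but never loaded in the observed window"))
    return sorted(findings)


def run_report() -> list[Finding]:
    """Run the full collect -> validate -> report pipeline over the sample data."""
    return reconcile(parse_manifest(DECLARED_MANIFEST),
                     parse_runtime_log(RUNTIME_LOG), SUPPORT_POLICY)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.kind:<12}{f.package:<18}{f.detail}")
```

On the sample data the report flags `pymssql` as unmanaged (a database driver nobody declared), `requests` on app-02 as both drifted and unsupported, and `psycopg2-binary` as declared but unused. The value of the exercise is that the runtime feed, not the manifest, is treated as the authority, which is exactly the boundary-crossing integration the article calls for; in practice the runtime source would be a package inventory agent or container image scan rather than a hand-written log.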
What architectural and feature set requirements would an automated dependency management platform need to meet in order to reduce these pressures and neutralize the obstacles, impediments, and landmines that have made effective software and database dependency management so expensive and difficult to master?