How DevOps teams can get ready to explore DORA [Q&A]

It's essential for businesses to get security, privacy and governance right -- not only to prevent breaches, but also comply with increasing numbers of regulations.

DevOps Research and Assessment (DORA) best practices are the gold standard for spotting vulnerabilities across both cloud and mainframe environments and improving development efficiency.

We spoke to Puneet Kohli, president of application modernization at Rocket Software, to learn how teams can prepare to meet DORA standards.

BN: What is the DORA framework?

PK: DevOps Research and Assessment (DORA) is the longest-standing and most extensive research program in its domain. It's highly regarded in the DevOps community for its comprehensive and academically rigorous approach to studying DevOps practices and their impact on organizational performance. The DORA framework offers a comprehensive set of capabilities and metrics to evaluate and enhance software delivery and operational performance. It focuses on key metrics like deployment frequency, lead time, change failure rate, and mean time to recover. Rooted in extensive research across industries and organization sizes, the framework guides organizations in assessing and improving their DevOps practices, leading to better software delivery and operational performance. These practices also help organizations enhance reliability, security, and compliance throughout the software delivery pipeline. Essentially, the DORA framework serves as a roadmap for organizations aiming to boost their technological capabilities and achieve significant business results through efficient software delivery practices.

BN: How important is it for this to be applied across all teams, development and cybersecurity?

PK: The application of the DORA framework across all teams within an organization, including both development and cybersecurity, is paramount. It is common to perceive these teams and their workflows as separate entities, but they are intricately intertwined. Implementing this framework ensures that all aspects of the software delivery lifecycle, from development to deployment and security, are optimized for performance and efficiency. This integration fosters collaboration and alignment, breaking down silos and ensuring that all teams are working towards common goals. By adopting these practices, organizations can create a culture of sharing risk, increasing cooperation, and establishing psychological safety.

Integrating this framework across teams also mitigates potential bottlenecks and silos, saving time and resources. It enables organizations to prioritize security considerations early in the development process, leading to the creation of more secure and resilient software products. For example, collaborating on 'policy-as-code' -- translating policies and compliance requirements into machine-readable formats -- enhances trust between teams and instills confidence in the changes being deployed. From a leadership perspective, fostering a culture of continuous improvement and collaboration starts with awareness and education on its importance. Transformational leadership plays a crucial role in creating a blameless environment that encourages experimentation and learning, giving practitioners the trust and autonomy to make decisions. Engineers need visibility into the business and the freedom to solve complex problems effectively. By adopting a holistic approach to culture, both top-down and bottom-up perspectives are essential for driving meaningful change across all teams and maximizing organizational performance.

BN: Does DORA help drive delivery as well as ensuring compliance?

PK: By emphasizing metrics such as deployment frequency, lead time, and change failure rate, the DORA framework promotes efficient and reliable software delivery practices. These metrics enable organizations to streamline their delivery pipelines, reduce lead times, and enhance the frequency of deployments, ultimately leading to faster and more responsive delivery of software changes. Engaging in a flexible infrastructure and following Continuous Integration/Continuous Delivery (CI/CD) practices, which are central to the DORA framework, helps lower the risk of errors and bottlenecks in the delivery process -- facilitating smoother and more efficient software delivery. Employing these practices also helps organizations meet compliance requirements throughout the software delivery lifecycle, as they provide flexibility to deploy updates and patches across various environments while maintaining security compliance through automated testing, validation, and rapid response mechanisms.

Organizations must embed security considerations into the development and deployment processes to mitigate risks, adhere to regulatory standards, and safeguard sensitive data. Shifting security reviews 'left' in the software development lifecycle allows for early detection and remediation of security issues, reducing the likelihood of compliance breaches. Implementing automated security testing, codifying compliance requirements, continuously monitoring for security and compliance drift, and leveraging comprehensive monitoring and observability solutions further help in properly adhering to regulatory standards.

BN: What role does automation have to play in meeting the framework requirements?

PK: Automation, encompassing both deployment and test processes, is an important part of meeting the framework set by DORA. Deployment automation, in particular, facilitates agile and dependable software delivery by expediting the deployment process, mitigating human error, and furnishing prompt feedback on software quality. Through the utilization of automated deployment scripts, organizations can seamlessly configure environments, package software, and execute deployment tests, ensuring consistent transitions across various deployment environments. This not only accelerates the delivery cycle but also enhances the reliability and predictability of software releases, in line with the objectives of DORA's framework.

Simultaneously, test automation plays an indispensable role in ensuring the integrity and functionality of software throughout its lifecycle. By integrating automated tests such as unit tests and acceptance tests into the continuous delivery pipeline, teams gain swift insights into the impact of changes, enabling the timely identification and resolution of potential issues. Test automation not only elevates the overall quality of software but also contributes to enhanced stability, reduced team burnout, and diminished deployment complexities. Aligning with DORA's research on high-performing organizations, the strategic integration of deployment and test automation fosters a culture of agility, reliability, and continuous improvement within software development practices.

BN: How can companies measure success in implementing DORA?

PK: Companies can measure success in implementing the DORA framework by evaluating changes in the key performance metrics outlined in the guidelines, such as deployment frequency, lead time, change failure rate, and mean time to recover. These metrics provide quantifiable indicators of software delivery and operational performance, allowing organizations to assess the effectiveness of their implementation efforts over time. By tracking these metrics regularly, companies can identify areas of improvement, monitor progress, and benchmark their performance against industry standards and best practices outlined by DORA.

In addition to performance metrics, companies can also measure success in implementing DORA by assessing the adoption and maturity of DevOps practices within their organization. This includes evaluating the extent to which automation, collaboration, and continuous improvement principles are ingrained in the organizational culture and workflows. Companies can conduct surveys, interviews, and internal assessments to gather feedback from teams and stakeholders, gauging their perception of the effectiveness and impact of DORA implementation efforts.

Ultimately, success in implementing DORA is measured by the ability of organizations to achieve tangible improvements in software delivery performance, operational efficiency, and overall business outcomes. By aligning with the principles and practices advocated by the DORA framework and continuously striving for improvement, companies can drive meaningful change and realize the full potential of DevOps within their organization.

Image credit: WrightStudio/depositphotos.com