The DevOps loop and "Release on Demand"
Updated version and translated into English
The DevOps loop
If you were to google "devops loop", the majority of hits would most likely be different versions of the following image:
The idea of the DevOps loop is to describe the development lifecycle as an infinite loop, from planning to production via feedback, then back to planning and so on. You probably never reflect on each individual step in the loop but rather take them to be descriptive and in the correct order.
In the work I do with spreading the gospel of secure development I often use the DevOps loop as a tool to illustrate how to add activities related to security into the development lifecycle:
In “Plan” we work with C-I-A (confidentiality, integrity, availability) and privacy requirements, and perform threat modeling.
In “Code” we work with pull requests and peer review.
In “Build” we scan for the use of known vulnerable external components (SCA) and use static code analysis (SAST) in our build pipeline.
In “Test” we work with security related test cases, maybe derived from a penetration test, with the intent of “how do we prevent this from happening again”.
You get the idea. But when we look at “Release” and “Deploy”, for me it gets problematic. Maybe not so much with mapping activities, but does the “Release” step really come prior to “Deploy” in a modern development lifecycle?
Release on demand
Out of curiosity about SAFe (Scaled Agile Framework), I participated in a "Leading SAFe" training during spring 2020, and there we talked about "Release on Demand" in the section that describes how to "Build a Continuous Delivery Pipeline with DevOps". The idea behind "Release on Demand" is to separate "deploy to production" from "release", so that the value of what you do is made available when it is needed.
“Release on Demand - Making value available when it's needed”
In the DevOps loop used in the training material, the order of the “Release” and “Deploy” steps was reversed:
And suddenly the initial challenge I had with the ordering of the “Release” and “Deploy” steps is gone.
In “Deploy” we move new functionality into the production environment, but it is not yet made available to customers: it is hidden behind feature flags, or we use canary releases to test the new functionality on a limited number of users initially.
In “Release” we make the new functionality available to all customers when the timing is right. Maybe immediately or at a strategically better moment later on.
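As an added example (not code from the original post), the Python below makes the Deploy/Release split concrete: the code is deployed for everyone, but exposure is decided per request by a flag's rollout percentage, where 0 means deployed but hidden, a low value means canary, and 100 means released. Flag names and user ids are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureFlag:
    """Release state of functionality that is already deployed to production."""
    name: str
    rollout_percent: int                 # 0 = deployed but hidden, 100 = released
    allow_list: frozenset = frozenset()  # users who always see it (e.g. QA accounts)

    def __post_init__(self):
        if not 0 <= self.rollout_percent <= 100:
            raise ValueError(f"{self.name}: rollout_percent must be 0..100")


def bucket(flag_name: str, user_id: str) -> int:
    """Stable 0..99 bucket per (flag, user): a user keeps the same answer across
    requests, and different flags do not all pick the same 5% of users."""
    digest = hashlib.sha256(f"{flag_name}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def is_released_to(flag: FeatureFlag, user_id: str) -> bool:
    """The 'Release' decision, taken at request time, independent of 'Deploy'."""
    if user_id in flag.allow_list:
        return True
    return bucket(flag.name, user_id) < flag.rollout_percent


def stage(flag: FeatureFlag) -> str:
    """Where the flag sits in the loop: deployed, canary, or released."""
    if flag.rollout_percent == 0:
        return "deployed"
    if flag.rollout_percent == 100:
        return "released"
    return "canary"


def exposed_share(flag: FeatureFlag, user_ids) -> float:
    """Fraction of the given users who would see the feature (canary sanity check)."""
    users = list(user_ids)
    return sum(is_released_to(flag, u) for u in users) / len(users)


# Constructed sample flags, not taken from any real system.
FLAGS = {
    "new-checkout": FeatureFlag("new-checkout", 0),                   # deployed, not released
    "new-search": FeatureFlag("new-search", 5, frozenset({"qa-1"})),  # canary for 5% plus QA
    "dark-mode": FeatureFlag("dark-mode", 100),                       # released to everyone
}

if __name__ == "__main__":
    users = [f"user-{i}" for i in range(10_000)]
    for f in FLAGS.values():
        print(f"{f.name:13s} {stage(f):9s} exposed to {exposed_share(f, users):.1%}")
```

Because “Release” becomes a configuration change rather than a deployment, the flag store deserves the same review and audit trail as the code it gates.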
The new ordering of the steps in the DevOps loop suddenly feels spot on to me.
But why is the incorrect order still dominating in images you find when googling?
It is probably related to what software delivery looked like when the loop was initially created (around 2009). Much software was “Released”, packaged and then delivered to customers, who “Deployed” it into their own environment. This was before the majority of software was delivered as web-based solutions and SaaS became the dominant way of buying software. I also think that people haven’t put that much thought into the order of Release and Deploy (as maybe I have).
So to wrap up, I present the correct version of the DevOps loop with a couple of security related activities mapped out:
/Mats Persson - Security consultant at Omegapoint, Mats LinkedIn profile - 2023-01-02