Secure Software Factory Q&A: CloudBees

As a public sector solutions aggregator, DLT Solutions creates effective go-to-market strategies that its technology vendors and channel partners can leverage to deliver optimal business-oriented solutions to government, healthcare and education customers.

More specifically, within the tech domain that I manage at DLT (Application Lifecycle and our rapidly expanding DevSecOps practice), we’ve built a modern reference architecture using DevSecOps principles to create the DLT Secure Software Factory. This software factory provides a framework of automation tools to consistently deploy high-quality, scalable, resilient and secure software throughout an application’s lifecycle.

The end result is a customer-specific, mission-oriented experience which aligns with some of the major initiatives from the current Administration as well as priorities stated in many agencies’ strategic plans, such as:

  • Desire for a “bundled software solution”
  • Government-wide initiative to secure the software supply chain
  • Alignment with Government-wide IT modernization and digital transformation efforts

A key component within DLT’s Secure Software Factory is , a technology company building the first end-to-end continuous software delivery system that enables organizations to balance strong governance with developer freedom.

I recently had a chance to sit down with Ben Chicoski, director of business development within the North American public sector team at CloudBees, to discuss all things DevSecOps and the increasing evolution of how people are developing and deploying software in the public sector arena.

I’m happy to share our discussion (Q&A) below:

Who is CloudBees? What problems does CloudBees address?

The demand for speed and innovation is all around us. We help organizations accelerate the delivery of worthy software from concept to value. Our CTO created Jenkins, which is the world’s most popular tool for continuous integration. Our flagship product, CloudBees Core, is built on top of Jenkins – consider it a “supercharged Jenkins” – so we’re very fortunate to have an unparalleled and incredibly proficient user community. We created CloudBees Core as a tonic for Jenkins’ limitations. Jenkins is open source, which comes with certain risks that many organizations aren’t willing to accept. While Jenkins is excellent for small-scale development, when your development scales up and becomes mission-critical, you really need something that’s enterprise-grade. That’s where CloudBees Core comes in.

Describe the technology areas CloudBees plays in.

Customers use our technology in use cases with lots of different names: DevSecOps, software delivery, continuous integration (CI)/ continuous delivery (CD), application modernization, release management, etc. Whatever you call the area, we’re building the first end-to-end system for continuous software delivery. That system has three interrelated facets:

  1. Everything starts with CI. It’s the process of automatically integrating code from multiple development streams into a shared repository.
  2. Next comes CD, which applies the Scientific Method to software development. It’s a process that enables you to continuously have secure and tested code in a production-ready state at all times.
  3. Producing the software is just one part of the equation, though. Applications need to be packaged up and released in the right way. Application Release Orchestration (ARO) is the discipline that enables DevOps teams to automate deployments, manage CI/CD pipelines, and orchestrate the release workflows. That’s what our product called CloudBees Flow specializes in.

What role does CloudBees play in DLT’s Secure Software Factory?

There’s a rich diversity of tools in DLT’s Secure Software Factory, each performing its own function. We orchestrate those tools by weaving them into automated workflows. Additionally, one of the great things about what DLT has done is to align with the government’s paradigm shift toward the bundled solution approach when procuring software. We at CloudBees are very excited about what DLT is doing, as it’s outside the norm of what we typically see in the channel and distribution model. DLT isn’t just performing a transactional role here, you bringing legitimate technical expertise to the table, with the recognition that agencies want solutions, not widgets. DLT’s pioneering, and investing in, the DevSecOps model as it should be done – not just parroting a buzzword.

What areas of the government are seeing success with CloudBees?

With the newfound government-wide push for IT Modernization, citizen-facing digital services, website modernization, and the fact that so many programs rely on producing functional and secure software, DevOps practices are steadily being adopted across government – and the vast array of systems integrators in the surrounding ecosystem. At the same time, the need for speed is bumping up against the mindset – realistic or not – that security will block it. Agencies are often unsure of how to make speed a reality in a world where compliance matters a lot. 

Fortunately, DevSecOps is our most prominent use case, and we have compelling examples of agencies bringing security in to crank up their software factories. DLT recognizes that DevSecOps unites teams around a shared objective: continuous production of software that is worthy of release.

In your mind, what does it mean for software to be worthy of release?

By “worthy” I mean functional, relevant and secure. There’s a host of different tools that can satisfy each of those aspects (e.g., a scanner to ensure code is secure). Then, in the spirit of DevOps, you need a capability to automate and orchestrate that diversity of tools. That’s why customers pick CloudBees. 

DLT is in a key position as an aggregator of so many of these enabling technologies that contribute to those three aspects of being worthy. And DLT has been a tremendous partner of ours.

Let’s talk about Credibility and Cost Justification. Why does the government decide to invest in CloudBees?

I remember seeing one study showing that developers spend ~40% of their time NOT developing. That’s partly because they’re spinning their wheels with DIY Jenkins or waiting on the open source community for a response to a technical question. What a waste of creative firepower and taxpayer dollars. Do you want your developers spending time on Google researching the compatibility and security of Jenkins plugins? Of course not. You – and they – want to avoid that waste and redirect that intellectual capital toward more valuable priorities like building awesome software.

Bottom line, through automation and easier management, we’re helping customers slash their labor burden and increase end user satisfaction. We have real data from 200+ customers about the cost savings and efficiency gains they’ve made by investing in CloudBees, and the results are pretty striking. For example, Accenture cut their Jenkins maintenance by 80% and their deployment times by 90%. On average, customers saved ~$3,500 per developer, per year. That means customers and partners don’t view us as a cost but instead recognize us as a profit center.

What are the best ways a government agency can procure CloudBees?

The easiest way is from our close partners, like DLT. We’re available on the major government contracts like GSA Schedule 70, CIO-CS, DoD ESI and SEWP. Contact CloudBees or DLT to learn how to procure our solutions under these contracts.