Mission Live Enterprise: Distributed Agile and DevSecOps Automation at Scale Through Platform Approach
What will it take for companies with complex legacy landscapes to quickly sense changing business needs and continuously evolve in response? As several of them embark on the digital transformation journey, the opportunity to transform into agile, responsive beings, at enterprise scale, is a compelling one. The opportunity to be a Live Enterprise. Our vision for Infosys as a Live Enterprise is to position our 300K+ workforce at the sensing-feeling-responding core of the company, with the ability to seamlessly interact with and continuously learn from our client and partner ecosystems. To realize this vision, we are reimagining our employee experience, our core business processes, and all our enabling IT systems and infrastructure. This means focusing on personal productivity, nurturing zero-latency in processes, ensuring just-in-time data for decision-making, driving hyper-productivity and facilitating continuous learning to instill new patterns of sentient behaviour.
Our session tells the story of how Infosys IT went through this transformation, primarily focusing on the Agile and DevSecOps adoption and automation at scale to transform the delivery of IT systems to be sentient, faster, reliable, resilient and scalable. Along with the technology transformation to modernize IT applications and systems, the Infosys Distributed Agile & DevSecOps Model was adopted to transform Ways of Working and DevSecOps practices. To enable and accelerate this adoption, an *enterprise-grade platform* that empowers teams with codified engineering practices and AI/ML-driven insights for faster and secure releases was employed. Infosys DevSecOps Platform is a cloud-native, ‘NoCode’ DevSecOps platform built on sentient principles and powered by AI/ML-driven insights, with security built in across the value stream. The platform significantly eased the adoption of modern technologies due to its out-of-the-box CI/CD support, and its metrics-driven visibility across portfolios guided the management of KPIs and goals. Through its self-service model, it accelerated the adoption of SOX-compliant release automation pipelines governed by templates and gating with respect to code quality, security and automation coverage.
Through this session, we share our learnings from this massive transformation led by a platform approach, touching areas around people, process, technology and tools transformation.
The landscape involves diverse technologies (Angular, Java, Service Fabric, Android, iOS, Docker, Kubernetes, Python, Cloud, PostgreSQL) and environment-agnostic (on-premise / hyperscalers) container-based deployments. The platform approach helped in moving from Docker Swarm to Kubernetes and from Nexus to JFrog.
Infosys IT has delivered DevSecOps automation at scale: 150+ applications, 700+ pipelines, 100K+ builds and deploys. DevSecOps practices at Infosys IT, including automated code quality analysis and continuous testing, have resulted in a 100% increase in the number of releases per month, a 50% improvement in deployment lead time, a 48% defect reduction and a 15% ticket reduction due to better-quality releases.
Full transcript
Shilpa Aphale and KrishnaKanth B N
If scale is a challenge for your DevSecOps transformation, then this is the session for you.
Good day to all from me and my colleague, KrishnaKanth. I'm Shilpa, delivery manager for Infosys IT, with 22 years of experience in .NET, SAP, and open source technologies. In addition to my portfolio, I also anchor DevSecOps for Infosys IT.
Hi, I'm KrishnaKanth, senior technology architect at Infosys, with around 15 years of experience on Java/J2EE development, SDLC and DevSecOps tools consulting, and presently, I am leading the Infosys DevSecOps Platform development and implementation.
So today, myself and Shilpa are going to share how we went about Mission DevSecOps at Infosys IT, the challenges that we faced and how we overcame it, and what kind of benefits we saw.
Shilpa Aphale
We represent Infosys, an organization with around 249,000 employees and $13 billion US revenue across 46 countries. Our mobile app, InfyMe, itself gets 10 million hits daily. With this scale, systems become the digital backbone for the organization.
Our vision for Infosys as a live enterprise is to position our 240K-plus workforce at the sensing, feeling, and responding core of the company with the ability to seamlessly interact with and continuously learn from our ecosystems. To realize this vision, we are reimagining our employee experience, our core business processes, and all our enabling IT systems and infrastructure. This means focusing on the personal productivity, nurturing zero latency in the processes, ensuring just-in-time data for decision-making, driving hyper-productivity, and facilitating continuous learning to instill new patterns of sentient behavior. The book for Live Enterprise transformation is available online.
When the pandemic struck, quick turnaround for the changes in processes for work from home was an acid test for live enterprise. Our systems and processes had to undergo quick changes for work from home. Infosys IT enabled the changes through DevSecOps automation with quick turnaround and quality deliverables.
To understand how we did this at scale, we need to understand the digital transformation and agile DevSecOps journey of Infosys IT.
We started our digital transformation journey in 2017. We were primarily .NET and SAP shop with manual functional testing and homegrown release tools. There were 200-plus web applications to be transformed. For digital transformation, speed of delivery was important, and logically, first step was to move from waterfall model to agile.
We had a tailored agile program for Infosys IT and the business partners. More than 1,000 employees were trained during this program, followed by agile assessment framework definition and the agile certifications. We have 50-plus certified Scrum Masters.
We were clear that DevOps was needed, as the old homegrown release tools and the manual testing would hinder the speed of digital transformation.
The next important step was to standardize the technologies for digital transformation. Movement from .NET to open source was clear direction. We had identified seven new open source technologies for digital transformation. There were 200 applications with more than 1,000 pipelines, 6,000 builds per month, and 50,000 test cases per month.
Automation for DevSecOps had to keep up with the speed at which new technologies were being standardized. Ease of adoption for DevSecOps was a critical ask to manage the scale.
As we were continuously learning and evolving the new tech stack, we needed agility to add new technologies and change tools for CI, CD, and CT on the fly. With the agility and speed, we also needed governance with common habits and routines across teams, visibility of adoption to DevSecOps practices, and ability to measure the results.
This was a critical decision point for us, and we asked ourselves: how do we scale DevSecOps adoption across thousands of components? Are technology changes disrupting DevSecOps automation setup? How do we cope up with the constantly changing tools? And how do we govern this DevSecOps transformation at scale? Are you also facing the same challenges?
At this juncture, Infosys DevSecOps Platform gave us ability for ease of use, scalability, and good governance platform. KrishnaKanth, over to you for the solution that helped Infosys IT to transform at scale.
KrishnaKanth B N
Thanks, Shilpa. Thanks for sharing the challenges in the Infosys IT landscape.
So when we talk about DevSecOps adoption, and that too at scale, there are some challenges that we typically see. So it is easy to set up a DevSecOps pipeline for one team. The team can acquire the required skills, they can choose the tools that are best suited for them, and they can write the scripts and automation that they need.
But when talking about an entire portfolio with thousands of components, each having their own types of delivery processes, cutting across diverse tools and technologies, it becomes very challenging to standardize and govern the implementation of processes and tools.
Without standardization and governance, heavy investment is needed to set up and maintain multiple tool integrations, customize the processes, and also maintain isolated implementations as well. To add to this, the diversity in systems makes it very difficult to gain visibility into the problems, the performances of development, QA, and all teams involved in the value stream. Any small change that is required will lead to lot of manual interventions and impact in several areas.
So what Infosys IT needed was an enterprise-grade platform, and Infosys DevSecOps Platform was for that. So what is Infosys DevSecOps Platform, or IDP? So it is an enterprise-grade, cloud-first DevSecOps solution that provides a platform approach for distributed, agile, and DevSecOps transformation with quality, speed, and at scale.
Automation across the agile software delivery life cycle was key for Infosys IT to rapidly evolve, innovate, and to adopt modern engineering practices. IDP helped Infosys IT adopt SDLC automation and also achieve higher levels of agile and DevSecOps maturity. So let us see how.
So firstly, let us look at how IDP helped in simplifying and accelerating adoption. The platform comes with no-code DevSecOps pipelines for over 25-plus technologies, and it has integration with over 85-plus industry-standard, open source, and commercial tools. For novice users, the platform comes with an abstract, de-skilled, simplified visual interface to configure and deal with pipelines. The entire DevSecOps pipeline can be configured in a scriptless fashion, and the predefined templates in the platform standardize the engineering practices. And the telemetry, the insights, the metrics that come out of the platform guide the user and teams in improving the habits, routines, and also making the behavior and processes more sentient. So this made it significantly easy for Infosys IT to onboard thousands of components at ease.
Secondly, with tools and technology landscape undergoing major transformation to suit the new age application architectures, it became imperative for the platform to be ready to support any new entry into the tools or technology landscape. While the platform already supported a rich set of integrations with tools and technologies, which actually helped teams migrate from old to new tools and technologies, the platform also offered a highly extensible plugin framework that allowed teams to onboard newer tools and technologies rapidly.
The platform is cloud native, and it also supports DevSecOps in a hybrid cloud ecosystem as well. Infosys IT has several applications with deployment targets spread across on-premise as well as cloud infrastructures. IDP helped in touchless deployments across these hybrid environments. And IDP in itself is a microservices-based platform, and it runs on a scalable container orchestration platform like Kubernetes.
Lastly, in the governance area, IDP's granular role-based access controls helped in onboarding various Infosys IT stakeholders into a common DevSecOps workflow. And that made them actively participate in shift-left security and compliance-related actions.
The platform has logging, telemetry, and reporting built into it, due to which it makes the automation completely auditable and SOX-compliant. The ML insights in the platform offer predictions and recommendations on various areas, such as developer analytics, infrastructure utilization, release risk, application hotspots, anomalies, and various others. IDP in itself is built on live enterprise principles, and it possesses capabilities to act as a key enabler towards a sentient DevSecOps tooling ecosystem.
So this is how IDP plays a vital role in a DevSecOps tooling ecosystem. So it complements the existing tooling investments, and it elevates the teams to move from pipeline-based tooling into an enterprise-grade DevSecOps platform. It helps in making systems, processes, and experiences more sentient with Infosys Live Enterprise Framework principles such as proximity to source, zero latency, instant simulation, guided practices, among many others.
The plug-and-play capabilities and the modular nature of IDP helped Infosys IT to use certain capabilities of the platform as they moved in their DevSecOps journey. The teams that started with pipeline-based tooling were guided through the platform to move into a higher maturity state that is characterized by cognitive automation, enhanced and codified SecOps and DataOps practices, entire value stream management analytics, environments management, and metrics-driven visibility and governance.
And this journey is also characterized by self-service mode for teams to onboard themselves without the need to learn or acquire DevSecOps skills or to depend on DevSecOps experts outside the team. The platform also democratizes extensibility, and it makes it possible for teams to extend the platform capabilities in a self-service mode.
The platform approach also standardized the tools, it automated the processes, and it shifted left the security practices, making the applications more secure. By the virtue of the platform integrating with multiple tools, it provided a single unified pane for visibility across the value stream. IDP takes a tools- and technology-agnostic approach to cater to the needs of enterprise teams, and this was put to best use in Infosys IT as it was adopted across legacy, package, mobile, data, cloud, and hybrid application areas.
Let us now see some glimpses of how IDP made the Infosys IT agile and DevSecOps processes more systems, more sentient and live. Okay, so first is how IDP enabled faster decision-making with minimal steps in the flow. The platform presents relevant data at point of use for decision-making for different personas. So what we see here are a few dashboards for application leads, developers, architects, and Scrum Masters. Some of these metrics in the dashboard are also baked into the performance management system, thereby establishing a transparent DevSecOps culture and also driving healthy team performance and productivity. These views are hyper-personalized, and they are customizable to provide one-stop access to information across the SDLC landscape.
So IDP also helped in reducing closure time of workflows. So all human touch points in the DevSecOps processes were minimized, and the end-to-end DevSecOps pipeline offers zero-touch automation capability, and it provides instant amplified feedback for action in the form of metrics dashboards for different personas.
So the platform also enabled users with what-if kind of scenarios in the flow. It also suggests alternatives and recommendations to optimize costs and to mitigate risks. Here are a few examples of agile velocity and defect trend forecast for a team. On the right side is the infrastructure utilization, its actual infrastructure's actual utilization data and predicted data. And to the right bottom is an indicative cost savings in infrastructure if the recommendations were to be implemented. So this is based on the forecast of usage and the actual utilization.
Next is feedback and data that are captured at crucial flows and user interactions across the platform interface. So this data is used to improve the platform, and it is also used to improve the usage of the platform. So this data is used to derive overall maturity as well as overall DevSecOps compliance across teams. So every micro frontend or the UI component and all the key transactions are followed up with a feedback prompt to capture the user-specific feedback, and the telemetry graph provides a measure of overall user sentiment on each feature of the platform.
IDP also provides easy access to knowledge and expertise to help teams make the right decision in the flow and based on the data analysis, the platform nudges the users to perform actions as well.
The last and the most critical of the challenges and the key area to be addressed was security. So we briefly touched upon this in one of the earlier slides. So here, the platform provided multiple capabilities to address security and compliance from different dimensions.
So firstly, the platform provides something known as golden templates feature that can be enforced at portfolio levels. So these templates contain predefined steps and stages of the pipeline that cannot be modified by application teams. So not only they accelerate the application onboarding, but they primarily help in governing the way DevSecOps pipelines need to be implemented in a consistent manner across the portfolio.
Secondly, the portfolio leads can also set gating thresholds for code quality, test coverage metrics, and other metrics as well, which can apply to all applications and pipelines under the portfolio. These thresholds can be accompanied with even the frequencies to set how often the tools need to be run mandatorily for each team, so that the feedback can be proactive and timely.
Then, as we understand by now, IDP already integrates with multiple tools, many of which are security-related. Say code scanning, container scanning, open source compliance, privacy checks, penetration tests, et cetera. And as part of deployment process as well, there are secure integrations with Ansible, Kubernetes, Terraform for pre- and post-deployment validations as well.
The platform also offered separate and granular permissions for different personas such as application leads, release managers, environment owners, developers, QA engineers, auditors. All of them come to this unified interface to automate the entire DevSecOps process.
So next, observability is one key principle of the Live Enterprise framework, and we have powerful telemetry and logging that helps us extract audit reports for executions, deployments, configurations, user access management, and various other dimensions. So we also used external vault to store all sensitive information required for pipelines. This means the pipelines are not coupled with data or inputs, and the data is entirely externalized from the pipelines, which makes the pipelines more generic and reusable.
Then we also have approval mechanisms for various environment owners, release managers, QA leads to review metrics and to approve deployments to higher environments. So these approval steps can be added at any point in the pipeline and to even invite external stakeholders to be part of the same pipeline, which can give an immersive experience for continuous delivery.
Lastly, as an additional check in the governance flow, we also integrated the platform with our homegrown release management solution. So this means that along with the default security capabilities that the platform offered, say, role-based governance, approval-based workflows, et cetera, the platform had an additional check which will allow the production deployments to happen only if the release management system validates the token approval. So these aspects helped us immensely to help the DevSecOps automation scale and as well become more secure, and the delivered applications also were a lot secure because of these capabilities.
So back to you, Shilpa, to talk about how we adopted IDP in the journey and to talk about results and outcomes.
Shilpa Aphale
Thank you, KK.
So this way, IDP was adopted for this massive transformation of agile and DevSecOps practices at scale at Infosys IT. In the initial phase, applications, including the new technologies chosen for the modernization, were rapidly onboarded for basic CI comprising of build automation, with code quality checks enabled with tools like Lint and SonarQube. Automated deployments were configured for lower environments.
In the next phase, we targeted integration with homegrown release management solution and also extended the CI capabilities to perform cloud and container-based deployments, along with automated database and infrastructure deployments.
During this shift, many tools were realigned on the fly thanks to the ready support the platform had for multiple industry-standard tools. Multiple container orchestration platforms were evaluated, experimented, and finalized with ease. Likewise, Artifactory, governance tools, security tools underwent rationalization alongside the CI/CD/CT journey without any impact on the DevSecOps automation.
Now, we already have seven new technologies fully onboarded with over 200 applications and 1,000-plus pipelines performing over 300 releases per month. The automation consistently rolls out with 50,000 automated tests that run as part of pipelines.
As next steps, the journey continues with enabling SRE capabilities. Our target is to make applications more resilient with self-healing and auto-remediation techniques, and also use more ML-based insights and recommendations for more automated and accurate decision-making.
So how did this platform approach help Infosys IT in its transformation at scale? Here are the results. The touchless end-to-end automation adopted for our DevOps of over seven technologies on over 200 applications has resulted in two times productivity increase. Thousands of pipelines running in the platform with over 150,000 builds happening through the platform till date has shown four times increase in velocity and 75% improvement in lead time. This also has brought down turnaround time significantly in services testing, regression testing, and cloud releases.
Few other metrics of interest are the improvement of code quality and continuous testing adoption by around 20%, and also increase in automated deployments by four times.
With platform-led transformation of IT, we were able to implement the process changes needed for pandemic work from home within few days for our mobile platform, InfyMe. 94% of Infosys employees were enabled within the few days with work from home. Quick turnaround due to this transformation at scale helped our organization to align to changes needed for the pandemic quickly.
This is our Mission DevSecOps at scale with platform approach. Stay safe, stay healthy. Thank you so much for your patient hearing.