SafetyDetectives spoke with Jim Douglas, CEO & President of Armory.io, about the challenges of continuous deployment, methods for ensuring their apps protect client data, how he sees AI evolving in the next few years, and more.
Thank you for taking some time to answer some questions. Can you introduce yourself and talk about your role at Armory?
My official role is president and CEO of Armory. Unofficially, I’m the company’s chief cloud-native wonk. As a long time software industry veteran, I’ve lived through the software design evolution (modular, MVC, SOA, REST, Microservices) and all the ‘latest’ development methodologies (waterfall, agile / scrum, DevOps, GitOps). I joined Armory to pursue the mission of enabling companies to embrace a cloud-native software approach by automating best practices for continuously deploying code at scale.
Can you talk about Armory? Who is your ideal client, and what are your main services?
Put simply: Armory is helping companies deliver value to their customers faster while meeting their demanding expectations of stability and reliability. We enable Platform Engineering and DevOps teams to reliably, efficiently and safely deploy software at high velocity and scale to achieve this result. Armory delivers this value with our developer-first declarative and flexible continuous deployment solutions. Ultimately, our aim is to shift the industry’s focus to what really matters: writing great code. Delivering value to customers shouldn’t be a ‘hold your breath’ moment. By automating best practices and making continuous deployment simple and efficient, Armory allows teams to focus all their energy on creating great products. We work with thousands of developers, from large-scale enterprises to high-growth startups.
What are some of the biggest challenges of continuous deployment?
Probably the #1 challenge developers face today, in general, is the underlying minutiae of writing code and ensuring there are not fatal quality issues — and not discovering issues for the first time in production. We have an Armory t-shirt that says ‘Not afraid to commit’ that is always a crowd giveaway favorite at trade shows because of the reality of my statement above. Developers should be able to trust their deployment solution to automatically identify bugs, security and/or compliance issues and roll back to a previous code state while minimizing lost progress. Unfortunately, many DevOps teams continue to use manual approaches to deploying code or relying on automation (e.g. CI tools) that wasn’t built or optimized for continuous deployment. The end result is that their customers are the first to identify issues.
Additional stumbling blocks for CD include antiquated processes that increase software’s blast radius. The idea of continuous deployment inherently implies a sense of ephemerality and change — yet many DevOps teams continue to release code en masse, exposing the bulk of their customers to faulty launches. Progressive rollouts and canary deployments address this issue by minimizing blast radius and allowing developers to isolate errors before they affect business continuity.
How do you ensure that your apps and software will protect your client’s data?
Protecting our client’s data is priority number one. Armory’s CD solutions are SOC 2 Type 2 certified, which means all data protocols have been independently audited and verified by privacy experts. Furthermore, to prevent bad actors from infiltrating our systems, Armory conducts quarterly vulnerability scans and annual penetration tests. These processes are vetted and orchestrated by leading independent security firms. In addition, our customers often turn to us for best practices for automating security and compliance checks into their deployment scenarios (i.e., automating DevSecOps).
How do you see the role of AI in software development evolving in the 3 – 5 years?
Enthusiasm for the application of AI in all industries has reached a fever pitch over the past year. Software development is no exception. The use of AI in software development is still nascent and a lot of the potential applications for it are still speculative. However, there are several areas where I believe it can and will have a big impact. Throughout time, engineers have become more productive by obscuring complexity through abstraction. This has occurred both on the vertical plane and the horizontal plane. To put this in the context of software development, we have continuously developed new languages that abstract the complexity of writing code and have created automation to improve workflows and processes (i.e., vertical and horizontal abstractions, respectively).
Experimentation with Natural Language Processing (NLP) tools to accelerate coding is picking up momentum rapidly. The adoption/use of GitHub’s Co-Pilot is a perfect example of this trend. In addition to triggering suggestions based on code you write, the tool can generate code for you based on a natural language description of what you want to implement. The overall quality of code generated by such tools is still insufficient to achieve the productivity gains envisioned for them. However, they will evolve quickly as the data sets expand and the algorithms learn. I fall into the camp of believing they will have an impact sooner rather than later.
We see a similar application for NLP in continuous deployment as well. We’re presently transitioning from imperative tools, where we specify and direct the flow of a process — to a declarative approach, where we specify the expected result and core logic without directing the control flow. The next natural evolution is the ability to describe results in a natural language and be able to trust underlying automation to perform the necessary tasks to achieve the proper outcome.
One of the nearest term opportunities is the application of various AI techniques for improving testing and code reviews. There are already some promising tools available in this domain today.
What are some misconceptions that companies have about cybersecurity?
Historically there has been great tension between the security team and the engineering and operations teams. The security team was viewed as an impediment to releasing code, and the responsibility for security was delegated to the chief information security officer (CISO) or security team. The evolution of CI/CD is changing how organizations prosecute security. Responsibility for security should be shared across the entire team, following the principle of shifting left. Developers need to write secure code, operations need to maintain a secure infrastructure, and the security team needs to provide guidance and oversight — and all of these steps need to be mapped and automated in a DevSecOps workflow.