Who is the Company

An American corporation with revenue of over $15B engaged in designing, manufacturing, marketing, and servicing of equipment used in chip manufacturing.

The Challenge

In 2021, the company initiated a comprehensive security audit through an external vendor as part of their software controls review process. The audit identified several critical security vulnerabilities that required immediate attention.

To mitigate these issues, the client needed to implement an automated CI/CD pipeline across all their applications, incorporating DevSecOps tools such as SonarQube and Synopsys Black Duck to ensure optimal security measures.

However, the client faced a significant challenge in implementing these changes given the numerous applications spread across various business units, with source code for hundreds of projects hosted on Bitbucket.

While some of the applications had automated processes in place, they lacked integration with security tools. Many other projects had no automation at all. The lack of automation and integration with security tools not only increases the risk of potential security breaches but also results in a slower response time to identified vulnerabilities, leading to potential downtime, loss of revenue, and reputational damage.

The client was also experiencing difficulties maintaining consistency and transparency across their numerous applications, leading to inefficiencies and redundancies in their software development process.

To address these challenges, the client realized they needed to streamline their software development process, integrate automation, and harden their security measures in an easily extendable and scalable way.

Given the complexity of the requirements, developing a robust CI/CD solution was a challenging task. Nevertheless, the GSPANN team successfully developed an easy, reusable, and extensible solution that simplified the entire project.

In brief, the company was looking for:

  • An automated, integrated solution for all of their applications that would ensure optimal security measures.
  • Integration with existing tools and systems, such as Bitbucket and Jira, to minimize disruption to existing workflows.
  • Improved collaboration and communication across development teams to accelerate the development process and ensure all stakeholders are aligned.
  • A way to streamline their software control review process and address the critical security vulnerabilities identified in the recent audit.
  • A comprehensive DevSecOps solution to ensure all applications were secure, reliable, and efficient.
  • A more agile and flexible development process that would allow the company to respond more quickly to changing market conditions and customer needs.

The Solution

The client uses Jenkins, a widely used open-source tool known for its exceptional CI/CD capabilities. The GSPANN team worked closely with the client to apply the concept of multi-branch pipelines and implemented shared libraries within Jenkins. Shared libraries, written in Groovy, are collections of reusable code that can be used across multiple Jenkinsfiles and pipelines.

This approach streamlined the CI/CD pipeline. It improved its efficiency by enabling the sharing of common code and functions across projects, eliminating redundancies, and embodying the "Don't Repeat Yourself" (DRY) principle.

Shared libraries are used to share not only code but also important resources such as credentials, environment variables, and configuration settings. This simplifies configuration, since the same settings can be used across multiple pipelines without manual configuration in each one. The approach also ensures consistency among team members, making the pipelines easier to track and maintain.

Integrating a shared library into a pipeline required only adding a single line to the project's Jenkinsfile. This ease of integration allowed developers to create their own CI/CD pipelines, eliminating the need to rely on DevOps teams for new pipeline creation. As a result, the turnaround time for creating new pipelines was significantly reduced, which sparked interest in adoption among other teams within the organization.
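The following is an added illustration of the pattern described above, not code from the case study or from GSPANN: a shared-library global step that wraps checkout, build, SonarQube analysis with a quality gate, and a Black Duck scan, followed by the one-line Jenkinsfile that consumes it. The library name, credential IDs, server names, URLs and the `detect` CLI on the agent are all assumptions; credentials are referenced by Jenkins credential ID rather than stored in the library.

```groovy
// vars/devSecOpsPipeline.groovy in the shared-library repository.
// Library name, credential IDs, server names and URLs are assumptions, not the client's values.
def call(Map config = [:]) {
    String sonarServer   = config.get('sonarServer', 'sonarqube')              // SonarQube server name in Jenkins
    String bdCredentials = config.get('bdCredentials', 'blackduck-api-token')  // Jenkins credential ID, not a token
    String bdUrl         = config.get('bdUrl', 'https://blackduck.example.com')
    String buildCommand  = config.get('buildCommand', 'mvn -B clean verify')
    boolean failOnGate   = config.get('failOnQualityGate', true)
    pipeline {
        agent any
        stages {
            stage('Checkout') {
                steps { checkout scm }   // the multi-branch job supplies repository and branch
            }
            stage('Build and Unit Tests') {
                steps { sh buildCommand }
            }
            stage('SonarQube Analysis') {
                steps {
                    // withSonarQubeEnv injects the server URL and analysis token configured in Jenkins
                    withSonarQubeEnv(sonarServer) {
                        sh "mvn -B sonar:sonar -Dsonar.branch.name=${env.BRANCH_NAME}"
                    }
                }
            }
            stage('Quality Gate') {
                steps {
                    timeout(time: 10, unit: 'MINUTES') {
                        waitForQualityGate abortPipeline: failOnGate   // fail the build when the gate fails
                    }
                }
            }
            stage('Black Duck SCA') {
                steps {
                    // The token is read from the credentials store and masked in the console log;
                    // "\$BD_TOKEN" is expanded by the shell, not by Groovy, so it never lands in the script text.
                    withCredentials([string(credentialsId: bdCredentials, variable: 'BD_TOKEN')]) {
                        sh """detect --blackduck.url=${bdUrl} --blackduck.api.token="\$BD_TOKEN" \\
                              --detect.project.name="\$JOB_NAME" --detect.project.version.name="\$BRANCH_NAME" \\
                              --detect.policy.check.fail.on.severities=CRITICAL,HIGH"""
                    }
                }
            }
        }
    }
}
// Jenkinsfile in each application repository: the library import line plus one call.
@Library('devsecops-shared-lib') _
devSecOpsPipeline(buildCommand: 'mvn -B clean verify', failOnQualityGate: true)
```

Because every project calls the same step, a change to the scan configuration (for example a stricter severity threshold) is made once in the library and picked up by all pipelines on their next run.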

  • Multi-branch Pipelines: Adoption of multi-branch pipelines to improve efficiency and streamline the CI/CD process.
  • Shared Libraries: Implementation of shared libraries to share code, resources, and configuration settings across multiple projects.
  • Improved Configuration Process: Streamlining the configuration process by eliminating manual configuration for each pipeline.
  • DIY CI/CD Pipeline Creation: Allowing developers to create a DIY CI/CD pipeline and reducing the need for DevOps teams to create new pipelines.
  • Adoption Across Teams: Triggered interest in adopting shared libraries and multi-branch pipelines across other teams within the organization.
  • Efficient and Accelerated DevSecOps CI/CD: The implementation of Jenkins shared libraries improved the efficiency of, streamlined, and accelerated the overall DevSecOps-enabled CI/CD implementation for these projects.

Business Impact

  • Improvements in Project Completion Time: The integration of this solution resulted in a substantial reduction in project completion time, 40% compared to initial estimates.
  • Highly Adaptable and Modular Design: The solution was designed to be versatile and modular, allowing seamless integration into new projects through a simple plug-and-play approach.
  • Increased Efficiency and Productivity: The creation of new pipelines was expedited, resulting in elevated efficiency and productivity.
  • Significant Accomplishment in Speed and Scalability: The team successfully implemented over 30 DevSecOps-enabled CI/CD pipelines in just four months, a substantial accomplishment in terms of both speed and scalability.
  • Positive Impact on Work Processes: This accomplishment is a testament to the effectiveness of the solution and its positive impact on the team's work processes.

Technologies Used

Groovy Scripting: Groovy is a dynamic programming language that runs on the Java Virtual Machine (JVM); Jenkins pipelines and shared libraries are written in it.
Jenkins: Open-source automation server used for building, testing, and deploying software.
SonarQube: SonarQube is a static code analysis tool that analyzes source code and helps assess code quality by detecting bugs and code smells.
Synopsys Black Duck: Black Duck is a software composition analysis (SCA) tool that helps teams manage the security, quality, and license compliance risks that come from the use of open-source and third-party code in applications.
