Can 'shift left' in DevOps pipelines go too far?
More and more functionality, from security to cost management, is now packed into DevOps pipelines -- but if done improperly, "shift left" can create more problems than it solves.
A plethora of CI/CD toolchains now builds in "shift-left" features, but as with many other aspects of DevOps practices, organizational maturity -- or lack thereof -- can turn tools into obstacles.
In recent weeks, DevOps pipeline vendors have rolled out a steady stream of updates to software delivery toolchains that build in features at the early stages of the development process, before code changes reach production deployment. This approach is called shift left because it emphasizes the left side of a typical DevOps workflow diagram.
When approached correctly, the shift-left approach has compelling benefits -- software flaws are much more difficult and expensive to fix the further along they are in the delivery process, especially once they reach production. Thus, shift left, developer accountability for how apps perform in production, and DevOps pipelines are here to stay. Pipeline vendors also tout the fact that their ready-made shift-left plugins require developers and DevOps pros to do less integration work.
However, some organizations mistake shift left for "let's make developers do everything," and sow chaos in the form of developer burnout and slowed velocity, IT practitioners said.
"It should not mean 'developers now have a new job' -- that's the way some organizations are handling it, and that's not right," said Chris Riley, senior manager of developer relations at marketing tech firm HubSpot. "Some organizations get into this 'NoOps' mindset, but if they try to implement all that stuff without doing automation and expecting developers to just change how they operate, that's going to be a problem."
The risk of a shift-left 'hairball'
Some IT pros said they find vendors oversell their shift-left products' benefits for developer experience, without taking the operational maturity of the organization into account.
"You ask who their [target] users are and start to wonder if they're looking for a guy with a big red 'S' on his chest," said Jim Ford, chief architect at a fintech company, GAIN Credit, based in San Diego. "Nine times out of 10, their story there is a little bit aspirational -- my polite way of saying unrealistic."
Then, Ford said, there's the sheer number of overlapping "shift left" tools and vendors trying to sell them, which creates its own problems.
Harness.io, for example, last month acquired ChaosNative, creators of an open source chaos engineering project, with the goal of shifting the practice of random testing for failures into CI/CD pipelines. The vendor added two more shift-left modules on March 22, which build security test orchestration and site reliability engineering into pipelines as well. Also on March 22, GitOps vendor Weaveworks made its first integration of policy-as-code shift-left tooling generally available, based on its acquisition of Magalix in January.
The next week, on March 29, a French startup called Cycloid added a predictive financial operations (FinOps) utility to its DevOps automation product. That same day, app security vendor Contrast Security announced a partnership with Red Hat to embed its shift-left tools within the OpenShift platform. Red Hat already offered similar integrations from partners such as Snyk and its 2021 acquisition of StackRox.
Other DevOps products from vendors that range from GitLab and GitHub to CloudBees and JFrog embed their own "shift left" features into "end to end" software delivery toolchains, as pre-built DevOps platforms gain popularity in the industry. Cloud providers, too, build shift-left features into their own pipeline tools.
"The other problem I have is redundancy of tooling," Ford said. "You have pricing that pushes the client toward a platform purchase ... but do I get rid of the one that I'm getting free from Amazon? It becomes another chance to get into a little bit of a hairball."
Striking a shift-left balance
All of this adds up to a need for DevOps engineering teams that curate shift-left tools to make them easy to use for developers, and for organizations to treat DevOps pipelines as products, HubSpot's Riley said.
"If you're truly thinking in terms of DevOps, you're treating your delivery chain itself as an application that you deliver to your developers," he said. "The DevOps engineering team should operate against a backlog, take feature requests, and work with developers to decide the highest-priority things to be built into the delivery chain."
Such a significant change in organizational strategy won't happen overnight, and trying to add too many tools too quickly can be counterproductive. Companies still maturing in their DevOps process find that shift-left tools are best rolled out gradually.
"These additional responsibilities may impact the overall velocity of a team, and therefore we would not roll them out across all teams in parallel," said Martin Eggenberger, chief architect at jobs website Monster.com. Monster is exploring VMware CloudHealth FinOps and application security testing shift-left tools from SonarQube and JFrog.
"Any shift-left technology is typically being piloted with a single team," Eggenberger said. "Subsequently, we expand the technology to a set of teams, and if it proves successful and cost-efficient, we'll push it across the global tech and delivery organization."
A shift-left approach that piles responsibility onto a team of mythical full-stack developer supermen might work for greenfield apps or companies with a relatively small codebase, but as organizations grow, that can turn into a recipe for developer overwhelm. Splitting up the work in different ways may also become necessary as shift left evolves.
"We need to make sure that adding new types of work also comes with a narrower scope of work," said Ben Kehoe, cloud architect at a tech company he asked not to be named because he isn't authorized to represent it in the press. "If you're making developers responsible for more of the lifecycle of a particular line of code, you need to make them responsible for fewer lines of code."
Finally, DevOps pros must also avoid overfocusing on preproduction shift-left practices -- developers' ability to respond to incidents quickly through the same pipelines is often overlooked, experts said.
"How quickly can I fix something if it goes wrong?" said Larry Carvalho, an independent analyst at Robust Cloud. "Shift-left security is becoming more important because of supply chain concerns, but the ability to be agile in responding to threats is more important."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.