As a teenager, I remember having a passing interest in hacking. Perhaps this came from watching the movie Sneakers. Whatever the origin, the fancy passed quickly because I prefer building stuff to breaking other people’s stuff. Therefore, what I know about hacking pretty much stops at understanding terminology and high level concepts.
Consider the term “zero day exploit,” for instance. While I understand what this means, I have never once, in my life, sat on discovery of a software vulnerability for the purpose of using it somehow. Usually when I discover a bug, I’m trying to deposit a check or something, and I care only about the inconvenience. But I still understand the term.
“Zero day” refers to the amount of time the software vendor has to prepare for the vulnerability. You see, the clever hacker gives no warning about the vulnerability before using it. (This seems like common sense, though perhaps hackers with more derring do like to give them half a day to watch them scramble to release something before the hack takes effect.) The time between announcement and reality is zero.
Increased Deployment Cadence
Let’s co-opt the term “zero day” for a different purpose. Imagine that we now use it to refer to software deployments. By “zero day deployment,” we thus mean “software deployed without any prior announcement.”
But why would anyone do this? Don’t you miss out on some great marketing opportunities? And, more importantly, can you even release software this quickly? Understanding comes from realizing that software deployment is undergoing a radical shift.
To understand this think about software release cadences 20 years ago. In the 90s, Internet Explorer won the first browser war because it managed to beat Netscape’s plodding release of going 3 years between releases. With major software products, release cadences of a year or two dominated the landscape back then.
But that timeline has shrunk steadily. For a highly visible example, consider Visual Studio. In 2002, 2005, 2008, Microsoft released versions corresponding to those years. Then it started to shrink with 2010, 2012, and 2013. Now, the years no longer mark releases, per se, with Microsoft actually releasing major updates on a quarterly basis.
Zero Day Deployments
As much as going from “every 3 years” to “every 3 months” impresses, websites and SaaS vendors have shrunk it to “every day.” Consider Facebook’s deployment cadence. They roll minor updates every business day and major ones every week.
With this cadence, we truly reach zero day deployment. You never hear Facebook announcing major upcoming releases. In fact, you never hear Facebook announcing releases, period. The first the world sees of a given Facebook release is when the release actually happens. Truly, this means zero day releases.
Oh, don’t get me wrong. Rumors of upcoming features and capabilities circulate, and Facebook certainly has a robust marketing department. But Facebook and companies with similar deployment approaches have impressively made deployments a non-event. And others are looking to follow suit, perhaps yours included.
Conceptual Impediments to Zero Day Deployments
If what I just said made you spit your drink at the screen, I understand. Perhaps your deployment and release process takes so long that the thought of shrinking it to a day made you laugh. Or perhaps it terrified. Either way, I can understand that it may seem quite a leap.
You may conceive of Facebook and other practitioners so alien to your own situation that you see no path from here to there. But in reality, they almost certainly do the same things you do as part of your longer process — just optimized and automated.
Impediments take a variety of forms. You might have lengthy quality assurance and vetting processes, perhaps that require many iterations between the developers and quality assurance. You might still be packaging software onto DVDs and shipping it to customers. Perhaps you run all sorts of checks and analytics on it. But all will fall under the general heading of requiring manual intervention or consuming a lot of time.
To get to zero day deployments, you need to automate and speed up considerably, and this can seem daunting.
What’s Common Today
Some good news exists, though. The same forces that let the Visual Studio team see such radical improvement push on software shops across the board. We all have access to helpful techs.
For instance, the overwhelming majority of organizations now have continuous integration via dedicated build machines. Software developers commit code, and these things scoop it up, compile it, and package it up in a deployable package. This activity now happens on the order of minutes whereas, in the past, I can remember shops where this was some poor guy’s entire job, and he’d spend days on each build.
And, speaking of the CI server, a lot of them run automated test suites as part of what they do. Most commonly, this means unit tests. But they might also invoke acceptance tests and even more exotic things like smoke, GUI, and functionality tests. You can thus accept commits, build the software, run a bunch of test, and get it ready to deploy.
Of course, you can also automate the actual deployment as well. It stands to reason that, if your build machine can ball it up into a deliverable, it can deliver that deliverable. This might be harder with physical media involved, but as more software deliveries happen over networks, more of them get automated.
What We Need Next
With all of that in place, why don’t we have more zero day deployments? What’s missing?
Again, discounting the problem of physical media, I’d say quality checks present the biggest issue. We can compile, run automated tests, and deploy automatically. But does this guarantee acceptable production behavior?
What about the important element of code reviews? How do you assure that, even as automated tests pass, the application isn’t piling up mountains of technical debt and impeding future deployments? To get to zero day deployments, we must address these issues.
Don’t get me wrong. Other things matter here as well. Zero day deployments require robust production checks and sophisticated “oops, that didn’t work, rollback!” capabilities. But I think that nothing will matter more than automated quality checks.
Each time you commit code, you need an intelligent analysis of that code that should fail the build as surely as failing tests if issues crop up. In a zero day deployment context, you cannot afford best practice violations. You cannot afford slipping quality, mounting technical debt, and you most certainly cannot afford code rot. Today’s rot in a zero day deployment scenario means tomorrow’s inability to deploy that way.