“We can’t share anything on the public internet before completing the security audit.”
“All changes made to an environment must be approved by managers.”
“Applications can be updated only during predefined times.”
Familiar statements … right? You might be wondering why I mentioned testing explicitly in the title. In fact, testing is implicitly included in all steps. A security audit is also just one kind of testing. Testers are quite often the ones who get the blame if applications can’t go live because bugs were detected. So testing is seen as preventing “everything nice”.
Luckily, there are some companies that think differently. In those companies, it’s enough that the code is in version control and the automated tests pass for a new version to be installed in production, without any human intervention. Improvements or fixes for the application can also be made quicker. It’s enough to notice something that needs to be changed in the application (an improvement, an error) and tell the product team. The feature can be fixed or implemented in production much faster than most people would expect.
So, the good part is that we clearly see quick fixes and new features. This can also be seen as a problem. So the first thing to do is to trust each other: for example, that developers do not make mindless implementations and are able to fix things successfully, and that business people can make decisions without getting approvals from steering groups or committees.
So, in a nutshell:
- Trust people and let them do the things that they’re good at.
- Trust that people are doing things the correct way and verifying that the results of their work actually work.
- Help people by removing obstacles instead of creating them.
- Use time for doing things, not for building (manual) safety nets.
All this is part of DevOps, so why not try it yourselves?