<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Expeditious Software</title><description>Enterprise DevOps services</description><link>https://es.nl/</link><item><title>Software Supply Chain Security in 2026: SBOMs, SLSA, and What the Cyber Resilience Act Now Demands</title><link>https://es.nl/2026/software-supply-chain-security-sbom-slsa-cyber-resilience-act/</link><guid isPermaLink="true">https://es.nl/2026/software-supply-chain-security-sbom-slsa-cyber-resilience-act/</guid><description>Software supply chain security in 2026: what an SBOM is, how SLSA build provenance differs, and exactly what the EU Cyber Resilience Act demands - and by when.</description><pubDate>Tue, 07 Jul 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;For most of the last decade, &quot;application security&quot; meant scanning the code your own team wrote. That framing is now the smaller half of the problem. The code you ship is overwhelmingly code you did not write - transitive open-source dependencies, base images, build plugins, CI runners - and that is precisely where attackers have moved. If you run delivery for a regulated Benelux team, software supply chain security has stopped being a maturity nicety and become a compliance deadline with a date on it. This is what the terms actually mean, what the EU is about to require, and where the engineering work lands.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/ci_cd_illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/ci_cd_illustration-600w.webp 600w, /content/uploads/2025/06/ci_cd_illustration-1120w.webp 1120w, /content/uploads/2025/06/ci_cd_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;CI/CD pipeline diagram showing build, test and security stages where SBOM generation and build provenance are produced between commit and deployment&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Why the software supply chain became the attack surface&lt;/h2&gt;

&lt;p&gt;The threat is not theoretical, and it is not shrinking. Sonatype&apos;s tenth annual State of the Software Supply Chain report, published in January 2026, found more than &lt;strong&gt;454,000 new malicious open-source packages&lt;/strong&gt; during 2025, pushing the cumulative total of known and blocked malware past &lt;strong&gt;1.233 million packages&lt;/strong&gt; - a 75% year-on-year increase in open-source malware. Over the same period, developers pulled &lt;strong&gt;9.8 trillion open-source downloads&lt;/strong&gt; across the four largest registries, up 67% (&lt;a href=&quot;https://www.globenewswire.com/news-release/2026/01/28/3227372/0/en/Sonatype-Research-Reveals-OSS-Malware-Grows-75-as-Yearly-Open-Source-Downloads-Surpass-9-8-Trillion.html&quot;&gt;Sonatype, 2026&lt;/a&gt;). The two numbers together are the whole story: consumption is exploding, and attackers have industrialised the practice of poisoning the well rather than picking a lock.&lt;/p&gt;

&lt;p&gt;The failure mode is distinct from a classic vulnerability. A CVE in a library is an accident you can patch; a malicious package is a deliberate payload that ran &lt;em&gt;inside your build&lt;/em&gt; the moment a developer typed &lt;strong&gt;install&lt;/strong&gt;. Typosquatting, dependency confusion, and compromised maintainer accounts all reach production through the same trusted pipe you use every day. That is why the industry stopped talking about &quot;vulnerable dependencies&quot; and started talking about supply chain &lt;em&gt;integrity&lt;/em&gt;: the question is no longer only &quot;does this component have a known flaw&quot; but &quot;do I actually know what is in my software, and can I prove how it was built.&quot;&lt;/p&gt;

&lt;h2&gt;What an SBOM is - and what it does not tell you&lt;/h2&gt;

&lt;p&gt;A Software Bill of Materials (SBOM) answers the first half of that question. It is a formal, machine-readable inventory of every component in a software product - libraries, packages, versions, licenses, and metadata - typically expressed in one of the two dominant formats, &lt;a href=&quot;https://slsa.dev/&quot;&gt;SPDX&lt;/a&gt; or CycloneDX. When a new critical vulnerability lands in a widely used library, the organisations that can answer &quot;are we affected, and where&quot; within hours are the ones holding current SBOMs. The ones grepping through repositories by hand are still answering that question days later, which in an incident is the same as not answering it.&lt;/p&gt;

&lt;p&gt;The trap is treating an SBOM as a compliance artifact rather than an operational one. A &quot;paper SBOM&quot; generated once at release and filed away is nearly worthless, because your dependency graph and the vulnerabilities in it change daily. An SBOM is only useful if it is regenerated on every build and continuously matched against vulnerability and exploitability data. And it has a hard limit: an SBOM tells you &lt;strong&gt;what&lt;/strong&gt; is in the box, not &lt;strong&gt;how the box was assembled&lt;/strong&gt;. It cannot tell you whether the build itself was tampered with - whether the artifact in your registry is actually the artifact your source produced. That gap is what the next control exists to close.&lt;/p&gt;

&lt;h2&gt;SBOM vs SLSA: proving how the software was built&lt;/h2&gt;

&lt;p&gt;SLSA - Supply-chain Levels for Software Artifacts, pronounced &quot;salsa&quot; - is a vendor-neutral framework, now stewarded through the OpenSSF, that addresses build integrity rather than component inventory. Where an SBOM is a list, SLSA is a chain of custody. Its core mechanism is &lt;strong&gt;provenance&lt;/strong&gt;: verifiable, tamper-evident metadata that records how an artifact was built, from which source, by which builder, so a consumer can confirm the binary in production genuinely came from the reviewed source and an untampered pipeline (&lt;a href=&quot;https://slsa.dev/&quot;&gt;SLSA, OpenSSF&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;SLSA is structured as progressive build levels rather than a single bar to clear:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Build L1&lt;/strong&gt; - provenance exists: the build process generates a record of how the artifact was produced. Basic, but it makes tampering detectable in principle.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Build L2&lt;/strong&gt; - provenance is signed and generated by a hosted build service, so it cannot be trivially forged on a developer laptop.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Build L3&lt;/strong&gt; - the build platform is hardened so that provenance is unforgeable and the build runs in an isolated, non-falsifiable environment. This is the level that meaningfully defends against a compromised build system.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The practical reading for a delivery lead: SBOM and SLSA are complementary, not competing. The SBOM tells you and your auditors what shipped; SLSA provenance lets a consumer &lt;em&gt;verify&lt;/em&gt; that what shipped was built the way you claim. Mature programmes generate both from the same pipeline, on every release, and treat a missing or unsigned provenance the way they treat a failing test - as a release blocker, not a warning.&lt;/p&gt;

&lt;h2&gt;What the EU Cyber Resilience Act requires - and by when&lt;/h2&gt;

&lt;p&gt;For Benelux teams, the reason this is now a roadmap item rather than a research topic is the EU Cyber Resilience Act (CRA). It applies to virtually any &quot;product with digital elements&quot; placed on the EU market - hardware and software - and it turns several of the practices above from good hygiene into legal obligation. The CRA &lt;strong&gt;entered into force on 10 December 2024&lt;/strong&gt;, and its timeline is staged (&lt;a href=&quot;https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act&quot;&gt;European Commission&lt;/a&gt;):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;11 September 2026&lt;/strong&gt; - the reporting obligations begin. Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and national CSIRTs, with a 24-hour early warning and a 72-hour follow-up.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;11 December 2027&lt;/strong&gt; - the main obligations apply in full: secure-by-design requirements, vulnerability handling across the support period, conformity assessment, CE marking, and the duty to provide security updates.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The SBOM is written into that regime. Under the CRA, manufacturers must create and maintain a software bill of materials covering, at minimum, the &lt;strong&gt;top-level dependencies&lt;/strong&gt; of the product, in a commonly used machine-readable format such as SPDX, CycloneDX, or SWID. It does not have to be published, but it must sit in the product&apos;s technical documentation and be handed to market surveillance authorities on request (&lt;a href=&quot;https://anchore.com/sbom/eu-cra/&quot;&gt;Anchore, EU CRA SBOM overview&lt;/a&gt;). If your product touches the EU market, &quot;we could produce an SBOM if asked&quot; is no longer a defensible position; the machinery has to already exist and run continuously, because vulnerability reporting on a 24-hour clock is impossible without it.&lt;/p&gt;

&lt;h2&gt;How to build this into the pipeline instead of bolting it on&lt;/h2&gt;

&lt;p&gt;The teams that will absorb the CRA without drama are the ones treating supply chain security as pipeline plumbing, not a pre-audit scramble. Four moves do most of the work. First, &lt;strong&gt;generate the SBOM in CI on every build&lt;/strong&gt; and store it as a first-class artifact alongside the binary, so inventory is a byproduct of shipping rather than a separate project. Second, &lt;strong&gt;enforce curation at the front door&lt;/strong&gt;: automated policy that blocks dependencies which are suspiciously new, unmaintained, or carry incompatible licenses stops a large share of malicious-package attacks before they ever enter a build. Third, &lt;strong&gt;emit signed build provenance&lt;/strong&gt; and verify it at deploy time, climbing toward SLSA Build L3 on the pipelines that matter most. Fourth, &lt;strong&gt;wire SBOM data to exploitability context&lt;/strong&gt; - VEX and reachability - so your team spends its hours on the vulnerabilities that are actually reachable in your product, not on a wall of undifferentiated &quot;high&quot; scores.&lt;/p&gt;

&lt;p&gt;None of this is exotic tooling anymore; the frameworks are mature and the formats are standardised. What it requires is the same discipline that separates elite delivery from the rest - encoding the control once, in the platform, so every team inherits it rather than reinventing it. The CRA has simply put a date on when that discipline stops being optional. September 2026 is the first of those dates, and it is closer than a typical platform migration takes to land.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.globenewswire.com/news-release/2026/01/28/3227372/0/en/Sonatype-Research-Reveals-OSS-Malware-Grows-75-as-Yearly-Open-Source-Downloads-Surpass-9-8-Trillion.html&quot;&gt;Sonatype Research Reveals OSS Malware Grows 75% as Yearly Open Source Downloads Surpass 9.8 Trillion (10th Annual State of the Software Supply Chain)&lt;/a&gt; - Sonatype, January 2026&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://slsa.dev/&quot;&gt;SLSA - Supply-chain Levels for Software Artifacts&lt;/a&gt; - OpenSSF, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act&quot;&gt;Cyber Resilience Act&lt;/a&gt; - European Commission, Shaping Europe&apos;s digital future, 2024-2026&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://anchore.com/sbom/eu-cra/&quot;&gt;EU CRA SBOM Requirements: Overview and Compliance&lt;/a&gt; - Anchore, 2026&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/software-supply-chain-security-sbom-slsa-cyber-resilience-act/&quot;&gt;Software Supply Chain Security in 2026: SBOMs, SLSA, and What the Cyber Resilience Act Now Demands&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How the Software Delivery ROI Calculator Works: Who It Is For, Our Sources, and How to Read the Results</title><link>https://es.nl/2026/software-delivery-roi-calculator-methodology/</link><guid isPermaLink="true">https://es.nl/2026/software-delivery-roi-calculator-methodology/</guid><description>The methodology behind the Expeditious Software Delivery ROI calculator: who it is for, the DORA and industry research it is built on, and how to interpret the range, the FTE equivalent, and the DORA profile it produces.</description><pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Every ROI calculator on the internet has the same problem: it is built to produce a big number, not an honest one. We built ours the other way around. The &lt;a href=&quot;/roi-calculator/&quot;&gt;Software Delivery ROI calculator&lt;/a&gt; exists to help an engineering leader frame the size of a delivery-improvement opportunity in euros, using conservative assumptions grounded in public research, so the figure survives scrutiny from a CFO rather than collapsing under it. This article explains exactly who it is for, what data sits behind every default, and how to read what it gives you back.&lt;/p&gt;

&lt;h2&gt;Who this calculator is for&lt;/h2&gt;

&lt;p&gt;It is built for the person who has to justify investment in delivery: a Director or Head of Software Engineering, a platform or DevOps lead, a VP of Engineering or CTO, typically at an organisation with fifty or more engineers. If you are the one being asked &quot;what would we actually get for this?&quot; in a budget meeting, this is your tool. It is deliberately not a procurement questionnaire. It asks for six inputs you already know or can estimate in a minute, all of them phrased in the language you already report upward: team size, fully-loaded cost per engineer, and your four &lt;a href=&quot;https://dora.dev/guides/dora-metrics/&quot;&gt;DORA&lt;/a&gt; metrics (deployment frequency, lead time for changes, change failure rate, and time to restore service).&lt;/p&gt;

&lt;p&gt;The output is designed to be a one-page artifact you can forward to your team and your finance function without editing. That is the whole point: a defensible, sourced starting figure that opens a conversation, not a vanity number that ends one.&lt;/p&gt;

&lt;h2&gt;What it measures: three value drivers&lt;/h2&gt;

&lt;p&gt;The calculator estimates the annual value of closing the gap between your current delivery performance and a realistic target, across three drivers. We chose these three because they are the ones most directly supported by evidence, and we deliberately excluded softer levers (retention, brand, morale) that are real but too easy to inflate.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Reclaimed engineering time.&lt;/strong&gt; Low-performing delivery quietly taxes every engineer through toil, rework, and waiting on slow builds and environments. Improving your DORA profile returns a share of that capacity to building product. Incident and failure cost is counted separately, in the next driver, so the two never overlap. This is the largest and most defensible driver.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced failure and incident cost.&lt;/strong&gt; Fewer failed changes and faster recovery mean less remediation labour and less customer-facing downtime. We cost the labour every time and treat downtime as an optional, conservative add-on.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Faster delivery (opportunity).&lt;/strong&gt; Some reclaimed capacity is redirected to revenue-generating work. This is the softest of the three, so it is the smallest and is clearly labelled as an estimate.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;The sources behind the numbers&lt;/h2&gt;

&lt;p&gt;Every default in the model carries a citation. Here is where the important ones come from and how we use them.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Performance bands and targets:&lt;/strong&gt; the &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 Accelerate State of DevOps report&lt;/a&gt; from Google&apos;s DORA programme. The four metrics and the recovery-time bands come from here. DORA is peer-reviewed, independent, and the industry standard, which is why we anchor to it rather than to any vendor. Two honest caveats: DORA&apos;s bands are re-derived each year by cluster analysis of self-reported data (they are not fixed constants), and DORA&apos;s 2025 report reframed the Elite/High/Medium/Low tiers into team archetypes. The four keys themselves remain the standard, so we keep the widely-understood tier labels for clarity while treating the exact thresholds as approximate.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;That delivery improvements carry a financial value:&lt;/strong&gt; DORA&apos;s 2026 &lt;a href=&quot;https://dora.dev/ai/roi/report/&quot;&gt;ROI of AI-Assisted Software Development&lt;/a&gt; report sets out an official value chain running from engineering capabilities, through the DORA metrics, to financial outcomes. We cite it for that structure - it is DORA&apos;s own confirmation that moving these metrics has a euro value - rather than for its AI-adoption or J-curve model, because this tool estimates the value of improving delivery, not the ROI of adopting AI tools.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;How much capacity delivery friction consumes:&lt;/strong&gt; Stripe&apos;s &lt;a href=&quot;https://stripe.com/files/reports/the-developer-coefficient.pdf&quot;&gt;Developer Coefficient&lt;/a&gt; found engineers lose roughly 42% of their week to maintenance and technical debt, and the &lt;a href=&quot;https://queue.acm.org/detail.cfm?id=3595878&quot;&gt;DevEx research&lt;/a&gt; (Noda, Forsgren, Storey and Greiler, ACM Queue 2023) characterises the friction, feedback-loop delay, and context-switching cost underneath that. Google&apos;s &lt;a href=&quot;https://sre.google/sre-book/eliminating-toil/&quot;&gt;SRE guidance&lt;/a&gt; on capping toil at 50% frames the ceiling. Being precise about this: the Stripe figure is a 2018 self-reported average with no breakdown by performance tier, and the DevEx paper frames friction qualitatively rather than as a single percentage. So the per-band &quot;delivery drag&quot; curve is our own conservative assumption, calibrated to sit &lt;em&gt;below&lt;/em&gt; Stripe&apos;s 42% aggregate, not a measured gradient.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost of an engineer, in euros:&lt;/strong&gt; a fully-loaded mid-level Dutch engineer at roughly EUR 104,000 per year. That is a gross base of about EUR 80,000 (from &lt;a href=&quot;https://www.levels.fyi/Salaries/Software-Engineer/Netherlands/&quot;&gt;Levels.fyi&lt;/a&gt; and Hays benchmarks, already including the statutory 8% holiday allowance) multiplied by about 1.30 for the genuine Dutch &lt;em&gt;employer&lt;/em&gt; burden: unemployment (AWf), disability (Aof/WIA), the health-insurance-act contribution (Zvw) and a modest pension share, per &lt;a href=&quot;https://www.deel.com/blog/netherlands-payroll-taxes/&quot;&gt;Deel&lt;/a&gt; and the Belastingdienst. We deliberately exclude the 27.65% national insurance (volksverzekeringen), because that is withheld from the employee, not paid by the employer. Divided across roughly 1,880 full-time-equivalent working hours a year. You can override this to match your own numbers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost of downtime and incidents:&lt;/strong&gt; figures from &lt;a href=&quot;https://www.pagerduty.com/newsroom/study-cost-of-incidents/&quot;&gt;PagerDuty&lt;/a&gt; and ITIC. Their headline downtime numbers (often quoted above USD 300,000 per hour) reflect large enterprises in critical sectors and overstate a mid-market reality by a wide margin, so downtime in our model is optional, defaults to a conservative EUR 25,000 per hour, and can be switched off entirely. When it is off, the reliability driver falls back to remediation labour only, which is always defensible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The wider ROI evidence base:&lt;/strong&gt; Forrester&apos;s Total Economic Impact studies of internal developer platforms (for vendors such as Cortex, GitLab and Red Hat) report three-year ROI figures from roughly 220% to 700%, and McKinsey&apos;s &lt;a href=&quot;https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/developer-velocity-how-software-excellence-fuels-business-performance&quot;&gt;Developer Velocity Index&lt;/a&gt; links top-quartile engineering practice to materially faster revenue growth. We treat the Forrester numbers as an optimistic ceiling (they are vendor-commissioned) and the McKinsey link as narrative, not as a multiplier, because it is a correlation. Independent &lt;a href=&quot;https://nucleusresearch.com/&quot;&gt;Nucleus Research&lt;/a&gt;, which finds that roughly two thirds of the technology deployments it studies clear 200% three-year ROI, is the neighbourhood our conservative figures land in.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;How to read your results&lt;/h2&gt;

&lt;p&gt;The result is presented as a range and a set of supporting figures, on purpose.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;The range (conservative to typical).&lt;/strong&gt; No single number is honest here, so we show two. Both discount the raw model, because in practice not all of the theoretical value is captured. Read the conservative end as the number you would be comfortable defending to a skeptic, and the typical end as a reasonable expectation for an engagement that goes well.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Engineering hours and the FTE equivalent.&lt;/strong&gt; The same value expressed as capacity: how many hours you would reclaim, and roughly how many full-time engineers that represents. This is often the more persuasive framing for a leader who thinks in headcount rather than budget lines.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Your DORA profile, today to target.&lt;/strong&gt; Each metric shows your current band and the target we assume: a realistic one-band improvement (a High team&apos;s target is Elite, never a multi-band leap). Only a team already at Elite on a metric sees no uplift there, which is correct: we do not manufacture a return that is not there. Each of the four metrics is valued on its own, so a single weak metric still shows value even when the others are strong.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The optional inputs.&lt;/strong&gt; Setting a downtime cost adds the reliability upside for revenue-critical systems. Entering an expected budget unlocks an annual ROI percentage and a payback period. Both are off by default so the headline stays grounded.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;What the calculator is not&lt;/h2&gt;

&lt;p&gt;It is an estimate, not a promise, and it is not a substitute for measuring your own systems. Gartner&apos;s own research is the useful check here: it estimates that around three quarters of DevOps initiatives fail to meet expectations, usually for organisational rather than technical reasons. The value in this model is real, but realising it depends on the engagement, not the spreadsheet. That is exactly why the conservative end of the range exists, and why the honest next step is to ground these numbers in a short assessment of your actual delivery pipeline rather than to treat the estimate as settled.&lt;/p&gt;

&lt;h2&gt;Try it&lt;/h2&gt;

&lt;p&gt;Move the sliders to your reality and see the range for your team on the &lt;a href=&quot;/roi-calculator/&quot;&gt;ROI calculator&lt;/a&gt;. If the numbers look interesting, the right next move is to make them specific. &lt;a href=&quot;https://book.es.nl/appointment/1&quot;&gt;Book a call&lt;/a&gt; and we will ground them in how your teams actually ship.&lt;/p&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/software-delivery-roi-calculator-methodology/&quot;&gt;How the Software Delivery ROI Calculator Works: Who It Is For, Our Sources, and How to Read the Results&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Platform Engineering vs DevOps: What an Internal Developer Platform Actually Buys You</title><link>https://es.nl/2026/platform-engineering-vs-devops-internal-developer-platform/</link><guid isPermaLink="true">https://es.nl/2026/platform-engineering-vs-devops-internal-developer-platform/</guid><description>Platform engineering vs DevOps for senior teams: what an internal developer platform really is, golden paths, the DORA tradeoff, and when a platform team pays off.</description><pubDate>Tue, 30 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&quot;Platform engineering&quot; is the term every vendor deck reached for over the last two years, which is exactly why senior engineers are right to be suspicious of it. The fair question - the one engineering directors keep asking in budget meetings - is whether this is a genuine shift or DevOps with a new logo. The honest answer is that it is neither hype nor rebrand: it is a specific, measurable response to a failure mode that mature DevOps organisations reliably hit at scale. This article walks the actual distinction, what an internal developer platform is, what the data says it costs and buys, and when standing up a platform team is justified rather than fashionable.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/engineering_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/engineering_illustration-600w.webp 600w, /content/uploads/2025/05/engineering_illustration-1120w.webp 1120w, /content/uploads/2025/05/engineering_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of a platform engineering team building shared self-service tooling and golden paths for product developers&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Is platform engineering just DevOps rebranded?&lt;/h2&gt;

&lt;p&gt;No, and the cleanest way to see why is to look at what each one optimises. DevOps is a culture and a set of goals - collaboration, flow, shared ownership of delivery - and its industry scorecard is the DORA research programme. It tells you to align people and process so value moves quickly from idea to production, but it deliberately leaves the &lt;strong&gt;how&lt;/strong&gt; to each team. Platform engineering is product-driven infrastructure that supplies that &quot;how&quot; once, for everyone. Red Hat frames it precisely: platform engineering &quot;extends DevOps practices by providing standardized tools, services, and workflows so development teams can build software solutions more efficiently,&quot; and it exists so that &quot;DevOps teams don&apos;t have to do everything on their own&quot; (&lt;a href=&quot;https://www.redhat.com/en/topics/platform-engineering/platform-engineering-vs-devops&quot;&gt;Red Hat&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;The failure mode it targets is specific. At scale, every squad implements DevOps differently. Team A standardises on Jenkins, Team B on GitLab CI, Team C on a pile of bespoke scripts. Each builds its own deployment path, its own secrets handling, its own monitoring. The result is not autonomy - it is duplicated effort, inconsistent security posture, and a cognitive load that quietly taxes every engineer. Platform engineering treats that sprawl as a product problem: build one paved road, make it the easiest path, and let teams stay on it by choice rather than mandate. DevOps is the goal; the platform is how you reach it without each team reinventing the substrate.&lt;/p&gt;

&lt;h2&gt;What an internal developer platform actually is&lt;/h2&gt;

&lt;p&gt;An internal developer platform (IDP) is, in Red Hat&apos;s words, &quot;a standardized set of self-service tools and technologies that developers need to create and deploy code,&quot; curated so developers work &quot;without managing underlying infrastructure directly.&quot; Two ideas do most of the work here, and both are worth getting precise about.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Golden paths (or paved roads)&lt;/strong&gt; - reusable, automated workflows that take a developer from intent to running service without hand-rolling the plumbing. A golden path turns &quot;high-level blueprints into reusable solutions that abstract away the underlying complexities of cloud networking and container orchestration.&quot; Think: a single command or template that provisions a new service with logging, tracing, CI, security scanning and a deploy pipeline already wired in.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Self-service&lt;/strong&gt; - the platform lets teams &quot;independently provision environments, databases, and pipelines&quot; through a portal, so they are not waiting on a ticket to a central ops queue. This is the load-bearing property. A platform that still routes every environment request through a human is not a platform; it is a help desk with better branding.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The distinction that matters for buyers: a real IDP is opinionated and self-service. It encodes the organisation&apos;s standards into the path of least resistance, then gets out of the way. If your &quot;platform&quot; is a wiki page of approved tools, you have documentation, not a platform.&lt;/p&gt;

&lt;h2&gt;What the data says: productivity up, throughput and stability at risk&lt;/h2&gt;

&lt;p&gt;This is where senior engineers should resist the marketing and read the research. The 2024 DORA report - based on a global survey of more than 39,000 professionals - found that an internal developer platform improves individual productivity, team performance, and overall organisational performance. But it also found a real cost: platforms can &lt;strong&gt;decrease change throughput and stability&lt;/strong&gt; when implemented without care, which is the opposite of what most teams assume they are buying (&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;DORA, 2024&lt;/a&gt;). The mechanism is intuitive. A platform adds a layer of abstraction and a central team; if that team becomes a bottleneck, or the paved road does not actually fit how teams work, you have traded distributed friction for centralised friction.&lt;/p&gt;

&lt;p&gt;DORA&apos;s mitigation is the part teams skip: &lt;strong&gt;user-centricity and developer independence&lt;/strong&gt;. Platforms designed around what internal developers actually need, with genuine self-service, are where the productivity gains land and the throughput penalty shrinks. The lesson for a director is blunt - a platform team that ships what it finds convenient, rather than what product teams need, will produce the stability hit without the productivity upside. Treat the platform as a product with internal customers, or do not build it.&lt;/p&gt;

&lt;h2&gt;Do you need a platform team?&lt;/h2&gt;

&lt;p&gt;Adoption is real but far from universal, and that gap is the useful signal. The 2025 DORA report found that &lt;strong&gt;90% of organisations have adopted at least one internal platform&lt;/strong&gt; (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud / DORA, 2025&lt;/a&gt;), yet the CNCF and SlashData Q1 2026 Technology Radar found that only &lt;strong&gt;28% of organisations have a dedicated platform engineering team&lt;/strong&gt; responsible for those internal platforms, with the most common model - reported by &lt;strong&gt;41% of organisations&lt;/strong&gt; - being multi-team collaboration rather than a standalone function (&lt;a href=&quot;https://www.cncf.io/announcements/2026/03/24/cncf-and-slashdata-report-finds-platform-engineering-tools-maturing-as-organizations-prepare-for-ai-driven-infrastructure/&quot;&gt;CNCF / SlashData, 2026&lt;/a&gt;). In other words: most organisations have a platform; far fewer have a team whose product is the platform.&lt;/p&gt;

&lt;p&gt;The honest test for whether you need a dedicated team is scale and duplication, not trend-following. You have a case when multiple product teams are independently solving the same infrastructure problems, when onboarding a new service takes days of bespoke setup, or when your security and compliance posture varies team by team because each wired its own pipeline. Below that threshold - a handful of teams, one or two deploy patterns - a dedicated platform team is overhead that will hunt for a problem to justify itself. Gartner&apos;s widely cited forecast that 80% of software engineering organisations will run platform teams by 2026 is real momentum, but momentum is not a reason; duplicated toil is.&lt;/p&gt;

&lt;h2&gt;How to measure a platform without fooling yourself&lt;/h2&gt;

&lt;p&gt;The most damning finding in the recent research is not technical: a large share of platform teams do not measure their own success at all. A platform is an internal product, so measure it like one. Track adoption (what fraction of services and teams are actually on the paved road, voluntarily), the DORA delivery metrics before and after for teams that onboard, developer-experience signals such as time-to-first-deploy for a new service, and the throughput and stability numbers DORA warns about - so you catch the central-bottleneck failure early rather than in a postmortem. If adoption is mandated rather than chosen, that is itself a metric: it means the path is not yet the easiest one, and developers are routing around it.&lt;/p&gt;

&lt;p&gt;For Benelux teams under DORA the regulation, NIS2, and the EU Cyber Resilience Act, there is a second dividend worth naming. A golden path is the cleanest place to encode controls once - SBOM generation, signed builds, mandatory scanning, audit logging - and have every team inherit them by default instead of each squad re-implementing compliance unevenly. &quot;We documented the policy&quot; is not an answer an auditor accepts; &quot;every service is provisioned through a pipeline that enforces it&quot; is. That is the strongest pragmatic case for platform engineering in a regulated context: it turns scattered, best-effort compliance into a property of the paved road.&lt;/p&gt;

&lt;h2&gt;The bottom line&lt;/h2&gt;

&lt;p&gt;Platform engineering is not better than DevOps and it does not replace it. It is the pragmatic implementation of DevOps goals at a scale where letting every team build its own substrate stops being autonomy and starts being waste. Build an internal developer platform when duplication is real, treat it as a product with self-service and golden paths as non-negotiables, measure adoption and the DORA tradeoff honestly, and use the paved road to make compliance a default rather than a documentation exercise. Do that and the platform earns its team. Skip the discipline - build for the platform team&apos;s convenience, mandate adoption, measure nothing - and you will get DORA&apos;s stability penalty with none of the productivity it was supposed to buy.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-assisted Software Development&lt;/a&gt; - Google Cloud / DORA, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.cncf.io/announcements/2026/03/24/cncf-and-slashdata-report-finds-platform-engineering-tools-maturing-as-organizations-prepare-for-ai-driven-infrastructure/&quot;&gt;CNCF and SlashData Report Finds Platform Engineering Tools Maturing&lt;/a&gt; - CNCF / SlashData (Q1 2026 Technology Radar), March 2026&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.redhat.com/en/topics/platform-engineering/platform-engineering-vs-devops&quot;&gt;Platform engineering vs. DevOps&lt;/a&gt; - Red Hat, 2025&lt;/li&gt;
&lt;/ul&gt;
&lt;/content&gt;
&lt;/invoke&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/platform-engineering-vs-devops-internal-developer-platform/&quot;&gt;Platform Engineering vs DevOps: What an Internal Developer Platform Actually Buys You&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Infrastructure as Code in 2026: Drift, Policy, and the Terraform vs OpenTofu Decision</title><link>https://es.nl/2026/infrastructure-as-code-drift-policy-terraform-vs-opentofu/</link><guid isPermaLink="true">https://es.nl/2026/infrastructure-as-code-drift-policy-terraform-vs-opentofu/</guid><description>Infrastructure as Code for senior teams: what it really is, why drift breaks production, what policy as code buys regulated teams, and Terraform vs OpenTofu.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most organisations now say they &quot;do Infrastructure as Code,&quot; and most of them are only partly telling the truth. Firefly&apos;s 2025 State of Infrastructure as Code found that while &lt;strong&gt;72% of organisations use IaC, only about one-third have codified more than 75% of their infrastructure&lt;/strong&gt; (&lt;a href=&quot;https://www.firefly.ai/blog/the-maturing-state-of-infrastructure-as-code-in-2025&quot;&gt;Firefly, 2025&lt;/a&gt;). The gap between those two numbers is where outages, failed audits, and surprise cloud bills live. For an engineering director at a regulated Benelux team, the interesting question is no longer &quot;should we adopt IaC&quot; but &quot;what does mature IaC actually require, and which tool do we standardise on now that the ecosystem has split.&quot; This article answers the questions teams are actually searching for.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2026/06/ext-datacenter-racks.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-datacenter-racks-600w.webp 600w, /content/uploads/2026/06/ext-datacenter-racks-1120w.webp 1120w, /content/uploads/2026/06/ext-datacenter-racks.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Interior of a data center showing multiple rows of tall metal server racks - the physical infrastructure that Infrastructure as Code provisions and manages declaratively.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;What is Infrastructure as Code, really?&lt;/h2&gt;

&lt;p&gt;Infrastructure as Code means defining your servers, networks, databases, and cloud resources in machine-readable definition files that you version, review, and apply through automation - rather than clicking through a console. The distinction that matters in practice is &lt;strong&gt;declarative versus imperative&lt;/strong&gt;. An imperative approach scripts the steps (&quot;create this VPC, then this subnet, then attach this gateway&quot;). A declarative approach describes the desired end state and lets the tool compute the diff between what exists and what you asked for. Terraform, OpenTofu, AWS CloudFormation, and Pulumi are all primarily declarative, which is why they dominate: the tool owns the reconciliation logic, not your runbook.&lt;/p&gt;

&lt;p&gt;That declarative model is the whole point. It gives you a single source of truth that doubles as documentation, a pull-request workflow for infrastructure changes, and a reproducible way to stand up identical staging and production environments. It is also what makes the next problem - drift - both detectable and fixable, which it simply is not when infrastructure lives in someone&apos;s memory and a series of manual console clicks.&lt;/p&gt;

&lt;h2&gt;Why does configuration drift keep breaking production?&lt;/h2&gt;

&lt;p&gt;Configuration drift is the divergence between the state your code declares and the state actually running in the cloud. It happens for mundane reasons: an engineer makes an emergency change in the console during an incident, an auto-scaling group rewrites a value, a managed service updates a default, or two teams edit overlapping resources. Each individual change is small. The cumulative effect is an environment your IaC no longer describes - so the next `apply` either reverts a fix someone made by hand or fails outright.&lt;/p&gt;

&lt;p&gt;Drift is dangerous precisely because it is invisible until you act on stale assumptions. The defence is &lt;strong&gt;continuous drift detection&lt;/strong&gt;: a scheduled job that compares declared state against live state and flags every divergence, rather than discovering it during a high-pressure deploy. This is also where the &quot;only one-third have codified most of their estate&quot; statistic bites. If two-thirds of your infrastructure was created by hand and never imported into code, drift detection has nothing to compare against, and the manual provisioning that Firefly&apos;s report flags - roughly &lt;strong&gt;30% of teams still deploy Terraform manually&lt;/strong&gt; rather than through a pipeline - is exactly the behaviour that reintroduces drift faster than you can remediate it (&lt;a href=&quot;https://www.firefly.ai/blog/the-maturing-state-of-infrastructure-as-code-in-2025&quot;&gt;Firefly, 2025&lt;/a&gt;). The fix is unglamorous: import existing resources into code, route every change through CI/CD, and treat a drift alert as a defect, not a curiosity.&lt;/p&gt;

&lt;h2&gt;What does policy as code actually buy a regulated team?&lt;/h2&gt;

&lt;p&gt;For a regulated team, the strongest argument for IaC is not speed - it is governance. Because infrastructure is now code in a pull request, you can attach &lt;strong&gt;policy as code&lt;/strong&gt;: machine-enforced rules that run in the pipeline before anything reaches production. Open Policy Agent (OPA) and HashiCorp Sentinel are the common engines. A policy can refuse any storage bucket without encryption at rest, block a security group that opens port 22 to the internet, deny resources deployed outside EU regions, or require a cost-centre tag on everything. The rule is evaluated automatically on every change, and the result is recorded.&lt;/p&gt;

&lt;p&gt;That last point is what auditors care about. Instead of &quot;we have a policy that says encryption is required,&quot; you can demonstrate &quot;this control is enforced in code, every proposed change is evaluated against it, and here is the immutable history of every pass and fail.&quot; It turns a written policy into an executed control with an audit trail - the difference between a compliance aspiration and a compliance fact. Given that 45% of respondents in Firefly&apos;s survey named security and compliance risk as a major IaC challenge, policy as code is the part of the discipline that converts that risk from a liability into a strength.&lt;/p&gt;

&lt;h2&gt;Terraform vs OpenTofu: which should you standardise on?&lt;/h2&gt;

&lt;p&gt;This is the question that changed since most teams last revisited their IaC strategy, and it deserves a clear-eyed answer. In 2023 HashiCorp relicensed Terraform from an open-source licence to the Business Source License. The community responded by forking the last open-source version into &lt;strong&gt;OpenTofu&lt;/strong&gt;, now governed under the Linux Foundation. OpenTofu reached a stable release in January 2024 and has matured fast: by early 2025 it had reported more than 300% year-over-year growth in registry usage and tripled its contributor base to over 160, while shipping features Terraform users had requested for years - most notably &lt;strong&gt;native end-to-end state encryption&lt;/strong&gt; (&lt;a href=&quot;https://www.infoworld.com/article/3852167/opentofu-becomes-the-real-deal.html&quot;&gt;InfoWorld, 2025&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;The corporate picture also shifted: &lt;strong&gt;IBM completed its $6.4 billion acquisition of HashiCorp on 27 February 2025&lt;/strong&gt;, folding Terraform into a larger hybrid-cloud portfolio (&lt;a href=&quot;https://newsroom.ibm.com/2025-02-27-ibm-completes-acquisition-of-hashicorp,-creates-comprehensive,-end-to-end-hybrid-cloud-platform&quot;&gt;IBM, 2025&lt;/a&gt;). Terraform remains the incumbent by a wide margin - it was used by &lt;strong&gt;17.8% of all developers&lt;/strong&gt; in the 2025 Stack Overflow Developer Survey, well ahead of any other dedicated IaC tool (&lt;a href=&quot;https://survey.stackoverflow.co/2025/technology&quot;&gt;Stack Overflow, 2025&lt;/a&gt;) - so this is not a story of one tool replacing the other.&lt;/p&gt;

&lt;p&gt;The pragmatic decision rule: the two are still largely interchangeable at the HCL level, so the choice turns on your constraints, not on syntax. If you already run HCP Terraform or depend on Sentinel and enterprise support, staying put is reasonable and low-risk. If you are starting greenfield, want to avoid the BSL and any future licensing surprise, or specifically value features like native state encryption for a DevSecOps posture, OpenTofu is now a credible default rather than a gamble. The one thing not to do is treat the fork as irrelevant: pick deliberately, document why, and avoid drifting into a mixed estate where half your modules assume one tool and half assume the other.&lt;/p&gt;

&lt;h2&gt;Is Infrastructure as Code worth it, and what does &quot;good&quot; look like?&lt;/h2&gt;

&lt;p&gt;The data answers the worth-it question by omission: when 72% of organisations use IaC and 80% run multi-cloud environments, IaC has stopped being a competitive edge and become table stakes (&lt;a href=&quot;https://www.firefly.ai/blog/the-maturing-state-of-infrastructure-as-code-in-2025&quot;&gt;Firefly, 2025&lt;/a&gt;). The teams pulling ahead are not the ones that &quot;have Terraform&quot; - they are the ones that closed the coverage gap. Mature IaC, concretely, looks like this: nearly all infrastructure is codified and version-controlled; every change goes through a pull request and a pipeline, never the console; drift detection runs continuously and a divergence is treated as a bug; policy as code enforces security, residency, and cost rules automatically with a recorded audit trail; and the choice of Terraform or OpenTofu is a deliberate, documented standard rather than an accident of whoever set up the first module.&lt;/p&gt;

&lt;p&gt;None of that is exotic. It is the difference between infrastructure you can reason about, prove to an auditor, and rebuild after a disaster, and infrastructure that merely happens to be running today. For high-scale teams under regulation, that difference is the entire return on investment.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.firefly.ai/blog/the-maturing-state-of-infrastructure-as-code-in-2025&quot;&gt;The Maturing State of Infrastructure as Code in 2025&lt;/a&gt; - Firefly, June 17, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoworld.com/article/3852167/opentofu-becomes-the-real-deal.html&quot;&gt;OpenTofu becomes the real deal&lt;/a&gt; - InfoWorld, March 24, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://newsroom.ibm.com/2025-02-27-ibm-completes-acquisition-of-hashicorp,-creates-comprehensive,-end-to-end-hybrid-cloud-platform&quot;&gt;IBM Completes Acquisition of HashiCorp, Creates Comprehensive, End-to-End Hybrid Cloud Platform&lt;/a&gt; - IBM Newsroom, February 27, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://survey.stackoverflow.co/2025/technology&quot;&gt;2025 Stack Overflow Developer Survey: Technology&lt;/a&gt; - Stack Overflow, 2025&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/infrastructure-as-code-drift-policy-terraform-vs-opentofu/&quot;&gt;Infrastructure as Code in 2026: Drift, Policy, and the Terraform vs OpenTofu Decision&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Observability vs Monitoring: What Senior Engineers Need to Know in 2026</title><link>https://es.nl/2026/observability-vs-monitoring-what-senior-engineers-need-to-know/</link><guid isPermaLink="true">https://es.nl/2026/observability-vs-monitoring-what-senior-engineers-need-to-know/</guid><description>Observability vs monitoring for senior engineers: the real difference, the three pillars, why OpenTelemetry just won, and how to keep the bill honest.</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most teams say they &quot;monitor production&quot; and assume that means they will know what is wrong when something breaks. At low scale that assumption usually holds. Across dozens of services, ephemeral infrastructure and third-party dependencies it quietly stops being true - and the gap between monitoring and observability is exactly where incident timelines blow out. For directors running regulated, high-throughput platforms in the Benelux this is not a vocabulary debate. It decides whether your on-call engineer can answer a question nobody anticipated at 02:00, or is stuck staring at a dashboard that only knows the failures someone predicted in advance. Here is the distinction that actually matters, what changed in 2026, and where the money goes.&lt;/p&gt;

&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-noc-monitoring.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-noc-monitoring-600w.webp 600w, /content/uploads/2026/06/ext-noc-monitoring-1120w.webp 1120w, /content/uploads/2026/06/ext-noc-monitoring.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;A telecom network operations centre: rows of engineers at workstations with multiple monitors, facing a large wall of screens showing live network dashboards, topology maps and status indicators.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:Batelco_Network_Operations_Centre_(NOC).JPG&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Masdestructive&lt;/a&gt;, CC BY-SA 3.0, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;Observability vs monitoring: what is the actual difference?&lt;/h2&gt;

&lt;p&gt;Monitoring is the practice of collecting predefined signals and alerting when they cross thresholds you set in advance. It tells you &lt;strong&gt;that&lt;/strong&gt; something is wrong against a list of failure modes someone already imagined: CPU above 90%, error rate over 1%, queue depth climbing. Observability is the ability to ask &lt;strong&gt;arbitrary, new questions&lt;/strong&gt; of your system&apos;s outputs without shipping new code to answer them. OpenTelemetry&apos;s own primer puts it cleanly: &quot;Observability lets you understand a system from the outside by letting you ask questions about that system without knowing its inner workings&quot; (&lt;a href=&quot;https://opentelemetry.io/docs/concepts/observability-primer/&quot;&gt;OpenTelemetry docs&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;The practical line is the type of failure each one handles. Monitoring answers &lt;strong&gt;known-unknowns&lt;/strong&gt; - the problems you predicted and instrumented for. Observability targets &lt;strong&gt;unknown-unknowns&lt;/strong&gt; - the failure you have never seen, in a code path no dashboard was built around. Monitoring tells you the checkout error rate spiked. Observability lets you slice that spike by customer tier, region, build version and a feature flag you never pre-aggregated, then jump straight to the failing request. Monitoring is an output; observability is a property of the system. You do not buy it, you instrument for it.&lt;/p&gt;

&lt;h2&gt;What are the three pillars of observability - and is three still the right number?&lt;/h2&gt;

&lt;p&gt;The canonical model is three signals. Using OpenTelemetry&apos;s definitions: a &lt;strong&gt;log&lt;/strong&gt; is a timestamped message emitted by a service; a &lt;strong&gt;metric&lt;/strong&gt; is an aggregation over time of numeric data about your infrastructure or application; and a &lt;strong&gt;trace&lt;/strong&gt; records the path of a single request as it propagates through multiple services, assembled from individual units of work called &lt;strong&gt;spans&lt;/strong&gt; (&lt;a href=&quot;https://opentelemetry.io/docs/concepts/observability-primer/&quot;&gt;OpenTelemetry docs&lt;/a&gt;). Metrics tell you something changed, logs tell you what happened at a point, traces tell you where in a distributed call the time or the error actually went.&lt;/p&gt;

&lt;p&gt;In theory every serious team runs all three. In practice most run two. Grafana Labs&apos; 2025 Observability Survey of 1,255 respondents found metrics in use at 95% of organisations and logs at 87%, but distributed tracing at only 57% and continuous profiling at 16% (&lt;a href=&quot;https://grafana.com/observability-survey/2025/&quot;&gt;Grafana Labs, 2025&lt;/a&gt;). That is a problem, because tracing is the pillar that answers &quot;which downstream call slowed the request down&quot; - the question microservice incidents hinge on. The &quot;three pillars&quot; framing is itself now contested: profiling is emerging as a fourth signal, and critics argue the model nudges teams toward three siloed tools instead of correlated data. The point was never the count. It is correlation - a metric that lets you pivot to the exact trace and logs for the same request beats three disconnected stores you have to join by hand.&lt;/p&gt;

&lt;h2&gt;Is observability just monitoring rebranded?&lt;/h2&gt;

&lt;p&gt;It is a fair skeptic&apos;s question, because vendors have happily blurred the two. The honest answer is no. The word comes from control theory: a system is observable if you can infer its internal state purely from its external outputs. That is a much higher bar than &quot;we have dashboards.&quot; A useful field test for any platform: can a new engineer answer a question nobody anticipated, using telemetry that already exists, without deploying new instrumentation? If yes, you have observability. If every novel question requires a new metric and a new release, you have monitoring with good marketing.&lt;/p&gt;

&lt;p&gt;The reason this matters more in 2026 than it did five years ago is structural. Architectures have fragmented into many small services on ephemeral infrastructure, and AI-assisted development is increasing change volume - which means more of your failures are genuinely novel. Pre-defined dashboards cover a shrinking fraction of the failure space, so the ability to interrogate raw telemetry after the fact stops being a luxury and becomes the difference between a 20-minute incident and a three-hour one.&lt;/p&gt;

&lt;h2&gt;Why OpenTelemetry just became the default&lt;/h2&gt;

&lt;p&gt;The biggest shift this year is governance, not technology. OpenTelemetry graduated from the Cloud Native Computing Foundation on 11 May 2026, with the foundation describing it as the &quot;de facto&quot; standard for open-source observability and the second-highest-velocity CNCF project after Kubernetes, with more than 12,000 contributors from over 2,800 companies (&lt;a href=&quot;https://www.cncf.io/announcements/2026/05/21/cloud-native-computing-foundation-announces-opentelemetrys-graduation-solidifying-status-as-the-de-facto-observability-standard/&quot;&gt;CNCF, 2026&lt;/a&gt;). Graduation is CNCF&apos;s signal of production maturity, and for a cross-cutting instrumentation standard that signal carries weight with risk and procurement teams.&lt;/p&gt;

&lt;p&gt;The reason directors should care is lock-in. OpenTelemetry decouples instrumentation from the backend: you instrument your code once against a vendor-neutral API, then choose - or switch - your observability backend without re-instrumenting. That removes the single biggest source of pain in observability spend, where changing vendors used to mean re-wiring every service. Adoption already reflects this. Enterprise Management Associates found 48% of organisations using OpenTelemetry, 25% planning to, and 25% still evaluating, with more than 61% calling it a very important or critical enabler of observability (&lt;a href=&quot;https://www.elastic.co/resources/observability/report/ema-opentelemetry&quot;&gt;EMA / Elastic&lt;/a&gt;). The friction is honest, too: that same research flags implementation complexity, cost and a shortage of skilled people as the leading barriers, so treat an OTel rollout as a real engineering programme, not a config change.&lt;/p&gt;

&lt;h2&gt;Why observability gets expensive - and how to keep the bill honest&lt;/h2&gt;

&lt;p&gt;Observability has a cost problem that catches teams off guard. In Grafana&apos;s 2025 survey, 74% named cost their top priority when selecting tooling, &quot;cost too high&quot; (37%) and &quot;unpredictable costs&quot; (29%) ranked among the biggest concerns, and observability now averages 17% of total infrastructure spend, with a median of 10% (&lt;a href=&quot;https://grafana.com/observability-survey/2025/&quot;&gt;Grafana Labs, 2025&lt;/a&gt;). Telemetry volume grows super-linearly with traffic, and most of the bill is logs - the noisiest, most redundant signal - where you pay to ingest, store and index data you will mostly never query.&lt;/p&gt;

&lt;p&gt;The fix is to treat telemetry as a budgeted product rather than exhaust. Sample traces intelligently, set retention per signal by its actual value instead of one blanket default, and push aggregation and filtering to the edge - the OpenTelemetry Collector exists precisely so you can drop or aggregate before you pay to store. Tie the data you keep to questions you actually ask in incidents and audits. The teams that stay solvent measure cost per service and per signal, not one opaque platform line item.&lt;/p&gt;

&lt;h2&gt;What this means for a regulated Benelux team&lt;/h2&gt;

&lt;p&gt;The through-line is the question each capability lets you answer. Monitoring satisfies &quot;are we up?&quot; Observability satisfies &quot;why did this specific transaction fail, for this customer, on this build&quot; - which is exactly what incident reviews, SLAs and auditors demand. The practical agenda for 2026 is short: standardise on OpenTelemetry to kill backend lock-in, push past the comfortable metrics-and-logs baseline into distributed tracing, and govern cost from the first day rather than after the first surprise invoice. Observability without a cost model is just a bigger bill. Monitoring without observability is a faster way to stay blind to the failures you never predicted.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.cncf.io/announcements/2026/05/21/cloud-native-computing-foundation-announces-opentelemetrys-graduation-solidifying-status-as-the-de-facto-observability-standard/&quot;&gt;Cloud Native Computing Foundation Announces OpenTelemetry&apos;s Graduation&lt;/a&gt; - CNCF, 2026&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://grafana.com/observability-survey/2025/&quot;&gt;Observability Survey Report 2025&lt;/a&gt; - Grafana Labs, 2025 (1,255 respondents)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.elastic.co/resources/observability/report/ema-opentelemetry&quot;&gt;Taking observability to the next level: OpenTelemetry&apos;s emerging role in IT performance and reliability&lt;/a&gt; - Enterprise Management Associates / Elastic&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://opentelemetry.io/docs/concepts/observability-primer/&quot;&gt;Observability Primer&lt;/a&gt; - OpenTelemetry documentation&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/observability-vs-monitoring-what-senior-engineers-need-to-know/&quot;&gt;Observability vs Monitoring: What Senior Engineers Need to Know in 2026&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The SDLC Reckoning in Semiconductor Engineering: Why Delivery Discipline Now Decides Who Ships</title><link>https://es.nl/2026/sdlc-devops-platform-engineering-semiconductor/</link><guid isPermaLink="true">https://es.nl/2026/sdlc-devops-platform-engineering-semiconductor/</guid><description>Why AI, toil, IP attacks, the EU CRA, and hardware/software co-development make platform engineering discipline the deciding factor for semiconductor teams.</description><pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;For a semiconductor engineering organisation, the software delivery problem is no longer adjacent to the hardware problem. It is the hardware problem. A modern multi-die part coordinates firmware, EDA scripting, driver stacks, embedded software, verification environments, and HPC infrastructure across dozens of teams, and the discipline of how that software is built, validated, and released now sets the ceiling on how fast and how safely silicon reaches the fab. The core tension facing engineering directors at ASML scale is this: the levers that promise speed (AI assistance, more tooling, more parallelism) actively degrade delivery reliability unless the underlying platform and SDLC foundations are mature. Speed without discipline is not throughput. It is accumulated risk that surfaces during the most expensive part of the cycle.&lt;/p&gt;

&lt;h2&gt;AI is an amplifier, not a fix, for delivery stability&lt;/h2&gt;
&lt;p&gt;AI coding assistance is now effectively universal. The &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;2025 DORA report&lt;/a&gt;, drawn from roughly 5,000 professionals, found that 90% of respondents use AI at work and over 80% report productivity gains. That is the headline most executives latch onto. The finding that matters more for a director accountable for delivery is the second half: AI adoption shows a &lt;strong&gt;positive relationship with throughput and a negative relationship with software delivery stability&lt;/strong&gt;. DORA&apos;s own framing is that AI is an amplifier. It magnifies whatever foundation already exists, so teams with weak version control, thin automated testing, slow feedback, and large batch sizes see AI push change-failure rate and instability the wrong way.&lt;/p&gt;
&lt;p&gt;The mechanism is visible in the numbers. As AI raises change volume, &lt;a href=&quot;https://www.faros.ai/blog/key-takeaways-from-the-dora-report-2025&quot;&gt;Faros AI&apos;s analysis of the DORA findings&lt;/a&gt; reports incidents per pull request up roughly 243% and PR review time up roughly 91% when change volume rises without controls. DORA&apos;s &lt;a href=&quot;https://dora.dev/insights/dora-2025-year-in-review/&quot;&gt;2025 year-in-review&lt;/a&gt; reinforces the point: high AI usage coexists with low trust in AI-generated code, and the lifecycle only benefits when the foundation is solid. For an org coordinating firmware and embedded software across many teams, that translates directly. More generated code with no corresponding improvement in test coverage, small batch sizes, and quality internal platforms means more regressions discovered later, when they cost the most. The remedy is not fewer AI seats. It is the platform and DevOps maturity that lets AI&apos;s throughput compound instead of destabilise.&lt;/p&gt;

&lt;h2&gt;Engineers lose a day a week to toil, and AI is not giving it back&lt;/h2&gt;
&lt;p&gt;The second structural drain is friction. The &lt;a href=&quot;https://www.atlassian.com/blog/developer/developer-experience-report-2025&quot;&gt;Atlassian Developer Experience Report 2025&lt;/a&gt;, covering 3,500 developers and managers across six countries, found that 50% of developers lose 10 or more hours per week and 90% lose 6 or more hours per week to organisational inefficiencies: waiting on builds, environment setup, finding documentation and APIs, and context-switching between tools. The trap is that 68% save 10 or more hours per week with AI but lose roughly the same amount straight back to process friction. Atlassian calls this a false economy, and the label is precise.&lt;/p&gt;
&lt;p&gt;In semiconductor engineering the toll is heavier than in a pure-software shop, because the friction is not just process overhead. It is long-running regression suites, formal-verification jobs, emulation and FPGA queues, and trillions of simulation cycles competing for HPC capacity. When the underlying time accounting already skews this far from coding, the gap compounds. Separately, &lt;a href=&quot;https://www.infoworld.com/article/3831759/developers-spend-most-of-their-time-not-coding-idc-report.html&quot;&gt;IDC research reported by InfoWorld&lt;/a&gt; found application development was only about 16% of developers&apos; time, with the rest going to operational and support tasks. The implication for an engineering director is a lead-time and cost argument, not a comfort one. Reclaiming a day per engineer per week is among the highest-ROI reliability investments available, and the lever is internal developer platforms and self-service tooling that make builds, environments, and verification jobs fast and frictionless, not additional AI licences layered onto a slow pipeline.&lt;/p&gt;

&lt;h2&gt;Chip IP is a nation-state target, and the toolchain is the attack surface&lt;/h2&gt;
&lt;p&gt;Chip designs, EDA files, and process data are among the most valuable intellectual property in existence, and they are under sustained, escalating attack. The &lt;a href=&quot;https://www.csoonline.com/article/4038979/silicon-under-siege-nation-state-hackers-target-semiconductor-supply-chains.html&quot;&gt;CloudSEK &quot;Silicon Under Siege&quot; findings reported by CSO Online&lt;/a&gt; put cyberattacks on the semiconductor industry up more than 600% since 2022, with confirmed ransomware losses exceeding $1.05B since 2018. The detail that should reframe SDLC security as a delivery concern is the vector. In July 2025, China-backed APT41 infiltrated at least six semiconductor organisations and exfiltrated hundreds of gigabytes of IP, and a 2023 TSMC-related production halt was estimated at a $256M loss.&lt;/p&gt;
&lt;p&gt;Critically, the attack surface now explicitly includes the software supply chain: compromised software updates and EDA-vendor breaches, not just the network perimeter. That means the engineering toolchain itself, the CI/CD pipeline that builds firmware and assembles design artifacts, is a primary target. Provenance of build artifacts, hardened pipelines, secrets management, signed and verified dependencies, and tightly controlled access to design repositories are no longer hardening niceties. They are table stakes. Security has to be built into the pipeline rather than bolted on after, which is squarely a DevSecOps and platform-engineering mandate that an engineering director, not just a CISO, owns.&lt;/p&gt;

&lt;h2&gt;The EU Cyber Resilience Act turns compliance into a pipeline problem&lt;/h2&gt;
&lt;p&gt;Regulation is closing the gap between intent and obligation. The EU Cyber Resilience Act covers products with digital elements sold into the EU, which captures much of the semiconductor and embedded-systems value chain, and its requirements are legally binding. Per &lt;a href=&quot;https://www.mend.io/blog/eu-cyber-resilience-act-compliance-guide/&quot;&gt;Mend.io&apos;s CRA compliance guidance&lt;/a&gt;, the Act mandates machine-readable SBOMs in CycloneDX or SPDX format, secure-by-design engineering, coordinated vulnerability disclosure, and security updates across the product lifetime. The timeline is concrete and near: reporting obligations begin 11 September 2026 with a 24-hour early warning and 72-hour full notification, full CE-mark conformity is required by 11 December 2027, and non-compliance can trigger fines up to EUR 15M or 2.5% of global annual turnover.&lt;/p&gt;
&lt;p&gt;At ASML scale, meeting this by hand is infeasible. The only workable model is SBOM generation, vulnerability scanning, and evidence collection embedded directly in the build and release pipeline, so that compliance artifacts are produced as a byproduct of every build rather than assembled retroactively under audit pressure. That converts a regulatory obligation into a platform-engineering and CI/CD automation problem, and the penalties make it delivery-blocking rather than optional.&lt;/p&gt;

&lt;h2&gt;Co-development complexity is moving the differentiation to software&lt;/h2&gt;
&lt;p&gt;The complexity itself is escalating. Modern chiplet and multi-die systems mix and match compute, memory, and I/O components across process nodes, and the product can no longer be validated only after silicon returns from the fab. &lt;a href=&quot;https://www.edge-ai-vision.com/2026/04/key-trends-shaping-the-semiconductor-industry-in-2026/&quot;&gt;HTEC&apos;s trends analysis&lt;/a&gt; describes 2026 as the year chiplet architecture goes from niche to mainstream, enabling customisation that was impractical with monolithic die designs. Pre-silicon validation, scaled on cloud and HPC, is fundamentally a software and infrastructure problem.&lt;/p&gt;
&lt;p&gt;The same analysis makes the strategic point sharper: software, not silicon, increasingly decides mainstream winners, the NVIDIA and CUDA pattern, while only 44% of semiconductor organisations have fully embedded AI across functions and 56% remain in pilots. Competitive advantage is shifting to the software ecosystem around the silicon, which means engineering orgs must run fast, reliable software delivery in lockstep with hardware. Platform engineering and CI/CD for hardware-adjacent software is a strategic differentiator, not a back-office function.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;
&lt;p&gt;Across these five pressures the corrective work is consistent, which is the encouraging part. A disciplined semiconductor engineering org tends to share a recognisable profile:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;The foundation comes before the accelerant.&lt;/strong&gt; Strong version control, automated testing, small batch sizes, and fast feedback are in place first, so AI amplifies stability instead of eroding it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The internal platform absorbs the toil.&lt;/strong&gt; Self-service builds, environments, and verification jobs reclaim the lost day per engineer per week instead of handing it back to friction.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security and compliance are pipeline byproducts.&lt;/strong&gt; Artifact provenance, signed dependencies, SBOM generation, and vulnerability evidence are emitted on every build, not reconstructed under audit or incident pressure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hardware-assisted verification is treated as first-class software infrastructure&lt;/strong&gt;, scaled and orchestrated with the same rigour as the production release pipeline.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of this is exotic. It is the unglamorous discipline of mature SDLC and platform engineering, applied to an environment where the cost of a late-discovered defect is measured in fab cycles and quarters rather than a redeploy. The throughput is available, the AI leverage is real, and the regulatory clock is running. What determines whether those forces compound or collide is the quality of the foundation underneath them, and that foundation is exactly the work an engineering director is accountable for getting right.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-Assisted Software Development - Google Cloud Blog (DORA)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/insights/dora-2025-year-in-review/&quot;&gt;DORA 2025: Year in Review - DORA (Google Cloud)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.faros.ai/blog/key-takeaways-from-the-dora-report-2025&quot;&gt;Key Takeaways from the DORA Report 2025 - Faros AI&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.atlassian.com/blog/developer/developer-experience-report-2025&quot;&gt;Atlassian Developer Experience Report 2025 - Atlassian&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoworld.com/article/3831759/developers-spend-most-of-their-time-not-coding-idc-report.html&quot;&gt;Developers spend most of their time not coding - IDC report (InfoWorld)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.csoonline.com/article/4038979/silicon-under-siege-nation-state-hackers-target-semiconductor-supply-chains.html&quot;&gt;Silicon Under Siege: Nation-state hackers target semiconductor supply chains - CSO Online (citing CloudSEK)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mend.io/blog/eu-cyber-resilience-act-compliance-guide/&quot;&gt;EU Cyber Resilience Act: 2026 Compliance Guide - Mend.io&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.edge-ai-vision.com/2026/04/key-trends-shaping-the-semiconductor-industry-in-2026/&quot;&gt;Key Trends Shaping the Semiconductor Industry in 2026 - Edge AI and Vision Alliance (reprinted from HTEC)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/sdlc-devops-platform-engineering-semiconductor/&quot;&gt;The SDLC Reckoning in Semiconductor Engineering: Why Delivery Discipline Now Decides Who Ships&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Shipping Faster Without Grounding the Fleet: SDLC Discipline for High-Availability Travel Platforms</title><link>https://es.nl/2026/sdlc-discipline-high-availability-travel-platforms/</link><guid isPermaLink="true">https://es.nl/2026/sdlc-discipline-high-availability-travel-platforms/</guid><description>Why faster delivery is exposing fragility in travel and aviation platforms, and the SDLC, platform, and supply-chain discipline that keeps booking systems online at peak.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run engineering for a booking, reservations, or operations platform in travel, transport, or logistics, you are managing a contradiction that got sharper in 2025. Your throughput is up. Your delivery stability is not necessarily following. The same tooling that lets a team ship more changes per week also surfaces every weakness in how those changes are tested, gated, and observed, and in tightly coupled travel stacks a single bad change does not degrade gracefully. It grounds the operation.&lt;/p&gt;

&lt;p&gt;This is not a tooling problem to be bought away. It is a discipline problem in the software delivery lifecycle, and the data from the last twelve months is unusually clear about where the failures cluster. This piece walks through four concrete pressures, what the evidence says, and what disciplined teams actually do differently.&lt;/p&gt;

&lt;h2&gt;Faster delivery is exposing weak foundations, not fixing them&lt;/h2&gt;

&lt;p&gt;The 2025 DORA research, drawn from roughly 5,000 technology professionals, reports that 90% now use AI at work and over 80% see productivity gains. The uncomfortable finding sits next to it: AI has a &lt;strong&gt;positive&lt;/strong&gt; relationship with throughput and product performance but a &lt;strong&gt;negative&lt;/strong&gt; relationship with software delivery stability. DORA&apos;s framing is the part worth pinning to the wall: &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;AI is an amplifier, not a fixer&lt;/a&gt;. Strong systems get stronger; weak systems become more visibly unstable.&lt;/p&gt;

&lt;p&gt;The follow-up ROI analysis put a number on the downside. Across a 500-person model, change failure rate rose from 5% to 6% after AI adoption, and that single point translated to roughly &lt;a href=&quot;https://www.infoq.com/news/2026/05/dora-roi-ai-assisted-dev-report/&quot;&gt;$344,000 of downtime impact&lt;/a&gt;. The same analysis found productivity gains skew heavily toward simple greenfield work (35 to 40%) versus complex legacy code (around 10% or less), which is precisely the inverse of where most travel platforms spend their time. The implication for a director is direct: if your pipelines, automated test coverage, and feedback loops are not already mature, accelerating delivery will raise change-failure rate and rework before it raises anything you want. The foundations come first.&lt;/p&gt;

&lt;h2&gt;Tightly coupled stacks turn one dependency failure into a ground stop&lt;/h2&gt;

&lt;p&gt;Travel and aviation platforms run interconnected systems, reservations, crew and aircraft scheduling, departure control, payments, and supplier APIs, where a failure deep in one dependency can halt operations even when aircraft and crews are ready. 2025 made the cost of that coupling impossible to ignore. American Airlines&apos; June 27 outage &lt;a href=&quot;https://www.cnn.com/2025/08/29/travel/airline-aviation-technology-failures&quot;&gt;hit 40% of its flights&lt;/a&gt;. United&apos;s August 6 Unimatic failure, which handles weight-and-balance calculations, caused 1,086 delays and 201 cancellations across its hubs.&lt;/p&gt;

&lt;p&gt;The pattern repeated badly at Alaska Airlines, whose October 24 outage triggered a nationwide ground stop, 400-plus cancellations, and roughly &lt;a href=&quot;https://www.travelandtourworld.com/news/article/alaska-airlines-devastated-by-major-it-outage-over-four-hundred-flights-canceled-49000-passengers-stranded-in-nationwide-ground-stop/&quot;&gt;49,000 stranded passengers&lt;/a&gt; - its second fleet-grounding outage in four months. Legacy systems and tight coupling are cited repeatedly as root causes, not bad luck. The engineering response is architectural and unglamorous: decouple the monolith so search, booking, payment, ticketing, and CRM run independently and a slow supplier degrades one surface instead of all of them; design explicitly for 5x to 10x traffic spikes rather than average load; and treat real-time health checks as a first-class control, not an afterthought. Reference architecture work in this space attributes meaningful gains to exactly these moves - decoupled services supporting more concurrent users at peak, and real-time health checks materially reducing peak-hour downtime.&lt;/p&gt;

&lt;h2&gt;Toil and a platform-adoption gap drain the capacity resilience needs&lt;/h2&gt;

&lt;p&gt;The capacity to build that decoupling and observability is the same capacity most travel orgs are quietly burning on undifferentiated work. Platform-engineering analyses in 2026 put developers at 30 to 40% of their time on infrastructure tasks unrelated to business logic, and roughly 40% on tool configuration and troubleshooting. Platform engineering is the prescribed remedy, and adoption is near-universal: DORA reports &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;90% of organizations have adopted at least one platform&lt;/a&gt;, with a high-quality internal developer platform correlating directly with unlocking AI value.&lt;/p&gt;

&lt;p&gt;Adoption is not the same as value. Predictions for 2026 hold that around 80% of organizations will have platform teams while fewer than 30% see measurable developer-productivity gains, with many spending $500K to $2M per year on internal platforms their developers route around. The lesson for a director is that procurement is not the win. A platform earns its budget only when it is run as a product, with real users, user-centric scope, and governance, rather than as a mandated layer. DORA&apos;s decision to add a &lt;strong&gt;Rework Rate&lt;/strong&gt; metric is a tell: AI-driven rework is now a measurable, named drain on capacity, and it competes head-on with the resilience work you actually want done.&lt;/p&gt;

&lt;h2&gt;Compliance and supply-chain security are now delivery constraints, not side quests&lt;/h2&gt;

&lt;p&gt;Two pressures have moved from governance slideware into the critical path of delivery. The first is regulatory. The EU&apos;s Digital Operational Resilience Act &lt;a href=&quot;https://ogletree.com/insights-resources/blog-posts/the-eus-digital-operational-resilience-act-comes-into-effect/&quot;&gt;entered into application on 17 January 2025&lt;/a&gt;, with European Supervisory Authorities empowered to impose fines from that date. It mandates an ICT third-party risk-management strategy, a registry of all ICT contractual arrangements, mandatory contract provisions, and a digital-operational-resilience testing program that includes advanced, threat-led testing. It is scoped to financial entities, but travel platforms handling payments and their ICT vendors are increasingly pulled into the oversight of critical third-party providers and concentration risk. For a Benelux or wider European travel team, that means resilience testing and third-party governance are becoming auditable obligations, not internal best practice.&lt;/p&gt;

&lt;p&gt;The second pressure is the software supply chain underneath all of it. Sonatype&apos;s 2026 report logged &lt;a href=&quot;https://www.sonatype.com/state-of-the-software-supply-chain/introduction&quot;&gt;454,648 new malicious open-source packages&lt;/a&gt; in the past year, with the threat shifting from spam and stunts to sustained, often state-sponsored campaigns. Insecure CI/CD pipelines and lack of dependency visibility rank as top risks. The August 2025 S1ngularity attack made it concrete: a vulnerable GitHub Actions workflow in the Nx repository was exploited to steal an npm publishing token. Against 9.8 trillion annual component downloads, a large share of vulnerable Maven Central and NuGet releases carried CVSS 9.0+ scores. For a high-availability platform, dependency governance, signed artifacts, and pipeline hardening are no longer hygiene items you defer. They are preconditions for resilient delivery.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;

&lt;p&gt;The teams that hold up under peak load and audit pressure share a recognizable set of practices:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Foundations before acceleration.&lt;/strong&gt; Mature pipelines, automated testing, and fast feedback loops are in place before AI-assisted delivery is scaled, so throughput gains do not arrive as change-failure spikes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Decoupling by design.&lt;/strong&gt; Booking, payment, ticketing, and supplier integration fail independently, with explicit headroom for 5x to 10x spikes and real-time health checks wired into routing decisions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Platform as product.&lt;/strong&gt; The internal platform has named users, measured adoption, and a roadmap, not just a budget line and a mandate.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Supply chain and resilience as gates.&lt;/strong&gt; Dependency provenance, pipeline secrets hygiene, and threat-led resilience testing are enforced in the SDLC, aligned to DORA-style obligations rather than bolted on after an incident.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Closing the loop&lt;/h2&gt;

&lt;p&gt;None of the four pressures is solved by a product purchase. Each is a property of how a team designs, tests, ships, and governs change over time, which is to say each is an SDLC and platform-engineering discipline. The throughput is available to almost everyone now. What separates a platform that absorbs a peak from one that becomes the next ground-stop headline is whether the foundations underneath that throughput were built deliberately. That is the work, and it is the work worth investing in before the next peak season tests it for you.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Announcing the 2025 DORA Report — Google Cloud Blog&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2026/05/dora-roi-ai-assisted-dev-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;New DORA Report Claims Strong Engineering Foundations Drive AI Return on Investment — InfoQ&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.cnn.com/2025/08/29/travel/airline-aviation-technology-failures&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;IT outages are plaguing air travel. Here&apos;s what to know — CNN&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.travelandtourworld.com/news/article/alaska-airlines-devastated-by-major-it-outage-over-four-hundred-flights-canceled-49000-passengers-stranded-in-nationwide-ground-stop/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Alaska Airlines Devastated by Major IT Outage: Over Four Hundred Flights Canceled, 49,000 Passengers Stranded — Travel And Tour World&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://ogletree.com/insights-resources/blog-posts/the-eus-digital-operational-resilience-act-comes-into-effect/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;The EU&apos;s Digital Operational Resilience Act Comes Into Effect — Ogletree Deakins&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.sonatype.com/state-of-the-software-supply-chain/introduction&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;2026 State of the Software Supply Chain Report — Sonatype&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/sdlc-discipline-high-availability-travel-platforms/&quot;&gt;Shipping Faster Without Grounding the Fleet: SDLC Discipline for High-Availability Travel Platforms&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>DevOps Under DORA: Engineering Discipline for Regulated Financial Delivery</title><link>https://es.nl/2026/devops-under-dora-regulated-financial-delivery/</link><guid isPermaLink="true">https://es.nl/2026/devops-under-dora-regulated-financial-delivery/</guid><description>How high-scale financial engineering teams reconcile DORA, PCI-DSS and SOX change control with delivery velocity, AI instability, legacy toil and supply-chain risk.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Every engineering leader in financial services is now managing the same contradiction. The business wants the deployment cadence of a fintech challenger. The regulator wants documented, reproducible, defensible control over every change that touches a payment, a ledger, or customer data. For most of the last decade those two pressures were treated as a trade-off you negotiated quarter by quarter. Since DORA became mandatory across the EU, that negotiation is over: you are expected to demonstrate &lt;strong&gt;both&lt;/strong&gt; velocity and continuous operational resilience, and to prove it on demand with evidence. The teams handling this well are not the ones who picked a side. They are the ones who moved their controls into the pipeline.&lt;/p&gt;

&lt;p&gt;This piece is about the four pressures that actually constrain the SDLC in a regulated, high-scale finance environment right now, what the data says about each, and what disciplined teams do differently. None of it is theoretical. All of it shows up in the change-failure rate, the audit findings, and the attrition numbers.&lt;/p&gt;

&lt;h2&gt;AI is buying you throughput and selling you instability&lt;/h2&gt;

&lt;p&gt;The headline from the 2025 DORA / Accelerate State of DevOps report is genuinely good news, and it is a trap if you stop reading there. AI&apos;s relationship with software delivery throughput &lt;a href=&quot;https://redmonk.com/rstephens/2025/12/18/dora2025/&quot;&gt;reversed from negative in 2024 to positive in 2025&lt;/a&gt;, with 90% of respondents now using AI in their job at a median of two hours a day. Teams ship more. But instability is the one major delivery metric AI still makes worse: AI adoption correlates with more change failures, higher rework, and longer time to recover from failed deployments. DORA&apos;s framing is the part to internalize - AI is an amplifier of an organization&apos;s existing strengths and weaknesses, not a fix for them.&lt;/p&gt;

&lt;p&gt;For a generic SaaS team, a higher change-failure rate is a cost. For a bank operating under SOX segregation-of-duties requirements and DORA resilience obligations, shipping faster while change failures and rework climb is &lt;strong&gt;exactly the failure mode auditors and regulators penalize&lt;/strong&gt;. The 2026 State of Code survey explains the mechanism: the work has shifted from code creation to verification and debugging, and &lt;a href=&quot;https://www.sonarsource.com/state-of-code-developer-survey-report.pdf&quot;&gt;96% of developers do not fully trust the functional accuracy of AI-generated code&lt;/a&gt;, with only 4% completely agreeing that it is functionally correct. In a sector where verification is mandatory rather than optional, an unmitigated AI rollout doesn&apos;t relieve toil - it relocates it to the most expensive, most regulated stage of your pipeline.&lt;/p&gt;

&lt;h2&gt;Compliance has become a continuous, evidence-heavy tax on delivery&lt;/h2&gt;

&lt;p&gt;DORA changed the unit of compliance from the annual audit to the running system. Since it became mandatory on 17 January 2025, EU financial entities must &lt;a href=&quot;https://octopus.com/devops/grc/dora/&quot;&gt;prove operational resilience continuously&lt;/a&gt;: structured ICT-incident classification with standardized regulatory reporting, threat-led penetration testing and scenario drills with documented remediation, continuous third-party ICT risk monitoring with exit strategies, and independent audit evidence. This stacks on top of PCI-DSS, SOX, and GDPR rather than replacing any of them - and PCI-DSS, SOX and GDPR each &lt;a href=&quot;https://softwaremind.com/blog/devops-in-banking-benefits-challenges-best-practices/&quot;&gt;impose their own constraints on the SDLC&lt;/a&gt;, from encryption and continuous auditing of payment data to documented approvals and segregation of duties for every code change.&lt;/p&gt;

&lt;p&gt;The penalties make this a board-level number, not an engineering footnote. DORA non-compliance carries fines up to 2% of annual worldwide turnover or EUR 1 million for institutions, and up to EUR 5 million for critical ICT providers. Hogan Lovells, reviewing the landscape six months in, found the &lt;a href=&quot;https://www.hoganlovells.com/en/publications/the-eu-digital-operational-resilience-act-dora-top-7-challenges-for-it-vendors&quot;&gt;compliance journey far from complete&lt;/a&gt;, with entities still reworking governance, incident-response and business-continuity arrangements. The predictable result is governance becoming the dominant velocity constraint. One bank executive told Deloitte that elevated compliance oversight &lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/financial-services/future-of-software-engineering-in-banks.html&quot;&gt;&quot;definitely impacted our team&apos;s overall velocity.&quot;&lt;/a&gt; This is why mature teams are moving to governance as code: automated policy gates and audit-ready evidence generated by the pipeline, instead of spreadsheets and approval tickets reconstructed under deadline.&lt;/p&gt;

&lt;h2&gt;Legacy plus change-control bureaucracy is where your capacity goes&lt;/h2&gt;

&lt;p&gt;The reason this is hard is structural, not cultural. Mainframes still &lt;a href=&quot;https://softwaremind.com/blog/devops-in-banking-benefits-challenges-best-practices/&quot;&gt;process roughly 68% of global production IT workloads&lt;/a&gt;, and most banking IT budgets go to legacy maintenance rather than innovation - while fintech competitors release weekly. You cannot rip the core out, so the constraint is permanent and must be engineered around.&lt;/p&gt;

&lt;p&gt;Underneath that, technical debt is a continuous drain on the exact engineers you most want building new capability. Deloitte&apos;s numbers are blunt: &lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/financial-services/future-of-software-engineering-in-banks.html&quot;&gt;33% of developer time goes to technical-debt maintenance, and 78% of engineers say legacy systems negatively affect morale&lt;/a&gt; - which is an attrition driver, not just a sentiment metric. Layer manual handoffs through tickets and approval boards on top, and a large fraction of your capacity is consumed before anyone writes a feature. The consensus remedy is platform engineering - paved roads, internal developer portals, embedded compliance, and automated quality gates that produce smaller, auditable changes which are easier to test, roll back, and prove to an auditor. The direction of travel is clear enough that Gartner projects &lt;strong&gt;80% of large software-engineering organizations will have platform-engineering teams by 2026, up from 45% in 2022&lt;/strong&gt;. The payoff is concrete: Software Mind cites Capital One cutting development environment build time from three months to minutes.&lt;/p&gt;

&lt;h2&gt;The software supply chain is now an audit obligation, not a scan&lt;/h2&gt;

&lt;p&gt;Open-source components make up 80-90% of modern applications and sit underneath nearly every financial system, and the threat against them is escalating sharply. Sonatype&apos;s 2026 report recorded &lt;a href=&quot;https://www.sonatype.com/blog/what-the-2026-state-of-the-software-supply-chain-report-reveals-about-regulation&quot;&gt;more than 1.2 million malicious packages blocked&lt;/a&gt;. Triage is harder than it looks on a dashboard: 65% of new vulnerabilities lack severity scores, so you cannot simply gate on CVSS. And AI introduces a new vector directly into the dependency graph - roughly 27% of AI dependency suggestions are invalid or risky hallucinations.&lt;/p&gt;

&lt;p&gt;Regulation has converged to meet this. SBOMs, secure-by-design attestation under the EU Cyber Resilience Act and US NIST SSDF/CISA guidance, and demonstrable oversight of third-party software risk now appear directly in procurement cycles and audit practice - reinforced by DORA&apos;s ICT third-party mandates. CRA penalties reach 2% of global revenue, and software-assurance regulation is converging globally rather than staying region-specific. For a finance engineering director, the implication is specific: SBOM generation, dependency provenance, and continuous vulnerability gating have to be standing, audit-ready parts of the pipeline, not a periodic scan someone runs before a release.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;

&lt;p&gt;The teams absorbing all four pressures without grinding to a halt share a recognizable shape:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Controls live in CI/CD, not in tickets.&lt;/strong&gt; Segregation of duties, change approval, and policy checks are enforced and logged by the pipeline, so the audit artifact is a byproduct of shipping rather than a separate reconstruction effort.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AI output is gated by verification, not trust.&lt;/strong&gt; Given that 96% of developers don&apos;t fully trust AI-generated code, the change-failure rate and rework metrics are watched directly, and AI is rolled into teams that already have strong testing - because it amplifies what&apos;s there.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Changes are small, reversible, and provable.&lt;/strong&gt; Smaller auditable deployments with real rollback are both the resilience story DORA wants and the velocity story the business wants.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Supply-chain evidence is continuous.&lt;/strong&gt; SBOMs and provenance are generated every build, and gating accounts for the 65% of vulnerabilities with no severity score and the risk of hallucinated dependencies.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;The discipline is the strategy&lt;/h2&gt;

&lt;p&gt;None of these four pressures is solvable by a tool purchase or a one-time program. They are properties of operating regulated, high-scale software, and they compound: AI instability lands hardest on legacy-heavy estates, compliance load is heaviest where change control is most manual, and supply-chain risk is widest where provenance is weakest. The common thread in every team that handles them is the same - a disciplined SDLC where resilience and auditability are engineered into the delivery platform rather than bolted on at review time. That is unglamorous, and it is the work. The institutions that treat platform engineering and governance-as-code as core delivery infrastructure are the ones turning DORA from a tax into a baseline they already meet.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://redmonk.com/rstephens/2025/12/18/dora2025/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;DORA 2025: Measuring Software Delivery After AI (RedMonk analysis of Google Cloud / DORA 2025 State of DevOps Report)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.sonatype.com/blog/what-the-2026-state-of-the-software-supply-chain-report-reveals-about-regulation&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;What the 2026 State of the Software Supply Chain Report Reveals About Regulation (Sonatype)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://octopus.com/devops/grc/dora/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;What Is The Digital Operational Resilience Act (DORA)? 2025 Guide (Octopus Deploy)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/financial-services/future-of-software-engineering-in-banks.html&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;How should banks respond to the current disruption in software engineering? (Deloitte Insights)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://softwaremind.com/blog/devops-in-banking-benefits-challenges-best-practices/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;DevOps in Banking: Benefits, Challenges &amp; Best Practices (Software Mind)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.hoganlovells.com/en/publications/the-eu-digital-operational-resilience-act-dora-top-7-challenges-for-it-vendors&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;The EU Digital Operational Resilience Act (DORA): top 7 challenges for IT vendors (Hogan Lovells)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.sonarsource.com/state-of-code-developer-survey-report.pdf&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;2026 State of Code Developer Survey: navigating the AI verification bottleneck (Sonar)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/devops-under-dora-regulated-financial-delivery/&quot;&gt;DevOps Under DORA: Engineering Discipline for Regulated Financial Delivery&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The Retail Delivery Squeeze: Shipping Faster Without Breaking Peak</title><link>https://es.nl/2026/retail-delivery-velocity-vs-stability-peak-engineering/</link><guid isPermaLink="true">https://es.nl/2026/retail-delivery-velocity-vs-stability-peak-engineering/</guid><description>How high-scale retail engineering teams keep release velocity and peak-season stability from pulling in opposite directions, grounded in DORA, DBIR and SRE data.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Every retail engineering org runs on a calendar that works against it. The window where you most need to ship - new omnichannel features, pricing experiments, checkout changes before the fourth quarter - is the same window where a bad change is most expensive. For most of the year you can absorb a regression. In the run-up to Black Friday you cannot. This is the structural tension that defines retail software delivery: maximum release pressure landing exactly when the cost of instability peaks. The teams that handle it well do not resolve the tension by choosing speed or stability. They invest in the engineering foundations that let both rise together, and they treat reliability, security and capacity as constraints inside the pipeline rather than work to be done later. The data from the last two years makes a clear case that this is now a foundations problem, not a tooling one.&lt;/p&gt;

&lt;h2&gt;AI is amplifying your delivery capability, in both directions&lt;/h2&gt;

&lt;p&gt;The headline finding from the &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;2025 DORA report&lt;/a&gt; is that AI-assisted development is now near-universal - 90% of developers use AI tools and over 80% report productivity gains - but AI adoption retains a &lt;strong&gt;negative&lt;/strong&gt; relationship with software delivery stability unless strong controls are in place. AI does not create capability; it amplifies whatever capability already exists. Teams with mature internal platforms, automated testing and tight feedback loops convert AI into speed and stability. Teams without those foundations get their existing chaos magnified, because more code is now flowing through review gates and pipelines that were never designed for that throughput.&lt;/p&gt;

&lt;p&gt;The cost is quantifiable. An &lt;a href=&quot;https://www.infoq.com/news/2026/05/dora-roi-ai-assisted-dev-report/&quot;&gt;InfoQ analysis of DORA&apos;s ROI modeling&lt;/a&gt; shows change failure rate rising from 5% to 6% after AI adoption, modeled at roughly -$344,000 of instability cost for a 500-person organization. The same modeling found the largest productivity gains - 35 to 40% - on simple greenfield tasks, dropping to 10% or less on complex legacy code, which is precisely where most retail platforms live. For an engineering director, the practical reading is that AI throughput without platform investment buys you a higher change failure rate during your highest-pressure release window. The lever that matters is not the AI tool; it is internal platform quality, workflow clarity and team alignment. Notably, DORA found 90% of organizations have already adopted at least one internal platform - so the differentiator is no longer whether you have one, but how good it is.&lt;/p&gt;

&lt;h2&gt;Toil is rising again, and it is eating the capacity you need for peak&lt;/h2&gt;

&lt;p&gt;The people who keep high-scale retail systems reliable - real-time inventory sync, dynamic pricing, checkout, fulfilment routing - are spending more of their week on manual, repetitive work, not less. The &lt;a href=&quot;https://www.catchpoint.com/learn/sre-report-2025&quot;&gt;Catchpoint SRE Report 2025&lt;/a&gt; found that median time SREs spend on operational toil rose from 25% to 30%, the first increase in five years, and crucially it rose &lt;strong&gt;despite&lt;/strong&gt; widespread AI adoption. Automation changed the shape of the work; it did not remove the load.&lt;/p&gt;

&lt;p&gt;This matters on two fronts that compound each other. The first is capacity: engineers buried in toil cannot do the resilience hardening that peak season demands. The second is pressure. In the same survey, 41% of practitioners report often or always feeling pressure to prioritize releases over reliability, and 53% agree that &quot;slow is the new down&quot; - degraded performance is now treated as an outage by customers and the business. Put those together and you have a system that is structurally biased toward shipping over hardening, staffed by the exact senior SREs whose burnout and attrition you can least afford going into a high-stakes quarter. Toil reduction is not a quality-of-life nicety here; it is the mechanism that frees the capacity to engineer for peak.&lt;/p&gt;

&lt;h2&gt;Peak-season resilience has to be engineered in, not provisioned on the day&lt;/h2&gt;

&lt;p&gt;The reason this all becomes acute in the fourth quarter is the raw economics of downtime at scale. Industry research summarized by &lt;a href=&quot;https://www.thecommerceteam.com/news-insights-events/peak-season-is-here----are-your-systems-ready-for-the-outage-you-cant-see&quot;&gt;The Commerce Team&lt;/a&gt; puts the cost of peak-season downtime at retail sites at roughly £4,000 per minute - about £240,000 per hour - before secondary costs like trust erosion and customer churn. A single outage during that window can erase the margin of an entire campaign.&lt;/p&gt;

&lt;p&gt;The stakes scale with the calendar: per the &lt;a href=&quot;https://www.rudrainnovative.com/blog/e-commerce-platform-development-guide&quot;&gt;2026 e-commerce scalability guide&lt;/a&gt;, Black Friday 2025 generated $11.8B in US online spend and Cyber Monday $14.25B. The architectural answers the industry is converging on are well understood: MACH/headless architecture (which the same guide credits with cutting page-load times by around a third versus monolithic stacks), microservices, predictive autoscaling, aggressive caching, and load-testing to 5 to 10x normal traffic. The problem is not knowing what to build; it is that this work is exactly what gets crowded out by feature delivery and rising toil. The framing that lands with a director is risk-adjusted ROI: when an hour of peak downtime costs six figures, observability, capacity planning and resilience engineering done ahead of peak have an unusually high and measurable return. Resilience is a property you build into the system over the preceding quarter, not a configuration you reach for on the day the traffic arrives.&lt;/p&gt;

&lt;h2&gt;Security and EU compliance are now gates inside the pipeline&lt;/h2&gt;

&lt;p&gt;The fourth constraint is the one that has hardened fastest from advisory to obligation. The &lt;a href=&quot;https://www.reversinglabs.com/blog/verizon-2025-dbir-third-party-risk&quot;&gt;Verizon 2025 DBIR&lt;/a&gt;, across 12,195 confirmed breaches, found the share of breaches involving a third party &lt;strong&gt;doubled from 15% to 30%&lt;/strong&gt; year over year. The supply chain - the exact surface retail depends on for payments, commerce platforms and integrations - is deteriorating fastest. The report also found exposed secrets in public repositories sitting unremediated for a median of 94 days, with a third of leaked secrets tied to dev and CI/CD environments. That is a SDLC failure mode, not just a security one.&lt;/p&gt;

&lt;p&gt;European retailers face this against a stacked regulatory backdrop. Per &lt;a href=&quot;https://www.schellman.com/blog/cybersecurity/european-compliance-nis2-cra-dora&quot;&gt;Schellman&apos;s EU compliance analysis&lt;/a&gt;, DORA became applicable in January 2025; the Cyber Resilience Act drives security-by-design across the product lifecycle, with reporting obligations from 11 September 2026 and core requirements from 11 December 2027; and NIS2 transposition, due 17 October 2024, was complete in only about 14 of 27 member states by mid-2025, with infringement proceedings against the rest. The combined effect is that secure SDLC, incident reporting, change logging and third-party assurance move from good practice to legal requirement. Bolted on at the end, these obligations destroy lead time. Automated into the platform - secret scanning, SBOM generation, policy-as-code gates, dependency provenance - they become a fast, repeatable part of the pipeline.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;

&lt;p&gt;The four pressures above share a single root cause and a single answer. Disciplined teams treat the platform as the place where speed, reliability, security and compliance are reconciled, rather than negotiated case by case. Concretely:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Feedback loops over throughput.&lt;/strong&gt; Fast, automated testing and deployment so that AI-accelerated volume is caught before it reaches production, holding change failure rate flat as velocity rises.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Toil as a tracked budget.&lt;/strong&gt; Treat operational load as a metric with a ceiling, and fund automation against it, so reliability capacity is protected ahead of peak rather than consumed by it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Resilience proven, not assumed.&lt;/strong&gt; Load-test to a realistic multiple of peak, rehearse failure, and validate autoscaling and caching weeks before the traffic arrives - not on the day.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance and security as code.&lt;/strong&gt; Secret scanning, SBOMs, dependency provenance and policy gates embedded in the pipeline, so regulatory obligations cost lead time once, at build time, instead of repeatedly in review.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;The throughline&lt;/h2&gt;

&lt;p&gt;None of these four challenges is solved by buying a tool. The DORA finding that AI amplifies existing capability is the general case: every one of these pressures rewards teams with strong foundations and punishes those without. For a high-scale, regulated retail platform in Europe, the disciplined path is to make the platform the system of record for how you ship - where velocity, reliability, security and compliance are designed to rise together rather than trade off against each other. That is unglamorous, foundational engineering. It is also the only thing that holds up when the traffic, the release pressure and the regulator all arrive in the same quarter.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report (State of AI-assisted Software Development)&lt;/a&gt; - Google Cloud / DORA, 23 Sep 2025.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2026/05/dora-roi-ai-assisted-dev-report/&quot;&gt;New DORA Report Claims Strong Engineering Foundations Drive AI Return on Investment&lt;/a&gt; - InfoQ, 11 May 2026.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.catchpoint.com/learn/sre-report-2025&quot;&gt;The SRE Report 2025&lt;/a&gt; - Catchpoint.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.reversinglabs.com/blog/verizon-2025-dbir-third-party-risk&quot;&gt;Verizon 2025 DBIR: Third-party software risk takes the spotlight&lt;/a&gt; - ReversingLabs, 24 Apr 2025.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.schellman.com/blog/cybersecurity/european-compliance-nis2-cra-dora&quot;&gt;EU Cyber Resilience Update: NIS2, CRA, and DORA&lt;/a&gt; - Schellman, 18 Sep 2025.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.thecommerceteam.com/news-insights-events/peak-season-is-here----are-your-systems-ready-for-the-outage-you-cant-see&quot;&gt;Peak-Ready Retail: How to Prevent Costly Downtime and Strengthen Your Commerce Stack&lt;/a&gt; - The Commerce Team Global, 1 Oct 2025.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.rudrainnovative.com/blog/e-commerce-platform-development-guide&quot;&gt;E-commerce Platform Development: The Complete Scalability and Performance Guide&lt;/a&gt; - Rudra Innovative, 1 Nov 2025.&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/retail-delivery-velocity-vs-stability-peak-engineering/&quot;&gt;The Retail Delivery Squeeze: Shipping Faster Without Breaking Peak&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The Reliability Tax in Telecom Delivery: Shipping Faster Without Dropping the Call</title><link>https://es.nl/2026/reliability-tax-in-telecom-software-delivery/</link><guid isPermaLink="true">https://es.nl/2026/reliability-tax-in-telecom-software-delivery/</guid><description>How telecom and communications engineering leaders ship faster without eroding SLA reliability: AI&apos;s instability tradeoff, change-management failure modes, toil, and NIS2.</description><pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run engineering for a communications platform, you live inside a contradiction. The business wants more features, faster, on a network it cannot afford to break. Your SLAs are not marketing copy; for emergency-call paths they are a legal and human obligation. And the tooling that promises to make you faster is, on the current evidence, just as likely to make you less reliable. The job is no longer choosing between speed and stability. It is engineering a delivery system where the two stop trading against each other. This piece walks through four pressures that define that system for telecom and large-scale service platforms, each grounded in 2025 data, and what a disciplined response looks like.&lt;/p&gt;

&lt;h2&gt;AI is an amplifier, not a fix, and your foundations decide which way it amplifies&lt;/h2&gt;
&lt;p&gt;The 2025 DORA research on AI-assisted software development is blunt about the mechanism. AI adoption is now near-universal: &lt;a href=&quot;https://www.faros.ai/blog/key-takeaways-from-the-dora-report-2025&quot;&gt;95% of developers use AI tools and over 80% report productivity gains, yet the same data shows an &quot;Acceleration Whiplash&quot; in which more code arrives with less scrutiny&lt;/a&gt;. The same analysis records median time in pull-request review up 441%, 31% more PRs merging with no review at all, bugs per developer up 54%, and incidents per PR up 242.7%. More code, arriving faster, scrutinized less.&lt;/p&gt;
&lt;p&gt;The decisive variable is not the model; it is what the model is poured into. AI amplifies whatever delivery system already exists. Teams with strong testing, review discipline, and loosely-coupled architecture convert AI output into throughput. Teams with weak foundations convert it into technical debt and process chaos at higher velocity. Telecom organizations running mission-critical, tightly-coupled legacy stacks sit squarely in that second profile. A naive &quot;use AI, ship faster&quot; mandate pushed onto an OSS/BSS estate that was never designed for rapid, independent change does not accelerate delivery. It raises change-failure rate against exactly the reliability your SLAs depend on. The leadership move is to treat AI as a forcing function for the foundations: invest in automated testing, enforced review, and progressive delivery first, so that the amplifier has something worth amplifying.&lt;/p&gt;

&lt;h2&gt;In a tightly-coupled network, a routine change is a blast radius&lt;/h2&gt;
&lt;p&gt;The reason reliability dominates this domain is that the failure modes are not abstract. The 2025 Optus emergency-calling outage is the canonical recent case, and it is worth studying as a pure SDLC failure rather than as a telecom curiosity. &lt;a href=&quot;https://en.wikipedia.org/wiki/2025_Optus_emergency_calling_outage&quot;&gt;An 18 September 2025 firewall upgrade caused roughly 600 failed Triple Zero emergency calls over about 13 hours across four Australian states, with four deaths reported during the outage, and Optus stated its monitoring system excluded Triple Zero calls so &quot;there were no alarms&quot;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Decompose that and every element is a familiar engineering control that was absent or weak. A routine change deployed without blast-radius containment. No canary or progressive rollout to catch the regression on a small slice of traffic before it reached the whole network. Monitoring that did not cover the single most critical path, so mean-time-to-detect stretched to hours on a system where seconds matter. And, by implication, no tested rollback that would have reverted the change the moment something looked wrong. None of these are exotic. They are the standard disciplines of change management and observability, applied to a tightly-coupled system where the cost of skipping them is measured in lives and government inquiries rather than dashboards. For a communications engineering leader the lesson is uncomfortable but actionable: the controls that feel like overhead on a routine firewall change are precisely the controls that exist for routine changes, because in this domain the routine ones are what kill you.&lt;/p&gt;

&lt;h2&gt;Operating two worlds at once is taxing your SRE capacity to the bone&lt;/h2&gt;
&lt;p&gt;The structural reason these controls are hard to apply consistently is that telecom is not migrating off legacy; it is running legacy and cloud-native in parallel, indefinitely. Monolithic OSS/BSS and circuit-era network functions are moving onto cloud-native 5G stacks built on microservices, Kubernetes, and multi-access edge. Teams operate both at once, which roughly doubles the operational surface. Traditional monitoring is part of the problem: tooling &lt;a href=&quot;https://www.vamsitalkstech.com/5g/observability-evolution-in-telecommunications-8-trends-reshaping-5g-networks-and-bss-oss-operations-in-2025/&quot;&gt;built for circuit-switched networks and monolithic OSS cannot handle 5G standalone, distributed edge, and microservices-based BSS&lt;/a&gt;, which is exactly the kind of gap that lets a critical path go unmonitored.&lt;/p&gt;
&lt;p&gt;The human cost shows up in toil. On the network side the work is dominated by &lt;a href=&quot;https://www.itential.com/resource/white-papers/applying-platform-engineering-principles-to-networking/&quot;&gt;manual ticketing and &quot;swivel-chair&quot; provisioning, multivendor tool fragmentation, and non-standardized &quot;snowflake&quot; infrastructure that is hard to automate&lt;/a&gt;. Unmanaged toil is therefore not only a throughput tax; it is a retention and burnout risk, and burned-out engineers operating snowflake systems under time pressure are how change-failure rate climbs. The correction is to shift guardrails down into a self-service golden path rather than dumping operational load onto individual developers. The platform engineering response is real but immature: in one 2025 survey &lt;a href=&quot;https://platformengineering.org/blog/announcing-the-state-of-platform-engineering-vol-4&quot;&gt;29.6% of platform teams do not measure success at all, and 55.9% of companies now operate more than one platform&lt;/a&gt;. Building a platform is not the same as building one that demonstrably reduces toil.&lt;/p&gt;

&lt;h2&gt;NIS2 turns reliability evidence into a board-level, personally-enforced constraint&lt;/h2&gt;
&lt;p&gt;The final pressure removes any option to treat this as best-effort. Under the EU NIS2 Directive, &lt;a href=&quot;https://www.gtlaw.com/en/insights/2025/8/eu-nis-2-directive-expanded-cybersecurity-obligations-for-key-sectors&quot;&gt;telecom and digital infrastructure are in scope regardless of size, with a 24-hour early warning, 72-hour assessment and one-month final incident report mandated, fines up to EUR 10 million or 2% of global annual turnover, and management bodies &quot;personally accountable for compliance,&quot; against a transposition deadline of 17 October 2024&lt;/a&gt;. For Benelux and wider European operators this is now binding law, not guidance.&lt;/p&gt;
&lt;p&gt;Read those clocks as engineering requirements. A 24-hour early warning is impossible without observability good enough to detect and characterize an incident quickly, which is exactly the gap the Optus outage exposed. A one-month final report is impossible without audit-ready change records, supply-chain traceability, and tested incident-response runbooks already wired into the pipeline rather than reconstructed afterward. Personal accountability for management means the resilience evidence has to be a byproduct of how you deliver, not a document assembled under deadline pressure. NIS2 is what fuses the other three pressures into a single mandate: move fast, stay reliable, and prove it, simultaneously, with names attached.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;
&lt;p&gt;The teams that hold all four constraints at once tend to share a small set of disciplines rather than a particular toolchain:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Progressive delivery by default for network and service changes&lt;/strong&gt;, so the unit of risk is a canary slice, not the whole estate, with automated, tested rollback wired to the same signals.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Critical-path observability that is verified, not assumed&lt;/strong&gt;, including synthetic monitoring of emergency and high-value call paths, so a silenced alarm is itself an alertable condition.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Guardrails shifted down into a golden path&lt;/strong&gt;, so review, security checks, and compliance evidence are produced by the platform automatically rather than depending on individual engineers under load.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Measured platform outcomes&lt;/strong&gt;, tracking toil, cognitive load, rework rate, and change-failure rate, because a platform nobody measures is a cost center, not a control.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance evidence as a pipeline artifact&lt;/strong&gt;, with change records and incident runbooks generated as you ship, ready to satisfy a 24/72-hour clock without a scramble.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of this is exotic, and that is the point. The pressures on a communications platform in 2025 are AI amplifying instability, tightly-coupled change blowing up in production, toil draining the people who keep the network alive, and regulation making the whole thing personally accountable. What connects them is that each is a delivery-discipline problem dressed as a technology problem. A platform that encodes progressive delivery, verified observability, shifted-down guardrails, and audit-ready evidence is not a reliability tax you pay reluctantly. It is the only configuration in which speed and stability stop fighting, which in this domain is the difference between shipping and dropping the call.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.faros.ai/blog/key-takeaways-from-the-dora-report-2025&quot;&gt;DORA Report 2025 Key Takeaways: AI Impact on Dev Metrics (2025 DORA State of AI-Assisted Software Development Report)&lt;/a&gt;, Faros.ai, July 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://platformengineering.org/blog/announcing-the-state-of-platform-engineering-vol-4&quot;&gt;Announcing the State of Platform Engineering Report Vol 4&lt;/a&gt;, PlatformEngineering.org, December 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.vamsitalkstech.com/5g/observability-evolution-in-telecommunications-8-trends-reshaping-5g-networks-and-bss-oss-operations-in-2025/&quot;&gt;Observability Evolution in Telecommunications: 8 Trends Reshaping 5G Networks and BSS/OSS Operations in 2025&lt;/a&gt;, Vamsi Talks Tech, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.itential.com/resource/white-papers/applying-platform-engineering-principles-to-networking/&quot;&gt;Applying Platform Engineering Principles to Networking&lt;/a&gt;, Futuriom Research via Itential, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://en.wikipedia.org/wiki/2025_Optus_emergency_calling_outage&quot;&gt;2025 Optus emergency calling outage&lt;/a&gt;, Wikipedia, September 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gtlaw.com/en/insights/2025/8/eu-nis-2-directive-expanded-cybersecurity-obligations-for-key-sectors&quot;&gt;EU NIS 2 Directive: Expanded Cybersecurity Obligations for Key Sectors&lt;/a&gt;, Greenberg Traurig LLP, August 2025&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2026/reliability-tax-in-telecom-software-delivery/&quot;&gt;The Reliability Tax in Telecom Delivery: Shipping Faster Without Dropping the Call&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How Cloud Computing Enhances Online Fashion Retail</title><link>https://es.nl/2023/how-cloud-computing-enhances-online-fashion-retail/</link><guid isPermaLink="true">https://es.nl/2023/how-cloud-computing-enhances-online-fashion-retail/</guid><description>A senior engineer&apos;s view of how cloud computing actually moves the needle for online fashion retail: peak traffic, personalization, security and cost governance.</description><pubDate>Tue, 05 Dec 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Online fashion retail is a brutal workload to run. Traffic is spiky and event-driven, the catalogue churns every season, margins are thin, and you are holding payment data and personal data under regulatory obligation. &quot;Move to the cloud&quot; has been the default answer for a decade, and it is no longer a contrarian bet: Gartner forecasts worldwide public cloud end-user spending at &lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;$723.4 billion in 2025, up 21.5% year over year&lt;/a&gt;. The interesting question for an engineering leader is not whether to adopt cloud, but which properties of it actually change your outcomes, and where the narrative oversells.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of cloud services connecting an online fashion retail platform to scalable compute, storage and analytics&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Elasticity is a property you have to engineer, not buy&lt;/h2&gt;
&lt;p&gt;The defining trait of fashion commerce is the peak. A 48-hour sale, a collaboration drop, a Black Friday window: traffic can go from baseline to an order of magnitude higher in minutes, then collapse. Provisioning on-premise for that peak means paying for idle hardware 50 weeks a year. Provisioning for the average means you fall over exactly when revenue is on the line.&lt;/p&gt;
&lt;p&gt;The proof points are concrete. Footwear brand Filling Pieces used to crash at around &lt;a href=&quot;https://www.shopify.com/enterprise/blog/cloud-computing-retail&quot;&gt;10,000 simultaneous visitors during 48-hour sales and eliminated that downtime after moving to a cloud commerce platform&lt;/a&gt; that sustains roughly 40,000 checkout starts per minute against a 99.9% uptime SLA. That is the headline benefit: absorbing a peak that would have toppled a fixed-capacity stack.&lt;/p&gt;
&lt;p&gt;But elasticity does not arrive in the box. Google&apos;s &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 DORA research&lt;/a&gt; is explicit that elasticity and self-service are two of the five essential characteristics of cloud, and that the value comes from &lt;strong&gt;how&lt;/strong&gt; the cloud is used, not from the act of adoption. A stateful monolith with a single relational primary and no horizontal scaling path will not scale just because it now runs on rented instances. The work that actually buys you the peak is unglamorous: autoscaling policies tuned to leading indicators rather than CPU after the fact, statelessness at the request tier, connection pooling and read replicas or caching so the database is not the bottleneck, queue-based load levelling for checkout and inventory writes, and load tests that rehearse the drop before the drop happens. DORA also reports that only about 19% of teams reach elite delivery performance. Elasticity is in the same bracket: available to everyone, realized by few.&lt;/p&gt;

&lt;h2&gt;Personalization is where cloud pays for itself&lt;/h2&gt;
&lt;p&gt;The strongest commercial case for cloud in fashion is not the infrastructure line item, it is what the data platform on top of it lets you do. McKinsey finds that &lt;a href=&quot;https://www.mckinsey.com/capabilities/growth-marketing-and-sales/our-insights/the-value-of-getting-personalization-right-or-wrong-is-multiplying&quot;&gt;personalization typically lifts revenue 10 to 15%&lt;/a&gt; (company-specific range of 5 to 25%) and improves marketing-spend efficiency by 10 to 30%, predominantly through product recommendations and triggered communications. Fast-growing companies derive roughly 40% more of their revenue from personalization than slower-growing peers.&lt;/p&gt;
&lt;p&gt;Those numbers are reachable in fashion specifically because the signals are rich: browse and search behaviour, size and fit history, returns, wishlist activity, seasonality. Cloud is the enabler here because managed analytics warehouses, feature stores, and on-demand training and inference let a mid-sized retailer run recommendation and demand-forecasting models without standing up a GPU fleet. The engineering discipline that makes this real is the same as anywhere else: a clean event pipeline, training and serving features that do not drift apart, and recommendations served inside the latency budget of a product page. Treat personalization as a product surface with its own SLAs and experimentation loop, not a feature you switch on.&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-fashion-store.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-fashion-store-600w.webp 600w, /content/uploads/2026/06/ext-fashion-store-1120w.webp 1120w, /content/uploads/2026/06/ext-fashion-store.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Interior of an In-Fashion clothing store on Granville Road in Tsim Sha Tsui, Hong Kong, with racks and shelves of apparel on display under bright retail lighting.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:HK_TST_night_%E5%98%89%E9%80%A3%E5%A8%81%E8%80%81%E9%81%93_Granville_Road_In-Fashion_clothing_shop_interior.JPG&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Szetoyanlun&lt;/a&gt; / &lt;a href=&quot;https://creativecommons.org/licenses/by-sa/3.0/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;CC BY-SA 3.0&lt;/a&gt;, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;Inventory and operations: real-time visibility, eventual consistency&lt;/h2&gt;
&lt;p&gt;Cloud-hosted inventory and order systems give you real-time stock visibility across channels, which reduces both overselling and dead stock. The architectural caveat worth naming to your team: inventory across stores, warehouses, and the storefront is a distributed-consistency problem. During a peak you will trade strict consistency for availability somewhere, and you want that trade to be a deliberate design decision (reservations, oversell buffers, idempotent fulfilment) rather than an emergent surprise at 40,000 checkouts a minute. The cloud gives you the building blocks; the consistency model is still yours to own.&lt;/p&gt;

&lt;h2&gt;Security and reliability are a genuine advantage, with conditions&lt;/h2&gt;
&lt;p&gt;Fashion retail holds payment and personal data, which makes it a target and a compliance obligation (PCI DSS, and GDPR for European customers). The stakes are rising: IBM&apos;s &lt;a href=&quot;https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report&quot;&gt;Cost of a Data Breach Report 2024&lt;/a&gt; puts the global average breach at $4.88 million, up about 10% year over year, the largest jump since the pandemic. Hyperscalers out-invest almost any individual retailer in physical security, patching cadence, encryption primitives, and certifications, and that is a real edge.&lt;/p&gt;
&lt;p&gt;It is also a shared-responsibility edge. The provider secures the infrastructure; you remain on the hook for identity and access, network segmentation, key management, secrets, logging, and your own application code. Most cloud breaches trace to misconfiguration on the customer side, not a failure of the provider. The practical posture for a regulated retail team is least-privilege IAM, encryption in transit and at rest as default, tight blast-radius boundaries around the cardholder data environment, and audit logging you actually review. On reliability, the same engineering choices that buy you the peak (multi-AZ, health checks, graceful degradation) are what convert a 99.9% SLA into 99.9% real availability.&lt;/p&gt;

&lt;h2&gt;The cost story: governance, not automatic savings&lt;/h2&gt;
&lt;p&gt;This is where the original &quot;cloud cuts costs&quot; framing needs correcting for a skeptical audience. Cloud converts capex to opex and lets you pay for the peak only when it happens, which is genuinely valuable for spiky retail traffic. But it is not automatically cheaper. Industry FinOps data cited by &lt;a href=&quot;https://www.shopify.com/enterprise/blog/cloud-computing-retail&quot;&gt;Shopify Enterprise&lt;/a&gt; shows organizations waste roughly 27% of public cloud spend and run about 15% over budget on average. DORA makes the matching point: a well-run on-premise setup can beat a poorly configured cloud deployment.&lt;/p&gt;
&lt;p&gt;Pair every scalability claim with cost governance. Tag and attribute spend to teams and features, set budgets and alerts, right-size relentlessly, use committed-use or reserved pricing for steady baseline load, and treat the always-on cost of a fashion business between peaks as something to be actively optimized, not assumed away. FinOps is not finance overhead; it is the discipline that keeps elasticity from becoming an unbounded bill.&lt;/p&gt;

&lt;h2&gt;What this means for an engineering leader&lt;/h2&gt;
&lt;p&gt;Cloud is the right substrate for online fashion retail, but the benefits are conditional on engineering practice. Elasticity has to be designed in, personalization has to be built and measured like a product, security depends on your side of the shared-responsibility line, and cost only stays sane with governance. Gartner expects 90% of organizations to run hybrid cloud through 2027, so the real decision is rarely all-or-nothing; it is which workloads live where, and how disciplined the team is about the parts the provider cannot do for you. Adopt the cloud for the properties you will actually exploit, and invest in the platform engineering that turns those properties into outcomes.&lt;/p&gt;
&lt;p&gt;If you are weighing how to architect or migrate a high-scale storefront, &lt;a href=&quot;/devops&quot;&gt;our DevOps and Cloud Services&lt;/a&gt; can help you build the autoscaling, observability, and cost governance that make these benefits real rather than theoretical.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;Gartner Forecasts Worldwide Public Cloud End-User Spending to Total $723 Billion in 2025&lt;/a&gt; (Gartner, 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; (DORA / Google Cloud, 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.shopify.com/enterprise/blog/cloud-computing-retail&quot;&gt;Cloud Computing in Retail (2026): Benefits, Use Cases, and Risks&lt;/a&gt; (Shopify Enterprise, 2025)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/capabilities/growth-marketing-and-sales/our-insights/the-value-of-getting-personalization-right-or-wrong-is-multiplying&quot;&gt;The value of getting personalization right - or wrong - is multiplying&lt;/a&gt; (McKinsey &amp;amp; Company, 2021)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report&quot;&gt;Cost of a Data Breach Report 2024&lt;/a&gt; (IBM Security / Ponemon Institute, 2024)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-cloud-computing-enhances-online-fashion-retail/&quot;&gt;How Cloud Computing Enhances Online Fashion Retail&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The Role of DevOps in Streamlining Automotive Operations</title><link>https://es.nl/2023/the-role-of-devops-in-streamlining-automotive-operations/</link><guid isPermaLink="true">https://es.nl/2023/the-role-of-devops-in-streamlining-automotive-operations/</guid><description>DevOps is now the delivery and compliance backbone for software-defined vehicles - CI/CD, OTA updates, and DORA-grade discipline under UN R155/R156.</description><pubDate>Fri, 01 Dec 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;The car is now a software platform that happens to have wheels. McKinsey projects the global automotive software and electronics market will grow at roughly &lt;a href=&quot;https://www.mckinsey.com/features/mckinsey-center-for-future-mobility/our-insights/mapping-the-automotive-software-and-electronics-landscape&quot;&gt;4.5% CAGR to about $519 billion by 2035, against just ~1.0% CAGR for the vehicle market overall&lt;/a&gt;. Software, not sheet metal, is where the margin and the differentiation now live. If you run automotive engineering, the relevant question is no longer whether to adopt DevOps but whether your delivery and compliance pipelines can keep pace with a software-defined vehicle (SDV) program that ships features over the air across a decade-long fleet lifecycle. This article is about what that actually requires - and where most programs underestimate the gap.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/ci_cd_illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/ci_cd_illustration-600w.webp 600w, /content/uploads/2025/06/ci_cd_illustration-1120w.webp 1120w, /content/uploads/2025/06/ci_cd_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;CI/CD pipeline diagram showing automated build, test, and deployment stages used to deliver automotive software&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The architecture shift forces the operating-model shift&lt;/h2&gt;
&lt;p&gt;The reason DevOps is now load-bearing in automotive is architectural. The industry is collapsing dozens of distributed ECUs into &lt;a href=&quot;https://www.mckinsey.com/features/mckinsey-center-for-future-mobility/our-insights/mapping-the-automotive-software-and-electronics-landscape&quot;&gt;zonal and central high-performance computing architectures&lt;/a&gt;. That decoupling of hardware from software is what makes a true SDV possible: applications can be developed, updated, and added independently of the silicon they run on. But it also means your software organization inherits responsibilities that hardware release cycles used to mask. You now own a fleet of running systems that expect updates, and a codebase that must integrate cleanly across teams and suppliers without a yearly model-year reset to paper over the seams. That is a DevOps problem, end to end.&lt;/p&gt;

&lt;h2&gt;Measure delivery, not activity&lt;/h2&gt;
&lt;p&gt;Before discussing practices, fix the measurement. DevOps performance has a credible, vendor-neutral definition: the four DORA keys - &lt;strong&gt;deployment frequency, lead time for changes, change failure rate, and failed-deployment recovery time&lt;/strong&gt;. Throughput and stability, captured honestly. The 2024 &lt;a href=&quot;https://cloud.google.com/devops/state-of-devops&quot;&gt;Accelerate State of DevOps Report&lt;/a&gt; is a useful corrective for anyone expecting tooling to do the work: the high-performing cluster &lt;em&gt;shrank&lt;/em&gt; from 31% to 22% of teams, the low cluster grew from 17% to 25%, and AI adoption correlated with &lt;em&gt;worse&lt;/em&gt; delivery performance for a second consecutive year, with around 39% of respondents distrusting AI-generated code. The lesson for an automotive director is blunt. Buying a toolchain, or bolting an AI assistant onto an undisciplined pipeline, does not move these numbers. Automated, well-tested continuous delivery does. Instrument the four keys per program and treat regressions as defects.&lt;/p&gt;

&lt;h2&gt;Shift left: validate software before the hardware exists&lt;/h2&gt;
&lt;p&gt;The highest-leverage DevOps practice in automotive is moving validation earlier than physical hardware availability. Microsoft&apos;s 2026 &lt;a href=&quot;https://learn.microsoft.com/en-us/industry/mobility/architecture/software-defined-vehicle-reference-architecture-content&quot;&gt;software-defined vehicle reference architecture&lt;/a&gt; puts CI/CD pipeline automation at the core and builds &lt;strong&gt;virtual ECUs and HPCs in the cloud&lt;/strong&gt; so that software-in-the-loop (SIL) and hardware-in-the-loop (HIL) testing run before the physical board is available. Concretely, that means software and hardware are developed and validated in parallel rather than serially. For programs historically gated by bench and vehicle availability, this is the difference between a quarterly integration crunch and a continuously green main branch.&lt;/p&gt;
&lt;p&gt;This is also where the original framing of &quot;rapid prototyping&quot; and &quot;enhanced quality assurance&quot; earns its keep. Rapid prototyping in a regulated vehicle program is not about moving fast and breaking things - it is about being able to exercise a feature against a virtual target on every commit, so that defects surface in CI rather than in a recall. Quality assurance becomes a property of the pipeline, not a phase appended after development.&lt;/p&gt;

&lt;h2&gt;The concrete toolchain&lt;/h2&gt;
&lt;p&gt;The abstractions - integration, QA, monitoring - resolve into a specific set of practices that the SDV reference architecture treats as table stakes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Infrastructure as code and configuration as code&lt;/strong&gt;, so the cloud test fleet and the virtual targets are reproducible and reviewable, not hand-built.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automated testing&lt;/strong&gt; across SIL and HIL, wired into the pipeline so no change reaches a target board untested.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Software-over-the-air (SOTA/OTA) delivery&lt;/strong&gt; to physical fleets, which is the operational endpoint of the whole pipeline and the thing that makes a vehicle a continuously improving product.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Automated security and code scanning&lt;/strong&gt; - for example &lt;a href=&quot;https://learn.microsoft.com/en-us/industry/mobility/architecture/software-defined-vehicle-reference-architecture-content&quot;&gt;GitHub code scanning with CodeQL, including AUTOSAR C++ and CERT C++ support&lt;/a&gt; - so that coding-standard and vulnerability checks run as gates, not as audits.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&quot;Continuous monitoring,&quot; in this context, is not a Grafana dashboard for its own sake. It is the field-telemetry feedback loop that tells you how a deployed release behaves across a heterogeneous fleet, and which feeds the next OTA campaign. Close that loop and you have something the original article only gestured at: a real-time path from production behavior back into the backlog.&lt;/p&gt;

&lt;h2&gt;Compliance is now a pipeline requirement, not a competitive edge&lt;/h2&gt;
&lt;p&gt;This is the part a 2023-era treatment misses entirely, and it is the part that should change how you fund this work. Since &lt;strong&gt;July 2024&lt;/strong&gt;, &lt;a href=&quot;https://www.appluslaboratories.com/global/en/news/publications/new-cybersecurity-regulations-vehicles-unece-wp29&quot;&gt;UN Regulation No. 155 and No. 156 are mandatory&lt;/a&gt; for all new vehicles type-approved in UNECE markets, including the EU. R155 mandates a Cybersecurity Management System (CSMS); R156 mandates a Software Update Management System (SUMS) - the legal basis for shipping OTA updates at all - and both are referenced to ISO/SAE 21434.&lt;/p&gt;
&lt;p&gt;Read that carefully. A managed, traceable, auditable software-update and security pipeline is no longer a way to outpace competitors. It is a &lt;strong&gt;condition of type approval&lt;/strong&gt;. You cannot legally ship OTA updates into these markets without a SUMS, and you cannot demonstrate a SUMS without exactly the artifacts a disciplined DevOps pipeline produces as a byproduct: versioned, attributable changes; automated security gates; reproducible builds; and an evidence trail from commit to deployed fleet. Teams that treated DevOps as an efficiency play now find that the same investment is what keeps their products street-legal. Teams that bolted compliance on as a separate documentation exercise are carrying duplicate, divergent records and an audit burden that compounds with every release.&lt;/p&gt;

&lt;h2&gt;What this means for how you fund and staff it&lt;/h2&gt;
&lt;p&gt;Three implications follow for an engineering leader. First, &lt;strong&gt;fund the pipeline as core product infrastructure&lt;/strong&gt;, not as a platform-team cost center - it is simultaneously your throughput engine and your regulatory evidence system. Second, &lt;strong&gt;resist the assumption that AI tooling substitutes for delivery discipline&lt;/strong&gt;; the DORA data is two years deep on this point, and an undisciplined pipeline gets faster at producing change-failure incidents, not slower. Third, &lt;strong&gt;make the four DORA keys and the R155/R156 evidence trail the same conversation&lt;/strong&gt;. The practices that drive deployment frequency and recovery time are the practices that produce auditable, traceable updates. Treating delivery performance and compliance as one system, rather than two, is the difference between DevOps as a slogan and DevOps as the operating model of a software-defined vehicle program.&lt;/p&gt;

&lt;p&gt;At Expeditious Software we build and harden these pipelines for high-scale and regulated engineering teams. If you are moving toward an SDV architecture and need the CI/CD, OTA, and compliance-evidence backbone to hold up under R155/R156, that is the work we do. Explore more at &lt;a href=&quot;/devops/&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/devops/state-of-devops&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/features/mckinsey-center-for-future-mobility/our-insights/mapping-the-automotive-software-and-electronics-landscape&quot;&gt;Mapping the automotive software and electronics landscape through 2035&lt;/a&gt; - McKinsey &amp;amp; Company (McKinsey Center for Future Mobility)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://learn.microsoft.com/en-us/industry/mobility/architecture/software-defined-vehicle-reference-architecture-content&quot;&gt;Software-defined vehicle DevOps toolchain - Microsoft for Mobility reference architecture&lt;/a&gt; - Microsoft Learn (Azure Architecture Center)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.appluslaboratories.com/global/en/news/publications/new-cybersecurity-regulations-vehicles-unece-wp29&quot;&gt;UNECE WP.29 R155/R156: new cybersecurity regulations for vehicles&lt;/a&gt; - Applus+ Laboratories&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/the-role-of-devops-in-streamlining-automotive-operations/&quot;&gt;The Role of DevOps in Streamlining Automotive Operations&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>What You Should Know About DevOps Security in 2026</title><link>https://es.nl/2023/what-you-should-know-about-devops-security/</link><guid isPermaLink="true">https://es.nl/2023/what-you-should-know-about-devops-security/</guid><description>A senior, data-grounded take on DevSecOps: shifting security into the CI/CD pipeline, securing dependencies and secrets, and prioritising exploitable risk.</description><pubDate>Fri, 10 Nov 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most writing on DevOps security restates the same checklist: shift left, scan things, manage secrets, monitor everything. The principles are correct and almost useless on their own, because they tell you nothing about where risk actually concentrates, what attackers are exploiting this year, or which of these controls move the numbers your board cares about. This piece keeps the same DevSecOps fundamentals the original article covered, but grounds each one in what the 2024 industry data shows - so an engineering director running a high-scale or regulated estate can decide where to spend the next quarter, not just nod along.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/ci_cd_illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/ci_cd_illustration-600w.webp 600w, /content/uploads/2025/06/ci_cd_illustration-1120w.webp 1120w, /content/uploads/2025/06/ci_cd_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of a CI/CD pipeline with automated build, test and security-scanning stages between commit and production deployment&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The threat model moved, and it moved toward your pipeline&lt;/h2&gt;

&lt;p&gt;DevSecOps - integrating security into the DevOps lifecycle rather than bolting it on after development - is not new advice. What changed is the urgency behind it. Verizon&apos;s 2024 Data Breach Investigations Report found that &lt;a href=&quot;https://www.verizon.com/business/resources/reports/dbir/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;exploitation of vulnerabilities as an initial access vector grew 180% year over year&lt;/a&gt;, driven heavily by mass-exploited zero-days like MOVEit. The implication is direct: the window between a vulnerability becoming public and being exploited at scale is now short enough that periodic, out-of-band security review cannot keep up. Vulnerability scanning and remediation have to live inside the CI/CD pipeline, on every change, because that is the only cadence that matches the threat.&lt;/p&gt;

&lt;p&gt;The same report is blunt about the second shift. Software-supply-chain and third-party involvement &lt;a href=&quot;https://www.verizon.com/business/resources/reports/dbir/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;appeared in roughly 15% of breaches, a 68% jump over the prior year&lt;/a&gt;. Your attack surface is no longer mostly your own code. It is everything your build pulls in.&lt;/p&gt;

&lt;h2&gt;Your dependency graph is where the risk actually lives&lt;/h2&gt;

&lt;p&gt;This is the point where generic advice fails hardest. &quot;Scan your dependencies&quot; sounds like hygiene; the data says it is the main event. Datadog&apos;s State of DevSecOps 2024, drawn from tens of thousands of applications and container images, found that &lt;a href=&quot;https://www.datadoghq.com/state-of-devsecops-2024/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;90% of Java services carry at least one critical or high-severity third-party-library vulnerability&lt;/a&gt;, against a 47% average across other languages. More importantly for how you scan: &lt;strong&gt;63% of those high and critical Java vulnerabilities come from indirect, transitive dependencies&lt;/strong&gt; - the libraries your libraries pull in, which never appear in your own manifest and which a naive first-party scan will miss entirely.&lt;/p&gt;

&lt;p&gt;The operational consequence is specific. Software composition analysis has to resolve the full transitive tree, and you have to scan the built container image, not just the source repository, because that is where the real runtime dependency set is assembled. If your security testing stops at your own code and direct dependencies, you are looking at a minority of your exposure.&lt;/p&gt;

&lt;h2&gt;Automation gaps, not missing tools, are the weak link&lt;/h2&gt;

&lt;p&gt;The principles around immutable infrastructure, security as code, secrets management and least-privilege access tend to be treated as settled. The data says they are widely unsettled in practice. Datadog found that &lt;a href=&quot;https://www.datadoghq.com/state-of-devsecops-2024/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;38% of AWS-using organisations still performed sensitive production actions manually through the console&lt;/a&gt; - ClickOps - rather than through Infrastructure as Code. Manual production changes are precisely what defeats immutable infrastructure and reproducible, reviewable controls: they create drift no scanner can see and leave no audit trail.&lt;/p&gt;

&lt;p&gt;Credentials are the same story. &lt;a href=&quot;https://www.datadoghq.com/about/latest-news/press-releases/datadogs-state-of-devsecops-2024-report-finds-organizations-arent-fully-embracing-automation-for-securing-cloud-deployments/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Only 37% of GitHub Actions users relied exclusively on short-lived credentials&lt;/a&gt;; the remaining 63% still used long-lived IAM keys, which are the single most reliable thing for an attacker to find in a leaked secret or a compromised build. If you are going to prioritise one infrastructure control this year, move CI/CD off long-lived credentials and onto short-lived, federated identity. That one change neutralises a large class of supply-chain and secrets-exposure incidents.&lt;/p&gt;

&lt;h2&gt;Continuous monitoring is a prioritisation problem, not a volume problem&lt;/h2&gt;

&lt;p&gt;The instinct when you turn on scanning is to treat every critical CVE as a fire. That instinct will bury your team and stall delivery. Datadog&apos;s data on attack noise is striking: of tens of millions of malicious requests from automated scanners, &lt;a href=&quot;https://www.datadoghq.com/state-of-devsecops-2024/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;only 0.0065% actually triggered a vulnerability&lt;/a&gt;. The overwhelming majority of what hits you is harmless background noise.&lt;/p&gt;

&lt;p&gt;The same logic applies to your own backlog. When runtime context is applied - is the vulnerable code actually loaded, reachable, and exposed - &lt;a href=&quot;https://www.datadoghq.com/state-of-devsecops-2024/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;63% of organisations that appeared to have critical CVEs had none left&lt;/a&gt;. A scanner that reports a thousand criticals is not giving you a security posture; it is giving you a triage problem. Continuous monitoring earns its keep when it ranks by exploitability and reachability, so engineers spend their limited remediation time on the handful of issues an attacker could actually use.&lt;/p&gt;

&lt;h2&gt;Speed of remediation is the metric that proves the pipeline works&lt;/h2&gt;

&lt;p&gt;Shift-left and incident response are easy to claim and hard to verify. There is a clean metric for whether your pipeline genuinely shortens exposure: how fast you close known-exploited vulnerabilities. Verizon found organisations took an &lt;a href=&quot;https://www.verizon.com/business/resources/reports/dbir/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;average of 55 days to remediate half of the critical vulnerabilities on CISA&apos;s Known Exploited Vulnerabilities catalogue, and 8% were still unpatched a year after disclosure&lt;/a&gt;. The KEV list is the subset that is being actively exploited in the wild. Fifty-five days to fix half of those is the gap a DevSecOps pipeline exists to close. If you want one number to govern your security investment, track time-to-remediate for KEV-listed issues and drive it down; everything else in this article is in service of that.&lt;/p&gt;

&lt;h2&gt;The new front: securing AI-assisted delivery&lt;/h2&gt;

&lt;p&gt;One angle the original article predates entirely. The 2024 DORA report, drawing on more than 39,000 respondents, found &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;75.9% of teams now use AI in their work&lt;/a&gt;, while around 40% have little or no trust in AI-generated code - and AI tends to enlarge change batches, which raises change-failure risk. Larger, faster, less-trusted changesets are exactly the conditions under which security review gets skipped. AI-assisted development does not remove the need for the controls above; it raises the premium on having them automated and in the pipeline, because human review will not scale to the new change volume.&lt;/p&gt;

&lt;h2&gt;What good looks like&lt;/h2&gt;

&lt;p&gt;The teams handling this well share a recognisable shape, and it maps cleanly onto the fundamentals:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security gates run on every change, in CI/CD.&lt;/strong&gt; Dependency, container and secrets scanning are pipeline stages, not periodic projects - because a 180% jump in vulnerability exploitation does not wait for your next review cycle.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Scanning resolves the full transitive tree and the built image.&lt;/strong&gt; With 63% of critical Java vulnerabilities hiding in indirect dependencies, anything less misses most of the exposure.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Production changes go through Infrastructure as Code, on short-lived credentials.&lt;/strong&gt; No ClickOps, no long-lived IAM keys - the two automation gaps the data flags as most common.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Findings are ranked by runtime reachability, not raw count.&lt;/strong&gt; Engineers fix what is exploitable, which is a fraction of what a scanner reports.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Remediation speed for known-exploited vulnerabilities is measured and improving.&lt;/strong&gt; That single number is the honest test of whether the pipeline is working.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;DevOps security is not a separate phase and never was - but treating it as an integral part of the pipeline is now a measurable business priority backed by hard numbers, not a slogan. DORA&apos;s 2024 deep dive on security exists precisely because supply-chain breaches raised the stakes, and it points the same way the rest of the data does: &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;platform engineering and internal developer platforms can enforce security, compliance and governance without slowing developers down&lt;/a&gt;. That is the work. At Expeditious Software we build DevSecOps and platform engineering into the delivery platform itself, so security is something your pipeline produces as a byproduct of shipping, not something you reconstruct under deadline. If you want to pressure-test your current posture against these numbers, &lt;a href=&quot;/devops/&quot;&gt;talk to our team&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://www.verizon.com/business/resources/reports/dbir/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;2024 Data Breach Investigations Report (DBIR) (Verizon Business)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.datadoghq.com/state-of-devsecops-2024/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;State of DevSecOps 2024 (Datadog)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.datadoghq.com/about/latest-news/press-releases/datadogs-state-of-devsecops-2024-report-finds-organizations-arent-fully-embracing-automation-for-securing-cloud-deployments/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Datadog&apos;s State of DevSecOps 2024 Report Finds Organizations Aren&apos;t Fully Embracing Automation for Securing Cloud Deployments (Datadog)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Accelerate State of DevOps Report 2024 (DORA / Google Cloud)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/what-you-should-know-about-devops-security/&quot;&gt;What You Should Know About DevOps Security in 2026&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How Software Development Drives Innovation in Semiconductor Manufacturing</title><link>https://es.nl/2023/how-software-development-drives-innovation-in-semiconductor-manufacturing/</link><guid isPermaLink="true">https://es.nl/2023/how-software-development-drives-innovation-in-semiconductor-manufacturing/</guid><description>Where software actually moves the needle in semiconductor manufacturing: yield ramps, predictive maintenance, digital twins and AI - with the numbers.</description><pubDate>Sun, 05 Nov 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;In a modern fab, the constraint on innovation is rarely the physics. It is how fast you can turn process and equipment data into decisions - new recipes, tighter control loops, fewer wafer scraps - and how reliably the software carrying those decisions runs at scale. Below is where software development actually moves yield, uptime and design cycle time in semiconductor manufacturing, with the numbers, and where the engineering effort is justified versus where it is theatre.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Software development lifecycle illustration spanning design, build, test and operate stages, mapped to the data and control loops that drive semiconductor manufacturing&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The value is large, and mostly unrealised&lt;/h2&gt;
&lt;p&gt;Start with the size of the prize, because it sets the bar for what is worth building. McKinsey estimates that AI and machine learning already add &lt;strong&gt;$5 to $8 billion to annual EBIT&lt;/strong&gt; across the semiconductor industry - but that this is only about &lt;strong&gt;10 percent of the full potential&lt;/strong&gt;, with up to &lt;strong&gt;$20 billion more&lt;/strong&gt; in annual value available if AI/ML is extended across more functions (&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/scaling-ai-in-the-sector-that-enables-it-lessons-for-semiconductor-device-makers&quot;&gt;McKinsey, 2021&lt;/a&gt;). The gap is not a modelling gap. It is a software and data-engineering gap: most fabs cannot get clean, joined, governed data to a model in production and keep it there. That is the work, and it is squarely a software development problem.&lt;/p&gt;

&lt;h2&gt;Process optimisation: where yield ramps are won&lt;/h2&gt;
&lt;p&gt;The highest-leverage software in a fab is not the dashboard - it is the analytics pipeline that compresses the yield ramp. Applying advanced analytics across &lt;strong&gt;all&lt;/strong&gt; fab production data (not a sampled subset) can cut yield-ramp lead time and the number of debugging iterations for new products and processes by &lt;strong&gt;up to tenfold&lt;/strong&gt; (&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/reimagining-fabs-advanced-analytics-in-semiconductor-manufacturing&quot;&gt;McKinsey, &quot;Reimagining fabs&quot;&lt;/a&gt;). The same work found roughly &lt;strong&gt;30 percent of assembly-and-test capex goes to tests that add no value&lt;/strong&gt; - tests retained because no one had the traceability to prove they were redundant.&lt;/p&gt;
&lt;p&gt;That finding is the brief for a senior team. The differentiator is not the model; it is the data plane underneath it: deterministic ingestion from metrology and equipment logs, schema and lineage that survive a tool generation change, and feature pipelines reproducible across thousands of wafers. Get that right and the ROC curves improve themselves. Skip it and every model degrades silently the first time a sensor is recalibrated.&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-photolithography-cleanroom.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-photolithography-cleanroom-600w.webp 600w, /content/uploads/2026/06/ext-photolithography-cleanroom-1120w.webp 1120w, /content/uploads/2026/06/ext-photolithography-cleanroom.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;A photolithography laboratory inside a semiconductor cleanroom, with specialised microfabrication equipment bathed in orange safelight to protect light-sensitive photoresist.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:Cleanroom_-_photolithography_lab_(9148324481).jpg&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;UCL Mathematical &amp; Physical Sciences&lt;/a&gt; / &lt;a href=&quot;https://creativecommons.org/licenses/by/2.0/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;CC BY 2.0&lt;/a&gt;, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;Equipment control and predictive maintenance&lt;/h2&gt;
&lt;p&gt;Downtime is the other place software pays directly. Moving from reactive to predictive, software-driven maintenance can reduce semiconductor equipment downtime by &lt;strong&gt;30 to 50 percent&lt;/strong&gt; (&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/need-to-boost-semiconductor-fab-efficiency-look-to-maintenance&quot;&gt;McKinsey, 2022&lt;/a&gt;). Hitting that ratio is an engineering discipline, not a vendor purchase: you need streaming telemetry off heterogeneous tools, anomaly detection that tolerates concept drift, and - critically - a closed loop back into the maintenance scheduling system so a prediction becomes a work order instead of a Slack message.&lt;/p&gt;
&lt;p&gt;This is where regulated, high-scale teams should be most skeptical of demos. A model that flags a failing pump is worth nothing until its output is versioned, auditable and integrated. Treat the maintenance model like any other production service: CI/CD, rollback, on-call, and monitored SLOs on prediction latency and false-positive rate. The control loop, not the algorithm, is the deliverable.&lt;/p&gt;

&lt;h2&gt;Integration and connectivity: IoT, edge and digital twins&lt;/h2&gt;
&lt;p&gt;The newer compounding gains come from combining IoT sensors, edge AI and digital twins for condition-based maintenance. The IEEE Computer Society reports this combination reduces unplanned downtime by &lt;strong&gt;20 to 50 percent&lt;/strong&gt;, cuts semiconductor fab tool downtime by about &lt;strong&gt;10 percent&lt;/strong&gt;, lowers maintenance costs &lt;strong&gt;10 to 40 percent&lt;/strong&gt;, extends equipment life &lt;strong&gt;10 to 20 percent&lt;/strong&gt;, and improves energy efficiency &lt;strong&gt;5 to 10 percent&lt;/strong&gt; (&lt;a href=&quot;https://www.computer.org/publications/tech-news/trends/new-playbook-for-maintenance&quot;&gt;IEEE Computer Society, 2025&lt;/a&gt;). Note where the inference runs: at the edge, next to the tool, because the round trip to a central cloud is too slow and too fragile for a control decision. That has real architectural consequences - edge fleets need the same deployment rigour, secure update path and observability as any distributed system, and most teams underestimate that operational surface.&lt;/p&gt;

&lt;h2&gt;Software now shapes the chip itself, not just the line&lt;/h2&gt;
&lt;p&gt;The boundary between &quot;design&quot; and &quot;manufacturing&quot; software is dissolving, and senior teams should plan for it. Deloitte&apos;s 2025 outlook describes the industry adopting &lt;strong&gt;digital twins to emulate and visualise complex designs&lt;/strong&gt; - 3D modelling, swapping chiplets to assess performance before committing to silicon - and using &lt;strong&gt;generative AI combined with graph neural networks and reinforcement learning&lt;/strong&gt; to produce more power-efficient designs than human engineers achieve alone. The accompanying &lt;strong&gt;&quot;shift-left&quot;&lt;/strong&gt; move pulls verification, testing and validation far earlier in development (&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/technology/technology-media-telecom-outlooks/semiconductor-industry-outlook/2025.html&quot;&gt;Deloitte, 2025&lt;/a&gt;). For engineering leadership this reads exactly like the shift-left discipline already familiar from software delivery, applied to silicon: catch the defect in simulation, not in the cleanroom, where an iteration costs a quarter and a mask set.&lt;/p&gt;

&lt;h2&gt;What this means for how you staff and build&lt;/h2&gt;
&lt;p&gt;The pattern across every section is the same. The valuable software is not the model or the visual - it is the production system that keeps a decision correct, traced and repeatable across tool generations, recalibrations and process changes. That is ordinary software engineering discipline applied to an unforgiving domain: reproducible data pipelines, versioned models behind real CI/CD, edge deployments with proper observability, and lineage rigorous enough to satisfy an auditor and retire a useless test.&lt;/p&gt;
&lt;p&gt;Two of the strongest figures above (the yield-ramp and AI-at-scale studies) are established, foundational findings; the 2025 IEEE and Deloitte sources show the direction has only accelerated, with edge AI, digital twins and generative design now in production rather than pilots. The economics are settled. The open question for most teams is execution: whether their data and delivery platforms are solid enough to capture the value the research has already quantified.&lt;/p&gt;
&lt;p&gt;At &lt;a href=&quot;/devops&quot;&gt;Expeditious Software&lt;/a&gt; we build that platform layer - DevOps, cloud and platform engineering for high-scale, regulated manufacturing teams. If your models work in a notebook but not in the fab, that gap is the conversation worth having.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/scaling-ai-in-the-sector-that-enables-it-lessons-for-semiconductor-device-makers&quot;&gt;Scaling AI in the sector that enables it: Lessons for semiconductor-device makers&lt;/a&gt; - McKinsey &amp;amp; Company, 2021&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/reimagining-fabs-advanced-analytics-in-semiconductor-manufacturing&quot;&gt;Reimagining fabs: Advanced analytics in semiconductor manufacturing&lt;/a&gt; - McKinsey &amp;amp; Company, 2017&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/industries/semiconductors/our-insights/need-to-boost-semiconductor-fab-efficiency-look-to-maintenance&quot;&gt;Need to boost semiconductor fab efficiency? Look to maintenance&lt;/a&gt; - McKinsey &amp;amp; Company, 2022&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.computer.org/publications/tech-news/trends/new-playbook-for-maintenance&quot;&gt;IoT, Edge, and Digital Twins: The New Playbook for Maintenance&lt;/a&gt; - IEEE Computer Society, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/technology/technology-media-telecom-outlooks/semiconductor-industry-outlook/2025.html&quot;&gt;2025 Global Semiconductor Industry Outlook&lt;/a&gt; - Deloitte Insights, 2025&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-software-development-drives-innovation-in-semiconductor-manufacturing/&quot;&gt;How Software Development Drives Innovation in Semiconductor Manufacturing&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Embracing Software Development for Rapid Evolution in Technology Services</title><link>https://es.nl/2023/embracing-software-development-for-rapid-evolution-in-technology-services/</link><guid isPermaLink="true">https://es.nl/2023/embracing-software-development-for-rapid-evolution-in-technology-services/</guid><description>What actually drives fast, safe delivery in 2026: DevOps fundamentals, platform engineering, FinOps and shift-left security, grounded in DORA, Gartner, Flexera and IBM data.</description><pubDate>Wed, 01 Nov 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&amp;#8220;Embrace new technology&amp;#8221; is advice every engineering leader has heard, and most have learned to distrust. The hard part was never adopting AI, multi-cloud or the next runtime; it is delivering against those bets without throughput, stability, cost and compliance quietly degrading at the same time. For technology services teams operating at high scale or under regulation, software development is the discipline that decides whether rapid evolution compounds into advantage or just accumulates risk. This briefing lays out where the leverage actually is in 2026, with the evidence behind each claim.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing continuous plan, build, test, release, deploy, operate and monitor stages feeding back into one another&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The AI paradox: a force multiplier that needs guardrails&lt;/h2&gt;
&lt;p&gt;The most useful and most uncomfortable finding of the last two years is that AI helps individuals and, by default, hurts teams. DORA&amp;#8217;s &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; found that 75.9% of developers now use AI in daily work, and that every 25% increase in AI adoption is associated with roughly 2.1% higher productivity and 2.6% higher job satisfaction. Yet for the second consecutive year, the same adoption correlated with &lt;strong&gt;worse delivery outcomes&lt;/strong&gt;: an estimated 1.5% drop in throughput and a 7.2% drop in delivery stability per 25% rise in AI use.&lt;/p&gt;
&lt;p&gt;The mechanism is not mysterious. AI makes it cheap to produce more code, which makes it easy to &lt;strong&gt;grow batch sizes&lt;/strong&gt;, and large batches are precisely what wrecks throughput and stability. The lesson is not to slow down adoption; it is that AI only pays off inside a system that already enforces the fundamentals: small batches, automated testing, trunk-based development and fast feedback. Treat AI output as more code to review, test and ship in small increments, not as a license to skip the controls that made delivery safe in the first place. Where those fundamentals are weak, AI accelerates you into the wall faster.&lt;/p&gt;

&lt;h2&gt;Platform engineering as the operating model, not a tooling fad&lt;/h2&gt;
&lt;p&gt;The same DORA research is clear that internal developer platforms improve individual productivity and organizational performance. This is why platform engineering has moved from emerging practice to default operating model. Gartner predicts that by 2026, &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;80% of large software engineering organizations will have established platform engineering teams&lt;/a&gt;, up from 45% in 2022, positioning them as internal providers of reusable, paved-path services for application delivery.&lt;/p&gt;
&lt;p&gt;The strategic point for a VP is the operating model, not the org-chart box. A platform team productizes the golden paths, so the small-batch, fully-tested, observable workflow that DORA rewards becomes the path of least resistance rather than a thing each squad reinvents. That is what makes the AI guardrails above hold at scale: consistent CI, automated policy checks and self-service environments are enforced once, in the platform, instead of negotiated team by team. Done badly, platform engineering becomes a renamed ops team with a backlog. Done well, it is how an organization scales delivery without scaling chaos.&lt;/p&gt;

&lt;h2&gt;Time-to-market now plays out in cost-pressured multi-cloud&lt;/h2&gt;
&lt;p&gt;Accelerating time-to-market is no longer just an engineering-velocity question; it is an economic one. Flexera&amp;#8217;s &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;2025 State of the Cloud Report&lt;/a&gt; found that &lt;strong&gt;84% of organizations name managing cloud spend as their top challenge&lt;/strong&gt;, budgets overrun by around 17%, and spend is set to grow roughly 28% in the year ahead. Multi-cloud is now the default rather than the exception: organizations run about 2.4 public clouds on average, and GenAI public cloud adoption jumped to 72%, up from 47% a year earlier.&lt;/p&gt;
&lt;p&gt;This reframes scalability. Shipping faster onto infrastructure you cannot see or cost is how you turn velocity into an unbudgeted liability, often the same GenAI services that are driving the new spend. The discipline that closes the gap is FinOps coupled with infrastructure-as-code: cost as a first-class signal in the pipeline, tagging and budgets enforced as policy, and capacity decisions made with the same rigor as code review. Flexera reports FinOps team adoption climbing from 51% to 59% year over year, which tracks with the shift from cloud as a cost center to cloud as an engineered, accountable system. For technology services teams, the architectural choices that enable growth and the financial controls that keep it sustainable are the same set of decisions.&lt;/p&gt;

&lt;h2&gt;Security and compliance are engineered in, not bolted on&lt;/h2&gt;
&lt;p&gt;If there is one place where &amp;#8220;move fast&amp;#8221; has a quantified failure cost, it is security. IBM&amp;#8217;s &lt;a href=&quot;https://www.prnewswire.com/news-releases/ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs-302209290.html&quot;&gt;Cost of a Data Breach Report 2024&lt;/a&gt; put the global average breach at a record &lt;strong&gt;USD 4.88 million&lt;/strong&gt;, up 10% year over year, the steepest jump since the pandemic. The same report shows where the leverage is: organizations using security AI and automation extensively across prevention workflows spent &lt;strong&gt;USD 2.2 million less per breach&lt;/strong&gt; on average and contained incidents materially faster.&lt;/p&gt;
&lt;p&gt;That is the business case for DevSecOps and shift-left security stated in cash, not slogans. Compliance controls, dependency scanning, secrets management and policy-as-code belong inside the delivery pipeline, running automatically on every change, where they are cheapest to satisfy and hardest to skip. The cross-environment angle should worry anyone running multi-cloud: 40% of 2024 breaches spanned public cloud, private cloud and on-prem, each costing over USD 5 million and taking the longest to contain at 283 days. The architectural complexity that enables scale is the same complexity that lengthens incident response, which is exactly why security cannot be a separate workstream stapled on before release.&lt;/p&gt;

&lt;h2&gt;The throughline for leaders&lt;/h2&gt;
&lt;p&gt;Strip away the trend names and one pattern holds across all four data points. AI, platform engineering, multi-cloud and security all reward the same underlying capability: the ability to ship small, well-tested, observable changes through a governed pipeline, with cost and compliance treated as engineering signals rather than afterthoughts. Adopting new technology is necessary and, on its own, insufficient. The differentiator is the delivery system that turns adoption into outcomes you can measure and defend.&lt;/p&gt;
&lt;p&gt;That is deliberately not a list of products to buy. It is an argument for investing in fundamentals, because those fundamentals are what make every subsequent bet safer and faster. At &lt;strong&gt;Expeditious Software&lt;/strong&gt;, we work with DevOps, Cloud and Platform Engineering teams to build exactly that delivery system: paved paths, security and FinOps engineered into the pipeline, and the small-batch fundamentals that let AI and new technology compound instead of backfire. &lt;a href=&quot;/contact/&quot;&gt;Contact us&lt;/a&gt; to discuss where the leverage is in your delivery pipeline.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; &amp;#8211; DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Unlock Infrastructure Efficiency with Platform Engineering&lt;/a&gt; &amp;#8211; Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;New Flexera Report Finds that 84% of Organizations Struggle to Manage Cloud Spend (2025 State of the Cloud Report)&lt;/a&gt; &amp;#8211; Flexera&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.prnewswire.com/news-releases/ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs-302209290.html&quot;&gt;IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs (Cost of a Data Breach Report 2024)&lt;/a&gt; &amp;#8211; IBM&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/embracing-software-development-for-rapid-evolution-in-technology-services/&quot;&gt;Embracing Software Development for Rapid Evolution in Technology Services&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>What Cloud Service Type Fits a Finance and Expense-Tracking Solution?</title><link>https://es.nl/2023/what-type-of-cloud-service-type-would-a-finance-and-expense-tracking-solution-typically-be-in/</link><guid isPermaLink="true">https://es.nl/2023/what-type-of-cloud-service-type-would-a-finance-and-expense-tracking-solution-typically-be-in/</guid><description>Why hybrid/multi-cloud is now the default for finance and expense platforms, how DORA hard-codes the choice, and how to decide placement workload by workload.</description><pubDate>Thu, 26 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you are choosing a cloud model for a finance and expense-tracking platform in 2026, the honest answer is that the four-way menu - public, private, hybrid, multi-cloud - no longer describes a real decision. The market has already converged. An LSEG survey of 453 financial-services executives in July 2025 found that &lt;a href=&quot;https://www.lseg.com/en/media-centre/press-releases/2025/lseg-global-cloud-survey-financial-services-firms-embrace-cloud-to-drive-competitiveness&quot;&gt;82% already run a hybrid or multi-cloud strategy&lt;/a&gt;, and 87% have increased cloud spending over the past two years. Nutanix&apos;s financial-services Enterprise Cloud Index points the same direction even more sharply: respondents expect a &lt;a href=&quot;https://www.nutanix.com/press-releases/2024/nutanix-study-projects-hybrid-multicloud-adoption-for-financial-services-will-triple&quot;&gt;roughly threefold increase in hybrid multicloud adoption&lt;/a&gt; within three years, making it the leading operating model in the sector. So the question a senior engineer should actually be answering is not &quot;which of four models&quot; but &quot;where does each workload sit inside a hybrid estate, and who is accountable for that placement.&quot; Public-only and private-only are now the exceptions you justify, not the defaults you assume.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of cloud service types feeding a finance and expense-tracking platform across public, private and hybrid placement&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;p&gt;This matters because a finance and expense-tracking solution is not one workload. It is a ledger, an identity boundary, an integration layer to banking rails and ERP systems, a reporting and analytics tier, and increasingly an AI layer doing categorization, anomaly detection and forecasting. Those components have different gravity. Treating them as a single &quot;app&quot; that lives in one cloud tier is how teams end up either overpaying for dedicated infrastructure they did not need or putting regulated data somewhere they cannot defend in an audit.&lt;/p&gt;

&lt;h2&gt;Why the sensitive core trends private, and it is not abstract&lt;/h2&gt;

&lt;p&gt;The argument for keeping the ledger and customer financial data on dedicated or private infrastructure is usually framed as &quot;compliance.&quot; That undersells it. The operative driver in finance right now is ransomware exposure, and the numbers are stark: in the Nutanix study, &lt;a href=&quot;https://www.nutanix.com/press-releases/2024/nutanix-study-projects-hybrid-multicloud-adoption-for-financial-services-will-triple&quot;&gt;99% of financial-services respondents had experienced a ransomware attack&lt;/a&gt; in the prior three years, and 89% said they had room to improve their defences. When nearly every peer has already been hit, the blast radius of a shared-tenancy compromise on your core ledger is not a theoretical risk to wave away in a design review. That is the concrete case for dedicated infrastructure under the data that would end your business if it leaked or got encrypted - not the data-residency checkbox.&lt;/p&gt;

&lt;h2&gt;Why the rest trends public, including the part teams forget&lt;/h2&gt;

&lt;p&gt;The flip side is that the elastic, bursty, undifferentiated parts of an expense platform - month-end reporting load, receipt OCR, dev and test environments, the AI/ML tier - are exactly what public hyperscalers are good at, and that is where the sector is investing. LSEG found 91% of firms are advancing AI through the cloud, and the shift in rationale is the part worth internalizing: it has moved from cost-cutting to outcome - scalability, revenue, and AI capability. But public cloud is not a one-way door. Flexera&apos;s 2025 State of the Cloud Report, surveying 759 IT professionals, found that &lt;a href=&quot;https://www.flexera.com/blog/finops/the-latest-cloud-computing-trends-flexera-2025-state-of-the-cloud-report/&quot;&gt;about one-fifth (21%) of cloud workloads have already been repatriated&lt;/a&gt; from public cloud back on-premises. Placement is a reversible engineering decision that should be revisited per workload, not a migration you do once and defend forever.&lt;/p&gt;

&lt;h2&gt;Multi-cloud is a governance commitment, not a free lunch&lt;/h2&gt;

&lt;p&gt;Multi-cloud is sold on avoiding vendor lock-in and accessing specialist services, and both are real. Flexera&apos;s data confirms the spread is now normal: enterprises run across &lt;a href=&quot;https://www.flexera.com/blog/finops/the-latest-cloud-computing-trends-flexera-2025-state-of-the-cloud-report/&quot;&gt;AWS at 53%, Azure at 29% and Google Cloud at 16%&lt;/a&gt;. But the original framing - &quot;specialist services from various providers&quot; - skips the bill. Operating across providers multiplies your security surface, your identity and networking complexity, and above all your cost-governance burden. The market&apos;s answer is FinOps as a standing discipline: the same Flexera report shows &lt;a href=&quot;https://www.flexera.com/blog/finops/the-latest-cloud-computing-trends-flexera-2025-state-of-the-cloud-report/&quot;&gt;59% of organizations now have a dedicated FinOps team, up from 51%&lt;/a&gt;. If you adopt multi-cloud for a finance platform without a funded FinOps and governance function, you have not bought flexibility. You have bought unmanaged spend and a wider attack surface.&lt;/p&gt;

&lt;h2&gt;DORA turned this into a regulatory decision, not just an architectural one&lt;/h2&gt;

&lt;p&gt;For any team serving EU financial customers - which, from the Netherlands, is most of them - the cloud-model choice is now hard-coded by regulation. The Digital Operational Resilience Act &lt;a href=&quot;https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en&quot;&gt;became applicable across the EU on 17 January 2025&lt;/a&gt;. It imposes binding ICT third-party risk-management duties: a mandatory register of ICT providers, prescribed contractual clauses, oversight of subcontracting, and an EU oversight framework for &quot;critical&quot; ICT third-party providers that explicitly includes cloud service providers. This is not advisory. LSEG found &lt;a href=&quot;https://www.lseg.com/en/media-centre/press-releases/2025/lseg-global-cloud-survey-financial-services-firms-embrace-cloud-to-drive-competitiveness&quot;&gt;84% of firms have already had to adjust their cloud strategy&lt;/a&gt; in response to frameworks like DORA and GDPR, and 92% now rate operational resilience as critical when choosing a provider.&lt;/p&gt;

&lt;p&gt;The practical consequences for how you choose are specific. Concentration risk is now a named obligation, which strengthens the multi-cloud case for genuinely critical functions - but only if you can actually fail over, not just hold two contracts. Every provider and subprocessor needs a documented exit strategy, which makes the lock-in you accept a board-level question rather than an architect&apos;s preference. And the contracts themselves carry mandated clauses, so &quot;we&apos;ll use the standard hyperscaler terms&quot; is no longer sufficient.&lt;/p&gt;

&lt;h2&gt;How to actually decide&lt;/h2&gt;

&lt;p&gt;Drop the &quot;which of four models&quot; question and run placement workload by workload against three axes. First, &lt;strong&gt;data sensitivity and blast radius&lt;/strong&gt;: the ledger and customer financial records bias toward dedicated or private infrastructure; derived, aggregated and test data does not. Second, &lt;strong&gt;elasticity and differentiation&lt;/strong&gt;: bursty, undifferentiated load - reporting, OCR, ML - belongs on public cloud where you pay for what you burn, and stays reversible. Third, &lt;strong&gt;regulatory criticality under DORA&lt;/strong&gt;: functions whose outage is material need demonstrable resilience and a real exit path, which is where deliberate multi-cloud earns its complexity. Run those three axes and you will almost always land on a hybrid estate - the question is only how the line is drawn, and that line is the actual engineering work.&lt;/p&gt;

&lt;p&gt;That is also where the real cost lives, and where it is most often underestimated. A hybrid, partly multi-cloud finance platform is not harder to draw on a whiteboard than a single-cloud one. It is harder to operate: identity federation across boundaries, consistent policy enforcement, audit evidence that satisfies DORA continuously rather than at year-end, and FinOps discipline so the multi-cloud bill does not quietly compound. The model is the easy part. The operating discipline is the part that determines whether the architecture survives contact with an auditor, a ransomware crew, or a CFO reading the cloud invoice.&lt;/p&gt;

&lt;p&gt;At Expeditious Software, our DevOps, cloud and platform-engineering specialists help finance teams make these placement decisions deliberately - and build the identity, policy and FinOps guardrails that keep a hybrid estate compliant and affordable. &lt;a href=&quot;/contact/&quot;&gt;Get in touch&lt;/a&gt; to talk through the right service model for your finance and expense-tracking platform.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://www.lseg.com/en/media-centre/press-releases/2025/lseg-global-cloud-survey-financial-services-firms-embrace-cloud-to-drive-competitiveness&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;LSEG Global Cloud Survey: Financial Services Firms Embrace Cloud to Drive Competitiveness (LSEG, London Stock Exchange Group)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.nutanix.com/press-releases/2024/nutanix-study-projects-hybrid-multicloud-adoption-for-financial-services-will-triple&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Nutanix Study Projects Hybrid Multicloud Adoption for Financial Services Will Triple (Nutanix Enterprise Cloud Index, financial services edition)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/blog/finops/the-latest-cloud-computing-trends-flexera-2025-state-of-the-cloud-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;The latest cloud computing trends: Flexera 2025 State of the Cloud Report (Flexera)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Digital Operational Resilience Act (DORA) (EIOPA, European Insurance and Occupational Pensions Authority)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/what-type-of-cloud-service-type-would-a-finance-and-expense-tracking-solution-typically-be-in/&quot;&gt;What Cloud Service Type Fits a Finance and Expense-Tracking Solution?&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Why Software Delivery, Not Just Software, Decides the Financial Sector</title><link>https://es.nl/2023/the-crucial-role-of-software-development-in-the-financial-sector/</link><guid isPermaLink="true">https://es.nl/2023/the-crucial-role-of-software-development-in-the-financial-sector/</guid><description>In regulated finance, the edge is reliable, secure, compliant delivery, not raw code. What DORA, AI and rising IT spend mean for engineering teams.</description><pubDate>Sat, 21 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Every bank now runs on software, so &quot;software matters in finance&quot; is not a thesis worth defending. The argument worth having is sharper: in a regulated, high-scale financial institution, your competitive and regulatory position is decided less by the code you write and more by how reliably, securely and compliantly you ship and operate it. The constraint has moved from authoring to delivery. This piece is for engineering directors and senior engineers who already know that, and want the evidence and the operating implications rather than another list of why apps are good.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp&quot; srcset=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software-600w.webp 600w, /content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp 800w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing the continuous loop of plan, build, test, release, deploy, operate and monitor that underpins reliable software delivery in financial institutions&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Spend confirms software is strategic, not back-office&lt;/h2&gt;
&lt;p&gt;The money settles the &quot;is this strategic&quot; debate. Gartner forecasts global enterprise IT spending in the banking and investment services market to grow roughly 7.8% in 2025 to about $760 billion, on a path to exceed $1.1 trillion by 2029 at a constant-currency five-year CAGR near 8.7%, driven by digital transformation, AI adoption and cybersecurity (&lt;a href=&quot;https://www.gartner.com/en/documents/6812534&quot;&gt;Gartner, 2025&lt;/a&gt;). That growth rate matters more than the absolute number: technology is compounding faster than most banks&apos; top lines, which means engineering decisions increasingly are the business strategy, not an enabler of it. The flip side is that this spend only converts into outcomes if delivery is disciplined. Capital buys capacity; it does not buy reliability.&lt;/p&gt;

&lt;h2&gt;Operational resilience is now a legal requirement, not a maturity goal&lt;/h2&gt;
&lt;p&gt;For any team operating in the EU, the &quot;Risk and Compliance Management&quot; theme has hardened into binding law. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became enforceable across the financial sector on 17 January 2025 (&lt;a href=&quot;https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora&quot;&gt;ESMA&lt;/a&gt;). DORA imposes a single harmonised framework across 20-plus categories of financial entity, built on ICT risk management, mandatory incident reporting, resilience testing, strict oversight of third-party and cloud providers, and information sharing.&lt;/p&gt;
&lt;p&gt;Read that as engineering requirements, because that is what it is. Mandatory incident reporting on tight clocks means your observability, alerting and runbooks have to surface and classify ICT incidents fast enough to report them, not merely fast enough to fix them. Resilience testing means threat-led penetration testing and recoverability you can evidence, not assume. Third-party oversight means your cloud and SaaS dependencies, exit plans and concentration risk become auditable artifacts. The teams that treated resilience as a property to be engineered and measured, rather than a document to be written, walked into 2025 already compliant. The rest are retrofitting under a regulator&apos;s gaze.&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-trading-floor.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-trading-floor-600w.webp 600w, /content/uploads/2026/06/ext-trading-floor-1120w.webp 1120w, /content/uploads/2026/06/ext-trading-floor.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;A busy financial trading floor in a Houston oil-trading office, with rows of traders seated at desks crowded with computer monitors displaying live market data and charts, an American flag hanging in the background.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:A1_Houston_Office_Oil_Traders_on_Monday.jpg&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Oil Industry News&lt;/a&gt;, public domain, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;AI raises the ceiling and the floor at once&lt;/h2&gt;
&lt;p&gt;The upside is real and quantified. McKinsey estimates generative AI could add $200 billion to $340 billion annually to the global banking sector, equivalent to 2.8% to 4.7% of industry revenues, within an economy-wide opportunity of $2.6 trillion to $4.4 trillion (&lt;a href=&quot;https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier&quot;&gt;McKinsey Global Institute, 2023&lt;/a&gt;). That is the prize behind AI advisors, fraud models, document automation and data-driven decisioning.&lt;/p&gt;
&lt;p&gt;The catch is in how that capability lands in production. The 2024 DORA Accelerate State of DevOps report found AI to be a double-edged tool: a 25% increase in AI adoption was associated with an estimated 1.5% decline in software delivery throughput and a 7.2% decline in delivery stability, attributed largely to AI inflating change and batch sizes rather than producing bad code (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;DORA / Google Cloud, via InfoQ&lt;/a&gt;). The same report found only about 19% of teams reach the &quot;Elite&quot; performance tier.&lt;/p&gt;
&lt;p&gt;The lesson is uncomfortable for anyone selling raw code-generation speed. If your developers can produce more change faster but your pipeline still merges large batches, your lead time gets worse and your change-failure rate climbs. In a DORA-regulated context, declining delivery stability is not just a velocity problem, it is a resilience problem with a reporting obligation attached. The mitigation is the unglamorous discipline that predates AI: small batches, trunk-based flow, fast automated testing, progressive delivery and tight feedback loops. AI is a force multiplier on whatever delivery system it lands in. Multiply a brittle one and you get faster outages.&lt;/p&gt;

&lt;h2&gt;Security spend is rising because the threat is&lt;/h2&gt;
&lt;p&gt;The &quot;Security and Fraud Prevention&quot; pressure is escalating in measurable terms. Gartner forecasts worldwide end-user information-security spending to reach $213 billion in 2025, up from $193 billion in 2024, roughly 10% growth, driven in part by AI and generative-AI-enabled threats on both the attacker and defender side (&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2025-07-29-gartner-forecasts-worldwide-end-user-spending-on-information-security-to-total-213-billion-us-dollars-in-2025&quot;&gt;Gartner, 2025&lt;/a&gt;). For financial institutions, the practical implication is that security cannot be a gate at the end of the pipeline. Encryption and multi-factor authentication are table stakes; the differentiator is shifting controls left into the delivery system itself, so that dependency scanning, secrets management, signed artifacts and policy-as-code run on every change. Security you can prove on every deploy is also security you can evidence to a regulator.&lt;/p&gt;

&lt;h2&gt;What this means for how you build&lt;/h2&gt;
&lt;p&gt;Pull the threads together and a consistent operating model emerges for senior teams in finance:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Optimise the four key delivery metrics, not output.&lt;/strong&gt; Lead time, deployment frequency, change-failure rate and time-to-restore are the levers that turn IT spend into safe, fast change. They are also the closest proxy you have for DORA-grade operational resilience.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Keep batches small, especially with AI in the loop.&lt;/strong&gt; The cheapest defence against AI-inflated change size is a pipeline that makes large changes painful and small ones trivial. Trunk-based development and progressive delivery do more for stability than any policy memo.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Make resilience and compliance executable.&lt;/strong&gt; Recoverability, incident detection, third-party inventory and control evidence belong in code and pipelines, generated as a by-product of how you ship, not assembled by hand before an audit.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Treat third-party and cloud dependencies as first-class risk.&lt;/strong&gt; Under DORA, concentration risk and exit strategy are your problem whether or not you outsourced the running of them.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of this is novel to a staff engineer. What is new is that regulation, AI economics and threat spend have converged to make elite delivery practice the precondition for both compliance and competitiveness, rather than a nice-to-have. The institutions that win the next cycle will not be the ones that wrote the most software, or even the ones that adopted AI fastest. They will be the ones whose delivery systems can absorb that speed without losing stability, security or the ability to prove either.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Expeditious Software&lt;/strong&gt; builds and hardens exactly that delivery capability for financial institutions, across DevOps, cloud and platform engineering. If you are turning rising technology spend into faster, more resilient, demonstrably compliant change, &lt;a href=&quot;/contact/&quot;&gt;talk to us&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud, reported by InfoQ (2024)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora&quot;&gt;Regulation (EU) 2022/2554 - Digital Operational Resilience Act (DORA)&lt;/a&gt; - European Securities and Markets Authority (ESMA)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2025-07-29-gartner-forecasts-worldwide-end-user-spending-on-information-security-to-total-213-billion-us-dollars-in-2025&quot;&gt;Gartner Forecasts Worldwide End-User Spending on Information Security to Total $213 Billion in 2025&lt;/a&gt; - Gartner (2025)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier&quot;&gt;The economic potential of generative AI: The next productivity frontier&lt;/a&gt; - McKinsey Global Institute (2023)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/documents/6812534&quot;&gt;Forecast: Enterprise IT Spending for the Banking and Investment Services Market, Worldwide, 2023-2029 (2Q25 Update)&lt;/a&gt; - Gartner (2025)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/the-crucial-role-of-software-development-in-the-financial-sector/&quot;&gt;Why Software Delivery, Not Just Software, Decides the Financial Sector&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Five Ways Cloud Computing Benefits the Semiconductor Industry</title><link>https://es.nl/2023/five-ways-cloud-computing-benefits-the-semiconductor-industry/</link><guid isPermaLink="true">https://es.nl/2023/five-ways-cloud-computing-benefits-the-semiconductor-industry/</guid><description>Five concrete ways cloud computing helps semiconductor teams: elastic EDA, cloud tape-out, collaboration, confidential computing for IP, and pay-per-use economics.</description><pubDate>Mon, 16 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If your team designs chips, &quot;move to the cloud&quot; has stopped being a slide in a vendor deck. It is now how leading-edge silicon actually gets built. The market backdrop is hard to ignore: Deloitte projects global semiconductor sales of roughly &lt;strong&gt;US$975 billion in 2026&lt;/strong&gt; (after 22% growth in 2025, accelerating to 26%), on track to pass &lt;strong&gt;US$2 trillion by 2036&lt;/strong&gt;, with generative-AI chips alone approaching US$500 billion in 2026 - about half of all chip revenue from under 0.2% of unit volume (&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/technology/technology-media-telecom-outlooks/semiconductor-industry-outlook.html&quot;&gt;2026 Global Semiconductor Industry Outlook&lt;/a&gt;). That demand is driven by cloud data centers, and it is reshaping the tools chipmakers use to design the silicon underneath it. Below are five benefits that hold up under scrutiny, with the engineering trade-offs named rather than glossed over.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of cloud services connecting compute, storage and design tooling for semiconductor engineering teams&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Elastic compute for EDA, sized to the run not the peak&lt;/h2&gt;
&lt;p&gt;Electronic design automation is the canonical bursty workload. Verification, place-and-route, static timing, and especially full-chip simulation need thousands of cores for hours or days, then nothing. On-premises you size the farm for the peak and pay for idle silicon the rest of the quarter. In the cloud you provision the compute for the run and release it.&lt;/p&gt;
&lt;p&gt;This is not a whiteboard argument. Netherlands-based &lt;strong&gt;NXP completed migrating the majority of its EDA to AWS&lt;/strong&gt; by September 2024, with engineers able to &quot;dynamically provision the compute they need, when they need it&quot; for demanding workloads (&lt;a href=&quot;https://press.aboutamazon.com/aws/2024/9/nxp-semiconductors-selects-aws-to-drive-the-next-era-of-semiconductor-innovation&quot;&gt;NXP Semiconductors Selects AWS&lt;/a&gt;). The earlier disclosure spells out the mechanics: NXP shifted the bulk of EDA off its own data centers onto AWS HPC across dozens of global design centers (&lt;a href=&quot;https://www.businesswire.com/news/home/20211013006195/en/NXP-Semiconductors-Selects-AWS-as-Its-Preferred-Cloud-Provider-to-Power-Electronic-Design-Automation-in-the-Cloud&quot;&gt;NXP Selects AWS as Preferred Cloud Provider&lt;/a&gt;). The constraint to plan for is data gravity: EDA jobs are I/O-bound against petabyte design databases, so elasticity only pays off if your storage tier keeps the cores fed - which is the next point.&lt;/p&gt;

&lt;h2&gt;2. Full design-to-tape-out in the cloud, including the data path&lt;/h2&gt;
&lt;p&gt;Bursting compute is the easy half. The harder half is moving and serving terabytes of design state without the filesystem becoming the bottleneck. NXP ran &lt;strong&gt;end-to-end SoC design in the cloud - simulation through tape-out of a leading-edge automotive integration processor&lt;/strong&gt; - using &lt;strong&gt;Amazon FSx for Lustre to hold petabytes of design-simulation data&lt;/strong&gt; and make it available at the throughput EDA tools demand (&lt;a href=&quot;https://press.aboutamazon.com/aws/2024/9/nxp-semiconductors-selects-aws-to-drive-the-next-era-of-semiconductor-innovation&quot;&gt;NXP / AWS&lt;/a&gt;, &lt;a href=&quot;https://www.businesswire.com/news/home/20211013006195/en/NXP-Semiconductors-Selects-AWS-as-Its-Preferred-Cloud-Provider-to-Power-Electronic-Design-Automation-in-the-Cloud&quot;&gt;Business Wire&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;The takeaway for anyone planning a migration: budget for a parallel scratch filesystem and a deliberate data-placement strategy, not just compute instances. The industry-wide direction is clear - the &lt;strong&gt;cloud EDA market is valued at US$4.18 billion in 2025 and is forecast to reach about US$7.52 billion by 2034&lt;/strong&gt; (6.74% CAGR), so tool vendors and licensing models are increasingly built around cloud-first execution rather than treating it as an afterthought (&lt;a href=&quot;https://www.precedenceresearch.com/cloud-eda-market&quot;&gt;Cloud EDA Market Size, Share and Trends 2025 to 2034&lt;/a&gt;).&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-silicon-wafer.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-silicon-wafer-600w.webp 600w, /content/uploads/2026/06/ext-silicon-wafer-1120w.webp 1120w, /content/uploads/2026/06/ext-silicon-wafer.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Close-up photograph of a round silicon semiconductor wafer, its mirror-like surface shimmering with rainbow color gradients from the patterned circuitry.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:5C2A5960R_%E2%80%93_Silicon_Wafer_20200519.jpg&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Robert Bulmahn&lt;/a&gt; / &lt;a href=&quot;https://creativecommons.org/licenses/by/2.0/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;CC BY 2.0&lt;/a&gt;, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;3. Collaboration across design centers without shipping data manually&lt;/h2&gt;
&lt;p&gt;A modern SoC is built by teams in multiple countries, often across an IP-supplier and foundry boundary. The old pattern - replicate the design database to each site, reconcile nightly, hope nobody is working against stale state - does not scale and is a correctness risk. A shared cloud data plane lets &lt;strong&gt;dozens of design centers&lt;/strong&gt; work against one authoritative copy with consistent tooling (&lt;a href=&quot;https://www.businesswire.com/news/home/20211013006195/en/NXP-Semiconductors-Selects-AWS-as-Its-Preferred-Cloud-Provider-to-Power-Electronic-Design-Automation-in-the-Cloud&quot;&gt;NXP / AWS&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;The honest caveat: this only works if you also standardize. NXP stood up a &lt;strong&gt;cloud center of excellence&lt;/strong&gt; for governance and standardization alongside the migration (&lt;a href=&quot;https://press.aboutamazon.com/aws/2024/9/nxp-semiconductors-selects-aws-to-drive-the-next-era-of-semiconductor-innovation&quot;&gt;NXP / AWS&lt;/a&gt;). Without a CCoE you get the worst of both worlds - shared infrastructure, inconsistent tool versions, and reproducibility problems at tape-out.&lt;/p&gt;

&lt;h2&gt;4. Protecting IP with confidential computing, not vague assurances&lt;/h2&gt;
&lt;p&gt;This is the section that usually gets hand-waved with &quot;providers invest heavily in security.&quot; That is not an answer your security team will accept for GDSII or OpenAccess databases. The concrete, current mechanism is &lt;strong&gt;confidential computing&lt;/strong&gt;: sensitive computations are isolated inside hardware-based Trusted Execution Environments via &lt;strong&gt;Intel SGX, AMD SEV, and AWS Nitro Enclaves&lt;/strong&gt;, so data is protected not just at rest and in transit but &lt;strong&gt;in use&lt;/strong&gt; (&lt;a href=&quot;https://semiengineering.com/confidential-computing-a-key-to-secure-cloud-and-edge-environments/&quot;&gt;Confidential Computing: A Key To Secure Cloud And Edge Environments&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;For semiconductor IP this is the control that makes the rest defensible: encrypted, access-controlled handling of the most sensitive design assets, mapped to the frameworks that actually bind your business - &lt;strong&gt;ITAR&lt;/strong&gt; for export-controlled designs and &lt;strong&gt;GDPR&lt;/strong&gt; where personal data is in scope. Design the residency and attestation requirements first, then choose the region and enclave technology that satisfy them. Treat any provider claim you cannot attest cryptographically as a claim you have to verify another way.&lt;/p&gt;

&lt;h2&gt;5. Pay-per-use economics that match a cyclical industry&lt;/h2&gt;
&lt;p&gt;Semiconductor demand is cyclical and project-driven. A fixed on-premises farm forces you to capitalize for the peak and amortize it across the trough. The cloud&apos;s pay-as-you-go model converts that capital expense into usage that tracks active projects - elastic scaling and on-demand provisioning replacing fixed capacity, which was an explicit driver in NXP&apos;s move off its own data centers (&lt;a href=&quot;https://www.businesswire.com/news/home/20211013006195/en/NXP-Semiconductors-Selects-AWS-as-Its-Preferred-Cloud-Provider-to-Power-Electronic-Design-Automation-in-the-Cloud&quot;&gt;NXP / AWS&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Be precise about where the savings come from, because naive lift-and-shift can cost more than the on-prem farm it replaces. The wins are real when you (a) scale to zero between runs, (b) right-size instance families to each EDA step, and (c) keep tool-license utilization high so you are not paying for idle licenses while you pay for elastic cores. The economics follow the engineering discipline, not the migration itself. With &lt;strong&gt;AI network-fabric spending growing at a 38% CAGR from 2024 to 2029&lt;/strong&gt; (&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/technology/technology-media-telecom-outlooks/semiconductor-industry-outlook.html&quot;&gt;Deloitte&lt;/a&gt;), compute prices and instance options will keep shifting under you - another reason to keep capacity decisions reversible.&lt;/p&gt;

&lt;h2&gt;The bottom line&lt;/h2&gt;
&lt;p&gt;Cloud computing benefits the semiconductor industry not because it is fashionable but because the workload shape - bursty EDA, petabyte design state, globally distributed teams, export-controlled IP, and cyclical demand - maps cleanly onto elastic compute, parallel filesystems, a shared data plane, confidential computing, and consumption pricing. The proof points are in production at companies tapping out leading-edge silicon today, not in pilots. The teams that win the transition treat it as an engineering program - a cloud center of excellence, deliberate data placement, attestable security, and ruthless cost discipline - rather than a procurement decision.&lt;/p&gt;
&lt;p&gt;If you are weighing a cloud migration for design, verification, or build infrastructure and want a clear-eyed assessment of the trade-offs, &lt;a href=&quot;/contact/&quot;&gt;contact us&lt;/a&gt; to discuss how Expeditious Software can help.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.deloitte.com/us/en/insights/industry/technology/technology-media-telecom-outlooks/semiconductor-industry-outlook.html&quot;&gt;2026 Global Semiconductor Industry Outlook&lt;/a&gt; - Deloitte Insights&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://press.aboutamazon.com/aws/2024/9/nxp-semiconductors-selects-aws-to-drive-the-next-era-of-semiconductor-innovation&quot;&gt;NXP Semiconductors Selects AWS to Drive the Next Era of Semiconductor Innovation&lt;/a&gt; - AWS / Amazon Press Center&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.businesswire.com/news/home/20211013006195/en/NXP-Semiconductors-Selects-AWS-as-Its-Preferred-Cloud-Provider-to-Power-Electronic-Design-Automation-in-the-Cloud&quot;&gt;NXP Semiconductors Selects AWS as Its Preferred Cloud Provider to Power Electronic Design Automation in the Cloud&lt;/a&gt; - Business Wire&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.precedenceresearch.com/cloud-eda-market&quot;&gt;Cloud EDA Market Size, Share and Trends 2025 to 2034&lt;/a&gt; - Precedence Research&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://semiengineering.com/confidential-computing-a-key-to-secure-cloud-and-edge-environments/&quot;&gt;Confidential Computing: A Key To Secure Cloud And Edge Environments&lt;/a&gt; - Semiconductor Engineering&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/five-ways-cloud-computing-benefits-the-semiconductor-industry/&quot;&gt;Five Ways Cloud Computing Benefits the Semiconductor Industry&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The Technology Trends Reshaping Fashion - And the Engineering That Ships Them</title><link>https://es.nl/2023/unveiling-the-latest-technology-trends-transforming-the-fashion-industry/</link><guid isPermaLink="true">https://es.nl/2023/unveiling-the-latest-technology-trends-transforming-the-fashion-industry/</guid><description>AI styling, virtual try-on and connected products are now always-on services. What it actually takes to ship fashion-tech reliably and at scale.</description><pubDate>Sun, 15 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most write-ups of fashion technology stop at the demo: a virtual try-on that drapes a dress over a webcam feed, an AI stylist that &quot;knows what looks best on you.&quot; That framing is three years out of date and it skips the part that actually determines whether any of it works. The trends are no longer experiments living in an innovation lab. AI styling, conversational product discovery, virtual try-on and connected products are now &lt;strong&gt;always-on digital services&lt;/strong&gt; that customers hit during peak traffic and expect to be correct, fast and available. The interesting engineering question is not &quot;is the model clever?&quot; It is &quot;can you deploy, scale, observe and recover this on a Tuesday during a flash sale?&quot; This briefing is for the people who own that answer.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/ci_cd_illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/ci_cd_illustration-600w.webp 600w, /content/uploads/2025/06/ci_cd_illustration-1120w.webp 1120w, /content/uploads/2025/06/ci_cd_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;CI/CD pipeline diagram showing source, build, automated test and deployment stages that ship fashion-tech features as always-on services&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The commitment is real, which raises the stakes&lt;/h2&gt;
&lt;p&gt;This is not speculative interest. Per &lt;a href=&quot;https://www.businessoffashion.com/articles/technology/the-state-of-fashion-2025-report-generative-ai-artificial-intelligence-search-discovery/&quot;&gt;McKinsey and the Business of Fashion&apos;s State of Fashion 2025&lt;/a&gt;, roughly 73% of fashion executives said generative AI would be a business priority for the coming year and about 62% said their companies already use it, with more than 35% reporting active use in customer service, image creation, copywriting and product discovery. The same research describes a shift in how shoppers find product: away from keyword catalogues and toward &lt;a href=&quot;https://www.businessoffashion.com/articles/technology/the-state-of-fashion-2025-report-generative-ai-artificial-intelligence-search-discovery/&quot;&gt;conversational, AI-driven assistants and personalized recommendation experiences&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;When the CEO has committed publicly to AI personalization, the feature stops being optional. It sits on the critical revenue path. That changes the engineering profile entirely: a styling assistant that is &quot;usually right&quot; and &quot;mostly up&quot; is a liability, not a differentiator. The leadership commitment is exactly why the delivery foundation underneath it now matters more than the model on top.&lt;/p&gt;

&lt;h2&gt;AI is the baseline in software delivery too - and it is an amplifier&lt;/h2&gt;
&lt;p&gt;The same shift has already happened inside engineering. The &lt;a href=&quot;https://blog.google/innovation-and-ai/technology/developers-tools/dora-report-2025/&quot;&gt;2025 DORA report&lt;/a&gt;, surveying nearly 5,000 technology professionals, found AI adoption among developers reached 90% (up 14 points year over year), with practitioners spending a median of two hours per day using AI tools. Over 80% said it improved their productivity and 59% said it improved code quality. AI assistance in the codebase is now the default, not a pilot.&lt;/p&gt;
&lt;p&gt;But DORA&apos;s central finding is the one to internalize before you greenlight a fashion-tech roadmap: &lt;strong&gt;AI is an amplifier, not a fix.&lt;/strong&gt; It magnifies an organization&apos;s existing strengths and weaknesses. The returns come from the underlying system - data quality, internal platforms, governance - rather than from the tooling itself. Notably, trust remains limited: only about 24% of practitioners report high trust in AI output, while roughly 30% report little or none. If your data is messy and your delivery process is brittle, AI will help you ship messy, brittle things faster. The recommendation engine is only as good as the product and behavioral data feeding it, and the deployment pipeline carrying it.&lt;/p&gt;

&lt;h2&gt;The operational risk most fashion-tech write-ups ignore&lt;/h2&gt;
&lt;p&gt;There is a measurable downside that the optimistic coverage skips. The &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps 2024 report&lt;/a&gt; found that a 25% increase in AI adoption was associated with roughly a &lt;strong&gt;7.2% drop in delivery stability&lt;/strong&gt; and about a 1.5% drop in throughput. The mechanism is not mysterious: AI inflates batch sizes. It is now trivial to generate large changes quickly, and large changes are harder to test, review and roll back safely.&lt;/p&gt;
&lt;p&gt;For a retailer shipping AI try-on or a conversational shopping assistant, that risk lands directly on the customer experience during the moments that matter most. The countermeasures are the unglamorous DevOps fundamentals that the original &quot;trends&quot; narrative treats as background noise: &lt;strong&gt;small batches, automated testing, robust pipelines, fast rollback.&lt;/strong&gt; AI does not make these optional. It makes them load-bearing. The faster you can generate code, the more disciplined your delivery system has to be to absorb it without destabilizing production.&lt;/p&gt;

&lt;h2&gt;Platform engineering is the backbone that ships these features&lt;/h2&gt;
&lt;p&gt;The thing that lets a team move quickly without breaking production is no longer exotic. Analysis of the &lt;a href=&quot;https://platformengineering.com/features/dora-2025-ai-wont-save-you-without-a-solid-platform/&quot;&gt;2025 DORA data&lt;/a&gt; reports that 90% of organizations now use internal platform constructs and 76% have a dedicated platform engineering team. A solid internal developer platform - paved-road CI/CD, standardized environments, built-in observability, automated rollback - is what lets a retailer ship AI styling, recommendation and try-on features safely and repeatedly rather than as one-off heroics.&lt;/p&gt;
&lt;p&gt;The same analysis is blunt about the relationship between AI and platforms: &lt;a href=&quot;https://platformengineering.com/features/dora-2025-ai-wont-save-you-without-a-solid-platform/&quot;&gt;AI does not change the fundamentals, it makes them more important&lt;/a&gt;. Platforms, data quality and governance determine whether AI accelerates delivery or destabilizes it. If you are evaluating where to invest ahead of a fashion-tech push, the platform is the higher-leverage bet than any individual model integration.&lt;/p&gt;

&lt;h2&gt;Mapping each fashion trend to a concrete engineering requirement&lt;/h2&gt;
&lt;p&gt;Tie the consumer-facing trends from the original framing back to what they actually demand, and the generic &quot;we do DevOps&quot; pitch turns into specific requirements:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AI styling and personalized recommendations:&lt;/strong&gt; a low-latency inference path on the request hot path, clean and current product and behavioral data, and continuous deployment so models can be retrained and rolled out without downtime. Personalization that lags or serves stale results is worse than no personalization.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Conversational product discovery:&lt;/strong&gt; resilient integration with model providers, graceful degradation when an upstream call is slow or fails, and observability that distinguishes a model-quality problem from an infrastructure problem. When discovery is the new search bar, its uptime is your storefront&apos;s uptime.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Virtual and immersive try-on:&lt;/strong&gt; elastic compute that scales with promotional traffic spikes, edge and asset delivery tuned for heavy media, and load-tested capacity so the feature does not fall over precisely when a campaign drives traffic to it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Smart and connected products:&lt;/strong&gt; secure device-to-cloud telemetry, versioned and safely deployable firmware and backend services, and the observability to operate a fleet you cannot physically reach.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Every one of these is an always-on service. None of them is finished at launch. They depend on continuous deployment, scalability, observability and uptime - the delivery backbone - far more than on any single piece of clever modeling.&lt;/p&gt;

&lt;h2&gt;The takeaway for the people who own delivery&lt;/h2&gt;
&lt;p&gt;The honest version of &quot;the latest technology trends transforming fashion&quot; is this: the trends are validated, leadership has committed, and the differentiator has moved from &lt;em&gt;having&lt;/em&gt; the feature to &lt;em&gt;operating&lt;/em&gt; it reliably at scale. AI is now baseline on both sides - in the product and in how you build it - and the evidence is consistent that it amplifies whatever foundation it lands on. Invest in the platform, keep batch sizes small, test relentlessly and make rollback boring. That is what lets fashion-tech features ship safely, scale through peak demand and stay up when it counts. The model gets the headline; the delivery system decides whether the headline survives contact with production.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://blog.google/innovation-and-ai/technology/developers-tools/dora-report-2025/&quot;&gt;State of AI-assisted Software Development (2025 DORA Report)&lt;/a&gt; - Google Cloud / DORA&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - Google Cloud / DORA&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://platformengineering.com/features/dora-2025-ai-wont-save-you-without-a-solid-platform/&quot;&gt;DORA 2025: AI Won&apos;t Save You Without a Solid Platform&lt;/a&gt; - Platform Engineering&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/~/media/mckinsey/industries/retail/our%20insights/state%20of%20fashion/2025/the-state-of-fashion-2025-v2.pdf&quot;&gt;The State of Fashion 2025&lt;/a&gt; - McKinsey &amp;amp; Company and The Business of Fashion&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.businessoffashion.com/articles/technology/the-state-of-fashion-2025-report-generative-ai-artificial-intelligence-search-discovery/&quot;&gt;Fashion&apos;s New Era of Product Discovery&lt;/a&gt; - The Business of Fashion, with McKinsey&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/unveiling-the-latest-technology-trends-transforming-the-fashion-industry/&quot;&gt;The Technology Trends Reshaping Fashion - And the Engineering That Ships Them&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How To Implement DevOps In Your Organization</title><link>https://es.nl/2023/how-to-implement-devops-in-your-organization/</link><guid isPermaLink="true">https://es.nl/2023/how-to-implement-devops-in-your-organization/</guid><description>A senior, evidence-based playbook for implementing DevOps at scale: platform foundations, DORA metrics, automation, and AI guardrails that actually hold.</description><pubDate>Wed, 11 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most &quot;how to implement DevOps&quot; guides assume that buying the tools and holding a few cross-team standups will move the needle. The data says otherwise. The 2024 &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report&lt;/a&gt;, drawing on more than 39,000 professionals, found the industry is not improving on aggregate: &lt;a href=&quot;https://getdx.com/blog/2024-dora-report/&quot;&gt;independent analysis of that data&lt;/a&gt; shows the high-performing cluster shrank from 31% to 22% of teams while the low-performing cluster grew from 17% to 25%. Tooling alone does not raise delivery performance. What follows is a sequence that does, framed for directors and senior engineers who have already been burned by a transformation that stalled at slide 40 of a vendor deck.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing the continuous loop of plan, code, build, test, release, deploy, operate, and monitor stages&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Start by measuring, not by reorganizing&lt;/h2&gt;
&lt;p&gt;Before you touch the org chart, instrument the four metrics that have survived a decade of DORA research: deployment frequency, change lead time, change failure rate, and time to restore service. These are not vanity dashboards. They are the only widely validated way to know whether a change to your pipeline made delivery better or worse, and they double as concrete targets. Elite performers deploy on demand, keep change lead time under a day, hold change failure rate around 5%, and restore service in under an hour.&lt;/p&gt;
&lt;p&gt;The non-obvious finding is that &lt;strong&gt;speed and stability are not a trade-off&lt;/strong&gt;. Teams that deploy more frequently also fail less and recover faster, because small, frequent changes are easier to reason about and reverse. If your current narrative is &quot;we move slowly so that we stay safe,&quot; the data contradicts you, and that conversation is worth having with your leadership before any reorg. Baseline these four numbers now so that every later step is judged against them rather than against opinion.&lt;/p&gt;

&lt;h2&gt;Build the platform before you scale the practice&lt;/h2&gt;
&lt;p&gt;The single biggest shift in how DevOps is implemented at scale is that the &quot;you build it, you run it&quot; ideal has run into the wall of cognitive load. Modern toolchains and distributed architectures ask each developer to understand far too much. The answer the industry converged on is platform engineering: a dedicated team that provides reusable services, paved roads, and guardrails as an internal product. Gartner predicts that by 2026, &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;80% of large software engineering organizations will have platform engineering teams&lt;/a&gt;, up from 45% in 2022, and DORA reports that roughly 89% of organizations already run internal developer platforms.&lt;/p&gt;
&lt;p&gt;For a regulated or high-scale team, this is where compliance becomes cheap instead of painful. Encode your controls into the paved path: signed artifacts, mandatory test gates, policy-as-code, audit logging, and pre-approved infrastructure modules. When the easy way to ship is also the compliant way, you stop relying on engineers to remember the rules under deadline pressure. Treat the platform as a product with real users, a backlog, and adoption metrics, not as a side project for whoever has spare cycles.&lt;/p&gt;
&lt;p&gt;One caveat that the research is blunt about: platforms are not automatically a win. The 2024 DORA report found that internal developer platforms lifted team performance by roughly 10%, yet could also reduce throughput and stability when the underlying fundamentals lapsed. A platform that adds approval queues and indirection without removing toil will make things worse. Measure adoption and the four delivery metrics before and after, and kill platform features that do not pay for themselves.&lt;/p&gt;

&lt;h2&gt;Automate the path to production, then keep it honest&lt;/h2&gt;
&lt;p&gt;Automation is the part everyone already believes in, so the failure mode is subtler: teams automate the deployment and then stop. A pipeline that runs but does not enforce small batch sizes, robust automated testing, and continuous monitoring is a faster way to ship the wrong thing. The 2024 DORA data is explicit that automation pays off only when paired with these fundamentals, not when treated as a one-time setup.&lt;/p&gt;
&lt;p&gt;Concretely, that means three things hold the line. First, &lt;strong&gt;small batch sizes&lt;/strong&gt;: trunk-based development or short-lived branches so changes reach production in hours, not weeks. Second, &lt;strong&gt;tests you trust enough to gate on&lt;/strong&gt;: if a red build does not block a release, the suite is decoration. Third, &lt;strong&gt;monitoring and feedback wired back into the team&lt;/strong&gt;, not just an on-call dashboard nobody reads. Define service level objectives, alert on user-facing symptoms, and review change failure rate weekly. The goal is a closed loop where every deployment teaches you something measurable.&lt;/p&gt;

&lt;h2&gt;Treat AI as an amplifier, with guardrails&lt;/h2&gt;
&lt;p&gt;AI in the toolchain is no longer optional to discuss. The &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;2025 DORA report&lt;/a&gt;, based on nearly 5,000 professionals, found that 90% use AI at work and over 80% say it increased their productivity. But about 30% report little or no trust in AI-generated code, and the 2024 data put that distrust at 39.2%. That gap matters because the headline finding is uncomfortable: &lt;strong&gt;AI does not fix a team, it amplifies what is already there.&lt;/strong&gt; AI correlates with higher throughput and product performance only where strong internal platforms, clear workflows, and team alignment already exist. Without robust controls, it intensifies existing weaknesses and still drags on delivery stability.&lt;/p&gt;
&lt;p&gt;The implication for your rollout is sequencing. Stand up the platform and the delivery discipline first, then introduce AI assistance on top of paved paths where generated code passes through the same test gates, review, and policy checks as anything else. Do not let AI become a side channel that bypasses your controls, especially in a regulated context. Used inside a strong system, AI accelerates the good behaviors you have already built. Used to paper over a weak one, it accelerates the failures.&lt;/p&gt;

&lt;h2&gt;Culture is the constraint, not the slogan&lt;/h2&gt;
&lt;p&gt;Every credible source lands on the same place: tools and platforms are necessary but not sufficient. The clusters of high and low performers in the DORA data are separated less by their stack than by how they work, whether blameless retrospectives are real, whether teams own their services end to end, and whether leadership protects the time to pay down toil. The cultural work is not a kickoff workshop. It is the sustained decision to keep batch sizes small and to act on the metrics even when a deadline argues otherwise.&lt;/p&gt;

&lt;h2&gt;A realistic sequence&lt;/h2&gt;
&lt;p&gt;If you compress this into an order of operations: baseline the four DORA metrics; pick one or two value streams as pilots rather than a big-bang mandate; build the paved-road platform with compliance encoded into it; drive small batch sizes and trustworthy test gates through automation; wire monitoring back into the teams; then layer AI on the foundation you have proven. Expect this to be a continuous program, not a project with an end date. The teams that pulled ahead in the DORA cohort did not adopt a tool. They built a system that gets a little better every release, and then they refused to let it regress.&lt;/p&gt;
&lt;p&gt;That is the honest version of how to implement DevOps in your organization. It is less about a methodology to buy and more about a discipline to sustain. If you want a partner who works from the same evidence base, explore our &lt;a href=&quot;/devops/&quot;&gt;DevOps services&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;2025 DORA Report: State of AI-Assisted Software Development&lt;/a&gt; - Google Cloud / DORA&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Platform Engineering&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://getdx.com/blog/2024-dora-report/&quot;&gt;Highlights from the 2024 DORA State of DevOps Report&lt;/a&gt; - DX (getdx.com)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-to-implement-devops-in-your-organization/&quot;&gt;How To Implement DevOps In Your Organization&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Mastering Cloud Financial Management: The Four Key Areas You Need To Know</title><link>https://es.nl/2023/mastering-cloud-financial-management-the-four-key-areas-you-need-to-know/</link><guid isPermaLink="true">https://es.nl/2023/mastering-cloud-financial-management-the-four-key-areas-you-need-to-know/</guid><description>A senior, FinOps-grounded guide to the four areas of cloud financial management: understand, quantify, optimize, and govern cloud spend at scale.</description><pubDate>Tue, 10 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Public cloud spending is no longer a line item you can defer to procurement. Gartner forecasts worldwide end-user spending on public cloud services will reach &lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;USD 723.4 billion in 2025, up from USD 595.7 billion in 2024&lt;/a&gt; - roughly 21.5% growth in a single year, driven heavily by AI workloads. At that scale, a few uncontrolled percentage points of waste translate into eight-figure problems, and cloud cost has become a board-level concern. The discipline that addresses it has matured well past the vague &quot;watch your bill&quot; advice most teams still operate on.&lt;/p&gt;
&lt;p&gt;That discipline now has a name and a standard vocabulary: &lt;strong&gt;FinOps&lt;/strong&gt;. The FinOps Foundation organizes the practice into four &lt;a href=&quot;https://www.finops.org/framework/domains/&quot;&gt;Domains&lt;/a&gt; - Understand Usage &amp;amp; Cost, Quantify Business Value, Optimize Usage &amp;amp; Cost, and Manage the FinOps Practice. These four areas map almost one-to-one onto how engineering organizations should think about cloud financial management, and they are far more precise than the older labels of financial management, performance management, cost optimization, and usage-based planning. This article walks each one as an engineering leader should run it - not as a finance abstraction, but as an operational capability your teams own.&lt;/p&gt;
&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of cloud services and infrastructure underpinning cloud financial management&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;
&lt;h2&gt;Understand Usage and Cost&lt;/h2&gt;
&lt;p&gt;You cannot optimize what you cannot attribute. The first area is building a reliable, granular picture of where money goes - which team, which service, which environment, which customer. This is the foundation, and most organizations are weaker here than they admit. In the FinOps Foundation&apos;s &lt;a href=&quot;https://data.finops.org/2025-report/&quot;&gt;State of FinOps 2025 report&lt;/a&gt; - drawn from 861 respondents collectively representing roughly USD 69 billion of cloud spend - full allocation of cloud spend ranks among the top practitioner priorities, second only to optimization itself. The reason it stays a priority is that it is genuinely hard at scale.&lt;/p&gt;
&lt;p&gt;Getting this right means non-negotiable tagging and account-structure conventions, enforced in code rather than in a wiki. It means showback or chargeback so the team that provisions a resource sees its cost. And it means accepting that a meaningful share of spend - shared platforms, networking, support - resists clean allocation and needs a defensible amortization policy rather than a perfect one. The output of this area is a single source of truth that the next three depend on. Skip it and every forecast and optimization downstream is built on sand.&lt;/p&gt;
&lt;h2&gt;Quantify Business Value&lt;/h2&gt;
&lt;p&gt;Understanding cost is descriptive; quantifying value is the part that earns FinOps a seat at planning. This area covers forecasting, budgeting, and the unit economics that connect spend to business output - cost per transaction, per tenant, per inference, per active user. It is where &quot;we spent $4M on cloud last quarter&quot; becomes &quot;our cost to serve dropped 12% as volume doubled,&quot; which is the only framing a VP or CFO actually acts on.&lt;/p&gt;
&lt;p&gt;Accurate forecasting is consistently among the hardest and most-wanted FinOps capabilities, and for good reason: cloud consumption is variable by design, so traditional fixed budgets break. Flexera&apos;s &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;2025 State of the Cloud Report&lt;/a&gt; found cloud budgets already exceed their limits by about 17% on average - a forecasting failure as much as a spending one. The fix is not tighter caps. It is tying spend projections to demand drivers the business already plans against (signups, orders, model usage) and reporting variance in those terms. The same report found 87% of organizations name cost efficiency and savings as their number-one metric for assessing cloud progress, which tells you leadership is already listening in this language - the gap is engineering&apos;s ability to supply the numbers.&lt;/p&gt;
&lt;h2&gt;Optimize Usage and Cost&lt;/h2&gt;
&lt;p&gt;This is the area most engineers think of first, and the data backs the instinct: workload optimization and waste reduction is the single biggest FinOps priority among practitioners, ahead of allocation and forecasting. It is also where the money is. Flexera estimates roughly &lt;strong&gt;27% of cloud spend is still wasted&lt;/strong&gt;, and 84% of organizations call managing cloud spend their top cloud challenge. A quarter of your bill is, statistically, a defensible target.&lt;/p&gt;
&lt;p&gt;Optimization splits into two distinct motions, and conflating them is a common mistake. The first is &lt;strong&gt;rate optimization&lt;/strong&gt; - paying less for the same resources through commitment-based discounts (reserved instances, savings plans, committed-use discounts), spot capacity for interruptible work, and storage-tier selection. This is largely a finance-and-platform exercise with predictable returns. The second is &lt;strong&gt;usage optimization&lt;/strong&gt; - changing what you run: rightsizing over-provisioned instances, killing idle and orphaned resources, fixing autoscaling that never scales down, and re-architecting the handful of services that dominate the bill. Usage optimization is harder, needs engineers in the loop, and delivers the durable wins. A practical rule: rate optimization buys you time; usage optimization buys you the structural savings. Both depend entirely on the attribution work from the first area - you optimize the top of a ranked cost breakdown, not a hunch.&lt;/p&gt;
&lt;h2&gt;Manage the FinOps Practice&lt;/h2&gt;
&lt;p&gt;The fourth area is the one that separates a sustainable practice from a one-off cost-cutting sprint that quietly reverses within two quarters. It covers governance, policy, education, and the operating model that keeps the other three running. This is also where the field is visibly heading. The State of FinOps 2025 report shows &lt;strong&gt;implementing governance and policy at scale&lt;/strong&gt; becoming the top forward-looking priority for the next twelve months - displacing pure optimization - alongside sharp rises in managing AI/ML spend and in costs beyond public cloud, such as SaaS and private infrastructure.&lt;/p&gt;
&lt;p&gt;For an engineering organization, this means guardrails enforced in the platform: budget alerts wired to ownership, policy-as-code that blocks untagged or oversized resources at provision time, and anomaly detection that flags a runaway spend before it shows up on the monthly invoice. It means making cost a standing input to architecture decisions rather than a post-mortem. And increasingly it means extending the same discipline to AI workloads, whose token-based and GPU-hour pricing behaves nothing like traditional compute and is currently the fastest-growing source of surprise bills. The State of FinOps respondents also reported investment in tooling and automation jumping roughly 20% year over year - a signal that the manual spreadsheet phase of cloud finance is ending.&lt;/p&gt;
&lt;h2&gt;How the four areas reinforce each other&lt;/h2&gt;
&lt;p&gt;Treat these as a loop, not a checklist. Attribution feeds honest forecasts; forecasts and unit economics tell you which optimizations are worth engineering time; optimization results feed back into the next forecast; and governance keeps all three from decaying. Organizations that run only the third area - chasing savings without the allocation, value framing, or governance around it - get a temporary dip followed by drift back to baseline, which is precisely why waste has stayed near a quarter of spend across multiple annual surveys.&lt;/p&gt;
&lt;p&gt;Standing this up is as much an operating-model problem as a technical one, and it sits squarely at the intersection of platform engineering, finance, and product. If you want help instrumenting cost attribution, building forecast pipelines tied to real demand drivers, or enforcing cost guardrails in your delivery process, our &lt;a href=&quot;/devops/&quot;&gt;DevOps services&lt;/a&gt; at &lt;a href=&quot;/about-us/&quot;&gt;Expeditious Software&lt;/a&gt; are built to make cloud financial discipline a property of your platform rather than a quarterly fire drill.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.finops.org/framework/domains/&quot;&gt;FinOps Framework: Domains&lt;/a&gt; - FinOps Foundation&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://data.finops.org/2025-report/&quot;&gt;The State of FinOps Report 2025&lt;/a&gt; - FinOps Foundation&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;New Flexera Report Finds that 84% of Organizations Struggle to Manage Cloud Spend (2025 State of the Cloud Report)&lt;/a&gt; - Flexera&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;Gartner Forecasts Worldwide Public Cloud End-User Spending to Total $723 Billion in 2025&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/mastering-cloud-financial-management-the-four-key-areas-you-need-to-know/&quot;&gt;Mastering Cloud Financial Management: The Four Key Areas You Need To Know&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How Software Integration Is Reshaping the Fashion Industry</title><link>https://es.nl/2023/how-software-integration-is-revolutionizing-the-fashion-industry/</link><guid isPermaLink="true">https://es.nl/2023/how-software-integration-is-revolutionizing-the-fashion-industry/</guid><description>A staff-level look at how software integration, AI, and DevOps discipline are reshaping fashion: design, supply chain, personalization, and EU DPP compliance.</description><pubDate>Thu, 05 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Fashion&apos;s software story is no longer about a 3D rendering plugin or a recommendation widget bolted onto a storefront. The interesting work now sits at the integration layer: how design systems, supplier data, commerce platforms, and compliance tooling talk to each other, and whether your delivery pipeline can ship changes to that stack faster than your competitors and your regulators move. McKinsey estimates generative AI alone could add &lt;a href=&quot;https://www.mckinsey.com/industries/retail/our-insights/generative-ai-unlocking-the-future-of-fashion&quot;&gt;between $150 billion and $275 billion to apparel, fashion, and luxury operating profits over three to five years&lt;/a&gt;, spread across design, supply chain, marketing, and digital commerce. That number only lands for teams that have the integration and delivery discipline to capture it. This is a briefing on where that value actually is, and where the engineering traps are.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/11/Traceability_illustration.webp&quot; srcset=&quot;/content/uploads/2025/11/Traceability_illustration-600w.webp 600w, /content/uploads/2025/11/Traceability_illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram showing end-to-end supply-chain traceability, linking material origin, production data, and per-product digital identity for fashion goods&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Design tooling is becoming a data pipeline, not a tool&lt;/h2&gt;
&lt;p&gt;The headline use case - sketch-to-3D design, virtual sampling, mass customization - is real and McKinsey scopes it as one of six value areas where generative AI moves the needle in fashion. But the engineering reality is unglamorous: a 3D design tool is only useful if its output is structured, versioned, and machine-readable downstream. A garment that exists as a flat render is a marketing asset. A garment that exists as a parameterized model with linked material specs, colorways, and bill-of-materials data is an input to your PLM, your supplier portal, and eventually your compliance record.&lt;/p&gt;
&lt;p&gt;The integration work here is the work. Treat design output as an API contract between creative and production, not as files that get emailed around. The brands that win are the ones whose 3D assets carry enough structured metadata that supply-chain and compliance systems can consume them without a human re-keying the material composition.&lt;/p&gt;

&lt;h2&gt;Supply chain: automation is table stakes, traceability is the new requirement&lt;/h2&gt;
&lt;p&gt;Tracking materials, orders, and shipments through software is no longer a differentiator; it is the baseline. The shift that should reorganize your roadmap is that traceability is becoming a legal obligation, not a sustainability talking point. The EU&apos;s Ecodesign for Sustainable Products Regulation (ESPR) &lt;a href=&quot;https://sigmatechnology.com/articles/understanding-the-eu-digital-product-passport-for-textiles/&quot;&gt;entered into force on 18 July 2024 and introduces a mandatory Digital Product Passport (DPP) for textiles&lt;/a&gt;. The textile delegated act is expected to be adopted in 2026, with enforcement around July 2027.&lt;/p&gt;
&lt;p&gt;Read the DPP as a data-engineering spec, because that is what it is. Every product needs a unique digital identity, reachable via a QR code or similar carrier, that captures material composition and origin, production processes including energy and water use, carbon footprint and waste, and social-responsibility data. That means you need a stable per-SKU identifier, a system of record that aggregates data from suppliers you do not control, and an externally addressable, durable endpoint that resolves that identifier for the lifetime of the garment. If your supplier data lives in spreadsheets and your product identifiers are not stable across systems, you have roughly until 2027 to fix an integration problem that touches every system you own.&lt;/p&gt;
&lt;p&gt;There is a strategic reason to move early rather than treat this as a 2027 fire drill. &lt;a href=&quot;https://www.fashiondive.com/news/mckinsey-state-of-fashion-2025-AI/732684/&quot;&gt;63% of fashion brands are behind on their 2030 decarbonization goals, yet only 18% of executives rank sustainability a top-three growth risk for 2025&lt;/a&gt;, down from 29% a year earlier. That gap between obligation and attention is exactly where teams that instrument materials and carbon data properly will pull ahead, because the data the DPP demands is the same data you need to actually hit a decarbonization target instead of asserting one.&lt;/p&gt;

&lt;h2&gt;Personalization is a measured revenue lever, with a measured cost&lt;/h2&gt;
&lt;p&gt;The personal-stylist framing undersells what is now a board-level number. McKinsey research finds personalization most often drives a 5 to 15% revenue lift, and that companies excelling at it grow revenues roughly 40% faster than peers who do not. This is no longer a 2023 novelty: in McKinsey and Business of Fashion&apos;s &lt;a href=&quot;https://www.fashiondive.com/news/mckinsey-state-of-fashion-2025-AI/732684/&quot;&gt;State of Fashion 2025, 50% of executives named product discovery as the top generative-AI use case, and 82% of customers said they want AI to cut their shopping research time&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For engineering leaders, the implication is that personalization and discovery have graduated from a feature team&apos;s experiment to a system you are expected to operate reliably at scale. That means owning the data pipeline behind it, the latency budget of model inference in the request path, the evaluation harness that tells you whether a model change helped or quietly degraded conversion, and the privacy posture around behavioral data. A recommendation system that is right 60% of the time and unmonitored is a liability; the revenue lift assumes you can measure and defend the model in production.&lt;/p&gt;

&lt;h2&gt;The DevOps discipline that makes the rest of it real&lt;/h2&gt;
&lt;p&gt;Here is the counterpoint that separates a serious integration plan from a vendor pitch. More tools and more AI do not automatically translate into faster, safer delivery. The 2024 DORA &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps report&lt;/a&gt; found that roughly 76% of developers now use AI in daily work, and that a 25% increase in AI adoption is associated with about a 7.5% improvement in documentation quality and a 2.1% lift in individual productivity - but also with roughly a 1.5% reduction in software delivery throughput and reduced delivery stability, driven by larger batch sizes. AI helps individuals write more code; without guardrails it can slow down the system that ships it.&lt;/p&gt;
&lt;p&gt;The fix is not novel, which is the point. The integration of design, supply chain, compliance, and commerce systems only delivers speed-to-market if it rides on the practices DORA has been measuring for a decade: continuous integration and delivery, small batch sizes, trunk-based workflows, and platform engineering that gives product teams paved paths instead of bespoke pipelines. A fashion brand that adds AI design tools and an AI recommender on top of a manual release process and brittle integrations will generate more code and ship it more slowly and less safely. The discipline is the differentiator, not the tooling.&lt;/p&gt;

&lt;h2&gt;What this means for your roadmap&lt;/h2&gt;
&lt;p&gt;Three things deserve a line in next quarter&apos;s planning. First, stable per-product identity and a supplier-data system of record, because the DPP turns this from technical debt into legal exposure on a known clock. Second, a personalization stack you actually operate and evaluate, not a black box, because the 5 to 15% revenue lift is contingent on measurement. Third, the unglamorous CI/CD and platform-engineering investment that lets you ship into all of the above without trading stability for speed. Software integration is genuinely reshaping fashion, but the gains accrue to teams that treat it as a delivery and data-engineering problem - not as a shopping list of tools.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/industries/retail/our-insights/generative-ai-unlocking-the-future-of-fashion&quot;&gt;Generative AI: Unlocking the future of fashion&lt;/a&gt; - McKinsey &amp;amp; Company, March 2023&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.fashiondive.com/news/mckinsey-state-of-fashion-2025-AI/732684/&quot;&gt;Fashion revenue will be sluggish but stable in 2025: report (on McKinsey &amp;amp; Business of Fashion, The State of Fashion 2025)&lt;/a&gt; - Fashion Dive, November 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://sigmatechnology.com/articles/understanding-the-eu-digital-product-passport-for-textiles/&quot;&gt;Understanding the EU Digital Product Passport for Textiles&lt;/a&gt; - Sigma Technology, September 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024 (DORA)&lt;/a&gt; - DORA / Google Cloud, October 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-software-integration-is-revolutionizing-the-fashion-industry/&quot;&gt;How Software Integration Is Reshaping the Fashion Industry&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Addressing Software Development Challenges in Financial Services</title><link>https://es.nl/2023/addressing-software-development-challenges-in-financial-services/</link><guid isPermaLink="true">https://es.nl/2023/addressing-software-development-challenges-in-financial-services/</guid><description>How regulated finance teams ship software under DORA, govern open-source supply chains, and keep delivery fast without trading away stability.</description><pubDate>Sun, 01 Oct 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run engineering in a bank, insurer, or payments business in the EU, the ground shifted on 17 January 2025. That is the day the &lt;strong&gt;Digital Operational Resilience Act (DORA)&lt;/strong&gt; became legally applicable, and it converted a set of soft &quot;compliance&quot; aspirations into hard, software-level legal obligations with board-level accountability. The challenges in financial services software development have not changed in name, but they have changed in weight. This is a briefing on the three that now dominate delivery planning: regulatory resilience as a code property, governing an open-source supply chain you no longer control, and shipping fast without quietly trading away stability.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing plan, build, test, release, deploy, operate and monitor stages feeding back into each other for regulated software delivery&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Regulatory compliance is now an engineering requirement, not a legal afterthought&lt;/h2&gt;
&lt;p&gt;The old framing treated regulation as a gate the legal team owned and engineering passed through. DORA dismantles that handoff. The regulation covers almost every EU financial entity, including banks, insurers, payment and e-money institutions, investment firms, and crypto-asset service providers, and it mandates ICT risk management with explicit board accountability, third-party ICT provider oversight, major-incident reporting, and threat-led penetration testing (&lt;a href=&quot;https://www.mayerbrown.com/en/insights/publications/2025/01/cybersecurity-in-the-financial-sector-eus-digital-operational-resilience-act-takes-effect&quot;&gt;Mayer Brown, 2025&lt;/a&gt;). Read that list as a system requirements document, because that is what it is. &quot;Oversight of third-party ICT providers&quot; means you need a current, accurate inventory of every vendor and dependency in your critical path. &quot;Major-incident reporting&quot; on a tight timeline means your observability and on-call tooling have to produce a regulator-grade narrative quickly, not a postmortem written from memory a week later.&lt;/p&gt;
&lt;p&gt;What used to be vague penalty language is now a number on the table. Under DORA, non-compliance can trigger penalties of up to &lt;strong&gt;2% of total annual worldwide turnover, or EUR 10 million for individuals&lt;/strong&gt; (&lt;a href=&quot;https://www.surecloud.com/resource-hub/dora-compliance-guide&quot;&gt;SureCloud, 2025&lt;/a&gt;). That figure is the reason &quot;we will harden it later&quot; stops being a defensible position. The practical move is to make compliance a code property: codify controls as policy-as-code in the pipeline, treat your software bill of materials and vendor register as living artifacts that build tooling maintains, and wire incident detection to the reporting timeline rather than to a quarterly review. Resilience testing is not a one-off audit event; build it into the release cadence so the evidence the regulator wants is a byproduct of how you already ship.&lt;/p&gt;

&lt;h2&gt;Open source is now the platform, and governance is the hard part&lt;/h2&gt;
&lt;p&gt;The shift to open source in finance is no longer a trend to debate; it is the substrate everything runs on. Over &lt;strong&gt;85% of banking, insurance, and financial-services organizations are increasing their open-source usage&lt;/strong&gt; (&lt;a href=&quot;https://www.finos.org/state-of-open-source-in-financial-services-2024&quot;&gt;FINOS 2024 State of Open Source in Financial Services&lt;/a&gt;). For an engineering director, the interesting finding in that survey is not the adoption rate but the governance gap. Firms with an Open Source Program Office or a visible open-source leader are far more likely to encourage both consumption (62% versus 29%) and contribution, while maintaining security policy and regulatory compliance remains a top reported challenge. Translation: the difference between safe and reckless open-source use is organizational, not technical. The teams that win have a named owner and a policy, not just a permissive license to pull packages.&lt;/p&gt;
&lt;p&gt;The reason this matters more every year is the threat surface those dependencies represent. Developers were projected to download &lt;strong&gt;6.6 trillion open-source packages in 2024&lt;/strong&gt;, and Sonatype has identified 704,102 malicious open-source packages since 2019, a 156% year-over-year jump in malware (&lt;a href=&quot;https://www.sonatype.com/state-of-the-software-supply-chain/2024/scale&quot;&gt;Sonatype 2024 State of the Software Supply Chain&lt;/a&gt;). The same dependencies that let a small team move fast are the same dependencies an attacker uses to reach your build system. In a regulated environment, where DORA already obliges you to oversee third-party ICT risk, your transitive dependency graph is third-party ICT risk. The controls that follow are unglamorous and non-negotiable: a generated SBOM on every build, dependency provenance and signature verification, automated vulnerability gating that fails the pipeline rather than filing a ticket, and a curated internal registry so engineers are not pulling unvetted artifacts straight from public mirrors. This is the concrete content behind the SecDevOps label, and it is where the security investment actually pays off.&lt;/p&gt;

&lt;h2&gt;Delivering business value fast is a platform problem, not a tooling problem&lt;/h2&gt;
&lt;p&gt;Every financial institution wants to ship faster, and most reach for new tools to get there. The 2024 evidence argues that tooling alone is the wrong lever, and in one case an actively counterproductive one. The 2024 DORA Accelerate State of DevOps report found that a 25% increase in AI adoption correlates with an estimated &lt;strong&gt;1.5% decrease in software delivery throughput and reduced delivery stability&lt;/strong&gt;, even as AI lifts individual developer productivity (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report, via InfoQ&lt;/a&gt;). That is the central tension this article&apos;s predecessor gestured at without quantifying: faster individuals do not equal a faster system. More code generated more quickly, fed into a delivery pipeline that cannot review, test, and release it safely, increases batch size and queue time rather than reducing it.&lt;/p&gt;
&lt;p&gt;The same report notes that only around 19% of teams reach elite delivery performance, deploying on demand with lead times under a day. What separates them is rarely a single tool; it is platform engineering and developer self-service that remove friction from the path to production. For a regulated finance team, the synthesis is clean: invest in the platform that lets engineers ship a compliant, tested, observable change without a series of manual handoffs. Build the compliance controls, the SBOM generation, the security gates, and the deployment automation into a paved road so that doing the right thing is also the fast thing. That is how speed and stability stop being a trade-off. You do not balance them by slowing down; you balance them by making the safe path the default path.&lt;/p&gt;

&lt;h2&gt;Where this leaves your roadmap&lt;/h2&gt;
&lt;p&gt;The three challenges converge on a single discipline: treat regulatory resilience, supply-chain security, and delivery speed as properties of one platform rather than three separate workstreams owned by three separate teams. DORA gives you the requirements, the open-source data gives you the threat model, and the DevOps research gives you the delivery model. At &lt;strong&gt;Expeditious Software&lt;/strong&gt;, our &lt;a href=&quot;/devops/&quot;&gt;DevOps services&lt;/a&gt; and &lt;a href=&quot;/about-us/&quot;&gt;freelance DevOps expertise&lt;/a&gt; focus on exactly this integration, embedding security and compliance into the pipeline so that regulated financial software is shipped quickly because it is built to be auditable, not in spite of it.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mayerbrown.com/en/insights/publications/2025/01/cybersecurity-in-the-financial-sector-eus-digital-operational-resilience-act-takes-effect&quot;&gt;Cybersecurity in the Financial Sector: EU&apos;s Digital Operational Resilience Act Takes Effect&lt;/a&gt; - Mayer Brown, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.surecloud.com/resource-hub/dora-compliance-guide&quot;&gt;Complete Guide to DORA Compliance in 2025 / DORA Compliance: Key Requirements for Financial Entities&lt;/a&gt; - SureCloud, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.finos.org/state-of-open-source-in-financial-services-2024&quot;&gt;The 2024 State of Open Source in Financial Services&lt;/a&gt; - FINOS &amp;amp; Linux Foundation Research, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.sonatype.com/state-of-the-software-supply-chain/2024/scale&quot;&gt;2024 State of the Software Supply Chain Report (10th Annual): Scale of Open Source&lt;/a&gt; - Sonatype, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report&lt;/a&gt; - Google Cloud DORA, via InfoQ, 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/addressing-software-development-challenges-in-financial-services/&quot;&gt;Addressing Software Development Challenges in Financial Services&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>The Six Phases of the Software Development Life Cycle, Rethought for the AI Era</title><link>https://es.nl/2023/the-six-phases-of-the-software-development-life-cycle-explained/</link><guid isPermaLink="true">https://es.nl/2023/the-six-phases-of-the-software-development-life-cycle-explained/</guid><description>The six SDLC phases reframed for high-scale, regulated teams: where AI now adds value, where it adds risk, and why platforms decide the outcome.</description><pubDate>Sat, 16 Sep 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;The six-phase software development life cycle - requirement analysis, system design, implementation, testing, deployment, maintenance - has been taught the same way for thirty years. The phases have not changed. What has changed, and changed fast, is where the work, the cost, and the risk now sit inside them. Treating the SDLC as a tidy linear diagram is no longer harmless simplification; it actively hides the two forces reshaping every phase: AI-generated code and the platform engineering that either contains it or doesn&apos;t. This is a briefing on how each phase behaves under those forces for teams operating at scale or under regulatory scrutiny.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of the six software development life cycle phases - requirement analysis, system design, implementation, testing, deployment, and maintenance - arranged as a continuous cycle&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;p&gt;Start with the fact that reorders everything else. AI is no longer an experiment in the implementation phase. The &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;2025 DORA Report&lt;/a&gt;, drawing on nearly 5,000 technology professionals, found that 90% now use AI at work and over 80% say it raises their productivity. &lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-04-11-gartner-says-75-percent-of-enterprise-software-engineers-will-use-ai-code-assistants-by-2028&quot;&gt;Gartner forecasts&lt;/a&gt; that 75% of enterprise software engineers will use AI code assistants by 2028, up from less than 10% in early 2023 - one of the steepest enterprise adoption curves the firm has projected. AI is now a cross-cutting input to all six phases, and it does not distribute its effects evenly. It accelerates the phases where humans were the bottleneck and applies pressure to the phases that were supposed to catch mistakes.&lt;/p&gt;

&lt;h2&gt;Requirement Analysis and System Design: where human judgment concentrates&lt;/h2&gt;

&lt;p&gt;These two phases answer &quot;what&quot; and &quot;how,&quot; and they are precisely where AI helps least and where mistakes cost most. The widely cited rule of thumb still holds: a defect introduced in requirements or design is roughly 100x cheaper to fix there than in production. The &lt;a href=&quot;https://www.it-cisq.org/press-releases/12-06-22/&quot;&gt;CISQ 2022 report&lt;/a&gt; put the price of poor software quality in the US at an estimated $2.41 trillion, including roughly $1.52 trillion of accumulated technical debt - debt that overwhelmingly originates in decisions made during these early phases and compounds silently afterward.&lt;/p&gt;

&lt;p&gt;Gartner&apos;s read on the trajectory is that the developer role is shifting from writing code toward orchestration and system design as AI absorbs routine implementation. That makes requirement analysis and design the durable human centre of the SDLC. For regulated teams, design is also where traceability is established - the chain from a stated requirement, to the component that satisfies it, to the test that proves it. AI can draft a requirements document; it cannot own the accountability for whether that document is correct, complete, and defensible to an auditor. Treat these phases as the place where you spend senior time deliberately, because everything downstream inherits their errors at 100x markup.&lt;/p&gt;

&lt;h2&gt;Implementation: faster, and that is the problem&lt;/h2&gt;

&lt;p&gt;Implementation is where AI&apos;s acceleration is real and measurable, and where the SDLC&apos;s clean diagram becomes dangerous. The same DORA programme exposed a paradox worth sitting with. In the &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 report&lt;/a&gt;, across more than 39,000 respondents, a 25% increase in AI adoption was associated with an estimated 1.5% drop in delivery throughput and a 7.2% drop in delivery stability. The mechanism was not that AI wrote worse code; it was that AI inflated change-set sizes, and large changes are harder to review, test, and roll back.&lt;/p&gt;

&lt;p&gt;By 2025 the throughput relationship had turned positive - AI now correlates with shipping more. But the stability relationship remained negative. Read those two findings together and the implication for the SDLC is sharp: &lt;strong&gt;AI speeds up the implementation phase while transferring load onto testing, review, and deployment.&lt;/strong&gt; The bottleneck does not disappear; it moves downstream to the phases least able to absorb a sudden surge in volume. A team that adopts AI in coding without hardening the phases after it is not getting faster - it is accumulating risk on a delay.&lt;/p&gt;

&lt;h2&gt;Testing: more important as AI writes more, not less&lt;/h2&gt;

&lt;p&gt;The instinct that AI reduces the need for testing is exactly backwards. The 2025 DORA data found that even with 90% adoption, 30% of practitioners report little or no trust in AI-generated code. That distrust is rational, and it has to be operationalised rather than felt. As AI generates a larger share of the codebase, the verification phase becomes the load-bearing control of the whole life cycle.&lt;/p&gt;

&lt;p&gt;Concretely, that means automated test coverage that scales with output rather than headcount, mandatory human review with deliberately small change sets so reviewers can actually reason about a diff, and DevSecOps guardrails - security scanning, dependency checks, policy-as-code - running inside the pipeline rather than as a quarterly audit. The economics make the case on their own. When poor quality and technical debt carry trillion-dollar aggregate costs, the testing phase is not a gate to clear before shipping; it is where the financial return of the entire SDLC is decided. Under-investing here to ship faster is borrowing against production at a punishing interest rate.&lt;/p&gt;

&lt;h2&gt;Deployment: the control point under the most new pressure&lt;/h2&gt;

&lt;p&gt;Deployment is where increased change volume meets reality. If implementation now produces more and larger changes, the deployment phase has to enforce the discipline that keeps stability from degrading: small, frequent, reversible releases; progressive delivery and staged rollouts so blast radius stays bounded; and automated rollback that does not depend on a human noticing fast enough. The DORA stability signal is, in practical terms, a warning that deployment controls are where AI-driven speed gets converted into either reliable delivery or incidents - depending entirely on whether those controls exist before the volume arrives.&lt;/p&gt;

&lt;h2&gt;Maintenance: the phase that holds the money&lt;/h2&gt;

&lt;p&gt;The original framing of the SDLC as cyclical is correct but understated. Deployment is not the finish line; for most systems, maintenance is the longest and most expensive phase, and it is where the trillion-dollar quality and technical-debt costs actually land. Every shortcut taken in design, every under-reviewed AI-generated change, every skipped test resurfaces here as an outage, a vulnerability, or a slowdown that quietly taxes every future release. Maintenance is also where regulated teams live or die on traceability: when something breaks, can you reconstruct why a change shipped, who approved it, and which requirement it served?&lt;/p&gt;

&lt;h2&gt;The variable that actually decides the outcome&lt;/h2&gt;

&lt;p&gt;Across all six phases, the 2025 DORA Report lands on a conclusion that should reframe how any engineering leader reads the AI hype: &lt;strong&gt;AI amplifies what is already there.&lt;/strong&gt; The decisive factor is not the assistant a team buys - it is the quality of the internal platform underneath it. The report found that 90% of organizations have adopted at least one internal platform, and that high-quality platforms are what let teams convert AI speed into real value. For low-quality platforms, the measured AI benefit was negligible.&lt;/p&gt;

&lt;p&gt;This is the through-line for any leader auditing their own SDLC. AI in implementation without strong testing and deployment controls produces the 2024 outcome: more code, worse stability. The same AI on top of a mature platform - paved CI/CD paths, automated verification, traceability, fast rollback - produces the 2025 outcome: more throughput without sacrificing the rest. The six phases have not changed. What determines whether AI makes them better or worse is the platform and DevOps foundation running underneath all six. That foundation is where the leverage is, and it is the work worth funding before the next assistant rollout, not after.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-Assisted Software Development&lt;/a&gt; - Google Cloud / DORA Research Program, 23 September 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - Google Cloud / DORA Research Program, 22 October 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-04-11-gartner-says-75-percent-of-enterprise-software-engineers-will-use-ai-code-assistants-by-2028&quot;&gt;Gartner Says 75% of Enterprise Software Engineers Will Use AI Code Assistants by 2028&lt;/a&gt; - Gartner, 11 April 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.it-cisq.org/press-releases/12-06-22/&quot;&gt;The Cost of Poor Software Quality in the US: A 2022 Report&lt;/a&gt; - Consortium for Information &amp;amp; Software Quality (CISQ), 6 December 2022&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/the-six-phases-of-the-software-development-life-cycle-explained/&quot;&gt;The Six Phases of the Software Development Life Cycle, Rethought for the AI Era&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Five Reasons To Hire A Custom Healthcare Software Development Company</title><link>https://es.nl/2023/five-reasons-to-hire-a-custom-healthcare-software-development-company/</link><guid isPermaLink="true">https://es.nl/2023/five-reasons-to-hire-a-custom-healthcare-software-development-company/</guid><description>Five engineering-grounded reasons to hire a custom healthcare software development company: breach economics, HTI-1 compliance, FHIR interoperability, DevOps maturity.</description><pubDate>Wed, 06 Sep 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run engineering for a healthcare product, &quot;should we build custom or buy off the shelf&quot; is rarely the real question. The real question is whether your team can carry the security, compliance, and delivery burden that regulated healthcare software imposes, indefinitely, alongside shipping features. A specialist partner is worth hiring only when it removes that burden in ways a generalist team or a packaged vendor cannot. Below are five reasons that survive a skeptical read, each tied to a concrete, current obligation or number rather than a slogan.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Software development lifecycle diagram showing requirements, design, build, test, deploy, and operate phases applied to regulated healthcare software&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Breach economics make security a design constraint, not a feature&lt;/h2&gt;
&lt;p&gt;Healthcare has been the single most expensive industry for data breaches every year since 2011. IBM and the Ponemon Institute put the average healthcare breach at &lt;a href=&quot;https://www.hipaajournal.com/cost-healthcare-data-breach-2024/&quot;&gt;$9.77 million in 2024&lt;/a&gt;, and even after a sharp decline the 2025 report still has it at &lt;a href=&quot;https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/&quot;&gt;$7.42 million, the costliest sector for the 14th consecutive year&lt;/a&gt;. That number is not an insurance line item you can defer. It is the budget you are implicitly underwriting every time PHI flows through a service you wrote.&lt;/p&gt;
&lt;p&gt;What this means for the build: HIPAA-grade security has to be engineered in at the architecture level, not bolted on before an audit. Encryption at rest and in transit, least-privilege access, immutable audit logging, key rotation, tenant isolation, and a documented threat model are structural decisions made in the first sprints. A team that has done this repeatedly in regulated environments treats them as defaults. A generalist team rediscovers each one the hard way, usually during a penetration test or, worse, after an incident. The value of a specialist here is not that they &quot;know HIPAA,&quot; it is that secure-by-default is muscle memory rather than a checklist someone hopes was followed.&lt;/p&gt;

&lt;h2&gt;2. Compliance is a moving target that needs standing engineering capacity&lt;/h2&gt;
&lt;p&gt;Compliance in healthcare is not a one-time certification you pass and forget. The ONC &lt;a href=&quot;https://healthit.gov/regulations/hti-rules/hti-1-final-rule/&quot;&gt;HTI-1 Final Rule&lt;/a&gt;, finalized in December 2023 and effective March 11, 2024, is a clear example. It requires certified health IT to move to USCDI v3 and FHIR US Core 6.1.0 by January 1, 2026, to have published FHIR service base URLs by the end of 2024, and to revoke a connected app&apos;s access within one hour of a request. It also introduces first-of-its-kind transparency requirements for AI and predictive algorithms in certified health IT, and it revises the information-blocking exceptions.&lt;/p&gt;
&lt;p&gt;Read those obligations as an engineer and you see standing work, not a project with an end date: data-model migrations, API versioning, token-revocation paths that actually meet a one-hour SLA, and algorithm documentation pipelines. The next rule will land before you have finished the last one. That cadence is precisely what an internal team staffed to ship product features struggles to absorb, and it is what a partner with dedicated regulatory and platform capacity is built to carry. &quot;Future-proofing&quot; stops being a brochure word once you map it to a concrete 2026 deadline you are currently behind on.&lt;/p&gt;

&lt;h2&gt;3. Interoperability via standards is now the bar, not a differentiator&lt;/h2&gt;
&lt;p&gt;&quot;Tailored solutions&quot; used to mean a custom UI on a proprietary backend. Regulators have moved the goalposts. HTI-1 makes standards-based APIs and patient access mandatory, which means a custom build that operates as a silo is non-compliant by construction. Your software now has to speak FHIR and USCDI fluently and integrate with the EHR and health-data ecosystem around it, including patient-facing access to records.&lt;/p&gt;
&lt;p&gt;This is harder than it looks from a greenfield perspective. FHIR conformance is full of edge cases, real-world EHR implementations diverge from the spec, and US Core profiles constrain what you can model. A partner who has shipped against Epic, Cerner, and the long tail of smaller systems brings integration patterns, test harnesses, and a realistic estimate of where the spec and production diverge. The point is not flexibility for its own sake, it is that the only &quot;custom&quot; worth building is one that plugs cleanly into the standards-based ecosystem regulators now require.&lt;/p&gt;

&lt;h2&gt;4. DevOps maturity is what separates reliable healthcare software from risky software&lt;/h2&gt;
&lt;p&gt;Correct code is necessary and insufficient. In a regulated clinical context, the delivery system around the code is where reliability and auditability live: reproducible builds, automated compliance gates in CI, observability that can reconstruct who-did-what, and the ability to roll back fast. The 2024 &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;DORA Accelerate State of DevOps Report&lt;/a&gt;, drawing on more than 39,000 practitioners, is blunt about how easily this goes wrong: AI adoption was associated with a roughly 1.5% drop in delivery throughput and a 7.2% drop in stability, and platform engineering only paid off when it was implemented well. Tooling does not buy you maturity. Practices do.&lt;/p&gt;
&lt;p&gt;This is the part of &quot;custom development&quot; that generalist shops most often underdeliver. A partner whose value proposition is disciplined delivery, self-serve platforms, and strong observability is directly reducing your exposure to the two failure modes that hurt most in healthcare: an outage during a clinical workflow, and a compliance gap that surfaces in an audit because no one could trace a change. Ask any prospective partner for their DORA-style metrics and their incident and rollback story before you ask about their tech stack.&lt;/p&gt;

&lt;h2&gt;5. AI is now a regulated, double-edged factor you cannot wave through&lt;/h2&gt;
&lt;p&gt;AI in healthcare software is no longer optional to think about, and it is no longer purely an upside. On the regulatory side, HTI-1 already mandates transparency for AI and predictive algorithms in certified health IT, so any model touching clinical decisions carries documentation and disclosure obligations. On the delivery side, DORA found that 39% of practitioners report low or no trust in AI-generated code, even as AI raises individual productivity. Those two facts together define the bar: you want the productivity, but you cannot ship unreviewed AI output into a system where a defect can harm a patient and trigger a disclosure.&lt;/p&gt;
&lt;p&gt;A credible partner in 2026 treats this explicitly. Human-in-the-loop review for AI-assisted code, governance and documentation for any predictive algorithm in the product, and a clear position on where AI is allowed in the SDLC and where it is not. If a vendor pitches AI as pure acceleration with no governance story, that is a signal they have not internalized the regulatory and reliability constraints this sector imposes.&lt;/p&gt;

&lt;h2&gt;The decision, framed honestly&lt;/h2&gt;
&lt;p&gt;The demand for custom and cloud-delivered healthcare software is real and durable. The global healthcare software market reached &lt;a href=&quot;https://www.appsruntheworld.com/top-10-healthcare-software-vendors-and-market-forecast/&quot;&gt;roughly $36.3 billion in 2024 and is projected to hit about $47.9 billion by 2029&lt;/a&gt;, a roughly 5.7% CAGR. That pull is why off-the-shelf rarely fits and why teams keep choosing to build. But the market size is not the reason to hire a specialist. The reason is that healthcare software fails expensively along five specific axes: breach exposure, shifting compliance, standards-based interoperability, delivery discipline, and AI governance. Hire a partner that demonstrably owns all five, with numbers and references, not one that recites them. If your own team can already carry that load, you may not need a partner at all, and a good one will tell you so.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.hipaajournal.com/cost-healthcare-data-breach-2024/&quot;&gt;Cost of a Data Breach Report 2024 (Healthcare findings)&lt;/a&gt;, HIPAA Journal (reporting IBM / Ponemon Institute data)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/&quot;&gt;Average Cost of a Healthcare Data Breach Falls to $7.42 Million (Cost of a Data Breach Report 2025)&lt;/a&gt;, HIPAA Journal (reporting IBM / Ponemon Institute data)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://healthit.gov/regulations/hti-rules/hti-1-final-rule/&quot;&gt;HTI-1 Final Rule (Health Data, Technology, and Interoperability)&lt;/a&gt;, Office of the National Coordinator for Health IT (ASTP/ONC), U.S. Dept. of Health and Human Services&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt;, DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.appsruntheworld.com/top-10-healthcare-software-vendors-and-market-forecast/&quot;&gt;Top 10 Healthcare Software Vendors, Market Size and Forecast 2024-2029&lt;/a&gt;, Apps Run The World&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/five-reasons-to-hire-a-custom-healthcare-software-development-company/&quot;&gt;Five Reasons To Hire A Custom Healthcare Software Development Company&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>DevOps vs DevSecOps: What&apos;s the Difference, and When the Distinction Stops Mattering</title><link>https://es.nl/2023/devops-vs-devsecops-whats-the-difference/</link><guid isPermaLink="true">https://es.nl/2023/devops-vs-devsecops-whats-the-difference/</guid><description>DevOps vs DevSecOps for senior teams: what actually changes, the data behind shift-left, and why platform engineering settles the speed-vs-security fight.</description><pubDate>Fri, 01 Sep 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run engineering at any scale, &quot;DevOps vs DevSecOps&quot; is mostly a vocabulary question with a real organizational decision hiding inside it. The honest framing is this: DevOps is the operating model that collapsed the wall between writing software and running it. DevSecOps is the same operating model with security treated as a first-class pipeline concern instead of a gate someone runs at the end. The interesting part is not the definition. It is what the last two years of data say about whether the shift actually pays, where it breaks, and why &quot;add more scanners&quot; is the wrong instinct.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/ci_cd_illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/ci_cd_illustration-600w.webp 600w, /content/uploads/2025/06/ci_cd_illustration-1120w.webp 1120w, /content/uploads/2025/06/ci_cd_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;CI/CD pipeline diagram showing automated build, test and security stages between commit and deployment&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The actual difference: where security lives in the lifecycle&lt;/h2&gt;

&lt;p&gt;DevOps optimizes for flow. Trunk-based development, continuous integration, infrastructure as code, automated delivery - all of it exists to shorten the distance between a commit and a running system, and to make that path repeatable. Security, in a pure DevOps shop, tends to sit at the edges: a pre-release pen test, a periodic scan, a review board that the team learns to route around.&lt;/p&gt;

&lt;p&gt;DevSecOps moves that responsibility left, into the workflow developers already use. The change is structural, not cultural sloganeering: dependency scanning on every pull request, static and dynamic analysis wired into CI, secrets detection at commit time, signed artifacts, and policy checks that fail the build rather than a meeting. The point is not that DevOps ignores security. It is that DevSecOps makes security a property the pipeline enforces continuously, instead of an event a separate team performs late.&lt;/p&gt;

&lt;h2&gt;The data says shift-left is now the default&lt;/h2&gt;

&lt;p&gt;This used to be an aspiration you argued for. It is now the mainstream posture. GitLab&apos;s 2024 survey of more than 5,000 practitioners shows how far the operating model has shifted: &lt;a href=&quot;https://about.gitlab.com/the-source/platform/3-surprising-findings-from-our-2024-global-devsecops-survey/&quot;&gt;74% of organizations already using AI in software development want to consolidate their toolchain, and 55% of respondents consider introducing AI into the lifecycle risky&lt;/a&gt;. Read together, those signals describe teams that have already embedded security and AI tooling deep into the developer workflow and are now wrestling with the consequences. The &quot;DevOps that matures into DevSecOps&quot; path described for years is the trajectory most organizations are now on, not an edge case.&lt;/p&gt;

&lt;p&gt;The economic argument has also stopped being hand-waving. IBM&apos;s 2024 report put the &lt;a href=&quot;https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report&quot;&gt;global average cost of a data breach at a record USD 4.88 million, up 10% year over year&lt;/a&gt; - the largest jump since the pandemic. IBM names a DevSecOps approach among the leading cost mitigators, and found that extensive use of security AI and automation across prevention workflows correlated with roughly USD 2.2 million lower breach costs versus organizations using none. When a single avoided incident is worth multiples of your tooling budget, &quot;fix it earlier&quot; stops being a virtue argument and becomes a balance-sheet one.&lt;/p&gt;

&lt;h2&gt;Why &quot;add more scanning&quot; is the wrong reflex&lt;/h2&gt;

&lt;p&gt;Here is where senior teams should be skeptical of the standard pitch. The failure mode of DevSecOps is not too little security tooling. It is too much, badly integrated. Black Duck&apos;s 2024 survey of over 1,000 practitioners is blunt about the cost: &lt;a href=&quot;https://www.blackduck.com/blog/black-duck-devsecops-report.html&quot;&gt;86% say security testing slows down development, 60% report that 21-60% of their security results are noise (false positives), and 82% of organizations run between 6 and 20 separate security tools&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Read that the way an operator should. If a majority of your scan results are false positives and you are stitching together a dozen-plus tools, you have not made the system more secure - you have built an alert fatigue machine and taxed every developer who has to triage it. The teams getting real value from DevSecOps are not the ones with the longest tool list. They are the ones who treat &lt;strong&gt;signal quality and pipeline integration as the actual product&lt;/strong&gt;: deduplicated findings, results that land in the pull request with a clear fix, gates calibrated so a failed build means something. The differentiator at scale is not coverage. It is whether the security feedback your engineers receive is trustworthy enough that they act on it instead of muting it.&lt;/p&gt;

&lt;h2&gt;AI changed the stakes since this debate started&lt;/h2&gt;

&lt;p&gt;The original version of this discussion predates generative coding tools, and that gap matters more than anything else here. AI raised the volume and lowered the trust at the same time. Black Duck found that &lt;a href=&quot;https://www.blackduck.com/blog/black-duck-devsecops-report.html&quot;&gt;over 90% of organizations now use AI tools in some capacity, but only 24% are very confident in their testing of AI-generated code&lt;/a&gt;. DORA&apos;s 2024 research goes further, linking a 25% increase in AI adoption to roughly a &lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;7.2% drop in delivery stability, with 39% of respondents reporting little or no trust in AI-generated code&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The implication for the DevOps-versus-DevSecOps choice is direct. More code is being generated faster, by tools the people merging it do not fully trust, into systems where instability is rising. Manual, end-of-cycle security review cannot keep pace with that output, and human eyes are exactly the bottleneck AI is overwhelming. Continuous, automated guardrails in the pipeline are not a nice-to-have in that environment - they are the only control surface that scales with the volume of code now arriving. AI makes the case for DevSecOps stronger, not weaker.&lt;/p&gt;

&lt;h2&gt;How mature teams resolve speed versus security&lt;/h2&gt;

&lt;p&gt;The framing that &quot;you trade velocity for security&quot; is the one to retire. The teams that have actually solved it did not pick a side or negotiate a balance per release. They moved the controls into a platform. DORA&apos;s 2024 report finds that &lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;well-designed internal developer platforms increase developer productivity, particularly in larger organizations managing complex environments&lt;/a&gt;. That is the modern, concrete direction this debate has always circled.&lt;/p&gt;

&lt;p&gt;A good internal developer platform makes the secure path the default path. Hardened, pre-approved templates. Policy as code that runs automatically rather than in a review meeting. Signed builds, baseline scanning, and compliance evidence generated by the pipeline as a byproduct of shipping. The developer experience is faster, because the secure option is the one with the least friction - and security is stronger, because it is enforced by the system instead of by individual diligence. This is why &quot;security vs speed&quot; is increasingly a structural problem with a structural solution, not a temperament you negotiate team by team.&lt;/p&gt;

&lt;h2&gt;So which one do you need?&lt;/h2&gt;

&lt;p&gt;For most organizations operating at scale, this is no longer a meaningful choice. If your DevOps practice is solid, you already have the substrate; DevSecOps is what that practice looks like once security is wired into it instead of bolted on. The genuine fork is narrower and more practical: in regulated or high-blast-radius domains - finance, healthcare, critical infrastructure, anything handling sensitive data at volume - embedded security is non-negotiable and you should be building toward platform-enforced controls now. For lower-stakes internal tooling with separate, robust security mechanisms, a leaner DevOps posture can be defensible for longer.&lt;/p&gt;

&lt;p&gt;But the trajectory is one direction. With breach costs at record highs, AI flooding pipelines with code nobody fully trusts, and shift-left now the default operating posture, the question for a senior engineering leader in 2026 is not whether to adopt DevSecOps. It is whether your security controls live in a platform your developers want to use, or in a queue they have learned to route around.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;2024 Accelerate State of DevOps Report (DORA)&lt;/a&gt; - DORA / Google Cloud, 23 October 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.blackduck.com/blog/black-duck-devsecops-report.html&quot;&gt;Global State of DevSecOps 2024&lt;/a&gt; - Black Duck (formerly Synopsys Software Integrity Group), 8 October 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://about.gitlab.com/the-source/platform/3-surprising-findings-from-our-2024-global-devsecops-survey/&quot;&gt;GitLab 2024 Global DevSecOps Report (Eighth Annual Survey)&lt;/a&gt; - GitLab, 25 June 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report&quot;&gt;Cost of a Data Breach Report 2024&lt;/a&gt; - IBM Security / Ponemon Institute, 30 July 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/devops-vs-devsecops-whats-the-difference/&quot;&gt;DevOps vs DevSecOps: What&apos;s the Difference, and When the Distinction Stops Mattering&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How DevOps Actually Works: Loops, Metrics, and the Shift to Platforms</title><link>https://es.nl/2023/how-does-devops-work/</link><guid isPermaLink="true">https://es.nl/2023/how-does-devops-work/</guid><description>How DevOps actually works in high-scale, regulated teams: DORA&apos;s four metrics, fast feedback loops, AI as an amplifier, and the move to platform engineering.</description><pubDate>Wed, 16 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Ask ten teams how DevOps works and you get ten taxonomies of stages, tools, and Venn diagrams. None of that tells you whether it is working. DevOps is not a pipeline diagram or a job title; it is a closed-loop control system for software delivery, where every change is small, automated, measured, and reversible. The useful question for an engineering leader is not &quot;what are the stages of DevOps&quot; but &quot;what does a working DevOps system optimise for, how do you know it is improving, and what changes when AI writes a third of your diffs.&quot; This piece answers those, grounded in the largest body of evidence the field has - &lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;DORA&apos;s research program&lt;/a&gt;, now in its 10th-plus year.&lt;/p&gt;
&lt;img src=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp&quot; srcset=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software-600w.webp 600w, /content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp 800w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle loop showing plan, code, build, test, release, deploy, operate and monitor stages feeding continuous feedback&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;
&lt;h2&gt;What &quot;working&quot; means: the four metrics, not the toolchain&lt;/h2&gt;
&lt;p&gt;The most durable contribution of DevOps research is a measurement model, not a methodology. DORA&apos;s four key metrics, &lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;introduced in 2013 and now the industry standard&lt;/a&gt;, give you a way to define delivery performance that survives any tooling change:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Deployment frequency&lt;/strong&gt; - how often you ship to production. A proxy for batch size and the health of your release path.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Change lead time&lt;/strong&gt; - time from commit to running in production. Measures the friction in your pipeline, not your developers&apos; typing speed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Change failure rate&lt;/strong&gt; - the share of deployments that cause a degradation requiring remediation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Time to restore service&lt;/strong&gt; - how fast you recover when something breaks.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first two measure &lt;strong&gt;throughput&lt;/strong&gt;; the last two measure &lt;strong&gt;stability&lt;/strong&gt;. The central, counter-intuitive finding of two decades of research is that these are not a trade-off. High performers are fast &lt;em&gt;and&lt;/em&gt; stable, and they get there through the same mechanism: small changes, deployed often, behind automated tests and one-button rollback. If your &quot;DevOps transformation&quot; has improved deploy frequency while change failure rate climbs, you have not adopted DevOps - you have just removed a safety gate. Pick these four as your scoreboard before you argue about tools. This is evidence-based: the &lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 report drew on more than 39,000 professionals&lt;/a&gt;, and the 2025 edition added nearly 5,000 respondents plus over 100 hours of qualitative interviews.&lt;/p&gt;
&lt;h2&gt;The mechanism: a feedback loop, optimised for small changes&lt;/h2&gt;
&lt;p&gt;How DevOps actually produces those numbers is unglamorous and specific. A developer commits a small change to version control. Continuous integration builds and tests it within minutes, against a suite trustworthy enough that a green run is a deploy decision, not a suggestion. Continuous delivery turns every passing build into a release candidate, deployable on demand. Infrastructure is defined as code, so environments are reproducible and a rollback is a redeploy of a known-good artifact rather than a heroic night. Production is instrumented so that monitoring, traces, and error budgets tell you within minutes whether the change is healthy.&lt;/p&gt;
&lt;p&gt;Each property exists to shrink the loop. Small batches make failures cheap to diagnose and cheap to revert. Automated tests move the cost of a defect from production back to the pull request. Fast restore means you can tolerate a non-zero failure rate, which in turn lets you move fast without pretending you will never be wrong. For teams in regulated or high-scale environments, this is also your audit and compliance story: every change traced from commit to deploy, every gate automated and logged, every environment described in code rather than in tribal memory. The loop is the control. The tools are interchangeable implementations of it.&lt;/p&gt;
&lt;h2&gt;AI is now in the loop, and it is an amplifier, not a fix&lt;/h2&gt;
&lt;p&gt;You cannot describe how DevOps works in 2026 without addressing AI-assisted delivery, because it is no longer marginal. By 2025, &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;90% of respondents reported using AI at work&lt;/a&gt; and over 80% believed it increased their productivity - yet 30% still report little or no trust in AI-generated code. That tension is the point.&lt;/p&gt;
&lt;p&gt;The headline finding of the 2025 DORA report is blunt: &lt;strong&gt;AI is an amplifier&lt;/strong&gt;. It magnifies a team&apos;s existing strengths and weaknesses. Teams with strong internal platforms, fast feedback loops, automated testing, and clean version control convert AI into real gains. Teams without those foundations get faster at producing changes their delivery system cannot safely absorb. The return comes from the organisational system, not the tool.&lt;/p&gt;
&lt;p&gt;The 2024 data quantifies the failure mode. A 25% increase in AI adoption correlated with measurable lifts in documentation, code quality, and review speed - but also an estimated &lt;strong&gt;1.5% drop in delivery throughput and a 7.2% drop in delivery stability&lt;/strong&gt;. The mechanism, flagged by &lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ&apos;s analysis&lt;/a&gt;, is that AI tends to increase change and batch size, and larger changesets are riskier. That is a direct collision with the one practice DevOps research is most certain about: small, frequent, well-tested releases. The practical implication for leaders is not &quot;ban AI&quot; or &quot;buy more AI.&quot; It is to treat your delivery foundations - test coverage you trust, CI you cannot bypass, batch-size discipline in review - as the prerequisite that determines whether AI is leverage or a stability tax.&lt;/p&gt;
&lt;h2&gt;Where this is heading: from DevOps to platform engineering&lt;/h2&gt;
&lt;p&gt;The next structural shift is already visible. As DevOps practices scaled, the cost of every team running its own bespoke pipeline, security scanning, and infrastructure became the new bottleneck. The response is &lt;strong&gt;platform engineering&lt;/strong&gt;: a dedicated team that treats the internal delivery platform as a product, offering paved-road, self-service tooling so application teams ship without reinventing the plumbing. &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Gartner predicts that by 2026, 80% of large software engineering organisations will have platform engineering teams&lt;/a&gt;, up from 45% in 2022. DORA corroborates the demand side: roughly &lt;strong&gt;90% of organisations have adopted at least one internal platform&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;This is not a repudiation of DevOps; it is its operationalisation at scale. The four metrics still define success, the loop still does the work - but the loop is now provided as a product so that &quot;the right way to ship&quot; is also the easy way. For regulated teams, an internal platform is where compliance controls, security gates, and traceability stop being per-team discipline and become defaults nobody can route around.&lt;/p&gt;
&lt;h2&gt;What to take away&lt;/h2&gt;
&lt;p&gt;DevOps works as a feedback system that makes change cheap, fast, and safe to reverse, measured by four metrics that balance speed against reliability. Adopt the scoreboard first. Invest in the foundations - automated testing, trustworthy CI, infrastructure as code, real observability - because those are what convert both human and AI effort into throughput without sacrificing stability. Then consolidate that capability into a platform so the safe path is the default path.&lt;/p&gt;
&lt;p&gt;That is the work &lt;a href=&quot;/about-us/&quot;&gt;Expeditious Software&lt;/a&gt; does: building the delivery systems, internal platforms, and measurement underneath them rather than selling the diagram. If you want a delivery loop that holds up under scale, regulation, and AI-assisted development, start with our &lt;a href=&quot;/devops&quot;&gt;DevOps services&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-Assisted Software Development&lt;/a&gt; - Google Cloud (DORA), 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025&lt;/a&gt; - DORA / Google Cloud, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;Highlights from the 10th DORA report (Accelerate State of DevOps Report 2024)&lt;/a&gt; - Google Cloud (DORA), 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report Shows Pros and Cons of AI&lt;/a&gt; - InfoQ, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Unlock Infrastructure Efficiency with Platform Engineering&lt;/a&gt; - Gartner, 2023&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-does-devops-work/&quot;&gt;How DevOps Actually Works: Loops, Metrics, and the Shift to Platforms&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Why Software Development In Healthcare Is An Engineering Discipline, Not A Feature</title><link>https://es.nl/2023/the-importance-of-software-development-in-healthcare/</link><guid isPermaLink="true">https://es.nl/2023/the-importance-of-software-development-in-healthcare/</guid><description>Healthcare software lives or dies on security, reliability and delivery discipline. What engineering leaders should prioritise in regulated, high-scale teams.</description><pubDate>Tue, 15 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;In most industries, a botched deploy costs revenue. In healthcare it can cost a patient, a regulator&apos;s attention, and a breach disclosure that runs into eight figures. That asymmetry should shape every architectural and process decision an engineering organisation makes here, yet a lot of healthcare software is still built as if reliability and security were features to add later rather than constraints to design around from the first commit. This piece is for the people who own that decision: directors, engineering managers and senior engineers running regulated, high-scale teams who have heard enough about &quot;digital transformation&quot; and want to know where the actual engineering leverage is.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp&quot; srcset=&quot;/content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software-600w.webp 600w, /content/uploads/2026/02/DevOps_Lifecycle_Expeditious_Software.webp 800w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing plan, build, test, release, deploy, operate and monitor as a continuous loop applied to healthcare software delivery&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Security is the central constraint, not a compliance checkbox&lt;/h2&gt;
&lt;p&gt;Start with the number that reframes everything else. According to IBM&apos;s 2025 Cost of a Data Breach Report, the &lt;a href=&quot;https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/&quot;&gt;average U.S. healthcare data breach cost $7.42 million in 2025&lt;/a&gt;. That figure fell from $9.36 million the year before, but healthcare has still been the costliest industry for breaches for fourteen consecutive years. No other sector is close. When the expected cost of a single failure is this high, security stops being a workstream the security team owns and becomes a property of the delivery pipeline itself.&lt;/p&gt;
&lt;p&gt;The detection numbers make the argument even sharper. Healthcare breaches take the longest of any industry to identify and contain, &lt;a href=&quot;https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/&quot;&gt;averaging 279 days&lt;/a&gt;, roughly five weeks longer than the global average. A 279-day mean-time-to-detect is not a security problem in isolation; it is an observability problem. It means telemetry, audit logging, anomaly detection and incident response were not built into the system as it shipped. The fix is unglamorous and entirely within engineering&apos;s control: structured logging on every protected-health-information access path, automated alerting tied to runbooks, and incident response rehearsed rather than improvised. Secure-by-design pipelines, where secrets management, dependency scanning, SBOM generation and least-privilege deploy credentials are part of the build rather than a quarterly audit, are what move that 279-day number down. Bolt-on security does not.&lt;/p&gt;

&lt;h2&gt;The AI wave is real, but it raises the bar on delivery discipline&lt;/h2&gt;
&lt;p&gt;The demand signal is unambiguous. In McKinsey&apos;s Q4 2024 survey of around 150 healthcare leaders, &lt;a href=&quot;https://www.mckinsey.com/industries/healthcare/our-insights/generative-ai-in-healthcare-current-trends-and-future-outlook&quot;&gt;85% were already exploring or adopting generative AI&lt;/a&gt;, with more organisations in implementation than in proof-of-concept. Independent reporting on the same survey &lt;a href=&quot;https://www.techtarget.com/healthtechanalytics/news/366622076/Survey-Gen-AI-in-healthcare-gains-momentum-across-sectors&quot;&gt;confirmed that breakdown&lt;/a&gt; and added detail on how the work gets done. This is no longer a question of whether AI shows up in clinical and operational workflows; it is a question of who builds it reliably enough to deploy near patient care.&lt;/p&gt;
&lt;p&gt;Here is the part most roadmaps skip. DORA&apos;s 2024 State of DevOps Report found that AI adoption raises individual developer productivity, flow and job satisfaction, but is &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;correlated with decreased software delivery throughput and stability&lt;/a&gt;. The report&apos;s modelling estimated that a 25% increase in AI adoption was associated with roughly a 1.5% drop in delivery throughput and a 7.2% drop in stability. Internal developer platforms showed a similar pattern: productivity gains that can come at the cost of change stability if the guardrails are weak. In a domain where instability has clinical consequences, that trade-off is not academic. It means AI-assisted development and platform investments have to be paired with the boring fundamentals: trunk-based development, fast and trustworthy CI, progressive delivery with automated rollback, and code review that does not rubber-stamp generated code. AI accelerates output; it does not absolve you of verifying that output before it touches a system of record.&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-medical-ultrasound.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-medical-ultrasound-600w.webp 600w, /content/uploads/2026/06/ext-medical-ultrasound-1120w.webp 1120w, /content/uploads/2026/06/ext-medical-ultrasound.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;A sonographer performs a pediatric echocardiography (heart ultrasound) on an infant, using a medical ultrasound machine with a digital display monitor at the bedside while the baby&apos;s mother is present.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:Sonographer_doing_pediatric_echocardiography.JPG&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Kjetil Lenes&lt;/a&gt;, public domain, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;Build, buy, or partner is itself an engineering decision&lt;/h2&gt;
&lt;p&gt;The same survey data tells you how the market intends to deliver all this. Of the healthcare organisations adopting generative AI, &lt;a href=&quot;https://www.mckinsey.com/industries/healthcare/our-insights/generative-ai-in-healthcare-current-trends-and-future-outlook&quot;&gt;61% plan to do it through third-party partnerships&lt;/a&gt;, against 20% building in-house and 19% buying off-the-shelf. Among those partnering, independent reporting noted that &lt;a href=&quot;https://www.techtarget.com/healthtechanalytics/news/366622076/Survey-Gen-AI-in-healthcare-gains-momentum-across-sectors&quot;&gt;58% lean on existing IT vendors and 46% on cloud hyperscalers&lt;/a&gt; for data-management expertise.&lt;/p&gt;
&lt;p&gt;For an engineering leader, the takeaway is not &quot;outsource it.&quot; It is that the build/buy/partner choice is an architecture decision with long-lived consequences, and it should be made on engineering grounds rather than procurement convenience. Partnering with a hyperscaler or specialist gets you data infrastructure and model tooling quickly, but it pushes responsibility for data residency, access boundaries, audit trails and exit strategy onto your integration layer. The teams that come out of this well treat partners as components behind clean, well-tested interfaces, retain ownership of their data model and their compliance posture, and avoid the trap of a vendor relationship that quietly becomes load-bearing infrastructure nobody can swap out.&lt;/p&gt;

&lt;h2&gt;Where the directional themes actually cash out&lt;/h2&gt;
&lt;p&gt;Remote patient monitoring, electronic health records, data-driven care and operational automation are still the right directions; they were the right directions in 2023 and the demand has only hardened. But each one is a reliability and scale problem dressed as a product feature. Remote monitoring means ingesting streaming device telemetry without dropping events that trigger an intervention. EHR integration means correctness under concurrent writes and a schema that survives a decade of regulatory change. Data-driven care means a pipeline whose lineage you can prove to an auditor. Operational automation means workflows that fail safe, because a scheduling system that silently double-books is worse than one that asks a human.&lt;/p&gt;
&lt;p&gt;What ties these together is not a product category; it is engineering practice. &lt;a href=&quot;/devops/&quot;&gt;DevOps, cloud and platform engineering&lt;/a&gt; are the disciplines that turn directional ambition into systems that are observable, recoverable, secure and scalable under real load. Infrastructure as code makes environments reproducible and auditable. CI/CD with automated security and compliance gates turns the 279-day detection window into something you actively shrink. Platform engineering gives clinical product teams paved paths so they ship features without each reinventing secrets handling and deployment safety. None of this is novel. In healthcare it is simply non-optional, because the cost of getting it wrong is measured in millions of dollars and, occasionally, in outcomes that do not show up on a dashboard at all.&lt;/p&gt;
&lt;p&gt;If there is one shift to take from the last two years of evidence, it is this: the conversation about software in healthcare has moved past whether technology helps. It does. The open question is whether your delivery practice is strong enough to ship it safely. Teams that invest in secure-by-design pipelines, real observability and disciplined delivery will capture the AI and data opportunity. Teams that treat those as afterthoughts will keep contributing to the breach statistics. Keeping up with &lt;a href=&quot;/news/&quot;&gt;developments in software engineering and delivery&lt;/a&gt; is part of staying on the right side of that line, but the durable advantage is built in the pipeline, not the press cycle.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/&quot;&gt;Average Cost of a Healthcare Data Breach Falls to $7.42 Million&lt;/a&gt; - The HIPAA Journal (reporting IBM Cost of a Data Breach Report 2025), 30 July 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud, 22 October 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.mckinsey.com/industries/healthcare/our-insights/generative-ai-in-healthcare-current-trends-and-future-outlook&quot;&gt;Generative AI in healthcare: Adoption trends and what&apos;s next&lt;/a&gt; - McKinsey &amp;amp; Company, 13 February 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.techtarget.com/healthtechanalytics/news/366622076/Survey-Gen-AI-in-healthcare-gains-momentum-across-sectors&quot;&gt;Survey: Gen AI in healthcare gains momentum across sectors&lt;/a&gt; - xtelligent Healthtech Analytics / TechTarget, 4 April 2025&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/the-importance-of-software-development-in-healthcare/&quot;&gt;Why Software Development In Healthcare Is An Engineering Discipline, Not A Feature&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>What You Need To Know About DevOps in 2026</title><link>https://es.nl/2023/what-you-need-to-know-about-devops/</link><guid isPermaLink="true">https://es.nl/2023/what-you-need-to-know-about-devops/</guid><description>A senior, metrics-grounded brief on DevOps in 2026: DORA&apos;s four key metrics, the AI speed-vs-stability tradeoff, and platform engineering.</description><pubDate>Sat, 12 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most writing on DevOps is still pitched at people who have never run a deployment. If you are an engineering director, manager, or senior engineer at a high-scale or regulated team, you do not need another definition of &quot;Dev plus Ops.&quot; You need to know what the evidence says works, where the current hype breaks down, and which decisions actually move delivery performance. This is that brief.&lt;/p&gt;
&lt;p&gt;The useful frame for 2026 is not &quot;should we do DevOps&quot; but &quot;is our delivery system getting measurably faster &lt;strong&gt;and&lt;/strong&gt; more stable, or are we trading one for the other.&quot; That distinction is the whole game, and it is now well instrumented.&lt;/p&gt;
&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle loop showing plan, code, build, test, release, deploy, operate and monitor feeding back into planning&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;
&lt;h2&gt;Stop arguing about DevOps. Measure it.&lt;/h2&gt;
&lt;p&gt;DevOps stopped being a philosophy you debate the moment the four &lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;DORA metrics&lt;/a&gt; gave it a scoreboard. They pair throughput with stability so neither can be gamed in isolation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Deployment frequency&lt;/strong&gt; and &lt;strong&gt;lead time for changes&lt;/strong&gt; measure speed: how often you ship and how long an idea takes to reach production.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Change failure rate&lt;/strong&gt; and &lt;strong&gt;failed-deployment recovery time&lt;/strong&gt; measure stability: how often a release breaks something and how fast you recover when it does.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The benchmark gap is not subtle. Elite teams deploy on demand, multiple times per day, with recovery times under an hour and a change failure rate around 5%. Low performers deploy only between once a week and once a month, take a month or more to recover, and run a &lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;change failure rate near 64%&lt;/a&gt;. The difference in shipping cadence is an order of magnitude, and elite teams achieve it without trading away reliability. If your organization cannot state its current numbers on all four, that is the first problem to fix, ahead of any tooling purchase.&lt;/p&gt;
&lt;h2&gt;AI is now in the loop. It is a mirror, not a fix.&lt;/h2&gt;
&lt;p&gt;The center of gravity has moved. In the &lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;2025 DORA report&lt;/a&gt;, drawn from nearly 5,000 technology professionals, 90% now report using AI in their daily work, a sharp jump year over year. Any honest discussion of DevOps in 2026 has to account for AI in the development lifecycle. But the headline finding deserves to be read carefully by anyone making bets here.&lt;/p&gt;
&lt;p&gt;DORA&apos;s central conclusion is that &lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;AI is an amplifier, a mirror&lt;/a&gt;. It magnifies the strengths and weaknesses a team already has. It does not repair a broken delivery process; it lets a team with weak foundations ship low-quality work faster. That is consistent with developer sentiment on the ground: roughly 30% still report little or no trust in AI-generated code. The technology raises individual output. Whether that output becomes value or incident volume depends entirely on the system it lands in.&lt;/p&gt;
&lt;p&gt;There is a measurable tradeoff, and it is the one your existing instrumentation was built to catch. The &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 DORA research&lt;/a&gt; found that AI adoption correlates with higher individual productivity and job satisfaction but with &lt;strong&gt;reduced delivery stability&lt;/strong&gt;, more change failures and slower recovery. In 2024 terms, each 25% rise in AI adoption was associated with roughly 2.1% higher individual productivity and 2.6% higher job satisfaction, but about 1.5% lower delivery throughput end to end. AI can make a developer faster while making the system slower. The only way to see that happening is to watch the four metrics while you roll it out.&lt;/p&gt;
&lt;p&gt;The practical implication for a regulated or high-scale team: treat AI-assisted code as code from a fast but junior contributor. The controls that already protect your pipeline, review, automated testing, progressive delivery, fast rollback, are exactly the controls that determine whether AI is a net gain. If those controls are thin, AI will surface that fact quickly and expensively.&lt;/p&gt;
&lt;h2&gt;Platform engineering is where the budget should go&lt;/h2&gt;
&lt;p&gt;The clearest industry evolution of DevOps is platform engineering, and it is the angle most worth a senior team&apos;s attention. Gartner &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;predicts that by 2026, 80% of large software engineering organizations&lt;/a&gt; will have established platform engineering teams, up from 45% in 2022. These teams act as internal providers of reusable services, components, and tooling, exposed through self-service internal developer platforms.&lt;/p&gt;
&lt;p&gt;The motivation is concrete. A decade of &quot;you build it, you run it&quot; pushed an enormous toolchain onto every developer, and the cognitive load became a tax on delivery. A platform team&apos;s job is to pave the golden path: standardized CI/CD, &lt;strong&gt;Infrastructure as Code&lt;/strong&gt; for reproducible environments, observability, and policy-as-code wired in by default rather than reassembled by each squad. For regulated teams this is the highest-leverage move available, because controls baked into a self-service platform are auditable and consistent in a way that controls living in tribal knowledge never are.&lt;/p&gt;
&lt;p&gt;One caveat the data demands. The 2024 research found that internal developer platforms raise productivity and organizational performance but can &lt;strong&gt;decrease change stability and throughput&lt;/strong&gt; if introduced carelessly. A platform is a product. If you ship it without a user-centric focus, you have built another layer your engineers route around. The same instrumentation applies: a platform that is working should move your DORA numbers in the right direction, not just generate adoption slides.&lt;/p&gt;
&lt;h2&gt;The organizational factors outweigh the tooling&lt;/h2&gt;
&lt;p&gt;The most counterintuitive finding for engineers who like clean architecture is that the strongest predictors of high performance are not technical. Across years of DORA research, the biggest drivers of quality, speed, and lower burnout are &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;a user-centric focus, stable organizational priorities, transformational leadership, strong documentation, and psychological safety&lt;/a&gt;. Teams that know who they are building for and are not whiplashed by shifting priorities outperform teams with better pipelines and worse focus.&lt;/p&gt;
&lt;p&gt;This is why &quot;DevOps as a culture of collaboration and continuous improvement&quot; survives the skepticism it deserves. It is not a slogan; it is what the measurements keep pointing back to. Automation, CI/CD, and IaC are necessary. They are not sufficient, and they are not where the largest remaining gains live for most organizations.&lt;/p&gt;
&lt;h2&gt;What to actually do next&lt;/h2&gt;
&lt;p&gt;If you take three things from this brief: instrument the four DORA metrics before you change anything, so you can tell whether interventions help or hurt. Treat AI adoption as a controlled rollout watched through those same metrics, not a productivity press release. And invest in platform engineering as a product with real users, since that is where reduced cognitive load and embedded controls compound, particularly under regulatory pressure.&lt;/p&gt;
&lt;p&gt;DevOps at this point is less a thing you adopt and more a feedback loop you run with discipline. The teams pulling ahead are not the ones with the most tools. They are the ones who can see, in numbers, whether each change made them both faster and more reliable, and who are willing to roll back the ones that did not. If you want a partner who works from that evidence rather than the brochure, that is how &lt;a href=&quot;/devops/&quot;&gt;Expeditious Software approaches DevOps&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025 (DORA Report)&lt;/a&gt;, DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt;, DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Platform Engineering&lt;/a&gt;, Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;DORA Metrics: The four key metrics and elite vs low performer benchmarks&lt;/a&gt;, Octopus Deploy&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/what-you-need-to-know-about-devops/&quot;&gt;What You Need To Know About DevOps in 2026&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How To Measure DevOps Success: The 4 Key Metrics To Know (DORA, 2025)</title><link>https://es.nl/2023/how-to-measure-devops-success-4-key-metrics-to-know/</link><guid isPermaLink="true">https://es.nl/2023/how-to-measure-devops-success-4-key-metrics-to-know/</guid><description>The four DORA metrics that actually measure DevOps success, with 2025 benchmarks, the new terminology, and what AI does to them.</description><pubDate>Thu, 10 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you lead a delivery organisation, you have probably been handed a dashboard with twenty &quot;DevOps metrics&quot; on it. Most of them are vanity numbers. The signal that has survived a decade of scrutiny is narrow: four metrics, validated annually across tens of thousands of practitioners by Google&apos;s DORA research program, that predict both software delivery performance and organisational outcomes. This is a working brief on what those four metrics are in their current form, what good actually looks like in numbers, and the single biggest thing that has changed since 2023: AI now sits in the middle of your pipeline and is quietly reshaping these numbers, not always in your favour.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars.webp&quot; srcset=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars-600w.webp 600w, /content/uploads/2025/06/Engineering-Productivity-pillars-1120w.webp 1120w, /content/uploads/2025/06/Engineering-Productivity-pillars.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of engineering productivity pillars showing how the four DORA delivery metrics balance throughput against stability&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;p&gt;Two things to internalise before the metric-by-metric walkthrough. First, the four metrics are deliberately split into two opposing pairs: &lt;strong&gt;throughput&lt;/strong&gt; (deployment frequency, lead time) and &lt;strong&gt;stability&lt;/strong&gt; (change failure rate, recovery time). You read them &lt;em&gt;together&lt;/em&gt;. A team that ships ten times a day but breaks production on a third of those deploys is not high-performing, it is reckless. The research is consistent here: high performers excel across all four, and a team that is weak on one is usually weak on all four, because the same underlying practices (small batches, automated testing, fast feedback) drive every one of them (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ, 2024 DORA analysis&lt;/a&gt;). Second, the terminology has moved. If you are still quoting &quot;MTTR&quot; in a steering committee, you are a version behind.&lt;/p&gt;

&lt;h2&gt;The four metrics, in their current form&lt;/h2&gt;

&lt;h3&gt;1. Deployment Frequency&lt;/h3&gt;
&lt;p&gt;How often you successfully release to production. This is the cleanest proxy for batch size: teams that deploy frequently are, by necessity, shipping small changes, which is what makes everything downstream safer. The elite band is &lt;strong&gt;on-demand, many deploys per day&lt;/strong&gt;; low performers sit between once a week and once a month (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;). The trap is celebrating the number in isolation. Frequency is only meaningful when stability holds at the same time, which is exactly why you never report it alone.&lt;/p&gt;

&lt;h3&gt;2. Lead Time for Changes&lt;/h3&gt;
&lt;p&gt;The elapsed time from a commit landing to that commit running in production. This is your pipeline&apos;s true cycle time, and it exposes everything between an engineer&apos;s keyboard and the customer: review queues, manual approval gates, flaky test suites, release trains that only depart on Thursdays. Elite teams achieve &lt;strong&gt;less than a day, commit to production&lt;/strong&gt;; low performers measure this in weeks or months (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;). For regulated teams, lead time is where your change-management and segregation-of-duties controls become visible as latency. The goal is not to remove the controls, it is to automate the evidence so the control costs milliseconds, not days.&lt;/p&gt;

&lt;h3&gt;3. Change Failure Rate&lt;/h3&gt;
&lt;p&gt;The percentage of deployments that result in a degraded service requiring remediation (a hotfix, rollback, or patch). This is the stability counterweight to deployment frequency. The bands are concrete and worth memorising: &lt;strong&gt;elite is 5%, high 10%, medium 15%, and low performers run all the way up to roughly 64%&lt;/strong&gt; (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;). A change failure rate above 15% is rarely a tooling problem; it usually points to testing and review gaps that no amount of dashboarding fixes.&lt;/p&gt;

&lt;h3&gt;4. Failed Deployment Recovery Time&lt;/h3&gt;
&lt;p&gt;This is the metric most leaders still get wrong by name. DORA has retired &quot;Mean Time to Recovery (MTTR)&quot; and now reports &lt;strong&gt;Failed Deployment Recovery Time&lt;/strong&gt;: specifically, how long it takes to restore service after a &lt;em&gt;failed deployment&lt;/em&gt;, not after any incident (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;; &lt;a href=&quot;https://dora.dev/insights/dora-metrics-history/&quot;&gt;DORA metrics history&lt;/a&gt;). The scoping is deliberate, because it isolates the part of recovery you actually control through your release process. Elite teams recover in &lt;strong&gt;less than an hour&lt;/strong&gt;; high performers in under a day. Note also that DORA groups this metric with throughput rather than stability, on the reasoning that fast recovery is itself a function of how quickly you can ship a fix (&lt;a href=&quot;https://dora.dev/insights/dora-metrics-history/&quot;&gt;DORA metrics history&lt;/a&gt;). The practical takeaway is unchanged: invest in instant, no-questions-asked rollback. A one-click revert is worth more than any post-incident process document.&lt;/p&gt;

&lt;h2&gt;Beyond the four: Rework Rate and Reliability&lt;/h2&gt;
&lt;p&gt;The canonical four remain the industry standard, but treating them as the complete picture is now a mistake. DORA has added a fifth metric, &lt;strong&gt;Rework Rate&lt;/strong&gt;, defined as the proportion of deployments that are unplanned fixes triggered by a production issue, as a complement to change failure rate. Where change failure rate captures the deploys that &lt;em&gt;broke&lt;/em&gt;, rework rate captures the instability that surfaces afterwards as unplanned production work (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;). DORA also tracks a broader &lt;strong&gt;Reliability&lt;/strong&gt; dimension covering whether the service meets its own availability and latency targets (&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Octopus Deploy / DORA benchmarks&lt;/a&gt;). If your team is mature on the four, rework rate is the next number I would put on the board, because it catches a failure mode the original four miss: the slow drip of &quot;we shipped it, then spent the next three days babysitting it.&quot;&lt;/p&gt;

&lt;h2&gt;The AI variable: an amplifier, not a fix&lt;/h2&gt;
&lt;p&gt;This is the part that has genuinely changed since the 2023 version of this advice, and the part most worth your attention. In the 2025 DORA report, drawn from nearly 5,000 respondents, &lt;strong&gt;90% now use AI at work and over 80% report productivity gains&lt;/strong&gt;, and for the first time AI&apos;s relationship with throughput turned positive (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud, 2025 DORA report&lt;/a&gt;). That is the good news, and it is real. The uncomfortable news is that AI continues to correlate with &lt;strong&gt;worse delivery stability&lt;/strong&gt;: higher change failures and more rework (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud, 2025 DORA report&lt;/a&gt;). The 2024 report quantified the drag plainly: a 25% increase in AI adoption tracked with roughly a &lt;strong&gt;1.5% drop in throughput and a 7.2% reduction in stability&lt;/strong&gt;, alongside 39% of practitioners reporting little or no trust in AI-generated code (&lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;Google Cloud, 2024 DORA report&lt;/a&gt;). The mechanism is not mysterious: AI makes it trivial to produce &lt;em&gt;larger&lt;/em&gt; changesets, which directly violates the small-batch principle that every one of the four metrics rewards (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ, 2024 DORA analysis&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;DORA&apos;s headline conclusion is the line to take into your next planning meeting: &lt;strong&gt;&quot;AI doesn&apos;t fix a team; it amplifies what&apos;s already there&quot;&lt;/strong&gt; (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud, 2025 DORA report&lt;/a&gt;). A team with strong tests, fast feedback, and disciplined batch sizes converts AI&apos;s speed into &lt;em&gt;safe&lt;/em&gt; speed. A team without those foundations converts the same AI into faster production incidents. This is precisely why you measure all four metrics rather than chasing velocity alone: the four are your early-warning system for whether AI is amplifying your strengths or your weaknesses. The report is equally clear that the largest ROI comes not from buying more tooling but from improving the underlying system, and it points to platform engineering as the key enabler. &lt;strong&gt;90% of organisations have now adopted at least one internal developer platform&lt;/strong&gt;, and that platform layer is what makes the small-batch, fast-recovery practices repeatable across teams (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud, 2025 DORA report&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;How to use this&lt;/h2&gt;
&lt;p&gt;Instrument the four metrics directly from your deployment pipeline and incident tooling, not from a survey. Report throughput and stability side by side, every time, and add rework rate once the four are stable. Set targets against the published bands rather than inventing your own. And when an AI coding assistant lands in your stack, watch your change failure rate and rework rate for the following quarter as closely as you watch the productivity gains, because the second number is where the bill comes due. The metrics have not become more complicated since 2023. The environment around them has, and that is exactly why measuring them well matters more now than it did then. For how this connects to our broader delivery work, see our &lt;a href=&quot;/devops/&quot;&gt;DevOps and Cloud engineering&lt;/a&gt; practice.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-Assisted Software Development&lt;/a&gt; - Google Cloud (DORA Research Program), 2025-09-23&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025 (DORA report)&lt;/a&gt; - DORA / Google Cloud, 2025-09&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/insights/dora-metrics-history/&quot;&gt;A history of DORA&apos;s software delivery metrics&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;Announcing the 2024 DORA report&lt;/a&gt; - Google Cloud (DORA Research Program), 2024-10-23&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report Shows Pros and Cons of AI&lt;/a&gt; - InfoQ (Matt Saunders), 2024-11-28&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://octopus.com/devops/metrics/dora-metrics/&quot;&gt;Understanding The 4 DORA Metrics And Top Findings From 2024/25 DORA Report&lt;/a&gt; - Octopus Deploy, 2025-07-30&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-to-measure-devops-success-4-key-metrics-to-know/&quot;&gt;How To Measure DevOps Success: The 4 Key Metrics To Know (DORA, 2025)&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Understanding the Software Development Life Cycle (SDLC) at Scale</title><link>https://es.nl/2023/understanding-the-software-development-life-cycle-sdlc/</link><guid isPermaLink="true">https://es.nl/2023/understanding-the-software-development-life-cycle-sdlc/</guid><description>A staff-level guide to the SDLC for high-scale and regulated teams: security, supply chain, AI, and the discipline that holds delivery together.</description><pubDate>Tue, 08 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Every engineering organisation runs an SDLC whether or not anyone has written it down. The question is not whether you have one, but whether it is explicit, measured and resistant to the pressures that erode delivery at scale: regulatory audits, security incidents, AI-assisted commits of uncertain quality, and the slow accretion of third-party dependencies nobody fully owns. This is a practitioner&apos;s view of the software development life cycle for teams where &quot;move fast&quot; has consequences measured in fines, outages and breach disclosures.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of the software development life cycle showing requirements, design, implementation, testing, deployment and maintenance stages as a continuous loop&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The SDLC is a control system, not a checklist&lt;/h2&gt;
&lt;p&gt;The canonical stages - requirements, design, implementation, testing, deployment, maintenance - are real, but treating them as a linear sequence you complete once is where teams go wrong. At scale the SDLC is a continuous control loop: every change re-enters the cycle, and the value of the framework comes from the feedback and guardrails between stages, not the stages themselves. The single most durable finding in delivery research is unglamorous. Small batch sizes and robust automated testing are what keep throughput and stability high. The 2024 DORA &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report&lt;/a&gt;, drawn from roughly 39,000 professionals worldwide, reaffirms that these fundamentals matter more as systems grow more complex, not less.&lt;/p&gt;
&lt;p&gt;Concretely, this means your SDLC should make the small, well-tested change the path of least resistance and the large, unreviewed change painful. If your branching, review and deployment process rewards big-bang merges, no amount of process documentation will save delivery stability.&lt;/p&gt;

&lt;h2&gt;AI changes the inputs to every stage&lt;/h2&gt;
&lt;p&gt;AI-assisted development is now an input to requirements, implementation and review, and the data should make any director cautious about uncritical rollout. DORA found that AI adoption reliably lifts individual productivity, flow and job satisfaction, yet for every 25% increase in AI adoption, estimated delivery throughput dropped around 1.5% and delivery stability fell roughly 7.2%. The mechanism is intuitive: AI makes it cheap to produce &lt;em&gt;more&lt;/em&gt; code, and larger changesets carry more delivery risk. Independent analysis from &lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ&lt;/a&gt; notes that &lt;strong&gt;39% of respondents reported low or no trust in AI-generated code&lt;/strong&gt;, and that AI usage correlates with exactly the larger changes the same report flags as risky.&lt;/p&gt;
&lt;p&gt;The implication for your SDLC is not to ban AI. It is to treat AI as a way to reduce administrative burden while holding the line on the controls that catch its failure modes: human code review, comprehensive automated testing, and batch-size limits. AI productivity gains that bypass the testing stage are borrowing against future incidents.&lt;/p&gt;

&lt;h2&gt;Security belongs in every stage, not a gate at the end&lt;/h2&gt;
&lt;p&gt;The most consequential shift in modern SDLC thinking is that security is no longer a phase. NIST created its Secure Software Development Framework precisely because, in its own words, &quot;few SDLC models explicitly address software security in detail.&quot; The &lt;a href=&quot;https://www.nist.gov/news-events/news/2025/12/secure-software-development-framework-ssdf-version-12-available-public&quot;&gt;SSDF (SP 800-218)&lt;/a&gt; is not a competing methodology; it is a set of high-level secure-development practices you integrate into whatever SDLC you already run. Version 1.2 was released for public comment in December 2025 under U.S. Executive Order 14306, and its three objectives are worth internalising: reduce vulnerabilities in released software, mitigate the impact of vulnerabilities that slip through, and address root causes so the same classes of defect stop recurring.&lt;/p&gt;
&lt;p&gt;For regulated and high-scale teams, one detail matters disproportionately. NIST explicitly expects &lt;strong&gt;acquirers to use the SSDF when communicating security requirements to suppliers&lt;/strong&gt;. If you sell software to enterprises or government, your SDLC&apos;s security practices are increasingly a procurement gate, not an internal nicety. Mapping your stages to SSDF practices is becoming a commercial requirement, not a maturity badge.&lt;/p&gt;

&lt;h2&gt;Your dependencies are part of your SDLC now&lt;/h2&gt;
&lt;p&gt;Most production code your team ships was written by someone else. The SSDF treats software supply chain security as a first-class SDLC responsibility spanning design, implementation and maintenance: securely acquiring and maintaining third-party components, tracking provenance through &lt;strong&gt;Software Bills of Materials (SBOMs)&lt;/strong&gt;, and continuously monitoring dependencies for newly disclosed vulnerabilities. The practical test is whether, on the day a critical CVE lands in a widely used library, you can answer &quot;are we affected, and where?&quot; in minutes rather than days. If your SDLC has no inventory and no continuous monitoring, that answer is a fire drill every time.&lt;/p&gt;
&lt;p&gt;The same expansion now reaches AI systems themselves. In July 2024 NIST released &lt;a href=&quot;https://csrc.nist.gov/projects/ssdf/news&quot;&gt;SP 800-218A&lt;/a&gt;, an SSDF community profile adding secure-development practices for generative AI and dual-use foundation models. The signal for governance is clear: if your organisation builds or fine-tunes models, those models are software in your SDLC, with their own provenance, testing and maintenance obligations.&lt;/p&gt;

&lt;h2&gt;Platform engineering: real gains, real transition cost&lt;/h2&gt;
&lt;p&gt;Internal developer platforms are the current answer to SDLC friction at scale, and the evidence supports them - with a caveat worth quoting to anyone selling you a platform as a silver bullet. DORA found that platform engineering improves developer productivity and organisational performance, with the largest benefit accruing to large organisations. But it also cautions that platforms can &lt;em&gt;temporarily reduce&lt;/em&gt; change stability and throughput if rolled out without care, and that smaller organisations face real implementation friction. A platform is itself a product subject to the SDLC: it has users, requires testing, and degrades delivery if shipped half-finished. Budget for the dip, measure it, and do not let the migration become an unmonitored big-bang change of the kind the same research warns against.&lt;/p&gt;

&lt;h2&gt;What this means for how you run the cycle&lt;/h2&gt;
&lt;p&gt;For a director or staff engineer, a credible modern SDLC has a few non-negotiable properties. Keep batch sizes small and automated testing comprehensive, because these are the controls every other trend stresses. Treat AI as leverage on routine work while keeping human review and testing as hard gates, since trust in generated code is not yet earned. Embed SSDF-style security practices into each stage rather than bolting on a pre-release scan. Maintain a live inventory of third-party and model dependencies with continuous vulnerability monitoring. And instrument the whole loop so you can see throughput and stability move, rather than asserting that your process works.&lt;/p&gt;
&lt;p&gt;The SDLC&apos;s value was never in the diagram. It is in making the disciplined path the easy one - small changes, tested thoroughly, with security and provenance baked in - so that scale and regulation become constraints you operate within rather than crises you react to. At &lt;a href=&quot;/about-us/&quot;&gt;Expeditious Software&lt;/a&gt; we help engineering teams turn that discipline into running infrastructure, from &lt;a href=&quot;/devops/&quot;&gt;DevOps&lt;/a&gt; and CI/CD pipelines to platform and security practices that hold up under audit.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report Shows Pros and Cons of AI&lt;/a&gt; - InfoQ&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.nist.gov/news-events/news/2025/12/secure-software-development-framework-ssdf-version-12-available-public&quot;&gt;Secure Software Development Framework (SSDF) Version 1.2 is Available for Public Comment&lt;/a&gt; - NIST&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://csrc.nist.gov/projects/ssdf/news&quot;&gt;Secure Software Development Framework (SSDF) Project - News&lt;/a&gt; - NIST CSRC&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/understanding-the-software-development-life-cycle-sdlc/&quot;&gt;Understanding the Software Development Life Cycle (SDLC) at Scale&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>DevOps vs SRE: 4 Key Differences That Actually Matter at Scale</title><link>https://es.nl/2023/devops-vs-sre-4-key-differences/</link><guid isPermaLink="true">https://es.nl/2023/devops-vs-sre-4-key-differences/</guid><description>DevOps vs SRE for senior engineers: origin, role design, SLO/SLI/SLA rigour and error budgets - grounded in Google SRE and DORA, with the AI angle.</description><pubDate>Sat, 05 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&quot;DevOps vs SRE&quot; is usually framed as a turf war, which is the wrong question. DevOps is a set of goals - faster, safer delivery through tighter collaboration between development and operations. Site Reliability Engineering is one specific, opinionated implementation of those goals, born at Google to run large-scale systems and codified in the 2017 O&apos;Reilly &lt;a href=&quot;https://sre.google/sre-book/service-level-objectives/&quot;&gt;SRE Book&lt;/a&gt;. The useful comparison is not &quot;which is better&quot; but &quot;where does SRE get prescriptive in exactly the places DevOps leaves to taste&quot; - because those places are where regulated, high-scale teams get burned. Below are the four differences that survive contact with production, plus why AI makes them more important rather than less.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars.webp&quot; srcset=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars-600w.webp 600w, /content/uploads/2025/06/Engineering-Productivity-pillars-1120w.webp 1120w, /content/uploads/2025/06/Engineering-Productivity-pillars.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of engineering productivity and reliability pillars: service level indicators, objectives, agreements and error budgets that distinguish SRE from generic DevOps&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Origin and philosophy: a culture vs a concrete implementation&lt;/h2&gt;

&lt;p&gt;DevOps emerged as a cultural correction to the dev-throws-it-over-the-wall-to-ops failure mode. Its philosophy is collaboration and flow, and its industry-standard scorecard is the DORA research programme, which measures delivery on two axes - &lt;strong&gt;throughput&lt;/strong&gt; and &lt;strong&gt;stability&lt;/strong&gt; - and clusters teams into elite, high, medium and low tiers. The 2024 report drew on more than 39,000 professionals, which is why DORA, not vendor marketing, is the reference point for &quot;are we good at this&quot; (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ, 2024 DORA coverage&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;SRE starts from a different premise: treat operations as a software problem. Where DevOps says &quot;developers and operators should collaborate,&quot; SRE says &quot;here is the engineering discipline, the error budget, and the on-call model you will use.&quot; The practical consequence for a director: you can adopt DevOps and still have a dozen teams measuring reliability a dozen different ways. SRE removes that ambiguity by mandating a shared vocabulary. That rigidity is a feature in regulated environments, where &quot;we collaborate well&quot; is not an answer an auditor accepts.&lt;/p&gt;

&lt;h2&gt;2. Role definition: shared ownership vs a distinct engineering function&lt;/h2&gt;

&lt;p&gt;In a DevOps model the dev and ops responsibilities merge into the delivery team. There may be no dedicated reliability role at all; the team that ships also runs. SRE deliberately keeps a distinct function - the Site Reliability Engineer - who works alongside product development but retains separate identity, separate budget, and the authority to push back on velocity when reliability is at risk.&lt;/p&gt;

&lt;p&gt;That separation is not bureaucracy; it is a governance mechanism. A merged DevOps team under feature pressure will quietly trade away reliability because the same people own both sides of the trade-off and the loudest stakeholder usually wants the feature. An independent SRE function gives reliability its own seat, its own metrics, and a mandate that survives a tight quarter. For teams under SLAs with financial penalties, that organisational firewall is often the difference between &quot;we missed a target&quot; and &quot;we paid out.&quot;&lt;/p&gt;

&lt;h2&gt;3. Measurable objectives: SRE is prescriptive where DevOps is vague&lt;/h2&gt;

&lt;p&gt;This is the difference that matters most, and it is where the original distinction between the two is sharpest. DevOps cares about metrics, but it does not tell you which ones or how to define them. SRE does, through a precise three-term hierarchy taken straight from Chapter 4 of the SRE Book (&lt;a href=&quot;https://sre.google/sre-book/service-level-objectives/&quot;&gt;Jones, Wilkes, Murphy &amp; Smith&lt;/a&gt;):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SLI&lt;/strong&gt; - a Service Level Indicator is a carefully defined quantitative measure of one aspect of the service: request latency, error rate, availability. It is a number you actually measure, not an aspiration.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SLO&lt;/strong&gt; - a Service Level Objective is a target value or range for an SLI. &quot;99.9% of requests succeed over a rolling 30 days&quot; is an SLO.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SLA&lt;/strong&gt; - a Service Level Agreement is an explicit or implicit contract with users that carries &lt;strong&gt;consequences&lt;/strong&gt; for missing its SLOs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The book gives a one-line test that cuts through most internal confusion: to tell an SLO from an SLA, ask &lt;strong&gt;&quot;what happens if the objective is not met?&quot;&lt;/strong&gt; If the answer is a financial credit or a contractual penalty, it is an SLA. If the answer is &quot;we have an internal conversation,&quot; it is an SLO. Most teams conflate the two and then discover, during an incident, that a number they treated as advisory was actually contractual. SRE forces you to draw that line up front. DevOps, left to its own devices, rarely does - and &quot;we track uptime&quot; is not the same as &quot;we have agreed which indicator, at which target, with which consequence.&quot;&lt;/p&gt;

&lt;h2&gt;4. Error budgets: turning reliability into a currency both sides can spend&lt;/h2&gt;

&lt;p&gt;The error budget is the mechanism that makes the velocity-vs-reliability argument quantitative instead of political. It is defined simply as &lt;strong&gt;1 minus the SLO&lt;/strong&gt; (&lt;a href=&quot;https://sre.google/workbook/implementing-slos/&quot;&gt;Google SRE Workbook&lt;/a&gt;). A 99.9% availability SLO leaves a 0.1% error budget - the total time the service is allowed to be noncompliant before it breaches. Tighten the target to a rolling 30-day 99.99% and the budget collapses to just over &lt;strong&gt;4 minutes of downtime per month&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;That single number reframes the whole organisational dynamic. As long as budget remains, the team ships aggressively; reliability work is not blocking feature work. When the budget is exhausted, releases freeze and the team&apos;s priority shifts to reliability until the budget recovers. Nobody has to win an argument about whether a risky deploy is &quot;worth it&quot; - the budget answers it. Traditional DevOps tends to manage uptime reactively and case by case; the error budget makes it a pre-agreed, self-enforcing policy. For an engineering director, this is the cleanest way to give product and reliability a shared currency they both understand, instead of relitigating the trade-off every sprint.&lt;/p&gt;

&lt;h2&gt;Why AI raises the stakes on all four&lt;/h2&gt;

&lt;p&gt;The reason this comparison is more urgent in 2026 than it was when the article was first written is AI-assisted development. The 2025 DORA report, based on nearly 5,000 respondents, found that &lt;strong&gt;90% of professionals now use AI at work&lt;/strong&gt; and over 80% report productivity gains - but it also found AI is &quot;the great amplifier&quot;: it magnifies whatever discipline a team already has, good or bad (&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Google Cloud / DORA, 2025&lt;/a&gt;). Crucially, AI still shows a &lt;strong&gt;negative relationship with delivery stability&lt;/strong&gt;; the 2024 data measured a 7.2% drop in stability and a 1.5% drop in throughput tied to AI adoption, and nearly &lt;strong&gt;40% of engineers report little or no trust in AI-generated code&lt;/strong&gt; (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;InfoQ&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;The implication is direct: when generated code increases change volume and decreases stability, the SRE guardrails - SLOs, error budgets, an independent reliability function - become the counterweight that keeps acceleration from turning into outages. AI makes the reliability discipline of SRE more valuable, not obsolete. The 2025 report adds a second structural signal: 90% of organisations have adopted at least one internal platform, and Gartner expects 80% of large engineering organisations to run platform teams by 2026, up from 45% in 2022. &lt;strong&gt;Platform engineering is becoming the connective tissue&lt;/strong&gt; between the DevOps culture and the SRE discipline - the place where SLOs, paved-road CI/CD, and error-budget policy are encoded once and inherited by every team, which is also what high-quality internal platforms correlate with when it comes to extracting value from AI.&lt;/p&gt;

&lt;h2&gt;So which do you need?&lt;/h2&gt;

&lt;p&gt;Treat it as a layering decision, not a choice. Adopt DevOps as the operating culture - the collaboration, the flow, the DORA scorecard. Adopt SRE where the cost of unreliability is high enough to justify the rigour: a distinct reliability function, explicit SLIs and SLOs, an honest SLA-vs-SLO distinction, and error budgets that automatically arbitrate velocity against stability. At meaningful scale, and especially under regulation or AI-accelerated change, you are not picking one. You are running DevOps as the philosophy and SRE as the enforcement layer - increasingly delivered through a shared internal platform. The teams that get burned are the ones that adopt the DevOps vocabulary and skip the SRE specifics, then wonder why &quot;we value reliability&quot; did not survive the next release crunch.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-assisted Software Development&lt;/a&gt; - Google Cloud / DORA, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report Shows Pros and Cons of AI&lt;/a&gt; - InfoQ (Matt Saunders), 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://sre.google/sre-book/service-level-objectives/&quot;&gt;Site Reliability Engineering, Chapter 4: Service Level Objectives&lt;/a&gt; - Google / O&apos;Reilly (Jones, Wilkes, Murphy &amp; Smith), 2017&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://sre.google/workbook/implementing-slos/&quot;&gt;Service Level Objectives &amp; Error Budgets (Google SRE Workbook)&lt;/a&gt; - Google SRE, 2018&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/devops-vs-sre-4-key-differences/&quot;&gt;DevOps vs SRE: 4 Key Differences That Actually Matter at Scale&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Private Cloud vs. Public Cloud: A Workload-by-Workload Decision Framework</title><link>https://es.nl/2023/private-cloud-vs-public-cloud-which-is-right-for-your-business/</link><guid isPermaLink="true">https://es.nl/2023/private-cloud-vs-public-cloud-which-is-right-for-your-business/</guid><description>Private cloud vs public cloud is not a binary choice. A senior framework for placing workloads across a hybrid estate by cost, compliance and data gravity.</description><pubDate>Fri, 04 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you are still framing this as a one-time, organization-wide choice between private and public cloud, you are answering the wrong question. The teams shipping reliably at scale stopped picking a single deployment model years ago. The real decision is per workload, made repeatedly, against cost, compliance, latency and data-gravity constraints that change as the system grows. This is a placement problem, not a procurement vote.&lt;/p&gt;
&lt;p&gt;The market data backs this up bluntly. &lt;a href=&quot;https://www.flexera.com/about-us/press-center/flexera-2024-state-of-the-cloud-managing-spending-top-challenge&quot;&gt;Flexera&apos;s 2024 State of the Cloud report&lt;/a&gt; found multi-cloud usage at 89% of organizations, and &lt;a href=&quot;https://www.ciodive.com/news/cloud-spend-growth-forecast-2025-gartner/733401/&quot;&gt;Gartner expects 90% of organizations to run hybrid cloud deployments by 2027&lt;/a&gt;. &quot;Private vs. public&quot; describes a spectrum your estate already straddles, not a fork in the road. Treat the following not as two camps to choose between, but as properties you assign workload by workload.&lt;/p&gt;
&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of cloud services connecting compute, storage and networking across a hybrid public and private cloud estate&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;
&lt;h2&gt;Public cloud is the default, and it is not free&lt;/h2&gt;
&lt;p&gt;The momentum is not subtle. Gartner forecasts &lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;worldwide public cloud end-user spending of $723.4 billion in 2025, up 21.5% from $595.7 billion in 2024&lt;/a&gt;, driven heavily by AI demand. For most greenfield workloads, public cloud is the correct default: elastic capacity, managed services, and a global footprint you would spend years and a hardware budget reproducing. That part of the original &quot;public cloud is cheaper and more scalable&quot; story holds.&lt;/p&gt;
&lt;p&gt;What does not hold is the assumption that cost-effectiveness is automatic. It is the single biggest operational pain point in the industry. &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;Flexera&apos;s 2025 report found 84% of organizations say managing cloud spend is their top challenge&lt;/a&gt;, with budgets overshooting by roughly 17% and about 27% of cloud spend wasted. Public cloud is cost-effective only with active governance. Absent rightsizing, commitment management, and architecture that respects egress and storage-tier pricing, the meter runs against you. The honest framing for a VP: public cloud trades capital expenditure and provisioning lead time for an ongoing operating discipline you have to staff.&lt;/p&gt;
&lt;p&gt;That discipline now has a name and an org chart. The same Flexera data shows &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;FinOps team adoption rising about eight percentage points year over year&lt;/a&gt;. Cloud cost optimization has shifted from a one-time procurement comparison into a permanent operating capability. If your plan is &quot;move to public cloud to save money&quot; and there is no FinOps function attached, you have a budget overrun scheduled, not a saving.&lt;/p&gt;
&lt;h2&gt;Private cloud and on-prem earn specific workloads, not the whole estate&lt;/h2&gt;
&lt;p&gt;Private infrastructure still wins clear, defensible cases: dedicated tenancy for regulated or sensitive data, predictable high-utilization workloads where reserved hardware beats metered compute, latency-critical paths, and systems with strong data-gravity where moving the data costs more than moving the compute to it. Those are real and worth defending. The mistake the original article made was implying these properties recommend private cloud as a posture. They recommend it for the workloads that actually have those constraints.&lt;/p&gt;
&lt;p&gt;The most useful recent signal here is repatriation, and it needs to be read carefully because it is widely overstated. Per IDC, &lt;a href=&quot;https://www.cio.com/article/2520890/the-great-repatriation-it-leaders-reset-cloud-strategies-to-optimize-value.html&quot;&gt;around 80% of organizations expect some repatriation of compute and storage within 12 months, yet fewer than 10% have moved entire workloads back&lt;/a&gt;. This is selective rebalancing, not a public cloud exodus. Teams are pulling specific workloads back for cost, performance, or compliance reasons while the bulk of their estate stays public. That is exactly the workload-by-workload model in action, and it is the strongest available evidence against any &quot;pick one and standardize&quot; mandate.&lt;/p&gt;
&lt;h2&gt;A decision framework you can defend in a review&lt;/h2&gt;
&lt;p&gt;Replace the security-vs-cost binary with an explicit placement test applied to each workload. For any given service, score it against:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Data classification and regulatory surface.&lt;/strong&gt; Does this workload touch data with residency, sovereignty, or audit requirements that dedicated tenancy materially simplifies? If yes, private or a sovereign region is on the table. If no, this is not a reason to leave public cloud.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Demand shape.&lt;/strong&gt; Spiky, unpredictable, or seasonal load favors public cloud elasticity. Flat, high, sustained utilization is where owned or reserved capacity starts to win on unit economics.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data gravity and egress.&lt;/strong&gt; Where does the data live, how large is it, and what does it cost to move? Egress fees and data volume often decide placement more than compute price does.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Latency and locality.&lt;/strong&gt; Hard real-time or edge-adjacent paths may justify on-prem or specific regions regardless of the broader strategy.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operational cost-to-serve, fully loaded.&lt;/strong&gt; Compare public cloud run cost plus FinOps overhead against private cloud hardware, refresh cycles, and the engineering headcount to run it. Count the people, not just the invoices.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Run that test and most estates land in the same place the data predicts: a hybrid, multi-cloud spread where the majority of new work goes to public cloud and a deliberate minority of workloads sits on private or on-prem for concrete reasons you can name in a sentence each.&lt;/p&gt;
&lt;h2&gt;Governance, portability, and the lock-in tax&lt;/h2&gt;
&lt;p&gt;One factor the original ignored and a senior reviewer will not: the public side of your estate is concentrated, and that concentration has a cost. For significant workloads, &lt;a href=&quot;https://www.flexera.com/about-us/press-center/flexera-2024-state-of-the-cloud-managing-spending-top-challenge&quot;&gt;AWS leads at 49%, followed by Azure at 45% and Google Cloud at 21%&lt;/a&gt;. Spreading across providers buys leverage and resilience but makes spend governance and skills harder, not easier. Lock-in is a tax you pay later, in migration cost and pricing power surrendered at renewal.&lt;/p&gt;
&lt;p&gt;The mitigation is architectural, decided up front: containerized, infrastructure-as-code-defined workloads with managed-service dependencies isolated behind interfaces you control. That does not eliminate lock-in, but it converts a rewrite into a redeploy and keeps the workload-by-workload model viable as constraints shift. Portability is what lets a repatriation decision or a provider switch be a quarter of work instead of a year of it.&lt;/p&gt;
&lt;h2&gt;The brief to take upstairs&lt;/h2&gt;
&lt;p&gt;The question is not &quot;private or public.&quot; It is &quot;for this workload, where does the evidence put it, and how will we govern it once it is there.&quot; Public cloud is the fast-growing default and the right starting point for most new work, but its economics demand a standing FinOps discipline. Private and on-prem earn the specific workloads with real compliance, data-gravity, or steady-state-utilization arguments, which is why selective repatriation is rising while wholesale exodus is not. Build a hybrid estate on purpose, keep workloads portable, and make placement a repeatable decision rather than a one-time bet.&lt;/p&gt;
&lt;p&gt;At &lt;a href=&quot;/about-us/&quot;&gt;Expeditious Software&lt;/a&gt; we help engineering teams build that placement model, instrument cost governance, and keep workloads portable across a hybrid estate. For our cloud and DevOps engineering work, see &lt;a href=&quot;/devops&quot;&gt;Freelance DevOps Services&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/flexera-2024-state-of-the-cloud-managing-spending-top-challenge&quot;&gt;Flexera 2024 State of the Cloud: Managing Spending is the Top Challenge of Cloud Computing&lt;/a&gt; - Flexera&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2024-11-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-total-723-billion-dollars-in-2025&quot;&gt;Gartner Forecasts Worldwide Public Cloud End-User Spending to Total $723 Billion in 2025&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.ciodive.com/news/cloud-spend-growth-forecast-2025-gartner/733401/&quot;&gt;Global cloud spend to surpass $700B in 2025 as hybrid adoption spreads (Gartner expects 90% of organizations to have hybrid cloud deployments by 2027)&lt;/a&gt; - CIO Dive&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.cio.com/article/2520890/the-great-repatriation-it-leaders-reset-cloud-strategies-to-optimize-value.html&quot;&gt;The great repatriation? IT leaders reset cloud strategies to optimize value&lt;/a&gt; - CIO (Foundry / IDG), citing IDC&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;New Flexera Report Finds that 84% of Organizations Struggle to Manage Cloud Spend (2025 State of the Cloud Report)&lt;/a&gt; - Flexera&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/private-cloud-vs-public-cloud-which-is-right-for-your-business/&quot;&gt;Private Cloud vs. Public Cloud: A Workload-by-Workload Decision Framework&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>5 Factors To Look For When Choosing A DevOps Service Provider</title><link>https://es.nl/2023/5-factors-to-look-for-when-choosing-a-devops-service-provider/</link><guid isPermaLink="true">https://es.nl/2023/5-factors-to-look-for-when-choosing-a-devops-service-provider/</guid><description>A senior, evidence-based checklist for evaluating a DevOps service provider: delivery discipline, platform engineering, integration, DevSecOps and managed operations.</description><pubDate>Tue, 01 Aug 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Choosing a DevOps service provider is no longer a procurement exercise about who has the longest tool list. The managed-services market is large and compounding fast: Market.us puts it at roughly USD 4.5 billion in 2024, heading toward about USD 54.8 billion by 2034 at a &lt;a href=&quot;https://market.us/report/devops-managed-services-market/&quot;&gt;~28.4% CAGR, with managed security services the single largest segment (~32.8%)&lt;/a&gt;. That growth means most providers will tell you they do everything. The job of an engineering director is to separate teams that can demonstrably move your delivery metrics from teams that will hand you more dashboards. The five factors below are reordered and rewritten around what actually predicts outcomes at scale and under regulatory load.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing the continuous loop of plan, code, build, test, release, deploy, operate and monitor stages&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Delivery discipline, not tool inventory&lt;/h2&gt;
&lt;p&gt;The most useful filter is whether a provider can articulate how they protect throughput and stability while shipping faster. This matters more now because the obvious lever, AI tooling, cuts both ways. DORA&apos;s &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 Accelerate State of DevOps Report&lt;/a&gt; found that AI adoption raises individual productivity and code quality, yet is correlated with worse delivery outcomes: an estimated &lt;strong&gt;1.5% decline in delivery throughput and a 7.2% decline in delivery stability for every 25% increase in AI adoption&lt;/strong&gt;. Around 76% of developers now use AI in daily work, so this is not a fringe risk. The implication is direct: a provider&apos;s competence shows up in delivery discipline, small batch sizes, trunk-based workflows, robust automated testing and fast rollback, not in how many AI assistants they have wired in.&lt;/p&gt;
&lt;p&gt;Ask candidates to walk you through a real change moving from commit to production: what the batch size looks like, where the quality gates sit, how they measure lead time and change-failure rate, and what their rollback path is when a deploy goes wrong. A provider who answers in DORA metrics and concrete pipeline mechanics is operating at the level you need. One who answers with logos has not done the work.&lt;/p&gt;

&lt;h2&gt;2. Platform engineering and self-service scalability&lt;/h2&gt;
&lt;p&gt;&quot;Scalable, custom solutions&quot; is the vaguest claim in any DevOps pitch, so anchor it to where the industry is actually heading. Gartner predicts that &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;by 2026, 80% of large software engineering organizations will run platform engineering teams&lt;/a&gt; as internal providers of reusable services, components and tools, up from 45% in 2022, and that by 2027, 80% of large organizations will use platform engineering to scale DevOps in hybrid cloud, up from under 30% in 2023. The dominant model is no longer one-off automation scripts; it is an internal developer platform that gives teams paved, self-service paths.&lt;/p&gt;
&lt;p&gt;There is a critical nuance here that separates good providers from harmful ones. DORA 2024 found that internal developer platforms improve productivity and organizational performance, &lt;strong&gt;but can reduce change stability and throughput when they remove developer independence&lt;/strong&gt;. So &quot;scalability&quot; should be judged on whether a provider builds golden paths that teams can still step off when they need to, not a centralized bottleneck that every change must queue behind. A capable partner builds for autonomy with guardrails. A weaker one builds a platform that quietly becomes the new constraint.&lt;/p&gt;

&lt;h2&gt;3. Integration that consolidates rather than accumulates&lt;/h2&gt;
&lt;p&gt;Integration with your existing systems is table stakes, but the harder, more revealing question is whether a provider reduces complexity or adds to it. This is most visible in the security stack. Black Duck&apos;s &lt;a href=&quot;https://www.blackduck.com/blog/black-duck-devsecops-report.html&quot;&gt;2024 Global State of DevSecOps Report&lt;/a&gt;, drawn from over 1,000 respondents, found that &lt;strong&gt;82% of organizations run between 6 and 20 different security tools&lt;/strong&gt;, that 60% report 21 to 60% of their security results are noise, and that 86% say security testing slows development to some degree. Tool sprawl is not a hypothetical; it is the default end state.&lt;/p&gt;
&lt;p&gt;A provider worth hiring integrates into your CI/CD pipeline in a way that consolidates signal, deduplicates findings and tunes out false positives, rather than bolting on another scanner that floods your engineers with alerts they learn to ignore. During evaluation, ask how they would reduce your current tool count and noise ratio, not just what they would add. The right answer involves rationalizing the stack and wiring results back into developer workflow; the wrong answer is a longer shopping list.&lt;/p&gt;

&lt;h2&gt;4. Security built into the pipeline, including AI and supply chain&lt;/h2&gt;
&lt;p&gt;Security has moved from a late-stage gate to a pipeline property, and the threat surface has shifted under everyone&apos;s feet. The headline risk from the same Black Duck research: over &lt;strong&gt;90% of organizations now use AI tools in development, but only 24% are highly confident in their ability to test AI-generated code&lt;/strong&gt;. That gap is a concrete, current reason the security factor can no longer mean &quot;they run a SAST scan.&quot; A serious provider treats AI-generated and third-party code as a first-class supply-chain risk, with software composition analysis, provenance and dependency controls, secrets scanning, and continuous monitoring of what is actually running in production.&lt;/p&gt;
&lt;p&gt;For regulated teams this is also where audit and traceability live. Evaluate whether security controls are enforced as code in the pipeline, whether evidence is generated automatically for audits, and whether the provider can show continuous detection and remediation rather than point-in-time assessments. The market data reinforces the priority: managed security services are the largest sub-segment of the DevOps managed-services market precisely because this is where most teams need outside depth.&lt;/p&gt;

&lt;h2&gt;5. Managed operations and knowledge transfer that outlive the engagement&lt;/h2&gt;
&lt;p&gt;Implementation is the easy part; what you are really buying is sustained operational capability. The fast growth of managed DevOps services exists because continuous operations, on-call, incident response, patching, platform maintenance, are genuine specialist work that most internal teams cannot staff deeply enough on their own. But continuous support has a failure mode: lock-in. The strongest providers run your operations &lt;em&gt;and&lt;/em&gt; transfer knowledge, so your own engineers gain capability rather than dependency.&lt;/p&gt;
&lt;p&gt;Probe the exit, not just the onboarding. Who owns the platform configuration and infrastructure-as-code if you part ways? How is institutional knowledge documented and handed back? What does training for your teams actually look like? A provider confident in their value will happily make themselves replaceable; one that resists knowledge transfer is protecting renewal revenue, not your delivery capability.&lt;/p&gt;

&lt;h2&gt;How to run the evaluation&lt;/h2&gt;
&lt;p&gt;Put these five factors to candidates as questions with verifiable answers: show me your DORA metrics on a comparable engagement; walk me through a golden path that preserves team autonomy; tell me how you would cut my security tool count and noise; show me how you secure AI-generated and third-party code in the pipeline; and explain how you hand the platform back. The fluff falls away quickly under that line of questioning. For a deeper view of how these practices fit together across the lifecycle, our &lt;a href=&quot;/devops/&quot;&gt;DevOps and Cloud engineering&lt;/a&gt; work covers the underlying delivery model, and &lt;a href=&quot;/news/&quot;&gt;Software Development News&lt;/a&gt; tracks how the standards above keep shifting. The right partner will not just survive this scrutiny; they will expect it.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Unlock Infrastructure Efficiency with Platform Engineering (Strategic Predictions)&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.blackduck.com/blog/black-duck-devsecops-report.html&quot;&gt;2024 Global State of DevSecOps Report&lt;/a&gt; - Black Duck&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://market.us/report/devops-managed-services-market/&quot;&gt;DevOps Managed Services Market Size, Share | CAGR of 28.4%&lt;/a&gt; - Market.us&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/5-factors-to-look-for-when-choosing-a-devops-service-provider/&quot;&gt;5 Factors To Look For When Choosing A DevOps Service Provider&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>6 Benefits of DevOps Automation for Your Business (And the Discipline Behind Them)</title><link>https://es.nl/2023/6-benefits-of-implementing-devops-automation-for-your-business/</link><guid isPermaLink="true">https://es.nl/2023/6-benefits-of-implementing-devops-automation-for-your-business/</guid><description>Six DevOps automation benefits backed by DORA data: speed and stability together, small batches, platform engineering, and the foundation AI needs.</description><pubDate>Fri, 28 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most arguments for DevOps automation read like a vendor brochure: faster, better, cheaper, pick all three. If you run delivery at scale or under a regulator, you have learned to distrust that framing. The useful question is not whether automation helps but &lt;strong&gt;which mechanism produces the benefit, and what it costs you when the discipline underneath it is missing&lt;/strong&gt;. This piece keeps the six classic benefits but grounds each one in what a decade of &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;DORA research&lt;/a&gt; and current industry data actually show. The headline you should take away first: speed and stability are not a trade-off, and automation is the prerequisite for getting value from AI rather than a competing initiative.&lt;/p&gt;
&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing the automated loop of plan, build, continuous integration, test, deploy, operate and monitor feeding back into planning&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;
&lt;h2&gt;1. Increased efficiency, because manual steps force large batches&lt;/h2&gt;
&lt;p&gt;The efficiency win is real, but the causal chain matters. Automating test, build and deploy does not just save the wall-clock time of running those steps by hand. The deeper effect is on &lt;strong&gt;batch size&lt;/strong&gt;. When a release requires manual gates, teams naturally batch more change into each release to amortise the human cost, and bigger changesets are riskier and slower to diagnose. The 2024 &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report&lt;/a&gt;, drawn from over 39,000 professionals, is explicit that manual steps in the pipeline drive larger batch sizes, which increase risk. Automating the path to production is what lets you keep batches small. This is also where the &lt;a href=&quot;/2022/how-to-enable-continuous-integration-using-jenkins/&quot;&gt;continuous integration&lt;/a&gt; investment earns its keep: not as a buzzword, but as the thing that makes a one-line change cheap enough to ship on its own.&lt;/p&gt;
&lt;h2&gt;2. Faster time-to-market without paying for it in incidents&lt;/h2&gt;
&lt;p&gt;The most durable finding in the DORA dataset, and the one worth repeating to a skeptical VP, is that &lt;strong&gt;throughput and stability are not in tension&lt;/strong&gt;. A decade of data shows teams that automate their deployment pipeline deploy more often &lt;em&gt;and&lt;/em&gt; fail less often &lt;em&gt;and&lt;/em&gt; recover faster. The mechanism is the same small-batch dynamic from the previous section: frequent, small, automated releases are easier to verify, easier to roll back, and easier to reason about when something breaks. Speed and safety come from the same place.&lt;/p&gt;
&lt;p&gt;This is the claim that separates a mature DevOps practice from a fast-and-fragile one. If your &quot;faster time-to-market&quot; arrives with a rising change failure rate, you have bought speed by skipping the automated verification that makes it safe, and DORA&apos;s evidence says that is a choice, not a law of physics.&lt;/p&gt;
&lt;h2&gt;3. Improved reliability through reproducible, observable releases&lt;/h2&gt;
&lt;p&gt;Reliability follows directly once deployment is automated and deterministic. A pipeline that builds, tests and deploys the same way every time removes the entire class of incidents caused by manual, environment-specific drift. Pair that with automated monitoring and alerting and you shorten time to restore, one of the four core DORA metrics (alongside lead time for changes, deployment frequency and change failure rate) that remain the standard for measuring delivery performance. If you are not yet instrumenting these four, our note on &lt;a href=&quot;/2023/how-to-measure-devops-success-4-key-metrics-to-know/&quot;&gt;measuring DevOps success&lt;/a&gt; is the place to start, because you cannot defend a reliability claim you are not measuring.&lt;/p&gt;
&lt;h2&gt;4. Scalability comes from platform engineering, not just more servers&lt;/h2&gt;
&lt;p&gt;Scaling is where the conversation has genuinely moved since the original version of this article. Infrastructure as code, containers and orchestration still do the obvious work of letting you provision and scale on demand. But the structural shift is the rise of the &lt;strong&gt;internal developer platform&lt;/strong&gt;. The 2025 &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;DORA Report&lt;/a&gt; found that 90% of organisations have adopted at least one internal platform, and platform quality correlates directly with organisational outcomes.&lt;/p&gt;
&lt;p&gt;For a high-scale or regulated team, this is the realistic path to scaling delivery without scaling headcount linearly: golden paths, paved pipelines and self-service environments that bake your compliance and security controls into the platform rather than relying on every team to re-implement them. One honest caveat from the 2024 data: platform adoption can &lt;strong&gt;temporarily reduce change stability&lt;/strong&gt; as teams gain independence, so treat a platform as a product with its own guardrails, not a finished deliverable.&lt;/p&gt;
&lt;h2&gt;5. Improved collaboration as a property of shared tooling&lt;/h2&gt;
&lt;p&gt;Collaboration is the benefit most prone to fluff, so be concrete about what produces it. Teams do not collaborate better because someone declared a culture change; they collaborate better when they share the same pipeline, the same definition of done encoded as automated checks, and the same observable view of production. The platform is the collaboration surface. When the path to production is a paved road that development, operations and security all use, the silos the original DevOps movement set out to break down stop reforming around handoffs. If you are weighing how to structure these teams, our piece on &lt;a href=&quot;/2023/what-you-need-to-know-about-devops/&quot;&gt;what DevOps actually involves&lt;/a&gt; covers the operating-model side.&lt;/p&gt;
&lt;h2&gt;6. A foundation that lets you actually benefit from AI&lt;/h2&gt;
&lt;p&gt;This is the benefit that did not exist when this article was first written, and it reframes everything above. The 2025 DORA Report, surveying roughly 5,000 professionals, found that 90% now use AI for software development, up around 14 points year over year, and over 80% report productivity gains. But the central, hard-won finding is the one to internalise: &lt;strong&gt;AI amplifies the team it lands on rather than fixing it&lt;/strong&gt;. Its benefits materialise only when automated testing, version control, fast feedback loops and CI/CD are already in place.&lt;/p&gt;
&lt;p&gt;The two reports together tell a cautionary story worth quoting to anyone treating AI as a shortcut. In the 2024 data, a 25% rise in AI adoption tracked with a 1.5% drop in throughput and a &lt;strong&gt;7.2% drop in stability&lt;/strong&gt;, as &lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;analysed by InfoQ&lt;/a&gt;, because AI tends to inflate changeset size and bigger changesets are riskier. By 2025 the relationship with throughput and product performance turned positive, while the pressure on stability remained. The variable that explains the difference is the same one this entire article is about: small batches and automated testing are what keep AI-accelerated speed from becoming AI-accelerated risk. Notably, 39% of 2024 respondents still expressed low or no trust in AI-generated code, which is exactly why automated verification, not optimism, has to be the gate.&lt;/p&gt;
&lt;h2&gt;What this means for your roadmap&lt;/h2&gt;
&lt;p&gt;If you are deciding where to spend the next two quarters, the data points one way. Automate the path to production first, because it is the lever that keeps batches small and makes every later benefit possible. Instrument the four DORA metrics so reliability is a measurement rather than an assertion. Then invest in platform quality, because it is now the multiplier on both developer productivity and AI value. Done in that order, DevOps automation is not a cost centre or a fashion; it is the foundation everything else, including AI, is built on. This is the work we do with clients through our &lt;a href=&quot;/devops/&quot;&gt;DevOps services&lt;/a&gt;, and for regulated teams in particular we have written separately on &lt;a href=&quot;/2026/devops-under-dora-regulated-financial-delivery/&quot;&gt;delivering under DORA&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report: State of AI-Assisted Software Development&lt;/a&gt; - Google Cloud (DORA Research Program), 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - Google Cloud (DORA Research Program), 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 Accelerate State of DevOps Report Shows Pros and Cons of AI&lt;/a&gt; - InfoQ, 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/6-benefits-of-implementing-devops-automation-for-your-business/&quot;&gt;6 Benefits of DevOps Automation for Your Business (And the Discipline Behind Them)&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>6 Software Development Life Cycle Models To Consider For Your Business</title><link>https://es.nl/2023/6-software-development-life-cycle-models-to-consider-for-your-business/</link><guid isPermaLink="true">https://es.nl/2023/6-software-development-life-cycle-models-to-consider-for-your-business/</guid><description>Six SDLC models compared for engineering leaders: where Waterfall, V-Model, Iterative, Spiral, Agile and DevOps fit, with DORA evidence on what works.</description><pubDate>Fri, 28 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Choosing a software development life cycle (SDLC) model is not a branding exercise. It is a decision about how you sequence requirements, build, verification and release - and therefore about where risk accumulates and how fast you can absorb change. Most teams inherit a model by accident, then bend it until the friction becomes visible in lead times and incident counts. This piece walks through six models worth a deliberate decision, what each is genuinely good at, and where each one fails at scale or under regulatory load. The honest caveat first: a model is scaffolding, not a guarantee. &lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;DORA&apos;s 2025 research&lt;/a&gt; across nearly 5,000 professionals lands on a blunt thesis - your tooling and process are amplifiers. They magnify the strengths and weaknesses you already have rather than manufacturing excellence. Pick the model that fits your constraints, then invest in the foundations underneath it.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of the software development life cycle showing the flow from requirements and design through build, testing, deployment and maintenance&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Waterfall&lt;/h2&gt;
&lt;p&gt;Waterfall runs the phases in strict sequence: requirements, design, implementation, verification, maintenance. Each phase completes and signs off before the next begins. Its reputation as outdated is mostly deserved for product work, but it is not dead - it remains defensible where requirements are genuinely fixed and the cost of late change is bounded by contract rather than by code. Fixed-scope government deliverables, hardware-coupled firmware, and systems where a formal specification is the contract still suit it.&lt;/p&gt;
&lt;p&gt;The failure mode is well known: requirements drift, integration surprises surface only at the verification phase, and the feedback loop from production back to design is measured in months. For anything where you learn about the problem by shipping, Waterfall converts learning into rework. Treat it as a niche tool, not a default.&lt;/p&gt;

&lt;h2&gt;2. V-Model&lt;/h2&gt;
&lt;p&gt;The V-Model is Waterfall folded into a V, pairing every design phase with a corresponding test phase: unit tests validate detailed design, integration tests validate architecture, acceptance tests validate requirements. The discipline is that you define how you will verify each level before you build it.&lt;/p&gt;
&lt;p&gt;This is the model regulated teams reach for - medical devices, avionics, automotive safety systems - because it produces traceability between a requirement and the test that proves it, which auditors require. The cost is the same rigidity as Waterfall: it assumes requirements are stable enough that the verification plan written up front still applies at the end. Where it works, it works because the regulatory regime makes that assumption true.&lt;/p&gt;

&lt;h2&gt;3. Iterative and Incremental&lt;/h2&gt;
&lt;p&gt;The iterative model builds the system in repeated cycles, each delivering a working subset and refining what came before. Incremental delivery layers functionality in slices. Together they relax Waterfall&apos;s fatal assumption - that you understand the full requirement before you start - without abandoning structure entirely.&lt;/p&gt;
&lt;p&gt;This is the pragmatic middle ground for large systems where pure Agile feels too loose for the stakeholders but Waterfall is too brittle for the unknowns. You get early integration, which surfaces architectural problems while they are still cheap to fix, and you get a partial system in front of users sooner. The discipline required is real: each iteration needs a definition of done and a regression safety net, or the increments quietly accumulate defects that the next cycle inherits.&lt;/p&gt;

&lt;h2&gt;4. Spiral&lt;/h2&gt;
&lt;p&gt;The Spiral model is risk-driven. Each loop through the spiral does four things: identify objectives, evaluate alternatives and risks, develop and verify, then plan the next iteration. The defining move is that you confront the highest risks first - through prototyping, analysis or proof-of-concept - before committing significant build effort.&lt;/p&gt;
&lt;p&gt;Spiral earns its keep on large, expensive, high-uncertainty programs where a wrong architectural bet is ruinously costly: novel platforms, systems with severe performance or safety constraints, or anything where the technical feasibility itself is in question. The overhead of formal risk assessment at every loop makes it heavy for routine product work. Use it when the dominant question is &quot;will this even work&quot; rather than &quot;what should we build next.&quot;&lt;/p&gt;

&lt;h2&gt;5. Agile and Scrum&lt;/h2&gt;
&lt;p&gt;Agile reorganises delivery around short iterations, continuous stakeholder feedback and working software over comprehensive documentation. Scrum operationalises it with fixed sprints, defined roles and a backlog. For products where requirements emerge from contact with users, this is the default for good reason - it shortens the loop between a decision and the evidence that it was right or wrong.&lt;/p&gt;
&lt;p&gt;The skeptical caveat for senior readers: Agile is frequently adopted as ceremony without the engineering practices that make it safe. Sprints without automated testing, trunk discipline and a real definition of done produce fast delivery of accumulating debt. DORA&apos;s data is pointed here - in 2024 only about 19% of teams reached elite delivery performance, which tells you that the practices, not the framework name, are the scarce ingredient. Agile also strains when organizational priorities are unstable; DORA&apos;s &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 report&lt;/a&gt; found that shifting priorities measurably cut productivity and increased burnout, and no sprint cadence fixes a leadership problem.&lt;/p&gt;

&lt;h2&gt;6. DevOps and Continuous Delivery&lt;/h2&gt;
&lt;p&gt;DevOps extends Agile past the deploy boundary, treating build, release, operations and feedback as one continuous loop automated through CI/CD pipelines. This is where the benefits leaders actually want live - shorter lead times, more frequent and more reliable releases, faster recovery. The four &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;DORA metrics&lt;/a&gt; (deployment frequency, lead time for changes, change failure rate, mean time to recovery) are the standard way to confirm those benefits are real rather than asserted, and you should instrument them before claiming the model is working.&lt;/p&gt;
&lt;p&gt;The 2024-to-2026 evolution of this model is platform engineering. Rather than every team assembling its own pipeline, an internal developer platform provides self-service &quot;golden paths&quot; - standardized, automated workflows that lower cognitive load and let developers ship without reinventing delivery plumbing. &lt;a href=&quot;https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/&quot;&gt;Gartner predicts&lt;/a&gt; that by 2026, 80% of large engineering organizations will run platform engineering teams, up from 45% in 2022, and DORA 2025 found roughly 90% of organizations already operate an internal developer platform. The &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;quality of that platform&lt;/a&gt; is what matters: high-quality platforms amplify automation benefits, low-quality ones deliver close to nothing.&lt;/p&gt;

&lt;h2&gt;Which model, and the part the model cannot fix&lt;/h2&gt;
&lt;p&gt;The selection logic is straightforward. Fixed scope and contractual stability point to Waterfall or, under regulation, the V-Model. Large uncertain systems point to Iterative or Spiral depending on whether your dominant risk is requirements or feasibility. Evolving products point to Agile, and operational maturity points to DevOps with a platform underneath it. Most mature organizations end up running more than one - V-Model rigor for the regulated core, DevOps velocity for the surrounding services.&lt;/p&gt;
&lt;p&gt;The harder truth is that the model is the smaller half of the outcome. DORA&apos;s 2025 finding that AI is an amplifier rather than a fix applies equally to process models: teams with clean CI/CD, real test coverage and stable priorities turn any reasonable model into an accelerator, while teams carrying technical debt and process chaos see the same model magnify the mess. That same report found roughly 90% of professionals now use AI in daily development and over 80% report meaningful productivity gains - yet about 30% still have little or no trust in AI-generated code, which is why human review and change governance stay non-negotiable. And the speed those tools deliver still correlates with higher instability, so whichever model you choose, the deliberate stability controls - testing, monitoring, change management - are what keep velocity from becoming an outage. Choose the model for your constraints; then spend most of your energy on the foundations every model depends on.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - Google Cloud (DORA / DevOps Research and Assessment)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025 (DORA Report 2025)&lt;/a&gt; - Google Cloud (DORA), with IT Revolution, GitHub, GitLab&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://about.gitlab.com/the-source/platform/driving-business-results-with-platform-engineering/&quot;&gt;Driving business results with platform engineering&lt;/a&gt; - GitLab (citing Gartner)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Unlock Infrastructure Efficiency with Platform Engineering&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/6-software-development-life-cycle-models-to-consider-for-your-business/&quot;&gt;6 Software Development Life Cycle Models To Consider For Your Business&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How Much Does Software Development Really Cost?</title><link>https://es.nl/2023/how-much-does-software-development-cost/</link><guid isPermaLink="true">https://es.nl/2023/how-much-does-software-development-cost/</guid><description>What software actually costs over its life: maintenance dominates the bill, technical debt and AI add hidden cost, and DevOps platforms are the real lever.</description><pubDate>Fri, 28 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&quot;How much does it cost to build the software?&quot; is the wrong question, or at least the smallest part of the right one. The build is the down payment. The mortgage is everything that comes after: maintenance, rework, incident response, and the slow tax of technical debt. If you are sizing a budget against the initial development quote, you are budgeting for a fraction of what you will actually spend. This piece lays out where the money really goes and which levers measurably move it, grounded in current industry data rather than vendor optimism.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp&quot; srcset=&quot;/content/uploads/2025/06/Software-Development-Life-Cycle-illustration-600w.webp 600w, /content/uploads/2025/06/Software-Development-Life-Cycle-illustration.webp 1024w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of the software development life cycle showing build, test, deploy, and maintenance phases that drive total cost of ownership&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The build is the cheap part&lt;/h2&gt;
&lt;p&gt;Estimates vary, but study after study lands on the same uncomfortable conclusion: maintenance and support, not the initial build, account for the majority of total software lifecycle cost. Commonly cited figures range from O&apos;Reilly&apos;s &quot;60/60 rule&quot; (roughly &lt;strong&gt;60 percent&lt;/strong&gt; of lifecycle expense going to maintenance) through later estimates of &lt;strong&gt;75 percent and above&lt;/strong&gt;, with no single universally accepted benchmark because complexity and operating context vary so widely (&lt;a href=&quot;https://ventionteams.com/enterprise/software-maintenance-costs&quot;&gt;Software Maintenance Costs - 2024 Benchmark Overview&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;This single fact should reframe how you read every development quote that crosses your desk. A team that ships fast but leaves behind brittle, poorly tested, undocumented code is not cheaper. It has simply moved the cost downstream, off the build line item and onto your operating budget, where it compounds. The cheapest software to build is rarely the cheapest software to own.&lt;/p&gt;

&lt;h2&gt;Poor quality is the hidden multiplier&lt;/h2&gt;
&lt;p&gt;The downstream cost is not theoretical. CISQ&apos;s 2022 analysis put the cost of poor software quality in the US at &lt;strong&gt;at least $2.41 trillion&lt;/strong&gt;, of which roughly &lt;strong&gt;$1.52 trillion was accumulated technical debt&lt;/strong&gt;, the cost of reworking suboptimal software (&lt;a href=&quot;https://www.it-cisq.org/the-cost-of-poor-quality-software-in-the-us-a-2022-report/&quot;&gt;The Cost of Poor Software Quality in the U.S.: A 2022 Report&lt;/a&gt;). The report frames the dominant cost drivers as cybersecurity failures, supply-chain weaknesses in open-source dependencies, and unaddressed technical debt, and it makes the point that matters most for budgeting: these costs are largely preventable.&lt;/p&gt;
&lt;p&gt;For regulated and high-scale teams this is not an abstraction. Every shortcut taken to hit a deadline becomes a line in next year&apos;s rework budget, and in a regulated context it can also become an audit finding or a breach. When you estimate development cost, you are implicitly choosing a quality level, and that choice sets the size of the rework bill you will pay later.&lt;/p&gt;

&lt;h2&gt;What &quot;efficient delivery&quot; actually means&lt;/h2&gt;
&lt;p&gt;&quot;Efficient&quot; is a word vendors love and rarely define. DORA has defined it, and the definition is measurable. Its four metrics, lead time for changes, deployment frequency, change-failure rate, and time to restore service, give you a vocabulary for delivery performance that maps directly to cost. The 2024 Accelerate State of DevOps report, built on responses from &lt;strong&gt;over 39,000 professionals&lt;/strong&gt;, found that only about &lt;strong&gt;19 percent of teams reach &quot;elite&quot; performance&lt;/strong&gt;: lead time under a day, on-demand deployment, a change-failure rate around 5 percent, and recovery in under an hour (&lt;a href=&quot;https://research.google/pubs/dora-accelerate-state-of-devops-2024-report/&quot;&gt;Accelerate State of DevOps 2024 Report&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Those numbers are a cost model in disguise. A team with a 30 percent change-failure rate and multi-day recovery is paying for the same feature several times over in rollbacks, hotfixes, and firefighting. Moving toward elite performance is not engineering vanity; it is the most direct way to shrink the rework-driven costs that dominate total cost of ownership. When you assess a quote, ask where the team sits on these four metrics. The answer predicts your real spend better than any hourly rate.&lt;/p&gt;

&lt;h2&gt;AI changes the math, but not the way you think&lt;/h2&gt;
&lt;p&gt;AI is now unavoidable in any cost conversation. In the 2025 DORA report, around &lt;strong&gt;90 percent of practitioners use AI in their work&lt;/strong&gt; (&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025&lt;/a&gt;). The naive conclusion is that coding got cheaper, so software got cheaper. The data says otherwise.&lt;/p&gt;
&lt;p&gt;DORA characterizes AI as an &lt;strong&gt;amplifier&lt;/strong&gt;: it improves throughput while increasing delivery instability, and its payoff depends entirely on the strength of the underlying system. The 2024 data was blunt about the tradeoff, with AI adoption correlated with a &lt;strong&gt;1.5 percent drop in throughput and a 7.2 percent drop in stability&lt;/strong&gt;, and &lt;strong&gt;39 percent of respondents reporting low or no trust in AI-generated code&lt;/strong&gt; (&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 DORA Report coverage, InfoQ&lt;/a&gt;). Nearly a third of practitioners in the 2025 report still say they do not trust AI-generated code.&lt;/p&gt;
&lt;p&gt;Translate that into budget terms. AI can cut time at the keyboard, but if it is generating code your engineers do not trust and your pipeline does not rigorously verify, the savings move straight into QA, review, rework, and maintenance, the exact categories that already dominate lifecycle cost. AI without governance does not lower your total cost; it relocates it and adds instability on top.&lt;/p&gt;

&lt;h2&gt;Platforms are the proven cost lever&lt;/h2&gt;
&lt;p&gt;If there is one finding that should shape where you put money, it is this. The 2025 DORA report finds that &lt;strong&gt;90 percent of organizations now run some form of internal developer platform&lt;/strong&gt; and &lt;strong&gt;76 percent have dedicated platform engineering teams&lt;/strong&gt;. DORA frames a strong platform as the amplifier that determines whether AI and automation investments actually deliver business value, and the 2024 data showed the largest organizational gains accruing where internal platforms are strongest.&lt;/p&gt;
&lt;p&gt;This is the substance behind the otherwise generic claim that DevOps &quot;optimizes cost.&quot; The specific mechanism is that automation, continuous testing, and a well-built internal platform are what move a team toward elite throughput and stability, and away from the rework that drives technical debt. A platform standardizes the paths to production so that quality, security, and compliance checks are enforced by default rather than bolted on per project. That is what bends the maintenance curve, and it is why the platform is the highest-leverage place to spend before you scale AI on top of it.&lt;/p&gt;

&lt;h2&gt;How to read a software development quote&lt;/h2&gt;
&lt;p&gt;Take the build estimate and assume the true ten-year cost is substantially larger, weighted heavily toward maintenance and rework. Then ask three questions that actually predict that larger number. Where does this team sit on the four DORA metrics? Is there an internal platform enforcing testing, security, and compliance by default, or is every project reinventing the path to production? And is AI usage governed by review and automated verification, or is it quietly inflating the rework bill? Cost optimization is not about finding the cheapest build. It is about minimizing the multiplier on everything that follows.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/dora-report-2025/&quot;&gt;State of AI-assisted Software Development 2025 (DORA Report)&lt;/a&gt; - DORA / Google Cloud, 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://research.google/pubs/dora-accelerate-state-of-devops-2024-report/&quot;&gt;Accelerate State of DevOps 2024 Report&lt;/a&gt; - DORA / Google Cloud, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.it-cisq.org/the-cost-of-poor-quality-software-in-the-us-a-2022-report/&quot;&gt;The Cost of Poor Software Quality in the U.S.: A 2022 Report&lt;/a&gt; - CISQ, 2022&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 DORA Report coverage&lt;/a&gt; - InfoQ, 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://ventionteams.com/enterprise/software-maintenance-costs&quot;&gt;Software Maintenance Costs - 2024 Benchmark Overview&lt;/a&gt; - Vention, 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/how-much-does-software-development-cost/&quot;&gt;How Much Does Software Development Really Cost?&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>What Is Cloud Computing? What Senior Engineers Actually Need to Know</title><link>https://es.nl/2023/what-is-cloud-computing-all-you-need-to-know/</link><guid isPermaLink="true">https://es.nl/2023/what-is-cloud-computing-all-you-need-to-know/</guid><description>A senior engineering view of cloud computing in 2026: elasticity over lift-and-shift, FinOps against 27% waste, platforms, AI as amplifier, and DevSecOps.</description><pubDate>Fri, 28 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Cloud computing is, at its most literal, renting someone else&apos;s computers over a network and paying for what you use. That definition is correct and useless. If you run engineering at a high-scale or regulated team, the question is not &quot;what is the cloud&quot; but &quot;what does moving to it actually change about how we deliver, what it costs, and what breaks.&quot; The honest answer in 2026 is that the cloud changes far less than the brochure implies and far more than the skeptics admit, and which way it lands depends almost entirely on whether you adopt its operating model or just its data centers. This piece is the brief I would give before a migration sign-off: the parts that matter, the failure modes, and the evidence.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of cloud computing services connecting compute, storage, networking and platform layers across distributed infrastructure&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;The cloud is an operating model, not a location&lt;/h2&gt;
&lt;p&gt;The single most expensive misconception is that the value is in the venue. Take a monolith off your own racks, run it on rented instances of the same shape, and you have a lift-and-shift: same architecture, same provisioning cadence, now with a metered bill. DORA&apos;s research is direct that this is where outcomes go wrong. &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;The 2024 Accelerate State of DevOps report finds that flexible cloud infrastructure directly increases performance, but adopting the cloud without that flexibility, elasticity and on-demand provisioning, can actually harm outcomes.&lt;/a&gt; The cloud&apos;s leverage is in capabilities you cannot easily build on-premise: provisioning capacity in seconds, scaling a service to zero between bursts, treating infrastructure as versioned code, and standing up a disposable copy of production for a test run. If your team still files a ticket and waits a week for a VM, you have bought the location and skipped the model. You will see the bill and none of the benefit.&lt;/p&gt;

&lt;h2&gt;Cost-effective is a claim you have to earn, not a property you buy&lt;/h2&gt;
&lt;p&gt;The original case for cloud was usually &quot;it&apos;s cheaper.&quot; On its own that is false, and the data has caught up with it. &lt;a href=&quot;https://www.flexera.com/about-us/press-center/flexera-2024-state-of-the-cloud-managing-spending-top-challenge&quot;&gt;Flexera&apos;s 2024 State of the Cloud report, surveying 753 cloud decision-makers, found that managing cloud spend is the number-one challenge for the second year running, with 84% of organizations struggling to manage it, respondents estimating that roughly 27% of public cloud spend is wasted, and 29% spending over $12 million a year.&lt;/a&gt; A quarter of the bill, gone, at organizations large enough to feel it. That waste is not a vendor problem; it is an engineering-discipline problem. Idle instances left running, over-provisioned databases sized for a peak that never recurs, storage tiers no one revisits, and environments nobody tore down. Cloud economics reward elasticity and punish set-and-forget, which is exactly the inversion of how on-premise capacity planning trained your team to think. The correction is FinOps: cost as a first-class engineering signal, right-sizing and autoscaling as defaults, and spend attributed back to the teams that incur it. The cloud is cost-effective when you continuously make it so, and a steady tax otherwise.&lt;/p&gt;

&lt;h2&gt;Scalability is real, and it is mostly a platform problem now&lt;/h2&gt;
&lt;p&gt;Elastic scale is the capability the cloud delivers most cleanly, but at organizational scale, raw IaaS primitives are not what teams consume. They consume a platform. &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Gartner predicts that by 2026, 80% of large software engineering organizations will establish platform engineering teams as internal providers of reusable services, components and tools, up from 45% in 2022.&lt;/a&gt; That shift is well underway, and DORA&apos;s evidence says it pays off rather than just adding a layer. &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;The 2025 DORA report, drawing on roughly 5,000 professionals, found that 90% of organizations have adopted at least one internal platform, and DORA&apos;s research ties these platforms to improvements in individual productivity, team performance and overall organizational performance.&lt;/a&gt; The mechanism is the &quot;golden path&quot;: a self-service way to provision, deploy and scale that bakes in the right defaults so engineers do not reinvent infrastructure per service. For a director, this reframes the scalability conversation. The question is not &quot;can the cloud scale&quot; - it can - but &quot;does my team have a paved road onto it, or is every team negotiating with raw cloud APIs and arriving at five incompatible answers.&quot; The second case scales your infrastructure and your operational sprawl in equal measure.&lt;/p&gt;

&lt;h2&gt;AI changes the throughput math, but only if your foundations are real&lt;/h2&gt;
&lt;p&gt;No 2026 brief on cloud delivery is honest without addressing AI, because the workloads, the tooling and the workflow have all absorbed it. &lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;In the 2025 DORA survey, 90% of respondents now use AI at work, and the report&apos;s central finding is that &quot;AI doesn&apos;t fix a team; it amplifies what&apos;s already there.&quot;&lt;/a&gt; AI raises throughput and product performance, but it harms delivery stability unless the fundamentals are already in place: automated testing, version control, fast feedback loops and small batch sizes. This is the same lesson as lift-and-shift, one layer up. A capability poured onto a weak delivery system does not repair the system; it accelerates whatever the system already produces, including the defects. The cloud is what makes those fundamentals affordable - ephemeral test environments, pipeline-driven deployment, infrastructure you can recreate from code - which is precisely why DORA names high-quality internal platforms as the strongest lever for unlocking AI value. The sequencing matters: get the foundations right on the cloud&apos;s operating model, then let AI amplify a system worth amplifying. Invert the order and you ship instability faster.&lt;/p&gt;

&lt;h2&gt;Security is built in, or it is theater&lt;/h2&gt;
&lt;p&gt;The old framing treated security as a gate at the end: audit before release, hope nothing slips. At cloud scale and deployment cadence, a gate that humans operate per release is a gate that gets skipped under pressure. The modern model is DevSecOps, embedded into the same platform that delivers everything else. &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Gartner&apos;s platform engineering research ties the shift to platform teams to DevSecOps becoming non-negotiable, with self-service golden paths building security in so that controls are automated and self-service reduces risk.&lt;/a&gt; In practice this means policy-as-code enforced in the pipeline, secrets and identity managed by the platform rather than per team, vulnerability scanning on every build, and an audit trail that is a byproduct of how you ship rather than a document reconstructed for the auditor. For regulated teams the payoff is direct: when controls are encoded in the golden path, compliance evidence is generated continuously instead of assembled in a fire drill. Security stops being the function that slows delivery and becomes a property of the delivery system itself.&lt;/p&gt;

&lt;h2&gt;What this means before you sign off&lt;/h2&gt;
&lt;p&gt;So, what is cloud computing, for someone accountable for the outcome? It is a bet that you will replace fixed, slow, manually-provisioned infrastructure with elastic, coded, self-service infrastructure, and that you will run your delivery and your spend differently as a result. The bet pays when you adopt the model:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Use elasticity, not just the venue.&lt;/strong&gt; If you are not scaling on demand and provisioning from code, DORA&apos;s evidence says you are likely to harm outcomes, not help them.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Treat cost as an engineering signal.&lt;/strong&gt; With roughly 27% of public cloud spend wasted across the industry, right-sizing, autoscaling and team-level cost attribution are not optimizations; they are the difference between cost-effective and a recurring tax.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Build the paved road.&lt;/strong&gt; An internal platform with a golden path is how scalability, security and AI value actually reach your teams, and it is where 80% of large orgs are heading by 2026.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sequence AI after the fundamentals.&lt;/strong&gt; AI amplifies what exists. Automated testing, small batches and fast feedback first; acceleration second.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Embed security in the platform.&lt;/strong&gt; Controls and evidence as pipeline artifacts, not a gate someone remembers to open.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The cloud is not magic and it is not a scam. It is a lever, and the length of the lever is set entirely by the discipline of the team pulling it. Buy the data centers and you get a bill. Adopt the operating model and you get the thing the bill was supposed to pay for.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/ai-machine-learning/announcing-the-2025-dora-report&quot;&gt;Announcing the 2025 DORA Report (State of AI-assisted Software Development)&lt;/a&gt;, Google Cloud / DORA, September 2025&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt;, DORA (Google Cloud), November 2024&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Platform Engineering&lt;/a&gt;, Gartner, 2023&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/flexera-2024-state-of-the-cloud-managing-spending-top-challenge&quot;&gt;Flexera 2024 State of the Cloud Report: Managing Cloud Spending is the Top Challenge&lt;/a&gt;, Flexera, March 2024&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/what-is-cloud-computing-all-you-need-to-know/&quot;&gt;What Is Cloud Computing? What Senior Engineers Actually Need to Know&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How to Hire a Healthcare Software Development Company: A Technical Buyer&apos;s Guide</title><link>https://es.nl/2023/your-guide-to-hiring-the-best-healthcare-software-development-company/</link><guid isPermaLink="true">https://es.nl/2023/your-guide-to-hiring-the-best-healthcare-software-development-company/</guid><description>A senior buyer&apos;s guide to hiring a healthcare software development partner: EHDS compliance, secure-by-design, and DORA delivery metrics over fluff.</description><pubDate>Tue, 25 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most guides to hiring a healthcare software development company read like a checklist anyone could write: &quot;look for experience,&quot; &quot;check reviews,&quot; &quot;consider scalability.&quot; If you are an engineering director or staff engineer evaluating a partner for a regulated, high-volume clinical system, that advice is worse than useless - it gives you false confidence while skipping the criteria that actually predict whether the relationship ends in a shipped product or a breach notification. This is the version I would hand to a VP before a vendor shortlist: what to measure, what to demand in writing, and where most procurement processes go wrong.&lt;/p&gt;

&lt;p&gt;The stakes are not abstract. Healthcare has been the most expensive industry for data breaches for &lt;a href=&quot;https://www.hipaajournal.com/cost-healthcare-data-breach-2024/&quot;&gt;14 consecutive years, averaging $9.77M per breach in 2024&lt;/a&gt; against an all-industry global average of $4.88M. Roughly &lt;a href=&quot;https://www.ibm.com/think/insights/cost-of-a-data-breach-healthcare-industry&quot;&gt;$2.8M of that average is lost business and post-breach response&lt;/a&gt; - the part that lands on your roadmap and your reputation, not the attacker&apos;s. So the first reframe: you are not buying features. You are buying down the probability and blast radius of a security and compliance failure. Everything below follows from that.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/engineering_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/engineering_illustration-600w.webp 600w, /content/uploads/2025/05/engineering_illustration-1120w.webp 1120w, /content/uploads/2025/05/engineering_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of an engineering team collaborating on healthcare software architecture, security and delivery practices&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Treat security as architecture, not a line item&lt;/h2&gt;

&lt;p&gt;A vendor that lists &quot;HIPAA compliant&quot; on a slide and moves on has already told you something. Ask where security lives in their design process. In healthcare the slowest, most damaging breach vectors are not exotic zero-days - they are &lt;a href=&quot;https://www.hipaajournal.com/cost-healthcare-data-breach-2024/&quot;&gt;stolen or compromised credentials (292 days average to identify and contain), phishing (261 days) and social engineering (257 days)&lt;/a&gt;. Those numbers are an indictment of identity and access controls, not firewalls.&lt;/p&gt;

&lt;p&gt;So press on specifics that bolt-on security can&apos;t fake:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Identity and access management&lt;/strong&gt; as a first-class design concern: least-privilege by default, short-lived credentials, no shared service accounts, full audit trails on who accessed which patient record and when.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secrets management&lt;/strong&gt; that is centralised and rotated automatically. If they are storing connection strings in config files or CI variables, that is a finding.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Secure-by-design practices&lt;/strong&gt; baked into the SDLC: threat modelling at design time, dependency and SAST scanning in the pipeline, and a documented process for triaging and patching CVEs - not an annual pen test that gets filed and forgotten.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A mature partner will walk you through these without flinching, because they already do them. A weak one will reassure you that they &quot;take security very seriously.&quot; Believe the artefacts, not the adjectives.&lt;/p&gt;

&lt;h2&gt;The compliance bar moved: HIPAA is no longer the ceiling&lt;/h2&gt;

&lt;p&gt;If you are a Dutch or EU buyer, scoping your vendor to HIPAA is scoping to the wrong jurisdiction and the wrong decade. The &lt;a href=&quot;https://www.skadden.com/insights/publications/2025/06/the-european-health-data-space&quot;&gt;European Health Data Space (EHDS) Regulation (EU) 2025/327 entered into force on 26 March 2025&lt;/a&gt;. It makes interoperability, security, safety and privacy &lt;strong&gt;certification mandatory for all electronic health record systems before they can be placed on the EU market&lt;/strong&gt;, with secondary-use provisions phasing in through 2029.&lt;/p&gt;

&lt;p&gt;That changes the conversation from &quot;future-proofing&quot; to concrete, dated obligations. The original generic advice to &quot;consider scalability and support&quot; should be reframed as &lt;strong&gt;regulatory-grade data governance&lt;/strong&gt;: can the vendor demonstrate harmonised EU interoperability (the EEHRxF exchange format), secure processing environments for any secondary data use, audit logging that satisfies a regulator, and the patient access and control rights EHDS strengthens? Ask whether they have actually read the regulation and mapped their architecture to it, or whether EHDS is a phrase they picked up in this meeting. The phased deadlines are public; a serious partner already has a position on them.&lt;/p&gt;

&lt;h2&gt;Benchmark delivery maturity with numbers, not anecdotes&lt;/h2&gt;

&lt;p&gt;&quot;Proven track record&quot; is unfalsifiable. Engineering maturity, by contrast, is measurable - and you should make the vendor produce the measurements. The &lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;2024 DORA Accelerate State of DevOps Report (39,000+ respondents)&lt;/a&gt; defines elite delivery performance precisely: deploy on demand, lead time for changes under a day, change-failure rate under 5%, and recovery from incidents in under an hour. Only &lt;strong&gt;19% of teams clear that bar&lt;/strong&gt;. In a domain where a failed deploy can mean a clinician can&apos;t pull up a medication list, those four metrics are a direct proxy for the operational risk you are taking on.&lt;/p&gt;

&lt;p&gt;Ask every shortlisted vendor for their DORA metrics on a comparable, regulated project. Three things to watch for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Refusal or vagueness&lt;/strong&gt; (&quot;we don&apos;t really track that&quot;) tells you they are not measuring their own reliability, which means they cannot improve it and you cannot verify it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Suspiciously perfect numbers&lt;/strong&gt; with no incident history. Mature teams have postmortems and a mean-time-to-recovery story. Ask to see how they handled a recent production incident.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Change-failure rate over recovery time.&lt;/strong&gt; In healthcare, a sub-hour recovery on a contained failure beats a low deploy frequency that hides risk in big-bang releases.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Probe how they use AI - because in 2024 it cut both ways&lt;/h2&gt;

&lt;p&gt;Every vendor now claims AI makes them faster. The DORA data complicates that claim in a way worth raising directly. A &lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;25% increase in AI adoption correlated with a 1.5% drop in delivery throughput and a 7.2% drop in delivery stability&lt;/a&gt;, even as it improved documentation (+7.5%) and code quality (+3.4%). The same report found platform engineering boosts productivity but causes a temporary performance dip before maturity.&lt;/p&gt;

&lt;p&gt;The takeaway is not &quot;avoid AI.&quot; It is that &lt;strong&gt;unmanaged AI use erodes exactly the delivery stability regulated healthcare systems depend on&lt;/strong&gt;. A strong partner pairs AI assistance with disciplined human review, strong platform engineering, and the test and pipeline guardrails that catch what a model gets confidently wrong. Ask how AI-generated code is reviewed before it touches a system that handles patient data. If the answer is &quot;the same as any other code,&quot; good - that is the right answer, and you should confirm the &quot;any other code&quot; path is itself rigorous.&lt;/p&gt;

&lt;h2&gt;What a defensible shortlist looks like&lt;/h2&gt;

&lt;p&gt;By the time you commit, you should be able to point at evidence, not impressions. Define your requirements as a clinical workflow and data-flow model, not a feature wishlist - that exposes where PHI moves and where the compliance and audit obligations actually bite. Then weight your scoring toward what the cost data says matters: security architecture and identity controls, demonstrable EHDS and interoperability readiness, DORA-grade delivery metrics on comparable work, and a sober, governed approach to AI. Portfolios and case studies are still useful, but read them for security and compliance maturity, not for visual polish.&lt;/p&gt;

&lt;p&gt;Most vendors will pass the generic checklist. Far fewer will produce their change-failure rate, walk you through their secrets rotation, or show you their EHDS mapping. That gap is the entire point of doing this properly - it is where the $9.77M downside lives, and it is the only part of the evaluation a competitor can&apos;t copy off a brochure.&lt;/p&gt;

&lt;p&gt;At Expeditious Software we build healthcare systems to this bar - secure-by-design, measured against DORA, and architected for EU regulatory requirements rather than retrofitted to them. If you want a partner who will hand you the metrics before you ask, &lt;a href=&quot;/contact/&quot;&gt;get in touch&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.hipaajournal.com/cost-healthcare-data-breach-2024/&quot;&gt;Average Cost of a Data Breach Rises to $4.88M; Falls to $9.77M in Healthcare&lt;/a&gt; - The HIPAA Journal (reporting on IBM / Ponemon Institute Cost of a Data Breach Report 2024)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.ibm.com/think/insights/cost-of-a-data-breach-healthcare-industry&quot;&gt;Cost of a data breach: The healthcare industry&lt;/a&gt; - IBM (Cost of a Data Breach Report 2024, conducted by Ponemon Institute)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.skadden.com/insights/publications/2025/06/the-european-health-data-space&quot;&gt;The European Health Data Space - What EU Health Care Providers and Data Holders Need To Know&lt;/a&gt; - Skadden, Arps, Slate, Meagher &amp;amp; Flom LLP&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report&quot;&gt;Announcing the 2024 DORA report (Accelerate State of DevOps Report 2024)&lt;/a&gt; - Google Cloud / DORA&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/your-guide-to-hiring-the-best-healthcare-software-development-company/&quot;&gt;How to Hire a Healthcare Software Development Company: A Technical Buyer&apos;s Guide&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>On-Premise vs. Cloud: The Major Differences (And Why It&apos;s Now a Per-Workload Decision)</title><link>https://es.nl/2023/on-premise-vs-cloud-the-major-differences/</link><guid isPermaLink="true">https://es.nl/2023/on-premise-vs-cloud-the-major-differences/</guid><description>On-premise vs cloud in 2026: a workload-placement decision driven by cost discipline, data control, and operating model - not a binary choice.</description><pubDate>Tue, 18 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you are still framing the infrastructure conversation as a single architectural choice - on-premise or cloud, pick one and commit - you are answering a question your peers stopped asking around 2023. The differences that the old comparison tables list (capital vs. operating cost, who controls the data, how fast you can scale, who carries the maintenance burden) are all still real. What has changed is the decision they feed into. For any serious engineering organization in 2026, this is no longer a venue selection made once at the platform level. It is a per-workload placement decision, justified individually on cost, data sensitivity, performance, and operational fit, and revisited as those variables move. This piece walks the four classic differences with that reframing, and grounds each in what the current data actually shows rather than the marketing version of it.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/05/cloud_services_illustration.webp&quot; srcset=&quot;/content/uploads/2025/05/cloud_services_illustration-600w.webp 600w, /content/uploads/2025/05/cloud_services_illustration-1120w.webp 1120w, /content/uploads/2025/05/cloud_services_illustration.webp 1536w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Illustration of cloud services connecting to on-premise infrastructure, representing hybrid workload placement across cloud and data-center environments&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;Cost: the pay-as-you-go story has not aged well&lt;/h2&gt;

&lt;p&gt;The conventional pitch is that on-premise demands heavy upfront capital while cloud&apos;s consumption model is inherently cheaper and more efficient. The first half is true. The second half is the part that has quietly become the biggest operational headache in the industry. Flexera&apos;s 2025 State of the Cloud Report, drawn from more than 750 technical professionals and executives, found that &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;84% of organizations name managing cloud spend as their top cloud challenge&lt;/a&gt;, that organizations exceed their cloud budgets by 17% on average, and that roughly 27% of cloud spend is wasted. Cloud is not reliably cheaper. It is reliably easier to overspend on, because the same elasticity that lets you scale up at 3am also lets idle resources, oversized instances, and forgotten environments accrue charges with nobody in the approval loop.&lt;/p&gt;

&lt;p&gt;The strategic correction is not &quot;go back on-premise.&quot; It is to treat cost as something you engineer and govern, not something the billing model hands you. The same report shows &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;87% of organizations now rank cost efficiency and savings as their number-one metric&lt;/a&gt;, and a majority lean on FinOps practices and managed service providers to regain control. For an engineering director, the practical implication is concrete: cloud placement is defensible only when it comes with forecasting discipline, tagging and showback, rightsizing, and someone accountable for the run-rate. On-premise still wins on unit economics for steady, predictable, high-utilization workloads - the ones where you are paying cloud premium for elasticity you never actually use. Notably, even with all this scrutiny, &lt;strong&gt;cloud spend is still projected to grow 28% year over year&lt;/strong&gt;, which tells you the answer is governance, not retreat.&lt;/p&gt;

&lt;h2&gt;Security and data control: this is where placement is least negotiable&lt;/h2&gt;

&lt;p&gt;The old comparison treats security as a wash - on-premise gives you direct control and full responsibility, cloud providers invest more in security infrastructure than you ever could. Both remain accurate, and for most workloads the major hyperscalers genuinely raise your baseline. But security is rarely the deciding variable anymore. Data control and sovereignty are. The question that actually drives placement is not &quot;is the cloud secure&quot; but &quot;where is this specific dataset legally and contractually allowed to live, who can be compelled to hand it over, and can I prove residency to an auditor.&quot; For regulated data - payment records, health data, anything under sovereignty or sector-specific residency requirements - those answers can force a workload on-premise or into a specific jurisdiction regardless of how good the provider&apos;s encryption is.&lt;/p&gt;

&lt;p&gt;This is exactly why a binary platform-wide choice fails: a single organization will legitimately run customer-facing stateless services in public cloud while keeping a regulated system of record on-premise or in a sovereign region. The differentiator at the workload level is data sensitivity and the cost of proving control, not a global verdict on whether &quot;the cloud&quot; is safe.&lt;/p&gt;


&lt;figure style=&quot;margin:28px auto;max-width:100%;&quot;&gt;
&lt;img src=&quot;/content/uploads/2026/06/ext-datacenter-racks.webp&quot; srcset=&quot;/content/uploads/2026/06/ext-datacenter-racks-600w.webp 600w, /content/uploads/2026/06/ext-datacenter-racks-1120w.webp 1120w, /content/uploads/2026/06/ext-datacenter-racks.webp 1400w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Interior of a data center showing multiple rows of tall metal server racks filled with networking and computing equipment.&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;width:100%;height:auto;&quot; /&gt;
&lt;figcaption style=&quot;font-size:13px;color:#6c757d;text-align:center;margin-top:8px;&quot;&gt;Photo: &lt;a href=&quot;https://commons.wikimedia.org/wiki/File:Datacenter_Server_Racks_(22370909788).jpg&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Carl Lender from Sunrise, USA&lt;/a&gt; / &lt;a href=&quot;https://creativecommons.org/licenses/by/2.0/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;CC BY 2.0&lt;/a&gt;, via Wikimedia Commons&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2&gt;Scalability: the value is in the operating model, not the migration&lt;/h2&gt;

&lt;p&gt;Cloud&apos;s scalability advantage is real and largely uncontested - you can add and remove capacity in minutes instead of procurement cycles. The trap is assuming that the benefit arrives the moment your workload lands in a cloud account. It does not. DORA&apos;s 2024 Accelerate State of DevOps Report is blunt about this: &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;leveraging flexible cloud infrastructure directly increases organizational performance, but simply migrating to the cloud without adopting its inherent flexibility &quot;can be more harmful than staying in a traditional data center.&quot;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;That sentence should reframe how you justify a migration. Lift-and-shift - taking a statically provisioned, vertically scaled, manually operated application and running the identical thing on rented hardware - keeps every constraint of on-premise and adds a metered bill on top. You get the cost profile of cloud with the rigidity of a data center. The scalability difference only becomes an advantage when the workload is re-architected to use it: horizontal autoscaling, infrastructure as code, decoupled state, and elastic capacity that actually contracts when demand drops. If a workload cannot or will not adopt that operating model - because it is a legacy monolith, a licensing-bound database, or a steady batch job - then &quot;cloud is more scalable&quot; is true in the abstract and irrelevant in practice for that workload. That is a strong signal to leave it on-premise.&lt;/p&gt;

&lt;h2&gt;Maintenance: the burden moves, it does not disappear&lt;/h2&gt;

&lt;p&gt;On-premise means you own the full stack: hardware, patching, capacity, the lot. Cloud shifts infrastructure maintenance to the provider, which genuinely frees teams from a class of undifferentiated work. But the framing that cloud lets you &quot;focus on core competencies&quot; oversells it. The maintenance burden changes shape rather than vanishing. You trade hardware lifecycle and physical capacity planning for managing IAM sprawl, networking, service limits, version deprecations on managed services, and - as the cost section made clear - continuous spend governance. Teams that migrate expecting maintenance to drop, then staff accordingly, tend to discover the cloud operating model needs at least as much engineering discipline as the data center did, just aimed at different problems.&lt;/p&gt;

&lt;h2&gt;The honest answer: deliberate hybrid, justified per workload&lt;/h2&gt;

&lt;p&gt;The market has already converged on this. IDC&apos;s mid-2024 research found that &lt;a href=&quot;https://www.cio.com/article/2520890/the-great-repatriation-it-leaders-reset-cloud-strategies-to-optimize-value.html&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;around 80% of organizations expected some repatriation of compute and storage within 12 months, yet fewer than 10% had moved entire workloads back on-premise&lt;/a&gt;. Read carefully, that is not a cloud exodus - it is selective correction. Foundry/CIO frames it precisely: this is a refinement of cloud strategy toward hybrid as the ideal, not a rejection of cloud. Flexera&apos;s data lands in the same place, with roughly 55% of workloads currently in public cloud and about 21% repatriated. The numbers describe an industry moving workloads back and forth at the margin to optimize value, not one declaring a winner.&lt;/p&gt;

&lt;p&gt;So the four differences still hold - but they are inputs to a placement decision, not arguments for a side. The defensible position for a high-scale or regulated team is a deliberate hybrid model where each workload&apos;s home is justified on four axes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Cost and utilization.&lt;/strong&gt; Steady, high-utilization workloads often pencil out cheaper on-premise; spiky or unpredictable demand is where cloud elasticity earns its premium - provided you have the FinOps discipline to stop the 27% waste.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data sensitivity and sovereignty.&lt;/strong&gt; Residency, regulatory, and contractual constraints can pin a workload regardless of every other factor. Decide this first, because it is the least flexible input.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Performance and architecture fit.&lt;/strong&gt; Latency-sensitive or hardware-bound workloads, and anything that cannot adopt cloud-native elasticity, gain little from migration and may regress.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operating model.&lt;/strong&gt; Per DORA, the workloads that benefit are the ones whose teams will actually use cloud flexibility. If you will not re-architect, you will not get the upside.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The teams getting this right are not the ones who &quot;went to the cloud&quot; or &quot;stayed on-prem.&quot; They are the ones who stopped treating it as one decision, built the cost governance and architectural discipline to make each placement defensible, and accepted that the right answer for a given workload can change as cost, regulation, and demand shift. The differences are still worth understanding in detail. Just stop using them to pick a winner.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;New Flexera Report Finds that 84% of Organizations Struggle to Manage Cloud Spend - 2025 State of the Cloud Report (Flexera)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://www.cio.com/article/2520890/the-great-repatriation-it-leaders-reset-cloud-strategies-to-optimize-value.html&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;The great repatriation? IT leaders reset cloud strategies to optimize value (CIO / Foundry)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://my.idc.com/getdoc.jsp?containerId=US50903124&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Assessing the Scale of Workload Repatriation: Insights from IDC&apos;s Server and Storage Workloads Surveys, 1H23 and 2H23 (IDC)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot; target=&quot;_blank&quot; rel=&quot;noopener&quot;&gt;Accelerate State of DevOps Report 2024 (DORA / Google Cloud)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/on-premise-vs-cloud-the-major-differences/&quot;&gt;On-Premise vs. Cloud: The Major Differences (And Why It&apos;s Now a Per-Workload Decision)&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>Is Hiring a DevOps Service Provider Worth It? A Pragmatic Look at the Advantages</title><link>https://es.nl/2023/is-hiring-devops-service-providers-worth-it-here-are-the-advantages/</link><guid isPermaLink="true">https://es.nl/2023/is-hiring-devops-service-providers-worth-it-here-are-the-advantages/</guid><description>A senior, evidence-based look at when hiring a DevOps service provider pays off - and when it backfires - grounded in DORA, Gartner, Flexera and GitLab data.</description><pubDate>Tue, 11 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;If you run a high-scale or regulated engineering organization, &quot;should we hire a DevOps service provider?&quot; is not really a question about tooling. You already have CI runners, a cloud account and an incident channel. The real question is whether buying outside expertise will measurably move your delivery metrics, your cloud bill and your audit posture - or whether it will just add a vendor invoice on top of the problems you already have. This article treats it as that kind of capital-allocation decision, not a sales pitch.&lt;/p&gt;

&lt;p&gt;The honest answer is &quot;it depends, and here is what it depends on.&quot; Below are the advantages that hold up under scrutiny, the conditions under which they materialize, and the failure modes a good provider is supposed to prevent.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars.webp&quot; srcset=&quot;/content/uploads/2025/06/Engineering-Productivity-pillars-600w.webp 600w, /content/uploads/2025/06/Engineering-Productivity-pillars-1120w.webp 1120w, /content/uploads/2025/06/Engineering-Productivity-pillars.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;Diagram of engineering productivity pillars - delivery throughput, stability, developer experience and platform foundations - that a DevOps service provider is meant to strengthen&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;This is now the mainstream operating model, not a niche&lt;/h2&gt;
&lt;p&gt;The first thing to understand is that delivering DevOps capability &quot;as a service&quot; - whether through an internal platform team or an external partner - has already won the architectural argument. Gartner forecasts that &lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2025-07-01-gartner-identifies-the-top-strategic-trends-in-software-engineering-for-2025-and-beyond&quot;&gt;by 2026, 80% of large software engineering organizations will run platform engineering teams that act as internal providers of reusable services, components and tools&lt;/a&gt; for application delivery, up from 45% in 2022. The unit of value is a provided, paved-road capability that application teams consume on demand.&lt;/p&gt;
&lt;p&gt;That reframes the buy-versus-build decision. You are not choosing whether to treat DevOps as a service; the industry has already done that. You are choosing who staffs and operates that service, how fast you want it stood up, and whether you have the in-house depth to run it well. A service provider is one credible answer to &quot;we need this capability in quarters, not years, and we do not want to learn every lesson the expensive way.&quot;&lt;/p&gt;

&lt;h2&gt;The advantage is expertise and governance, not tooling&lt;/h2&gt;
&lt;p&gt;The most important caveat comes from the data that is friendliest to DevOps in general. DORA&apos;s &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;2024 Accelerate State of DevOps Report&lt;/a&gt; finds that internal developer platforms improve individual productivity, team performance and organizational performance - but it explicitly warns that platforms without good governance can &lt;strong&gt;reduce&lt;/strong&gt; change stability and throughput. A platform is a force multiplier in both directions. The same report notes that AI adoption raised individual productivity and job satisfaction while it could hurt delivery stability and throughput, which makes the same point a different way: capability without discipline is not a win.&lt;/p&gt;
&lt;p&gt;This is the strongest argument for a provider, and also the strongest reason to be skeptical of a weak one. The value is not &quot;they have Terraform and a pipeline template.&quot; The value is whether they bring the governance, golden paths and operational practices that keep a platform from degrading your &lt;a href=&quot;/2023/how-to-measure-devops-success-4-key-metrics-to-know/&quot;&gt;delivery metrics&lt;/a&gt;. DORA centers software delivery performance on four measures - &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;deployment frequency, lead time for changes, change failure rate and time to restore service&lt;/a&gt; - and the gap between the strongest and weakest performers on them is large enough that closing even part of it is worth real money. A provider earns its fee by moving you toward the high end of those four metrics and proving it with numbers - not by shipping a reference architecture and leaving.&lt;/p&gt;
&lt;p&gt;Practical test for any provider: ask how they will instrument and report the four DORA metrics for your teams, what their target change-failure rate is, and what governance they put around the platform so it does not quietly regress throughput. If the answer is a tool list, keep looking. If the answer is about guardrails, paved roads and measured outcomes, you are talking to someone who has read the same research you have.&lt;/p&gt;

&lt;h2&gt;Cost-effectiveness: the cloud-waste argument is real and quantified&lt;/h2&gt;
&lt;p&gt;The cost case for a provider used to be hand-wavy. It is not anymore. Flexera&apos;s 2025 State of the Cloud report found that &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;84% of organizations name managing cloud spend as their top cloud challenge&lt;/a&gt;, respondents self-estimate that about 27% of cloud spend is wasted, and budgets already overrun by about 17%. For most organizations at scale, that waste is a larger, more recoverable number than any headcount line a provider would replace.&lt;/p&gt;
&lt;p&gt;The market response is telling: in the same report, &lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;60% of organizations turn to managed service providers&lt;/a&gt;, and a growing majority adopt FinOps practices to bring spend under control. That is the cost-effectiveness argument stated honestly: you are not paying a provider to save money in the abstract, you are paying them to recover a quantifiable slice of the roughly 27% you are currently wasting, and to put FinOps discipline and &lt;a href=&quot;/2023/understanding-the-software-development-life-cycle-sdlc/&quot;&gt;right-sizing&lt;/a&gt; into your delivery process so the waste does not creep back. Run that as a simple calculation against your own cloud bill before you sign anything. If a provider cannot point at a credible percentage of recoverable spend, the cost story does not hold and you should weigh them on delivery speed alone.&lt;/p&gt;

&lt;h2&gt;Security and CI/CD: this is where automation actually compounds&lt;/h2&gt;
&lt;p&gt;Security has quietly become the headline reason to bring in serious DevOps expertise. GitLab&apos;s 2024 Global DevSecOps Report, covering 5,315 professionals, found that &lt;a href=&quot;https://www.infoworld.com/article/2510360/gitlab-devsecops-survey-finds-progress-new-priorities.html&quot;&gt;security is now the number-one IT investment priority&lt;/a&gt; - cloud computing fell from first to fifth - and that C-level leaders name &quot;more secure applications&quot; as the top benefit of DevSecOps. Two-thirds of teams now report a mostly or fully automated software development lifecycle.&lt;/p&gt;
&lt;p&gt;The same survey exposes the gap a competent provider is supposed to close: &lt;a href=&quot;https://www.infoworld.com/article/2510360/gitlab-devsecops-survey-finds-progress-new-priorities.html&quot;&gt;67% of teams use 25% or more open-source code, but only 21% generate a software bill of materials&lt;/a&gt;. That is exactly the kind of supply-chain control that gets skipped under delivery pressure and gets you in trouble during an audit or after a CVE. Embedding security into &lt;a href=&quot;/2023/6-benefits-of-implementing-devops-automation-for-your-business/&quot;&gt;automated CI/CD&lt;/a&gt; - SBOM generation, dependency and container scanning, policy-as-code gates, signed artifacts and provenance - is the work that pays off precisely because it runs on every commit instead of once a quarter. For regulated teams, this is also where a provider with audit experience earns its keep; see our note on &lt;a href=&quot;/2025/devops-under-dora-regulated-financial-delivery/&quot;&gt;DevOps under DORA-style regulated delivery&lt;/a&gt; and the broader &lt;a href=&quot;/2023/devops-vs-devsecops-whats-the-difference/&quot;&gt;DevSecOps distinction&lt;/a&gt; for why &quot;security throughout the lifecycle&quot; is a delivery property, not a checklist.&lt;/p&gt;

&lt;h2&gt;Reliability and scale: buy the operating model, not just capacity&lt;/h2&gt;
&lt;p&gt;Reliability and scalability are the advantages most often oversold, so be precise about what you are buying. Containerization, autoscaling and infrastructure-as-code give you elastic capacity, but capacity is the easy part. The hard part is the operating model: SLOs and error budgets, blameless incident response, on-call discipline, change management that does not throttle throughput, and observability that catches regressions before customers do. That is what shows up as a low change-failure rate and a fast time-to-restore - two of the four DORA metrics - and it is mostly culture and practice, not infrastructure.&lt;/p&gt;
&lt;p&gt;A provider is worth hiring here when they transfer that operating model and the runbooks to your teams, not when they make themselves a permanent dependency in your incident path. Insist on a knowledge-transfer plan and an exit ramp. The goal is a platform your engineers can own.&lt;/p&gt;

&lt;h2&gt;So - is it worth it?&lt;/h2&gt;
&lt;p&gt;Yes, under specific conditions, and the conditions are the whole answer. It is worth it when you need elite-level delivery practice faster than you can hire and grow it internally; when a real fraction of your cloud spend is recoverable; when security and supply-chain controls have to be embedded into CI/CD rather than bolted on; and when the provider commits to measured outcomes on the four DORA metrics and to handing the platform back to your teams. It is not worth it when you are buying tooling you could template yourself, when there is no governance behind the platform, or when the engagement is structured to keep you dependent. Hold any provider to that standard - including us. If you want to pressure-test the decision, start with the &lt;a href=&quot;/2025/5-factors-to-look-for-when-choosing-a-devops-service-provider/&quot;&gt;factors that actually distinguish a strong DevOps partner&lt;/a&gt; and bring your own numbers to the conversation.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA / Google Cloud&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/newsroom/press-releases/2025-07-01-gartner-identifies-the-top-strategic-trends-in-software-engineering-for-2025-and-beyond&quot;&gt;Gartner Identifies the Top Strategic Trends in Software Engineering for 2025 and Beyond&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.flexera.com/about-us/press-center/new-flexera-report-finds-84-percent-of-organizations-struggle-to-manage-cloud-spend&quot;&gt;New Flexera Report Finds that 84% of Organizations Struggle to Manage Cloud Spend&lt;/a&gt; - Flexera&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoworld.com/article/2510360/gitlab-devsecops-survey-finds-progress-new-priorities.html&quot;&gt;GitLab devsecops survey finds progress, new priorities (2024 Global DevSecOps Report)&lt;/a&gt; - InfoWorld&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/is-hiring-devops-service-providers-worth-it-here-are-the-advantages/&quot;&gt;Is Hiring a DevOps Service Provider Worth It? A Pragmatic Look at the Advantages&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>6 Mistakes to Avoid When Implementing DevOps in Your Company</title><link>https://es.nl/2023/6-mistakes-to-avoid-while-implementing-devops-in-your-company/</link><guid isPermaLink="true">https://es.nl/2023/6-mistakes-to-avoid-while-implementing-devops-in-your-company/</guid><description>Six DevOps implementation mistakes that stall high-scale, regulated teams - and what the 2024 DORA and GitLab data say about fixing them.</description><pubDate>Tue, 04 Jul 2023 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most failed DevOps programs do not fail because the team picked the wrong CI server. They fail because a new tool gets dropped into an unchanged organization and everyone expects the chart to bend. The 2024 evidence is blunt about this. In the &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt;, which surveyed more than 39,000 professionals, a 25% increase in AI adoption was associated with a roughly 1.5% drop in software delivery throughput and a 7.2% drop in stability - because the surrounding culture, batch sizes, and review practices did not change. If you are an engineering director or staff engineer running a high-scale or regulated platform, that is the headline: the mistakes that matter are organizational, not technical. Here are the six that do the most damage, and what to do instead.&lt;/p&gt;

&lt;img src=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram.webp&quot; srcset=&quot;/content/uploads/2025/04/DevOps-lifecycle-diagram-600w.webp 600w, /content/uploads/2025/04/DevOps-lifecycle-diagram-1120w.webp 1120w, /content/uploads/2025/04/DevOps-lifecycle-diagram.webp 1600w&quot; sizes=&quot;(max-width: 600px) 100vw, 560px&quot; alt=&quot;DevOps lifecycle diagram showing the continuous loop of plan, build, integrate, deploy, operate and monitor stages&quot; class=&quot;img-fluid rounded-lg shadow-sm&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; style=&quot;display:block;max-width:100%;height:auto;margin:28px auto;&quot; /&gt;

&lt;h2&gt;1. Buying tools instead of changing how the team works&lt;/h2&gt;
&lt;p&gt;The most expensive mistake is treating DevOps as a procurement decision. A platform license is easy to approve and easy to point at in a status update; rewiring incentives, on-call ownership, and approval gates is neither. GitLab Field CTO Stephen Walters summarized the DORA findings precisely: failure happens because &lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;&quot;the tool is implemented in the same culture with the same working practices.&quot;&lt;/a&gt; If your developers still hand work to a separate ops team behind a ticket queue, a shiny pipeline just automates the handoff - it does not remove it.&lt;/p&gt;
&lt;p&gt;The fix is to make the operational consequences of a change land on the team that made it. Shared on-call, error budgets, and deployment ownership change behavior in a way no tool can. Decide the working-practice changes first, then choose tooling that enforces them.&lt;/p&gt;

&lt;h2&gt;2. Treating partial automation as if it were done&lt;/h2&gt;
&lt;p&gt;A few years ago the realistic pitfall was the absence of CI/CD. That is no longer true. In the &lt;a href=&quot;https://www.infoworld.com/article/2510360/gitlab-devsecops-survey-finds-progress-new-priorities.html&quot;&gt;GitLab 2024 Global DevSecOps Report&lt;/a&gt;, 67% of organizations said their software development lifecycle is mostly or fully automated. The modern failure mode is &lt;strong&gt;uneven&lt;/strong&gt; automation: the build is automated but provisioning is a runbook, deploys are scripted but rollbacks are manual, and the staging-to-production step still needs someone to babysit it at 2 a.m.&lt;/p&gt;
&lt;p&gt;Partial automation is dangerous because it hides risk. The pipeline looks green right up to the one manual step that fails under load or during an incident. Audit your value stream for the seams between automated and manual work, and treat every manual handoff as an outage waiting for a bad night. For regulated teams, the same applies to evidence: if change approval is automated but the audit trail is assembled by hand at quarter-end, you have automated the easy half.&lt;/p&gt;

&lt;h2&gt;3. Bolting security on at the end&lt;/h2&gt;
&lt;p&gt;Security as a late, separate gate is now both a delivery bottleneck and a competitive disadvantage. In the GitLab 2024 report, security is the top investment priority and a leading benefit organizations expect from a DevOps platform, and shifting security left was respondents&apos; top focus for the year ahead. Treating a security review as a stage that happens after the code is written guarantees that vulnerabilities are found at the most expensive possible moment - after the design is frozen and the deadline is near.&lt;/p&gt;
&lt;p&gt;Build the checks into the pipeline: dependency and container scanning on every merge request, secrets detection before code lands, policy-as-code on infrastructure changes, and signed artifacts through to production. For regulated environments this is not optional polish - it is how you make compliance continuous instead of a pre-release scramble. The goal is that &quot;secure&quot; and &quot;shippable&quot; are the same gate, not two.&lt;/p&gt;

&lt;h2&gt;4. Letting the toolchain fragment until cognitive load becomes the constraint&lt;/h2&gt;
&lt;p&gt;As an organization scales, every team picks its own CI config, its own deployment scripts, its own observability stack. Each choice is locally reasonable; the aggregate is a sprawl that no single engineer can hold in their head. The bottleneck stops being compute and becomes the cognitive load of navigating the toolchain. &lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Gartner forecasts&lt;/a&gt; that by 2026, 80% of large software engineering organizations will have platform engineering teams providing self-service internal platforms, up from 45% in 2022 - precisely because fragmented toolchains and developer overload became the dominant tax on delivery.&lt;/p&gt;
&lt;p&gt;The answer is a paved road: an internal developer platform that offers golden paths for the common cases - provisioning, deploying, observing - as self-service, while still allowing teams to step off the road when they genuinely need to. The discipline is to build the platform as a product with real users, not as a mandate. A platform nobody adopts adds an abstraction layer without removing any toil.&lt;/p&gt;

&lt;h2&gt;5. Adding abstraction layers a fast team does not need&lt;/h2&gt;
&lt;p&gt;The mirror image of fragmentation is over-engineering. The same DORA research warns that platform engineering can &lt;strong&gt;slow down teams that are already highly optimized&lt;/strong&gt; by inserting another layer between them and production. If a small, senior team ships reliably on a thin toolchain, forcing them onto a heavyweight internal platform trades their velocity for organizational consistency they did not need.&lt;/p&gt;
&lt;p&gt;Match the intervention to the maturity. A team drowning in inconsistent tooling benefits enormously from a paved road; a team already at the top of the throughput-and-stability quadrant may only need you to get out of the way. Measure before you standardize, and let the four &lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;DORA metrics&lt;/a&gt; - deployment frequency, lead time, change failure rate, and time to restore - tell you which teams are constrained and which are not.&lt;/p&gt;

&lt;h2&gt;6. Deploying AI into the pipeline without guardrails&lt;/h2&gt;
&lt;p&gt;This mistake did not exist when most DevOps playbooks were written, and it is now the fastest-growing one. In the GitLab survey, 78% of respondents are using or plan to use AI in development. But the DORA data shows the cost of doing it naively: alongside the throughput and stability drops, roughly &lt;strong&gt;39% of respondents reported low or no trust in AI-generated code.&lt;/strong&gt; Generating code faster while review, testing, and batch discipline stay the same simply pushes more volume into the same fragile downstream.&lt;/p&gt;
&lt;p&gt;If you adopt AI tooling, adopt the guardrails with it: human review on AI-authored changes, the same test and security gates applied without exception, smaller batches rather than larger ones, and explicit attention to whether faster individual output is actually improving delivery or just moving the queue downstream. The DORA report also flags that unstable organizational priorities and the resulting churn drive measurable productivity loss and burnout - so the well-being of the people reviewing all that generated code is a delivery metric, not a perk.&lt;/p&gt;

&lt;h2&gt;What actually moves the numbers&lt;/h2&gt;
&lt;p&gt;The pattern across all six is the same: tools amplify the system they are dropped into. Drop CI/CD, security scanning, an internal platform, or AI assistance into a healthy system and you get compounding gains. Drop them into siloed ownership, manual handoffs, and unstable priorities and you get the DORA result - a faster way to ship the same problems. Before you approve the next platform purchase, fix the working practices it is supposed to support. That sequencing, not the tool choice, is what separates the DevOps programs that bend the curve from the ones that just spend the budget.&lt;/p&gt;

&lt;h2&gt;Sources&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://dora.dev/research/2024/dora-report/&quot;&gt;Accelerate State of DevOps Report 2024&lt;/a&gt; - DORA (Google Cloud)&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoq.com/news/2024/11/2024-dora-report/&quot;&gt;2024 DORA Report: AI Adoption Negatively Impacts Software Delivery Performance&lt;/a&gt; - InfoQ&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gartner.com/en/infrastructure-and-it-operations-leaders/topics/platform-engineering&quot;&gt;Platform Engineering&lt;/a&gt; - Gartner&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.infoworld.com/article/2510360/gitlab-devsecops-survey-finds-progress-new-priorities.html&quot;&gt;GitLab 2024 Global DevSecOps Report&lt;/a&gt; - GitLab (via InfoWorld)&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2023/6-mistakes-to-avoid-while-implementing-devops-in-your-company/&quot;&gt;6 Mistakes to Avoid When Implementing DevOps in Your Company&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item><item><title>How to enable Continuous Integration using Jenkins</title><link>https://es.nl/2022/how-to-enable-continuous-integration-using-jenkins/</link><guid isPermaLink="true">https://es.nl/2022/how-to-enable-continuous-integration-using-jenkins/</guid><description>Expeditious Software offers Jenkins CI solutions for seamless code integration, automated builds, and rapid deployment. Learn more about our expertise.</description><pubDate>Fri, 19 Aug 2022 00:00:00 GMT</pubDate><content:encoded>&lt;h1 style=&quot;font-size: 30px;&quot;&gt;Introduction to Continuous Integration&lt;/h1&gt;
&lt;p&gt;&lt;a href=&quot;/2023/what-you-need-to-know-about-devops/&quot;&gt;Software development and IT operations&lt;/a&gt; (DevOps) practices are crucial for effective &lt;a href=&quot;/2023/understanding-the-software-development-life-cycle-sdlc/&quot;&gt;software development life cycle&lt;/a&gt; (SDLC), and high quality of the products. Continuous Integration (CI) is a software development practice, that enables a team to integrate their changes continuously, and even multiple times per day. Ideally, each integration would be built and tested automatically, to detect, and prevent integration issues. This strategy reduces the occurrence of having to solve multiple and large code conflicts at once. In this post, I&amp;#8217;ll describe how to enable Continuous Integration using Jenkins server.&lt;/p&gt;
&lt;p&gt;The rapid growth of tech companies, size, and complexity of software solutions contributed to the need for CI and CD within the software development teams. Without CI, the integration is done manually, often with multiple procedures defined in workflows, and keep Integration Engineers focused on these tasks for most of their working time. This results in a decreased efficiency of engineers, because it is always an ongoing process, and it takes incomparably longer than developing and maintaining automated CI.&lt;/p&gt;
&lt;p&gt;The proposed strategy is to use an &lt;a href=&quot;/2023/6-benefits-of-implementing-devops-automation-for-your-business/&quot;&gt;automation server&lt;/a&gt;, with pipelines that reflect workflow procedures in the source code. Automation servers are a widely used solution, because of their flexibility to adjust to multiple workflows, and they can use private, and 3rd party tools, such as Python, Bash, and Perl scripts.&lt;/p&gt;
&lt;figure&gt;&lt;img loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;/content/uploads/2022/08/Untitled-design.svg&quot; alt=&quot;Software Development Life Cycle diagram&quot; width=&quot;640&quot; height=&quot;640&quot; /&gt;&lt;/figure&gt;
&lt;p&gt;Software Development Life Cycle&lt;/p&gt;
&lt;h2 style=&quot;font-size: 30px;&quot;&gt;Benefits of Continuous Integration&lt;/h2&gt;
&lt;p&gt;By incorporating Continuous Integration practices in the SDLC, you can drastically improve your development process and reduce bugs and errors in the final release. Continuous Integration also provides the following benefits:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Improves code quality by detecting defects as early as possible in the development cycle.&lt;/li&gt;
&lt;li&gt;Increases developer productivity by automating the testing process and delivering new features faster.&lt;/li&gt;
&lt;li&gt;Maintains consistency across builds by identifying and fixing inconsistencies early in the process.&lt;/li&gt;
&lt;li&gt;Provides a clear audit trail of the entire development cycle.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 style=&quot;font-size: 30px;&quot;&gt;Setting up a CI server using Jenkins&lt;/h2&gt;
&lt;p&gt;The first step is to install Jenkins on the machine where you&amp;#8217;ll be running the build processes. There are several free and commercial options available, including Jenkins Community Edition, Jenkins Enterprise and Jenkins X (formerly known as CloudBees Jenkins). Regardless of which option you choose, you can follow the basic setup steps outlined below to install and configure your CI server. Once it is installed, you should modify the default settings to your specific requirements. You can configure the default credentials for your CI server using Jenkins Admin page. For additional details please refer to the &lt;a href=&quot;https://www.jenkins.io/doc/&quot;&gt;official documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Once you have completed the initial setup and installed a pipeline plugin, you can start creating your first project and adding test jobs to it. Create a Jenkinsfile in your Git repository, or write a declarative pipeline script in the Jenkins job configuration of your choice. You can then also create a build trigger or a cron job and schedule it to run at regular intervals. The build can then be executed automatically whenever you push changes to your repository. You can also create as many pipelines as you want and assign different projects to them so that separate teams can use the same CI server without the need for overlapping pipelines.&lt;/p&gt;
&lt;figure&gt;&lt;img data-recalc-dims=&quot;1&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; data-attachment-id=&quot;4670&quot; data-permalink=&quot;/2022/how-to-enable-continuous-integration-using-jenkins/jenkins-dashboard/&quot; data-orig-file=&quot;/content/uploads/2022/08/jenkins-dashboard.png&quot; data-orig-size=&quot;798,389&quot; data-comments-opened=&quot;1&quot; data-image-meta=&quot;{&amp;quot;aperture&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;credit&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;camera&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;caption&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;created_timestamp&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;copyright&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;focal_length&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;iso&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;shutter_speed&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;title&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;orientation&amp;quot;:&amp;quot;0&amp;quot;}&quot; data-image-title=&quot;jenkins-dashboard&quot; data-image-description=&quot;&quot; data-image-caption=&quot;&quot; data-large-file=&quot;/content/uploads/2022/08/jenkins-dashboard.png&quot; class=&quot;alignnone size-full wp-image-4670&quot; src=&quot;/content/uploads/2022/08/jenkins-dashboard.png&quot; alt=&quot;Jenkins automation server dashboard&quot; width=&quot;640&quot; height=&quot;312&quot; srcset=&quot;/content/uploads/2022/08/jenkins-dashboard.png 798w, /content/uploads/2022/08/jenkins-dashboard.png 300w, /content/uploads/2022/08/jenkins-dashboard.png 768w&quot; sizes=&quot;(max-width: 640px) 100vw, 640px&quot; /&gt;&lt;/figure&gt;
&lt;p&gt;Jenkins automation server dashboard&lt;/p&gt;
&lt;h2 style=&quot;font-size: 30px;&quot;&gt;Creating a Pipeline in Jenkins&lt;/h2&gt;
&lt;p&gt;Once your Jenkins server is installed and set up, you can create and manage automated build processes and tasks using Jenkins&amp;#8217; Pipeline feature.&lt;/p&gt;
&lt;p&gt;Each pipeline requires:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Steps, that are single tasks, for example queuing a test. They are a part of a sequence to define what should be done at this specific time. Steps can also work in a parallel,&lt;/li&gt;
&lt;li&gt;Node, that uses available executors on an agent, for example, the user can be an agent, but thebest practice is to set up an agent with permissions to execute pipeline steps because the entire workflow automation should be isolated. The node creates an isolated workspace that only lasts for the duration of a pipeline to ensure performance. It also schedules the steps that are defined in the pipeline source code, by adding them to the build queue, if an agent is free to work, it will start running the defined steps.&lt;/li&gt;
&lt;li&gt;Stages that can have multiple steps, used to compose the pipeline syntax.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Depending on the workflow and required actions, the pipeline allows to also implement:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Additional workspace that will take another executor, especially useful if there are processingheavy tasks that can work in a parallel,&lt;/li&gt;
&lt;li&gt;Define functions that can be used multiple times to make the source code more readable, use Groovy in-built functions, for example, to match regular expressions, conditionals such as “when” and “if/else”. As Java is a parent of the Groovy programming language, the “try/catch/finally” block is also available,&lt;/li&gt;
&lt;li&gt;If required, the default environmental variables can be changed for specified steps, which can be used to change the build tool,&lt;/li&gt;
&lt;li&gt;Pipelines enable engineers to implement build parameters for variables and conditionals that can change from build to build.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It is important to mention that to use automated builds and tests in the pipeline, these solutions must be developed first. Commonly used tools for the build automation are Gradle and Maven, whereas examples of testing automation tools are LambdaTest, Katalon Studio, and Kobiton. The choice depends on the tech stack and the business rules of the project.&lt;/p&gt;
&lt;figure&gt;&lt;img data-recalc-dims=&quot;1&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; data-attachment-id=&quot;5470&quot; data-permalink=&quot;/nike-reducing-operational-toil/screenshot-2023-11-05-at-17-39-34/&quot; data-orig-file=&quot;/content/uploads/2023/11/Screenshot-2023-11-05-at-17.39.34-e1699550686590.png&quot; data-orig-size=&quot;397,240&quot; data-comments-opened=&quot;1&quot; data-image-meta=&quot;{&amp;quot;aperture&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;credit&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;camera&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;caption&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;created_timestamp&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;copyright&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;focal_length&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;iso&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;shutter_speed&amp;quot;:&amp;quot;0&amp;quot;,&amp;quot;title&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;orientation&amp;quot;:&amp;quot;0&amp;quot;}&quot; data-image-title=&quot;Jenkins Pipeline Blue Ocean view&quot; data-image-description=&quot;&quot; data-image-caption=&quot;&quot; data-large-file=&quot;/content/uploads/2023/11/Screenshot-2023-11-05-at-17.39.34-e1699550686590.png&quot; class=&quot;alignnone size-large wp-image-5470&quot; src=&quot;/content/uploads/2023/11/Screenshot-2023-11-05-at-17.39.34.png&quot; alt=&quot;Jenkins Pipeline Blue Ocean view&quot; width=&quot;640&quot; height=&quot;193&quot; /&gt;&lt;/figure&gt;
&lt;p&gt;Sample workflow which can be automated using Jenkins automation server&lt;/p&gt;
&lt;h2 style=&quot;font-size: 30px;&quot;&gt;Advantages of CI over traditional QA process&lt;/h2&gt;
&lt;p&gt;Unlike traditional QA processes that focus on manual testing of individual features, continuous integration focuses on testing the entire application every time a change is made. Using this approach, developers can rapidly identify and fix any bugs they discover before deploying the code to production. By eliminating the risk of releasing broken applications, continuous integration increases team productivity and delivers high-quality software on time.&lt;/p&gt;
&lt;h2 style=&quot;font-size: 30px;&quot;&gt;Useful links&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://www.jenkins.io/&quot;&gt;Jenkins homepage&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://www.jenkins.io/doc/&quot;&gt;Jenkins documentation&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://www.atlassian.com/continuous-delivery/continuous-integration/how-to-get-to-continuous-integration&quot;&gt;Atlassian&amp;#8217;s take on Continuous Integration&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The post &lt;a href=&quot;https://es.nl/2022/how-to-enable-continuous-integration-using-jenkins/&quot;&gt;How to enable Continuous Integration using Jenkins&lt;/a&gt; appeared first on &lt;a href=&quot;https://es.nl&quot;&gt;Expeditious Software&lt;/a&gt;.&lt;/p&gt;</content:encoded></item></channel></rss>