May 17, 2023 2:00 AM

How to reduce your devops tool sprawl

After a decade of software development and operations teams embracing every ‘right tool for the job,’ it’s time to start tool consolidation efforts. Here’s where to start.

TrifonenkoIvan / Shutterstock

After spending the last decade investing in devops, many companies are experiencing a hangover of sorts: tool sprawl. While their software delivery processes have become more streamlined, more efficient, and more reliable, they also have many more tools to license, maintain, and manage.

Tool sprawl is often seen as a natural result of the flexibility and empowerment of dev teams to choose their own tools, but organizations now understand the need for a single, streamlined system. While flexibility to choose the right tool for the job has enabled teams to move quickly, the result is a complex web of systems and processes to deliver software.

There are three main reasons you should consider tool consolidation now: 

  1. A recession that has every organization re-examining budgets
  2. Heightened focus on security and the impact that sprawl has on securing software supply chains and IT systems
  3. Improved efficiency and developer experience, which is driving the recent interest in platform engineering. Consolidating toolchains directly impacts all three of these areas.

If you’re a devops expert considering a tool consolidation journey, here are three areas ripe for consolidation.

Application security tooling

A recent survey by Gartner found that organizations are making a shift towards consolidating their security vendors, with the number rising from 29% in 2020 to 75% in 2022. “Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, VP Analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”

Between static application security testing (SAST)dynamic application security testing (DAST), software composition analysis (SCA), and the multiple other types of application security solutions available today, it’s possible for organizations to have a dozen different tools in place to ensure their released software applications are free from exploitable vulnerabilities.

More point solutions, however, don’t guarantee a comprehensive approach to application security. Each tool represents an additional point of complexity in your security workflow, negatively impacting developer velocity and security risk. Ultimately, security and devops teams have to use different applications and policies to attempt to keep security consistent across their component ecosystem.

Package and artifact management and storage

Teams developing new products often have to use free or low-cost solutions. As software engineering and development teams grow, they naturally adopt additional tooling and technologies. Over time, this increases the number of places development teams store their artifacts, creating sprawl, impeding automation, hindering security, and requiring manual efforts to build and release software updates. 

It’s not uncommon for organizations to get to a point where they’re storing software artifacts in any number of the following locations:

  • Package managers such as Maven, PyPI, and NPM
  • Docker Hub or other container registries 
  • GitHub, GitLab, Bitbucket or other version control systems
  • General-purpose storage such as Amazon S3 buckets, Google Drive, and local share drives

Storing and managing artifacts in multiple locations is great for small development projects, but when teams need to speed up releases, or share components across teams (e.g., microservice architectures), or work across geographical boundaries, the ad-hoc web of storage solutions falls flat.

Consolidating onto a single system for all dependencies, build artifacts, and their metadata allows for enhanced automation and a single place to apply your application security efforts.

Systems and data monitoring

The Moogsoft State of Availability Report indicated that, on average, engineers are in charge of overseeing 16 monitoring tools—and this number could rise to 40 when service level agreements (SLAs) become more stringent. Having such a broad selection of tools can be chaotic for your teams, and the costs associated with licensing, managing, and maintaining them are high.

Generally speaking, the more visibility you have over your processes, infrastructure, and applications, the better. But too many monitoring and logging tools generate data silos, keeping you from accessing and exploring your data when you need it. Creating a single-pane-of-glass view across your entire tech stack not only allows for cross-functional insights, but also enhances the value of all those logs your various tools are generating. 

If you’ve already addressed consolidating these areas, here are a few more to consider:

  • CI and CD tooling 
  • Distribution and caching
  • Source and VCS tools

It goes without saying that you can’t consolidate everything. There will always be important features or capabilities that you must maintain in your existing toolsets. But if you’re serious about consolidation, consider the role a single platform can play in not only reducing the number of tools you leverage but connecting and integrating the solutions in your newly consolidated tech stack.

If you’re interested in exploring tips to go about tool consolidation at your organization, check out JFrog’s recent webinar on the topic. To stay up-to-date on the latest devops trends, check out JFrog’s blog.

Sean Pratt is a senior devops evangelist at JFrog, where he is responsible for helping businesses understand the many benefits of devops, tools consolidation, platform engineering, and cloud-native applications.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.