Application governance in actionDelivering value throughout the application lifecycleBusiness white paper

Table of contentsThe case for application governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

IT’s navigation system for managing the application lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Extending the definition of the application lifecycle and application lifecycle management . . . . . . . . . . 4What’s lacking in traditional definitions of ALM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5The critical role of metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6The critical role of collaboration—automating lifecycle handoffs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6An example of the value of application governance: Automating the flow of vital information between applications and operations teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

The application lifecycle—and its many stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Governing a growing range of applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Why governance now, not later? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Application governance in action: Use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Use case 1: Enabling consistency with best practices and standards . . . . . . . . . . . . . . . . . . . . . . . . . . 10Use case 2: Providing adoption of enterprise architecture requirements by all development teams . . . . . 11Use case 3: Guiding the work of outsourced development teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Use case 4: Automating the IT‑to‑operations application handoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Automating application governance with software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13HP SOA Systinet software for application governance and lifecycle management . . . . . . . . . . . . . . . . 14Enhancing the application lifecycle with quality integrated with application governance . . . . . . . . . . . . 14

HP Quality Center software and HP Unified Functional Testing software . . . . . . . . . . . . . . . . . . . . . 14HP Requirements Management software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Performance integrated with application governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14HP Performance Center software and HP LoadRunner software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Operations integrated with application governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15HP Business Availability Center for SOA software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Get started with application governance today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15For more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3

The case for application governanceIT’s navigation system for managing the application lifecycleAround the world, enterprises are embarking on modernization initiatives to support IT’s strategic objective to become a core source of business innovation . Gone are the days of large, monolithic applications . Today’s modern applications are made up of smaller, potentially reusable and accessible parts allowing for more rapid assembly . Ultimately this brings IT greater flexibility and the ability to compose application components into orchestrated business processes that can be adapted at the speed of business .

While the architectural best practices and adoption benefits of application modernization are becoming more broadly understood, many organizations are just beginning to grasp the scope and scale of challenges that emerge from modernizing applications . As an example, the adoption of the proven architectural best practice known as service‑oriented architecture, or SOA, intrinsically increases the number of moving parts, and corresponding complexity . While the IT complexity challenges of SOA are becoming better understood by the industry‑at‑large, less recognized is the increased complexity from adopting other modern application technologies driving componentization and reuse, such as scripting languages like Python or Web application frameworks like Ruby on Rails . The tradeoff that IT must address when adopting modern application styles is that while the smaller parts allow IT to effectively address rapidly changing business requirements, IT needs to invest significantly more in the management of these moving parts throughout their lifecycle .

Moreover, increased complexity does not stop with technology . When IT organizations evolve toward modern application environments, the application teams themselves tend to become distributed . Even more challenges come when IT organizations choose to outsource key application lifecycle functions .

Application modernization brings an explosion of information to track who owns application components or shared services, who is accessing and using the components in the creation of new application compositions or business processes, how the specific components are meeting their service level agreements (SLAs) with increased use, what changes are in plan, and more . As modernized applications progress through lifecycles, the concept of a lifecycle becomes much more involved . Applications evolve more rapidly and with more dependencies resulting in faster advancement through lifecycle stages while also resulting in greater change impact . These new lifecycle challenges require proactive impact analysis, fluid stakeholder communication, and automated system support to enhance IT’s ability to manage all the moving parts .

In addition, with this rapid growth in information, increased pace of application lifecycle events, and greater interdependencies across applications and their underlying components, IT organizations must put an effort in place to support cross‑team visibility and well‑defined and understood application lifecycle processes . A key to IT success in managing this new, more complex modern application lifecycle is to ensure that information flows to the right people at the right time—so they can make informed decisions on deploying, accessing, reusing, and managing the increased number of moving parts behind the scenes of a modern application .

Realize all applications go through a lifecycleand a managed lifecycle lowers costs and speeds time to service

Design

Development and Quality Management

StagingDeployment

Operations

Business and IT collaboration

Design-time

Run-time

Change eventBusiness or

operations-driven

Go/no-go decision“Ready for

consumption”

Information flow

Collaboration creates efficiency

Application GovernancePeople, processes, and software

4

Figure 1: A simple example of an application lifecycle With application governance in place, critical information flows to the right people at the right time .

So what is a time‑pressured, cost‑conscious IT organization to do about this? IT—and by extension, the business—wants and needs the agility made possible by modern applications . But this agility is realized only when IT departments effectively manage this modern, distributed, frequently changing application landscape . With distributed teams, increased complexity, and rapid change, a system to support and automate application governance is essential .

Application governance gives IT a vehicle to define a lifecycle for the technical elements that make up critical business projects: The underlying applications and components . As a result, application governance provides IT with a way to confirm the right information gets to the right people at the right time . Application governance guides desired behavior across teams as applications and components progress through their application lifecycles . Application governance involves creating and enforcing policies and policy‑driven lifecycle processes for how applications are proposed, designed, built, tested, delivered, and evolved . Application governance manages the business and technical relationship between the provider of application functionality and those who need to access or use it (the consumers), through a well‑understood system of contracts and consumption

management . Also, application governance provides a system and supporting processes for the capture and sharing of key information, often termed as metadata, which drives collaboration and feedback among all stakeholders in the application lifecycle . Ultimately, application governance is IT’s navigation system for managing the complex and dynamic lifecycle of modern applications .

To better understand why formal systems for governance are now essential to IT’s success with application modernization, let us take a more detailed look at the concept of a modern application lifecycle .

Extending the definition of the application lifecycle and application lifecycle managementHistorically, the term “application lifecycle management,” or ALM, has applied to the concept of managing the processes of application requirements planning and definition, application development, including build and source code management, functional and performance testing, triage and management of defects, design‑time change management, and readiness for deployment . The limitations of this definition are felt quickly, however, when the enterprise embarks on modernizing its applications .

All modern applications have similar challenges

What do we have?

Where did it come from?

Can I use it?

Who owns it?

Can I trust it? Will it work for me?

What happens when something changes?

Where do I go to learn more?

Move from ad hoc processes and existing “tools” to automated application governance

5

Figure 2: Managing modern applications as they progress through their lifecycle is difficult. Application governance addresses a wide range of today’s application challenges .

At the highest level, all applications have several things in common that can benefit from governance across the application lifecycle: Metadata about the applications themselves, various forms of functional and non‑functional requirements documentation, technical specifications, data schemas, implementation information, deployment requirements, and SLAs . In a legacy landscape of application silos that change infrequently, managing all these artifacts as the application progresses through its lifecycle is difficult, but clearly not impossible, with a system of manual or static processes—spreadsheets, e‑mails, and meetings . However, fast‑forward to today’s modern application and a very different scenario emerges .

What’s lacking in traditional definitions of ALM?First, the concept of the monolithic application having a self‑contained lifecycle needs to change . Instead of silos, applications are evolving to be made up of even more discrete parts—such as loosely coupled modules, scripts, models, shared services, and components to support mash‑ups . Each of these parts has a unique lifecycle with inherent interdependencies . The application lifecycle is actually a set of interdependent lifecycles—the lifecycle of the module or service and the lifecycle of the composite application or orchestrated business process that depends on the service .

A change to either side—either the module or the business process or composite application that uses it—can have an impact on these interdependent lifecycles—and may require re‑planning; change management; new development; functional, regression, or performance testing; and re‑deployment . These impacts can be multiplied when many modules become accessed and used by many composite applications or business processes . Without software to automatically capture critical information about the state of the discrete parts, the compositions, specific owners, dependencies, and critical associated policies, keeping track of this dynamic environment can rapidly become difficult .

Secondly, IT must connect the goals of business‑driven application projects with the reality of the technical underpinnings that support them—the technical implementations that result from a project definition . While project and portfolio management processes and tools can address the financial, IT resource, and project planning aspects of the lifecycle, key IT stakeholders, including enterprise architects, development managers, and project team leaders, need a systematic way to keep track of the underlying technical implementations that form the project . They also need a mechanism to drive a higher degree of technical quality for projects in ways that have not

6

been required previously . This includes the creation and publication of the application components that support the higher level defined project and validation of the component’s compliance to the technical standards and architectural best practices that apply to the project .

In addition, as projects and their underlying components progress through their lifecycle, IT also needs to keep track of the owners of such application components who have the ability to funnel in ongoing change requests and to keep track of the users of such components who are impacted by changes . Finally, IT needs to be able to keep track of the testing plans and progress associated with the quality and readiness of the project and its underlying components . This information is required to determine deployment readiness, and subsequently to be able to know how the application ultimately performs in production .

The critical role of metadataA major limitation of the traditional definition of application lifecycle management is that it lacks focus on the capture and use of the technical metadata of a project to help drive lifecycle events and decisions . Examples of technical metadata include a project’s desired architectural pattern and requirements, non‑code‑based descriptions of supporting implementations and artifacts, associated policies designed to drive behavior for design, development, test, and operation of project components, lifecycle status, and owners for the technical components of a project . This metadata is used by the key stakeholders who are making lifecycle decisions that control an application project’s progress, from project definition straight through to production operations and measured business results .

The traditional model of ALM addresses some of this in silos—source code management systems are very good at tracking the progress of a particular code artifact or set of artifacts through its development cycles, and testing frameworks can track the progress and status of functional and performance testing activities that support the quality goals of a project . But what is distinctly lacking is the ability to bring all the sources of key information together in a system of record that supports the progression of an application and its underlying dependencies through its lifecycle, while filling information and decision gaps between individual teams, whether they focus on design, development, testing, or ongoing deployment and operations . Metadata is the key, unifying factor . By bringing together metadata into such a system of record that allows for many existing sub‑systems to maintain their focused roles and functions, while combining the information they contain into a consolidated, searchable view, IT has a single source of insight .

This single source of insight provides a view into the progress and status of the critical technical components that form the basis of modern applications .

The critical role of collaboration—automating lifecycle handoffsIn most IT organizations today, costly delays and errors can occur when information and handoff gaps exist between siloed teams that own a part of the application lifecycle . How often do we hear of examples such as these?

“Our testing teams were unaware that development •had made changes in an application component .”

“The operations teams were unaware that we •needed to deploy a routing policy to improve the response time of a new application for top‑tier customers .”

Commonly, these information and handoff gaps get addressed with people and manual processes—a flurry of e‑mails, spreadsheets, status reports on SharePoint® websites, team wikis, and other people‑driven activity, including daily stand‑up meetings or other periodic review sessions . While this may work for a small number of monolithic applications, manual processes can quickly become based on stale data, error‑prone or break down entirely with the move to modern application styles leveraging many moving parts .

The good news is that there is now a clear solution to address this information and handoff gap: Application governance software . While this class of software has historically been labeled “SOA governance,” it has evolved to be equally applicable and valuable for all types of modern application styles .

An example of the value of application governance: Automating the flow of vital information between applications and operations teamsA well‑tuned application lifecycle needs to support the “steel thread” of information flowing from the applications side of IT to the operations side of IT . With modern applications made up of many moving parts, components, and shared services, vital information can be “lost in translation .” And at deployment time where the application must deliver critical capability to the business, there are key run‑time policies needed to ensure that operational behavior—such as security policies for authentication and authorization, routing policies for quality of service or customer satisfaction, or failover policies—stays in alignment with business needs . In this critical handover from applications to operations, information gaps result in operations drifting out of alignment with the original design goals and assumptions of the project .

Bridging the information gap between applications and operations

Application GovernanceExpression of strategy and intent driven by people and process and supported by technology

Align application initiatives with business and operational objectives

Planned application/component behavior, metrics, feedback, measurement of execution against objectives, reality of consumption

OperationsExecution of strategy supported by people, process, and technology

Policy

SLOs and SLAs

Operational Metrics

7

Figure 3: Bridging the information gap Application governance software bridges the gap between applications and operations .

Information created in design, development, and testing phases pertaining to operational expectations—such as what policies to deploy to manage access and what level of infrastructure to provision the services on to maintain SLA goals—must consistently flow in a usable form to operations . This removes operational guesswork and makes the deployment and provisioning process of components and services, and the applications that use them, much more efficient . Application governance software supports this steel thread and automates this vital information flow from applications to operations .

It is this steel thread of information, policy, and lifecycle governance that enables IT to address the complexity of modern applications while maintaining control .

The application lifecycle—and its many stakeholdersEffective ALM acknowledges that there is a series of critical control points that drive progress and results as an application and its underlying dependencies progress from concept to delivery . It aligns the people, processes, policies, and tools that support the life of an application as it progresses through these critical control points .

Application governance is one of the key ways to coordinate the efforts of all stakeholders involved in managing the application lifecycle . Application governance provides a system of record (through a metadata repository) that provides visibility of application components and their dependencies for the different teams participating in the application lifecycle . Application governance pulls in information from other areas—such as design‑time documents, source code management systems, quality management and testing systems, and run‑time systems—to provide an integrated view of the status and compliance of application components at their various stages of lifecycle progress . As a result, application governance delivers the information needed for distributed team collaboration .

Application governance is particularly important when you consider the diverse roles of the teams involved in the application lifecycle, each of which has its own focus .

Business analysts and architects drive what we want •to build and how we want to build it .

Developers and development managers figure out •the best and fastest way to build the application and then develop the underlying software components and services .

Strategic control points

RequirementsComplete system

validationPortfolioDemand

HP application lifecycle management

The complete

application lifecycle

New deployment

Plan Define/design

Develop/test

LaunchPrioritize and invest

•Business demand•Portfolio management•Projects and programs

Minor release Minor release

Fix/ patch

Fix/ patch

Fix/patch

Minor release Minor release

Fix/ patch

Fix/ patch

Fix/patch

Operation

Establish governance

•Architecture•Policies•Contracts/consumption•Collaboration/feedback

IT keeps track of it all through ALM

ural goals

PoliciesGovernance

End-user management application mapping

Business impactchange management

Policy enforcement

Governance makes sure that applications are built in line with architecture goals

APPLICATIONS OPERATIONSSTRATEGY

8

Figure 4: Maintaining control IT keeps track of the complete application lifecycle through ALM .

Testers align interactively with development to •help ensure that what we are building will be of quality—in terms of functionality, performance, and immediate and ongoing security .

Application delivery teams help ensure that what •we have built and deployed keeps on meeting run‑time requirements, stack requirements, and run‑time policies . These teams provision the operational environment .

Application operations teams help ensure that what •we have built and deployed continues to meet customer and business SLAs . These teams triage when problems occur .

Application governance gives IT a vehicle to define the application lifecycle, its stages, stage events, policies that must be met, owners of stages, decision owners and voters, and escalation points . And application governance software automates the key lifecycle activities, including handoffs, policy compliance checks, and information flow, supporting the critical control points of the application lifecycle . Only when all of these stakeholders actively collaborate and share key data and events, can the application lifecycle progress smoothly .

Governing a growing range of applicationsIT is increasing the pace of innovative technology adoption to leverage proven and promising architectural patterns and application styles . SOA, REST, Web application styles, mash‑ups, business process orchestrations, component architectures, and modular scripting technologies are all being evaluated and worked with by architecture and application teams . And with application modernization, IT is moving to more agile methodologies—to build and test faster, in smaller chunks . At the same time, many IT organizations are outsourcing development work for economic reasons . IT must find ways to work collaboratively with distributed teams in a fast‑paced environment, some of which may be working outside the corporate firewall .

As they deal with these challenges, many IT organizations are running as fast as they can—into a wall . It will truly become “manage the unmanageable” if IT cannot get ahead of this curve and establish repeatable processes, policies, lifecycle controls, visibility, and formal processes for collaboration . Application governance, implemented through automated software, is a key component of making this possible .

Composite Applications

BPM Workflow Open Source

IT view: Complexity

SOA Package Apps

EAI (B2B)Content Mgmt.

Apps. Servers J2EE, .Net

Web 2.0 Mash-ups

Business view: Agile business process

For example: order to cash

What do modern applications look like? Business and IT view of modern applications

Cloud Services

9

Figure 5: Emerging technologies and modern applications The business sees agile processes . IT sees more complexity .

Why governance now, not later?Application governance provides a vehicle for addressing lifecycle management for a wide range of modern applications based on both emerging and established technologies . And governance specifically addresses the challenges that arise from the use of shared components . Componentization and reuse have been goals for applications since the early days of development but have remained challenging to attain . In the 3GL days, we had artifacts such as functions or subroutines and copybooks or “data layouts .” These artifacts, in theory, could be reused but for the most part became locked into siloed applications . The industry evolved to adopt object‑orientation, and we ended up merging data and behavior into objects that could individually be “reused .” But lack of open standards and interfaces made the resulting implementations proprietary and thwarted the goal of modularity and broad‑scale reuse .

However, with the emergence of modern application approaches, reuse and modularity are being realized . We have seen “code‑level” reuse—larger grained entities like components (such as open source projects)—and now SOA adoption that has allowed IT to move from code‑level reuse to “run‑time reuse” through live services . Looking ahead, cloud computing has the potential to expand this concept of re‑use and modularity even further and outside the walls of the individual organization .

With reuse comes the need to have access to sufficient metadata so that those who need to reuse components can find them and make educated decisions around the impact of reuse to their specific project goals . Here is a simple example: If we have a JavaScript function that properly calculates leap years and performs date validation, then that function needs to be described in a way so that other people can find it and take advantage of it in their compositions .

While source‑code‑centric solutions can help with the management of underlying code, they continue to lack this higher‑level metadata . Application governance can deliver user‑consumable metadata on top of the artifacts targeted for deployment and use . Furthermore, application governance can provide a way to categorize and classify technical artifacts and assets . This means that all of the moving parts we have described earlier in this paper can be found in a logical way, independent of the underlying systems that they may be stored in, and in a way that has meaning to stakeholders and, even more importantly, can be assessed in terms of their change impact . With governance as a source of key metadata about the technical artifacts used in an application project and where they are in their lifecycles, IT has an accurate and real‑time record of what is going to be changed and where it is currently being used, and can instantly determine the impact of change .

10

Application governance in action: Use casesTo make the concept of application governance come to life more fully, we will walk through four basic yet important use cases . These use cases illustrate specific examples of the value that application governance delivers at various points in the application lifecycle .

Use case 1: Enabling consistency with best practices and standardsWhen you are developing an application, you need to be certain that what is being built is consistent with your organization’s best practices and standards for application construction and coding . This can be a particularly challenging proposition when software is being developed across a dynamic, distributed IT environment with development teams scattered around the organization and even around the globe . How can you maintain architectural pattern consistency and application construction consistency and be sure that an application in development continues to stay aligned with these standards over time? With modern applications creating more interdependencies between shared components and artifacts, this becomes even more challenging and even more important to enforce as the impact of a misalignment can cause interoperability issues, support issues, access issues, and even outages with tangible business impact .

Here is a specific example of the need for governance of application construction consistency: Imagine that you are a VP or director of applications and that you have an applications environment where many

of your development resources are Java‑trained and many of your application components are Java‑based . Because of the dependencies across your applications environment and the need to stay interoperable and supportable, it becomes important that your underlying Java™ environment stays consistent and supportable across all your applications and shared services .

Imagine that in 2008 you found out that Sun had announced the end of support for JDK version 1 .5 effective October 2009 . In order to keep your organization’s Java‑based applications and services consistent and in compliance, your IT organization needs a policy communicating that no new projects should be started with, or should use, JDK 1 .5 . Your IT organization also needs to establish enforcement (checking) to verify that developers comply with this policy . If you have a foundation for governance, you can clearly define, communicate, and then automate the implementation and enforcement of this policy .

Without governance, you would manage this issue by establishing a policy and announcing it across the distributed organization through e‑mail messages that cascade through the organization . To implement the policy, manual checks could be required, but this leaves a lot to chance . How could you be sure that all affected parties were informed of the policy? What if key development resources are in transition—joining and leaving the organization? What if the e‑mail is ignored? And after that, how could you be sure that the policy was uniformly enforced? You would be forced to rely on manual code reviews and direct contact with developers—managers reaching out to their teams in meetings, for example—to monitor and enforce the policy .

11

Along the way, you would greatly increase the chances of unwelcome surprises . You might, for instance, not know that some development work was done on JDK 1 .5 until the software was handed over to your service delivery/operations teams, who tell you they cannot accept the application because they no longer support JDK 1 .5 . At that point, the target application or service may have to go back to development or testing teams to port to the supported JDK . This may not only delay the project but also other applications that have dependencies on this application or service . With automated governance in place, you can greatly reduce the risk of discovering problems like this when an application is about to go into production .

There is a much more efficient and reliable way to enforce such a design‑time policy: Automated policy enforcement driven by a governed lifecycle event . By using governance software to automate the implementation of the design‑time policy and subsequent policy checks, you can guide behavior and verify that developers implement only on currently supported versions of the JDK for their services and applications .

Once the policy is implemented in a governance environment, you can associate the policy with an application lifecycle step or run ad hoc verification checks . By associating this policy with a lifecycle step or stage (such as check for JDK version and validate that it is 1 .6 or later before an application or service leaves the development stage), you can help ensure that the policy is met and take action early in the lifecycle to make changes if needed, rather than finding out late in the lifecycle (such as in testing, or worse, deployment) when making a change would

be more costly and cause delays . Controlling the high cost of manual intervention is one of the key ROI (return on investment) drivers for application governance . By providing policy compliance checking that developers can do from within their development environment, triggered by a governance lifecycle activity, developers can understand and interact with governance policies within the context of their development tooling and make needed changes early in their development process, where disruption and rework are minimal .

By also supporting ad hoc policy compliance checks, you can help ensure that nothing changes out of phase with the lifecycle and you can check the compliance of services that are already in production or have not yet been governed with lifecycle management . By combining both lifecycle policy management and ad hoc policy management, you can provide the complete automation of this aspect of governance .

Use case 2: Providing adoption of enterprise architecture requirements by all development teamsGovernance is fundamental in maintaining architectural requirements adoption over time, resulting from architecture patterns and best practices, among all development teams—regardless of where they are located inside or outside your organization or team . Without automated governance in place, it can be extremely difficult to establish that the application requirements resulting from new and improved architectural approaches are followed when code and applications are actually developed .

12

Here is a case in point . At HP, our own research and development team is building out our SOA products with the requirement to apply some commonly accepted architectural patterns . One such requirement holds that no modules will make direct, point‑to‑point calls to databases from the user interface . Database calls are required to pass through the business logic layer in the code . However, when code is actually being built, some developers might be inclined to take shortcuts that could break this architectural policy .

There are points in the application lifecycle that should call out and validate such architectural integrity policy checks . Without governance, you might only find out about these shortcuts that break the architectural requirement at the time when the code is complete, through a costly manual code review . Or you might not be able to figure out the problem until the application is in production and not performing well—because of frequent point‑to‑point calls to databases .

With governance and the capabilities found in automated application governance software, you can integrate lifecycle governance information and policy checks with build systems . This integration forces the code that gets built to go through a policy compliance check before the build system accepts the completed package . When the automated governance tools detect the violation of architectural policies, the results can be communicated back to the development and architecture teams . The development teams can then address the problem early in the project lifecycle, while the problem is still relatively easy to fix, and the architecture teams can decide to provide further education and outreach to help development teams understand and support adoption of the key architectural requirements .

Use case 3: Guiding the work of outsourced development teamsIn our rapidly evolving IT world, we have ongoing cost, talent and competitive pressures driving us to move from conventional in‑house dedicated team that build out purpose‑built applications, to outsourced or virtual teams that must collaborate in a highly distributed fashion . These virtual teams must work well together to design, build, test, and deliver applications and shared components, often resulting from exposing and managing legacy functionality as shared services . Increasingly, these teams are distributed across the globe, bringing challenges stemming from differences

in culture, time zone, and language, as well as work styles and experience . Governance is one of the key mechanisms for IT to use to maintain compliance with development best practices and architectural policies when you do not directly manage the people doing the work .

This is the case for an HP public‑sector customer, who outsources all its application development and quality assurance work to third parties worldwide . Through application governance, the customer maintains tight control over development efforts that take place offshore in distant countries . This customer has instituted a well‑defined governance lifecycle process with clear stages, decision makers, and handoff points . The customer has also defined and implemented explicit, documented standards enforced by policies for how code is constructed/built, how services and artifacts are published in a repository, how code and artifacts are validated through policies for architectural pattern and development standard conformance, and then how services and artifacts are discovered and reused by other downstream teams through well‑defined consumption relationships managed by contracts in the governance repository .

Under its governance model, the customer maintains a common library of terms, application components and their sub artifacts, associated policies, and taxonomical models that new projects comply with and build upon . The customer has established as part of its governance processes, a well‑defined way for changes and cross‑project demands to be added to projects in an issue log in the repository . Changes are then discussed and issues are closed in a dedicated governance issue forum . This process helps everyone involved in development efforts, regardless of whether they are onsite or offshore, to work consistently in a more collaborative manner, and compliance makes it easier to leverage each other’s work .

These are just a few examples of the many ways that this customer uses governance to achieve consistently good outcomes from developers working in distant places . The customer uses governance software as a virtual general contractor that keeps tabs on the work conducted by many subcontractors . Governance gives the customer the assurance that what is developed outside its walls will be consistent, interoperable, and integrated with the organization’s existing application environment .

13

Use case 4: Automating the IT‑to‑operations application handoff When an application project development and test team has finished with its code, build, and testing work, it needs to hand the application off to service delivery and operations personnel for provisioning into production . But the team cannot handoff just the application itself . It also needs to pass along detailed requirements for the deployment and ongoing management of the application and/or shared service in a production environment .

Without automated processes that capture operational requirements information about applications and shared services/components before the application goes into production, the handoff can trigger a mad scramble to document assumptions about the application’s expected performance, its expected loads, its committed uptimes, and the SLAs that dictate performance and availability levels that must be met . Additionally, service delivery and operations personnel need to know the application’s requirements for hardware, virtualization software, network infrastructure, and access methods/security .

This data usually exists in functional and non‑functional requirements documents and is reflected in test scripts, but without governance this data does not get captured in a centralized, easily shareable way . With governance, this metadata can be captured whenever it gets created or modified all along the lifecycle and stored and made accessible in a common repository . It can then be automatically compiled and easily presented in a handoff document that can flow automatically to deployment and operations

personnel, resulting in a knowledgeable provisioning and readiness activity . Armed with this key information, operations teams can more efficiently prepare the application for production, or they can engage in a proactive dialog between the applications and operations teams when more clarity is needed .

Ultimately, with this level of automation, development and test teams can have a higher level of confidence that what gets deployed is what was intended to be deployed .

Automating application governance with software HP offers a rich portfolio of software designed to enable application governance . Collectively, these offerings help you:

Drive visibility with metadata to align the •architecture, design, development, quality, and management teams in making application lifecycle decisions

Foster trust for application component use •through consistent policy definition and enforcement and information sharing regarding ongoing policy compliance

Support consumption of services and applications •with contract monitoring and management

Support change impact from design through •development, test, and ongoing operations

Codify technical best practices as applications •progress through their lifecycle, and simplify best practice sharing and adoption across distributed teams

14

HP SOA Systinet software for application governance and lifecycle managementSuccessful application governance comes from spending the time to define the right processes, policies, and practices that you want to put in place to ensure consistency, collaboration, and control as applications progress through their lifecycle, and is greatly assisted through automated software . HP SOA Systinet is one of the industry‑leading software platforms for application governance . Built on standards and adopted by a wide array of customers and partners across industries and geographies, HP SOA Systinet governs applications and their underlying components throughout their lifecycles, regardless of whether they are SOAP‑based services, REST‑style services, Java, .NET applications, or others .

HP SOA Systinet supports application governance through the following key capabilities:

Extensible registry/repository: • HP SOA Systinet contains a standards‑based, scalable, and broadly extensible registry and repository that provides a system of record to drive the capture of key metadata supporting decision making across the application lifecycle . HP SOA Systinet leverages the metadata in the registry/repository to support its automated application governance capabilities, including information, policy, and contract management .

Information management: • HP SOA Systinet drives visibility, information‑based decision making, and customizable reporting across all stages of the application lifecycle by enabling the flow of critical application governance information . HP Systinet automates actions to get the right information to the right stakeholders and decision makers through a wide array of mechanisms, ranging from prepared reports to e‑mails to RSS feeds .

Policy management: • HP SOA Systinet provides architectural, application and production consistency and control . HP SOA Systinet automates processes for validating application and architecture consistency, by establishing and validating design‑time and run‑time policies for interoperability and conformance of application components and associated artifacts as they progress through their lifecycle .

Contract management:• HP SOA Systinet creates trust for use (consumer‑provider) relationships through automated processes . For those who

wish to access and use an application or shared service, HP SOA Systinet automates the process to request consumption, and it enables consumers and providers to negotiate and agree upon the business and technical conditions for use, reducing conflicts and misaligned expectations and enabling proactive communications of application changes .

Enhancing the application lifecycle with quality integrated with application governanceHP Quality Center software and HP Unified Functional Testing software HP Quality Center software and HP Unified Functional Testing software work in a complementary manner to enable modern application quality management and automated functional testing . These products help you verify if the applications you build meet the functional requirements with minimal defects . When this testing information is fed into the application governance lifecycle process, it can trigger policy decisions and help answer critical questions . For example: “Is the application ready to go from the testing phase into production?”

HP Requirements Management softwareHP Requirements Management helps your quality and development teams manage the creation of requirements and ultimately lets you know what to build . Requirements become a key artifact in the governance process in terms of what gets associated with application components being governed . Requirements can also be part of a policy check or lifecycle advancement check—for example, an application does not move to the next phase in governance unless the requirements are there and have been reviewed by the right people .

Performance integrated with application governanceHP Performance Center software and HP LoadRunner softwareHP Performance Center software and HP LoadRunner software work together to provide a platform for automating and enabling optimal performance testing of modern applications . The data from performance tests helps to guide important lifecycle decisions and answers critical questions, such as: “Does this application perform well enough for me to reuse it in my composite application?”

15

Operations integrated with application governanceHP Business Availability Center for SOA softwareHP Business Availability Center for SOA software provides IT operations and business service management personnel with an applications management dashboard and associated software to use at run‑time to verify that applications and services are meeting their SLAs and delivering their expected value to the business . While not technically part of an application governance solution, information from HP Business Availability Center for SOA provides valuable information that developers and architects can use when they are building the next application that may access or use a service or application that is already in production . Through the integration of HP SOA Systinet and HP Business Availability Center for SOA, architects and developers can get real‑time information about whether that service or application component is delivering against all its SLA expectations .

Get started with application governance todayApplication governance is critical to the success of organizations that are modernizing their applications . According to Gartner Group, through 2010, the lack of working (SOA) governance arrangements is expected to be the most common reason for failures .*

By setting up a governance program, adopting application governance software for automation, including integration into quality assurance and operations, and establishing processes and best practices for managing the application lifecycle, IT can improve application development and delivery efficiency, reduce costs, and speed time‑to‑market—ultimately reducing the IT‑business responsiveness gap and freeing up IT resources for innovation .

The result is an IT organization that can deliver modernized applications faster, at a lower cost, and in better alignment with business needs .

For more informationHP delivers industry‑leading software and services to help your IT organization navigate the modern application lifecycle . To learn about HP solutions for application lifecycle management, visit www.hp.com/go/ALM

For more specifics on HP solutions for application governance, and to learn more about HP SOA Systinet, visit www.hp.com/go/SOA

Have a question about HP solutions for application governance? Send us an e‑mail at SOA@hp.com

* “Horror Story Shows How Poor Governance Leads to Failure in SOA Initiatives,” Paolo Malinverno, Gartner Research, June, 30, 2008.

Get connectedwww.hp.com/go/getconnected

Get the insider view on tech trends, alerts and HP solutions for better business outcomes

Technology for better business outcomes

To learn more, visit www .hp .com/go/soa© Copyright 2009 Hewlett‑Packard Development Company, L .P . The information contained herein is subject to change without notice . The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services . Nothing herein should be construed as constituting an additional warranty . HP shall not be liable for technical or editorial errors or omissions contained herein .

Java is a U .S . trademark of Sun Microsystems, Inc .

4AA2‑9997ENW, November 2009