Businesses may be recognising the benefits of DevOps in streamlining cloud development, but one technical lead has warned that companies failing to integrate compliance into their application development processes will struggle to automate their secure development processes.
Conceptually, DevOps links the tools developers use and the cloud platforms where they will run their applications – allowing them, for example, to create a new, pre-configured virtual machine where they can test a new version of an application.
This used to be a manual process that was prone to problems when cloud platforms were misconfigured – as when a wrongly-configured data container led to the leak of over 54,000 NSW driver’s licenses last year.
Just as DevOps manages application development environments, DevSecOps is focused on ensuring that such leaks – and the myriad other security issues that can arise when new operating system images are being set up almost continually – don’t compromise the continuous integration/continuous development (CI/CD) process.
Properly configured, DevSecOps can save application teams from having to start each round of testing from scratch – an ongoing issue that has pushed the average testing cycle out to 23 days – but it can also, Progress senior director of software engineering Prashanth Nanjundappa told Information Age, reduce the risk that developers will inadvertently choose the wrong technical platform.
Even in companies where management has embraced the concept of DevOps, he said, developers were often left to choose what specific tools they wanted to use – inadvertently creating security and compliance problems down the track.
“We had one customer who had to spend about three months of effort addressing security and compliance issues because they chose [the open-source] OpenJDK instead of Oracle JDK,” he said, referring to the Java platform on which the company’s applications were built to run.
“Both are the same and OpenJDK is open source and flexible so it will save the company money,” he explained. “But from a compliance perspective, they know that some of the commercial products fix vulnerabilities in a much more stringent manner.”
Such choices may not seem important to developers that just want to build applications – but they can have serious implications for companies’ overall risk exposure, which is often only measured during compliance audits that may only be run every few months.
“If you’re only doing audits once in six months, developers could have chosen an upgraded or different version of an operating system or software tool,” Nanjundappa explained. “But we don’t know how that affects the compliance posture until we find out that has happened. So, between those audits, we are very vulnerable.”
Shifting compliance to the left
When done right, DevOps translates into faster, less error-prone development: six in 10 developers have been able to release code twice as quickly using DevOps than they could previously, according to a recent GitLab survey that also found 56 per cent of respondents saying their development is now either fully or ‘mostly’ automated.
Yet where it used to require extensive manual work, DevOps is now being packaged into platforms that are much easier for companies to implement and maintain.
Opsera, for one, recently released a ‘no-code DevOps’ tool that automates the CI/CD cycle for companies building Salesforce applications, while DevOps tool vendor GitLab released a complete DevOps platform packaged as a single product.
The automation features of Chef – which Progress bought for $291m ($US220m) in October, and of which Nanjundappa is a global product manager – have put Progress into the game as business managers increasingly inject compliance specialists into the CI/CD process.
By ensuring compliance is ‘shifted left’ so that security is maintained from the beginning of the development process, companies can avoid problems that interrupt their application development down the track.
Just as DevOps has gained maturity for application developers, DevSecOps will do the same to improve organisational security – bolstered by support from increasingly security-aware senior management.
“We have seen a lot of success both where there is a top-down and a bottom-up approach,” Nanjundappa said. “It’s a two-step jump first to DevOps state, then to DevSecOps. An incremental and iterative approach is required, which is also a different mindset.”
Because cloud platforms are fundamental to the post-COVID explosion in digital transformation, embracing that mindset will be key to business recovery as the market rebounds in coming years.
“DevOps teams are maturing and looking to reduce complexity by adopting more standardised toolchains and workflows, and pivoting toward cloud services that embed basic infrastructure automation,” IDC research director Jim Mercer said in forecasting a “somewhat stronger recovery” commencing in 2022.
