Revolutionary advances such as the cloud, advanced analytics and expanding mobility have brought no small amount of change to IT departments around the world, as IT and project managers struggle to keep up with an increasingly demanding and nimble user base. In response to the need for a more agile transition between development and operations, these two traditionally siloed aspects of IT are combining into one entity, called DevOps. While the transition toward this new methodology is increasing responsiveness and forging innovation, managing it isn't as easy as just flipping a switch, and in a tech landscape increasingly defined by threat actors, application security has to be viewed in a new way.
The conglomeration of development and operations isn't a change that is occurring overnight, but rather it's a response to the changing needs of the marketplace. Technological advances in cloud computing and mobility mean time to market is more important than ever, and the traditional waterfall development method — where large releases spend months or years in development before being turned over to operations — lacks the alacrity the market demands.
The Agile development methodology was created to address these needs. It utilizes small development teams working on incremental changes in a short time frame, but when put into practice, it quickly becomes apparent that this alone won't meet the time-to-market needs of a modern enterprise. The conflation of development and operations teams that work together to ensure the success of each release is needed in a business where changes to core software can come in a rapid fashion.
This realization has led DevOps to become a buzzword around the industry, but many continue to misunderstand what, exactly, it is.
A recent "Market Trends" report by Gartner describes the merging of development and operations as more philosophy than technology. That is, it isn't some new solution or process that can expedite the development process; rather, it's a new way of looking at development altogether. This means there are few hard-and-fast rules, and instead there are guidelines IT managers can follow and ideas they can execute.
This lack of structure can make the transition difficult, especially in enterprises where development and operations are completely siloed and have been since the dawn of the IT department. The initial change will have to be done through a long communication process, where the benefits of a more agile methodology are expressed and pitfalls of the current methodology are pointed out as they occur.
Once an organization is ready for this change in philosophy, IT managers have to focus on the largest physical aspect of the combination of development and operations: the tools.
Gartner's report focuses on tools because even though DevOps centers around people, technology, processes and information, IT staff will naturally gravitate to the philosophy allowed by their tool sets. Gartner identifies tools that can succeed in this new development and operations philosophy by their ability to adhere to lean and agile principles, such as simplification, standardization and automation. The company also suggests true next-gen tools will have high interoperability, so multiple solutions can seamlessly work together and IT departments can change tools as new ones are developed — without throwing the whole development process into upheaval.
The importance of management tools in this process cannot be overstated. Even the best-run Agile shops have some level of confusion regarding how different small teams are altering core software. Integrating operations into the process so developers can quickly see the results of their actions and remediate as necessary is important, but overall project management is even more crucial to overall success. Tools that are built to monitor the development process — including continuous build management tools, integration tools and testing tools — are increasing in importance, and they may soon be the key to a successful transition to this new IT philosophy.
Gartner breaks down a sample of available tools based on their ability to seamlessly integrate with a development and operations tool chain, separating them into "Ready," "Enabled" and "Capable" categories. While the report offers only a sample list of tools, the importance it places on several areas is worth noting. Code review, static analysis and security testing were all presented as being of high importance, highlighting an aspect of advanced development and operations methodology that needs to be addressed.
Given the heightened importance of speed to market in a DevOps environment, IT managers must be vigilant regarding code security. When deadlines tighten, it can be tempting to relax on security: IT managers cannot simply hope that system integration will "just work," but they can hope that their software won't be attacked. However, the latest research shows large enterprises suffer numerous attacks per year, including dozens or hundreds of failed attacks, so the days of hoping nefarious actors won't attempt to find holes in just about any piece of software are officially over.
With that in mind, security-based solutions take on additional importance. Solutions built for paradigms such as DevOps have to be lightweight, preferably in the cloud, and able to scan code quickly, without significant configuration. Gartner stresses the importance of static analysis, or SAST, which can scan code, bytecode and binaries for potential vulnerabilities while the software is in a non-running state. This enables developers to test their software for issues without waiting for the entire code base to be ready, and can greatly increase the utilization rate of one of the most important aspects of code development. SAST can also be utilized without access to the source code, which is critical given the proliferation of open-source or third-party code and libraries in use within an Agile environment.
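To make the non-running-state idea concrete, here is an added example (not Veracode's or Gartner's tooling, and not code from the original article): a minimal AST-based check that parses Python source without executing it and acts as a pass/fail gate a commit could be held against. The rule table and the sample input are constructed for illustration.

```python
# Added example, not Veracode's or Gartner's tooling: a minimal AST-based SAST gate.
# The source is parsed, never executed; the rule table is constructed for illustration.
import ast

# Constructed rule table: dotted call name -> finding message
RISKY_CALLS = {
    "eval": "eval() on untrusted input allows code injection",
    "pickle.loads": "unpickling untrusted data allows code execution",
}
SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call"}


def call_name(node):
    """Dotted name for simple calls like f() or mod.f(); None otherwise."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def scan_source(source):
    """Return (line, call, message) findings for risky call sites in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, name, RISKY_CALLS[name]))
        elif name in SHELL_CALLS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append((node.lineno, name, "shell=True builds a command line from data"))
    return sorted(findings)


def gate_passes(source):
    """CI gate: True only when the scan reports nothing."""
    return not scan_source(source)


# Constructed sample input: two risky sinks and one harmless call.
SAMPLE = """import pickle, subprocess
def load(blob):
    return pickle.loads(blob)
def run(cmd):
    subprocess.run(cmd, shell=True)
def ok():
    return len("safe")
"""
```

Because the scan needs only parseable source, it can run on each small incremental change rather than waiting for a complete build.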
Code security has undergone a number of changes over the past few years, but given the shifting nature of technology, only companies with an eye toward the future will succeed. Veracode recognized the shift in needs in the development world as Agile took hold and DevOps emerged, and ensured its static analysis and dynamic analysis solutions could be seamlessly integrated with the new, more adaptable tool chains.
Download this SANS webinar to learn how DevOps fosters cooperation and reduces integration issues between security, operations, and development.