Adopting DevSecOps

Photo by cottonbro on Pexels.com

Dev Ops brings the software development and software operations together, usually delivered by the same people rather than the handoffs in traditional IT deliveries between the delivery teams to the operations teams.

Dev Ops has been around for quite a while now and brings with it many benefits including :

  • better team and stakeholder collaboration;
  • quicker time to develop and deploy software (faster return on investment);
  • save time on incident resolution
  • reliable and robust deliveries;
  • better customer satisfaction;
  • innovative tooling;
  • integration with software as infrastructure;
  • reduces risk through automation;
  • complements agile approaches to project delivery;
  • operational intelligence;
  • continuous improvement with feedback loops.

Today’s virtual world necessitates for security to be across all areas of our IT systems. Protecting digital assets is critical to ensure the integrity of systems and data.

Cyber crime is becoming more and more sophisticated as hackers get smarter and more vicious with their attacks. There are many threats to IT security including malware and malicious software which can cripple a business if the digital terrorist is successful with their attack.

A business could suffer many ways, for example a successful Ransomware attack would bring a business or service trading to a standstill and have different types of financial implication due to the ransom payment as well as losing the ability to trade or carry on with business and services. This can have life threatening impacts for example, where a ransomware attack is made to a health provider. There are many other outcomes of a cyber attack including data breach, access to secure information, reputational damage etc.

Wrapping security around every aspect of delivery puts the Sec into DevSecOps.

Dev Sec Ops Roadmap

When a business decides that it will move into a Dev Sec Ops model there are a number of areas that require consideration including

  • People
  • Practices and Processes
  • Tooling
  • Agile Methods
  • Growth and Scale

People

Adopting DevSecOps starts with a Mindset change. Thinking differently and being open to working in new ways is critical for the success of a DevSecOps model.

Once our people are willing to adopt and accept DevSecOps there are a number of things to introduce:

  • Upskilling and multiskilling your team in the latest DevSecOps technology (look at online training, on the job, technology partners often provide free training)
  • Create T and X shaped technical resources and develop their soft skills including communication, pitching, influencing
  • Build cross functional, non-siloed teams
  • Hire some experts to mentor and coach the team. Build up and scale the team around the experts
  • Hire some future gurus who have high learnability
  • Build the future workforce via relationships with technical universities. Get high potential students excited and interested in the possibilities of the company and show them how they can develop their career
  • Provide an option for collaborative environments that promote creativity and innovative thinking (whiteboards, standup space, design thinking space, UX labs). Even in the post pandemic environment, occasional face to face collaboration is important to foster the team collaboration and culture.
  • Create and enviable work culture where ideas and feedback are listened to and the team feel they can blossom.
  • Jointly build a “work mojo” career and motivational development plan for each team member to identify and work on what really motivates and engages the team members as individuals.

Practices and Processes – Continuous Everything

DevSecOps focuses on the continuous improvements and automation of software deliveries. No DevSecOps model is complete without considering the following :

  • Implement effective code and version control systems. This will allow for a Continuous Development model. Solid configuration management tooling will track, merge and manage code being developed. Tooling will be able to analyse code and identify and resolve issues and logical code bugs.
  • Continuous Automated Testing can bring huge improvements to quality and speed of deliveries. Every line of code that is written can be automatically tested. Taking a Test Driven Development approach also puts testing at the heart of the delivery.
  • Continuous Integration will bring all of the code being developed together into the main code branch / repository regularly and allow for continuous testing to also happen to ensure that no code integration has impacted the quality of the product.
  • Continuous Delivery automatically promotes code changes to a pipeline environment ready for deployment. The code will be deemed ready for deployment, but not actually deployed automatically. The decision can then be made to move deliveries into production.
  • Continuous Deployment will automate the code deliveries into production. This allows for small incremental deployments to be made regularly.
  • Continuous monitoring provides tooling, dashboards and tracking of the code products in operations and infrastructure for any issues, bugs, failures or incidents. This will provide a feedback loop that will help identify opportunities for future improvements to be made as well as potentially provide intelligent self healing for defects.
  • Infrastructure As Code will automate the creation of environments to host the code releases.
  • Security throughout all of the phases of dev ops security needs to be a key consideration from development of the business code, testing, code control, delivery, deployment and monitoring. There are lots of security policies and practices that can be included e.g. threat modelling, encryption etc.

Most of today’s DevSecOps model is involve in the journey to the cloud. However, the journey should not end once you are up and running in a cloud environment. A true progressive model with constantly think about the strategy “in” the cloud and “beyond” the cloud.

Site Reliability Engineering (SRE) is very similar to DevSecOps processes. An SRE would focus on taking elements of software development and making continuous improvements to operations and infrastructure. An SRE would look at making efficiencies and improvements tp monitoring, system availability, capacity planning, incident handling, system monitoring etc.

Tooling

As DevSecOps is primarily around the automation of the software development life cycle, this is enabled by the DevSecOps toolchain.

All of the tools involved are there to automate the various phases of the lifecycle. They also bring accuracy, speed and quality improvements. The following shows a sample of tools used at various DevOps lifecycle stages (as shown in the diagram above).

DevSecOps PhaseDescriptionTypical Tools
PlanSupports the agile delivery processes and ceremonies including the user storie, backlog, sprint plans, communication, reporting, metrics etcJira, Confluence, Git, Trello
DevelopCutting the code.GitHub, GitLab, Stash, Bitbucket
TestAutomated or manual testing to ensure the quality of the code and identify bugs and defects. JUnit, Selenium, Sonarcube
DeliverCreates the software builds and versions, compiles and packages code ready for release. Docker, Puppet, Chef, Ansible, Maven, JFrog Artifactory
DeployManages, co-ordinates, schedules and moves code to production environmentsPuppet, Chef, Ansible, Jenkins, Kubernetes, Openshift, OpenStack, Docker, Jira
OperationsManages code products that are live in the production environment. Ansible, Puppet, PowerShell, Chef, Openshift
MonitorConstantly tracks, reports, monitors and can automatically fix live issues in productionSplunk, Nagios, Dynatrace, Grafana, Datadog
SecurityIdentifies weaknesses in the production codeset and prevents exploitation or attacks by hackers and unauthorised usersDocker, Jenkins, Kube-bench, Datadog, Acunetix, Elk, Grafana

The DevSecOps toolchain is constantly improving and increasing. In particular, Opensource software can provide many solutions to problems for the DevSecOps environment. Care must be taken however, to ensure that opensource software does not bring any vulnerabilities to a system.

Agile

One of the best complements to a DevSecOps model is to introduce Agile delivery methods. There are several different agile methodologies depending on what you are delivery, the size and scale of your project and the type of project. Agile, Kanban, Scrum, SAFe, Nexus, etc. are all different flavours of agile and they may be more suited to the type of different types of projects.

If your team is new to Agile and you are looking to implement a DevSecOps approach then one of the first things you need to do is get your team trained in Agile and hire an Agile Coach to guide you through the early days of agile adoption. The coach will be able to support your team as follows:

  • Set up the Agile tooling e.g. Jira to get the most out of the tool and to support the team who may be new to using agile methods
  • Establish the scrum team roles and responsibities including scrum master and team members. Also, help understand the relationship with the product owners and their responsibilities in helping define and shape the backlog priorities
  • Establish the initial agile ceremonies to be performed during the project e.g. sprint planning, retrospectives, standups, sprint reviews, show and tells
  • Help support the scrum master if they are new to the role to change their mindset and be a servant leader who is enabling the scrum team and removing blockers
  • Introduce best practices e.g. the right questions to ask at the stand up ie what went well? what are your blockers, what help do you need?
  • Guide inexperienced scrum teams through specific activities e.g. estimation and sizing, spikes, backlog refinement, definition of ready and done, user stories writing etc.

See other blogs on this site on more detailed discussions around Agile.

Growth and Scale

As a product or service grows, managing within one scrum team may not be practical and you may want to look at scaling out.  There are many methods of scaled agile, but to keep things simple as a small business grows implementing a scrum of scrums model can be very effective to support daily decisions and priorities across all scrum teams, cross team support and collaboration as well as an effective way for the delivery leader to appreciate the key issues, successes or deliverables across all of the teams.

As the business scales further other more complex models could be introduced e.g. tribes (groups of linked scrum teams working on a portfolio), squads (another name for scrum teams), chapters  (capability based groups), guilds (interest and innovation groups).  Examples of more complex models include the Spotify model, Nexus and SAFe.

Adoption

Bringing a robust DevSecOps model to an enterprise is not easy and there are many aspects to getting the right model, tooling, processes etc. for each individual business, but hopefully this has given you lots to think about if you are looking to develop a DevSecOps adoption plan for your business.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s