Is DevSecOps making a Difference in Information Security?

It seems nary a week passes without a story about a hacking incident making the evening news. Additionally, many CIOs report a skills gap when it comes to hiring experienced information security professionals. As such, demand for these IT pros is going through the roof, and so are their salaries.

So what about DevSecOps, the security-focused variant of the DevOps methodology and organizational structure? We’ve talked about it in the past and are wondering whether it is truly making a difference in today’s technology world. Let’s take a closer look.

The Current State of DevSecOps in the Industry

Last month, SD Times looked at what inroads DevSecOps is making throughout the software development industry. They asked the same question we did: is it truly making a difference, considering the never-ending scourge of cyber attacks and similar nefarious behavior? Given the difficulties some organizations encounter when implementing DevOps itself, is it simply too new to have made much impact?

Derek Weeks, vice president and DevOps advocate at Sonatype, echoes that opinion. “I will say I think we’re early on in the DevSecOps movement of practices that are being implemented. I think with the organizations that have attempted to do it, they are seeing early successes and are happy with that. The vast majority of the market has not gotten their feet wet with DevSecOps practices yet,” said Weeks.

When looking at recent tech news, however, it becomes time to quote Spock: “Mr. Scott, speed is of the essence.” The core issue is successfully implementing security within a software engineering organization’s existing DevOps initiatives. If those practices are still emerging, adding the “Sec” to DevOps obviously becomes more difficult.

A Cultural Change is Essential for a DevSecOps Implementation

A successful DevSecOps implementation requires both a cultural shift within the software development shop and buy-in from the executive team. Of course, the same things are necessary for switching to DevOps itself, so a mature DevOps organization will likely find it easier to add security to an existing framework.

Weeks feels security practices need to be embedded in the software development workflow rather than tacked onto the process after the fact. Making information security practitioners gatekeepers instead of collaborators isn’t the best approach; they need empathy for the entire SDLC.

Training software engineers in the proper application of security technology ultimately works better. It fosters the kind of teamwork and collaboration that is the hallmark of DevOps itself, and it gives companies a chance to close their information security skills gap internally.

John Martinez, vice president of customer solutions at Evident.io, commented on the inroads DevSecOps is making at his firm: “I think the DevOps side of DevSecOps has definitely been much faster to respond and I think we’re starting to see, at least on our side, the cross-pollination on the security side where a lot of the agile practices are starting to fit over on the SecOps side.”

Ultimately, DevSecOps is still an emerging practice. However, the importance of implementing it successfully cannot be overstated.

That’s it for this edition of the Betica Blog. Stay tuned for additional insights from the wide world of software development. Thanks for reading!

News from the World of Software Development – April 2017

Here is another edition of our monthly news digest at the Betica Blog. We search for interesting and relevant stories to provide insights to your daily application engineering activities. Last month’s digest is available at this link, if you are interested in checking it out.

With spring in full force in the Northern Hemisphere, hopefully these stories inspire your own software development efforts.

The “Internet of Trains” improving the Efficiency of Railroads

The German company Siemens plans to open a software development center in Atlanta with the goal of making railroading more efficient. Called the Data Analytics and Applications Center, the company’s efforts carry the “Internet of Trains” moniker. News about Siemens’ Atlanta investment was reported in the Atlanta Business Chronicle.

Reducing downtime while increasing the mileage of each train requires increased investment in digital technology, with the hope of modernizing railway infrastructure as well as the trains and boxcars themselves. Siemens is known worldwide for its power transmission and signaling and control technology in the rail industry. Its Internet of Trains effort also focuses on data analytics and predictive software.

The company’s Director of Mobility Delivery Services Gerhard Kress commented on the goals of the project. “We are heading towards next-generation maintenance. It is all about increasing up-time and avoiding unplanned downtime. If we predict incidents early enough we, and our customers, can react accordingly,” said Kress.

Siemens’ work is another example of how data analytics and Web-enabled devices are ushering in an era of innovation in many different industries.

The VA hoping to outsource Modernization of its COBOL Systems

The venerable COBOL language still lurks in many legacy systems in the financial industry and government agencies. The United States Department of Veterans Affairs hopes to finally bring its technology infrastructure into the 21st century and is looking to outsource the reengineering of its application inventory. News about the VA’s planned migration was published earlier in April at FedScoop.

Acting VA CIO Rob Thomas commented on the reasons behind his department’s move away from internal application development. “We’re going full into commercial — we’re going to be doing software-as-a-service, we’re going to be doing platform-as-a-service, infrastructure-as-a-service. We’re getting out of the software development business — it’s not a core competency. I see a future for us where we go digital platform both on the benefits side and the health side,” Thomas explained.

A business opportunity exists for software development shops and SaaS providers hoping to win customers in the government sector. A measure of COBOL knowledge would also help these companies when reverse engineering the existing systems.

Incorporate Design Thinking for Better Software Architecture

This week, Forbes published another article by Scott Stiner, CEO of UM Technologies, discussing how to incorporate design thinking into the software architecture process. We covered Stiner’s approach to Agile software development in last month’s news digest.

Stiner feels design thinking helps quickly create solutions to solve problems while building a superior user experience. “The Design Thinking process also creates a stronger relationship with the client, considering developers will work closely with the client to understand that client’s core customers. The advantages are many in this regard, and they help speed up the overall development process,” said Stiner.

The entire article is filled with useful insights to help your team build better applications that make your customers happy – and satisfied clients lead to more business opportunities.

Keep coming back to the Betica Blog for additional insights and news from the evolving software development world.

PostgreSQL 10 – New Features and Functionality

PostgreSQL remains a popular option for organizations that need a traditional SQL database but don’t want to pay for Oracle. We’ve covered this open source database in the past here on the blog. Companies that want vendor support should also consider a commercial PostgreSQL option such as EnterpriseDB.

With PostgreSQL 10 scheduled for release later this year, many users are undoubtedly curious about the new features and functionality. Let’s take a closer look at the feature set so you can consider either upgrading or using the new version on your next development project.

Improved Query Performance

One of the most important enhancements in PostgreSQL 10 is its faster query executor. The database already benchmarks competitively with Oracle on many workloads, so any additional speed boost is sure to make those comparisons even closer.

Robert Haas, vice president at EnterpriseDB and a major contributor to the PostgreSQL codebase, commented on the technical changes behind the executor’s performance boost. “Hash aggregation has been rewritten to use a more efficient hash table and store narrower tuples in it, and work has also been done to speed up queries that compute multiple aggregates and joins where one side can be proven unique,” said Haas.

Improved parallelism is another enhancement in PostgreSQL 10 aimed at boosting query performance. Haas noted that parallel queries now run two to four times faster in version 10. Index scans can now be parallelized as well, so they are another operation made faster by parallel processing.

The new XMLTABLE function, part of the SQL/XML standard, turns XML documents into relational rows and so improves query processing against data stored internally as XML. It is the one PostgreSQL 10 enhancement aimed squarely at semi-structured data.

Replication is now Better – and Easier

PostgreSQL 10 adds logical replication, which works at the table level; the built-in streaming replication of previous versions copied the entire server cluster, every database on it, at the block level. The new flexibility comes with the bonus of being easier to set up as well. Logical replication is a feature the PostgreSQL community has long anticipated. Two caveats a practitioner should know: it needs `wal_level = logical` on the publisher (a restart), and it replicates row changes only, so DDL and sequence values must be managed by hand on the subscriber.
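Here is an added, constructed example of the publisher and subscriber sides of a logical replication setup; it is not code from the original post or from the PostgreSQL project. The table, role, publication, subscription and host names are assumptions chosen for illustration. The subscriber role is given only the REPLICATION attribute and SELECT on the published table, and the connection string insists on a verified TLS connection, which assumes the publisher is configured for TLS and the subscriber trusts its CA.

```sql
-- Publisher: requires wal_level = logical (restart after changing it), e.g.
--   ALTER SYSTEM SET wal_level = 'logical';

-- Table to publish. A primary key (replica identity) is needed so that
-- UPDATE and DELETE can be replicated, not just INSERT.
CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    customer   text NOT NULL,
    total      numeric(12,2) NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Least-privilege role for the subscriber: REPLICATION attribute plus
-- SELECT on the published table (needed for the initial data copy).
CREATE ROLE repl_user WITH LOGIN REPLICATION PASSWORD 'replace-me';  -- assumed name/password
GRANT SELECT ON orders TO repl_user;

-- Publish only this table; FOR ALL TABLES would expose every table in the database.
CREATE PUBLICATION orders_pub FOR TABLE orders;

-- Subscriber (a separate server/database; CREATE SUBSCRIPTION needs superuser).
-- DDL is not replicated, so the table must already exist with a compatible
-- definition. Sequences are not replicated either, hence plain bigint here.
CREATE TABLE orders (
    id         bigint PRIMARY KEY,
    customer   text NOT NULL,
    total      numeric(12,2) NOT NULL,
    created_at timestamptz NOT NULL
);

-- sslmode=verify-full assumes the publisher serves a certificate the
-- subscriber can validate (hostname is an assumption).
CREATE SUBSCRIPTION orders_sub
    CONNECTION 'host=pub.example.internal dbname=shop user=repl_user password=replace-me sslmode=verify-full'
    PUBLICATION orders_pub;

-- Checks. On the publisher:
SELECT pubname, schemaname, tablename FROM pg_publication_tables WHERE pubname = 'orders_pub';
-- On the subscriber:
SELECT subname, subenabled, subpublications FROM pg_subscription;
SELECT subname, received_lsn, latest_end_lsn FROM pg_stat_subscription;
```

After the initial copy, an INSERT on the publisher appears on the subscriber within the replication lag shown by the two LSN columns. If `pg_stat_subscription` shows no worker row, check the subscriber's log; a failed TLS verification or a missing SELECT grant surfaces there rather than in the CREATE SUBSCRIPTION statement.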

Extended Statistics help with Query Planning

Developers who write complex queries against a PostgreSQL 10 instance gain the benefit of extended statistics that help the query planning process. By default the planner assumes the columns in a WHERE clause are independent, so correlated columns produce row estimates that are badly off. Haas explains the fix in more detail: “If the query planner makes a bad row count estimate resulting in a terrible plan, how do you fix it?  With extended statistics, you can tell the system to gather additional statistics according to parameters that you specify, which may help it get the plan right.”
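The following is an added, self-contained example of the problem Haas describes and the PostgreSQL 10 `CREATE STATISTICS` fix; it is not from the original post. The `customers` table and its perfectly correlated `city`/`zip` data are constructed so the planner's default estimate is visibly wrong.

```sql
-- Constructed data: city and zip are fully correlated (every Atlanta row
-- has zip 30301, every Boston row has zip 02101), 50,000 rows each.
CREATE TABLE customers (
    id   bigserial PRIMARY KEY,
    city text NOT NULL,
    zip  text NOT NULL
);

INSERT INTO customers (city, zip)
SELECT CASE WHEN g % 2 = 0 THEN 'Atlanta' ELSE 'Boston' END,
       CASE WHEN g % 2 = 0 THEN '30301'   ELSE '02101'  END
FROM generate_series(1, 100000) AS g;

ANALYZE customers;

-- Per-column statistics only: the planner multiplies the two selectivities
-- (0.5 * 0.5) and estimates about 25,000 rows. The true count is 50,000.
EXPLAIN SELECT * FROM customers WHERE city = 'Atlanta' AND zip = '30301';

-- PostgreSQL 10: ask for functional-dependency statistics on the column pair.
CREATE STATISTICS customers_city_zip (dependencies) ON city, zip FROM customers;
ANALYZE customers;   -- extended statistics are gathered only by ANALYZE

-- Now the estimate is close to 50,000 rows, so join and sort strategies
-- chosen higher up in a complex plan are sized for the real data volume.
EXPLAIN SELECT * FROM customers WHERE city = 'Atlanta' AND zip = '30301';

-- Inspect what was collected.
SELECT stxname, stxkind, stxdependencies FROM pg_statistic_ext;
```

The other statistics kind available in version 10, `ndistinct`, serves the same purpose for GROUP BY over several columns, where the planner would otherwise multiply the distinct counts. Neither kind is created automatically; you have to know which column combinations your queries filter on.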

Other PostgreSQL 10 Enhancements

Other significant PostgreSQL 10 improvements include declarative partitioning, which lets the server route inserted rows to the right partition itself instead of relying on hand-written trigger code, among other benefits. Support for SCRAM-SHA-256 authentication improves the security of a database instance: with the older md5 method, the stored hash is itself enough to complete a login, so a leaked pg_authid entry can be replayed, whereas a SCRAM verifier cannot. Hash indexes are now WAL-logged, so they survive a crash and are replicated, which finally makes them a practical tool for boosting performance.
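As an added example, not from the original post, here is the sequence a DBA would run to move an instance from md5 to SCRAM-SHA-256 in PostgreSQL 10, including the check that catches the usual mistake: existing md5 hashes are not converted, so every role must have its password set again before SCRAM can be enforced. The role name, password, database and network in the pg_hba.conf line are assumptions.

```sql
-- 1. Hash new passwords with SCRAM-SHA-256 instead of md5. ALTER SYSTEM
--    writes postgresql.auto.conf; editing postgresql.conf works equally well.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- 2. Find roles still carrying md5 verifiers. Each must have its password
--    reset (ALTER ROLE ... PASSWORD) before pg_hba.conf requires scram-sha-256,
--    otherwise those roles are locked out.
SELECT rolname
FROM   pg_authid
WHERE  rolpassword LIKE 'md5%';

-- 3. Create (or reset) a role; the stored verifier is now a SCRAM string,
--    which cannot be replayed as a login credential the way an md5 hash can.
CREATE ROLE app_user WITH LOGIN PASSWORD 'replace-me';   -- assumed role name and password
SELECT rolname, left(rolpassword, 14) AS verifier_prefix  -- shows 'SCRAM-SHA-256$'
FROM   pg_authid
WHERE  rolname = 'app_user';

-- 4. Require SCRAM over TLS for that role in pg_hba.conf, e.g.
--      hostssl  appdb  app_user  10.0.0.0/8  scram-sha-256
--    reload, then confirm the file parsed cleanly with the view new in 10:
SELECT pg_reload_conf();
SELECT line_number, type, database, user_name, address, auth_method, error
FROM   pg_hba_file_rules
ORDER  BY line_number;
```

A non-null `error` column in `pg_hba_file_rules` means that line was ignored, which usually leaves a more permissive earlier rule in effect. Also check your client drivers before flipping the switch: SCRAM needs libpq 10 or a driver that implements it, and a client that only speaks md5 fails to authenticate rather than falling back.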

Just-in-time compilation of queries is a potential future enhancement. PostgreSQL point releases carry only bug fixes, so it would arrive in a later major release; it is expected to add yet another performance boost to any PostgreSQL deployment.

PostgreSQL 10 definitely adds enough new functionality to interest both current users and organizations looking for an alternative to Oracle. While its support for semi-structured data remains limited, it is a traditional SQL database worthy of your interest. EnterpriseDB also offers commercial support for companies still wary of an open source solution.

Keep returning to the Betica Blog for additional dispatches from the software development world. Thanks for reading!