Is DevSecOps making a Difference in Information Security?

It seems nary a week passes without a story about a hacking incident making the evening news. Additionally, many CIOs report a skills gap when it comes to employing experienced information security professionals. As such, the demand for these IT pros is now going through the roof – as are their salaries.

So what about DevSecOps, the cybersecurity-focused variant of the DevOps methodology (or organizational structure, depending on your view)? We’ve talked about it in the past and are wondering if it is truly making a difference in today’s technology world. Let’s take a closer look.

The Current State of DevSecOps in the Industry

Last month, SD Times looked at what inroads DevSecOps is making throughout the software development industry. They asked the same question as us: is it truly making a difference, considering the never-ending scourge of cyber attacks and similar forms of nefarious behavior? Considering the difficulties some organizations encounter when implementing DevOps itself, is it simply too new to make much impact?

Derek Weeks, vice president and DevOps advocate at Sonatype, echoes that opinion. “I will say I think we’re early on in the DevSecOps movement of practices that are being implemented. I think with the organizations that have attempted to do it, they are seeing early successes and are happy with that. The vast majority of the market has not gotten their feet wet with DevSecOps practices yet,” said Weeks.

When looking at the recent tech news, however, it becomes time to quote Spock: “Mr. Scott, speed is of the essence.” The core of the issue involves successfully implementing security within a software engineering organization’s current DevOps initiatives. If those practices are still emerging, obviously adding the “Sec” to DevOps becomes more difficult.

A Cultural Change is Essential for a DevSecOps Implementation

A successful DevSecOps implementation requires both a cultural shift within a software development shop and buy-in from the executive team. Of course, these same things are necessary for switching to DevOps itself. Obviously, a mature DevOps organization will likely find it easier to add security to an existing framework.

Weeks feels security practices need to be actually embedded in the software development workflow, as opposed to tacked onto the process after the fact. Making information security practitioners serve as gatekeepers instead of collaborators isn’t the best approach. They need empathy for the entire SDLC.

Training software engineers in the proper application of cybersecurity technology ultimately works better. This serves to foster the kind of teamwork and collaboration that is the hallmark of DevOps itself. It also provides companies the chance to close their information security skills gap in an internal fashion.

John Martinez, vice president of customer solutions at Evident.io, commented on the inroads DevSecOps is making at his firm: “I think the DevOps side of DevSecOps has definitely been much faster to respond and I think we’re starting to see, at least on our side, the cross-pollination on the security side where a lot of the agile practices are starting to fit over on the SecOps side.”

Ultimately, DevSecOps is still an emerging practice. However, the importance of companies successfully implementing it cannot be overstated.

That’s it for this edition of the Betica Blog. Stay tuned for additional insights from the wide world of software development. Thanks for reading!

Are Developers finally starting to Understand DevOps?


Software developers remain a curious and opinionated bunch. Over the last few decades they have tended to adapt slowly to new methodologies, with DevOps being little exception to this golden rule. A recent survey reveals things are finally beginning to change, as it shows application engineers beginning to actually “get” DevOps.

Of course, we recently wrote about network administrators feeling DevOps is all about the “Dev” in the first place. What follows is an analysis of the survey to see what these changing opinions mean for the process of software engineering. Perhaps you might gain an insight or two to help your own team’s project work?

Survey says DevOps makes Software Development Faster

Most organizations implementing DevOps do so in the hopes of making their software development process faster and more efficient. A survey of software engineers, CTOs, and IT pros by application maker GitLab notes that these wishes appear to be coming true. News about the survey appeared last month on the Developer Tech website.

According to the GitLab study, two-thirds of those polled feel DevOps greatly improves the speed of the software development process. This 65 percent rises to 81 percent when only the opinions of managers are taken into account. 29 percent of those surveyed plan new DevOps investments in the current year.

The best shops using the methodology are able to spend at least half of their workday actually writing code. Changes get deployed on demand. In short, these top organizations are twice as productive as those whose DevOps implementation is either immature or nonexistent.

Challenges to Efficient Application Engineering Remain

In their survey, GitLab highlighted a few challenges to the software development process. Two-thirds of the respondents noted the lack of clear direction on application engineering projects. Slightly over half mentioned the need for rework and unexpected scope creep, while 31 percent felt unrealistic expectations hampered their efforts.

Leveraging automated processes to improve efficiency is a high priority at 60 percent of the surveyed organizations. Around 90 percent of those companies are currently using Agile, DevOps, or a mixture of both. 16 percent are still using the venerable Waterfall methodology for some or all of their development work.

Continuous testing also plays an important role in the ultimate success of any company’s DevOps adoption, a concept highlighted by Razi Siddiqui, SVP and CIO at GCi Technologies. “It’s a key indicator that your DevOps/agile practice is mature, and your QA strategy must take into account that 100% test automation is not practical – nor is it possible,” said Siddiqui.

Sid Sijbrandij, CEO and co-founder of GitLab, commented on their survey conclusions. “The survey reveals software professionals finally see the need for DevOps in their workflow and are beginning to adapt their workstyle in order to make this a reality. Despite the progress in the shift in mindset, current DevOps practices are not cutting it. Instead of a single application that accomplishes the goals of both Dev and Ops, many glue together the tools for the two departments, which has proven to be an ineffective means for collaboration,” said Sijbrandij.

It definitely appears that any enterprise software development not using DevOps runs the risk of being left behind in today’s business landscape. Thanks for reading this edition of the Betica Blog. Keep returning for additional insights on the wide world of software development.

News from the World of Software Development — February 2018


Welcome to this month’s edition of our regular software development news digest. We try to cover a few recent stories of interest to both software engineers and QA professionals. Hopefully, the insights within help foster some ideas to help your own team’s application development efforts.

If you are interested in checking out last month’s digest, simply click on the following link.

Apple actually slowing down its Software Development Process

Given that hardware – the iPhone, iPad, and even the new HomePod smart speaker – drives Apple’s enormous revenue, sometimes we forget they remain one of the largest software development companies in the world. Recently, Cupertino suffered a few highly publicized bugs in its iOS mobile operating system. Perhaps the company approaches the SDLC in too “agile” a fashion?

As such, Apple plans on slowing down the rate at which it releases iOS and macOS updates. The company hopes to increase its focus on stability and bug fixes as opposed to trying to fit a ton of new features into every release. News about Apple’s shifting development cycle appeared this month in ExtremeTech, among other sources.

Major iOS version releases are now expected to take place every other year instead of on an annual basis. Given that the older iPhone battery slowdown “bug” attracted interest from the U.S. Government, it is a smart move for Apple to take a more measured approach to OS releases. It will be interesting to see how well they keep to a more deliberate schedule in a competitive computing industry.

If you want to read more on this topic, check out former Microsoft engineer Steven Sinofsky’s blog entry. Considering Sinofsky’s role in leading Windows OS and Microsoft Office development, his insights are worth your time.

Automated QA Tool Company gets Venture Capital

Giving software engineers the ability to test their code in an automated fashion remains a key part of any Agile or DevOps implementation. A Boston-based startup led by former Stackdriver principals is building an automated testing tool suitable for continuous delivery scenarios. Their nascent product shows promise as evidenced by the $10 million in venture capital awarded to their firm, named Mabl.

News about Mabl’s venture capital success appeared this week in Xconomy. The fact that Mabl’s chiefs, Dan Belcher and Izzy Azeri, sold Stackdriver – a cloud management software company – to Google in 2014 likely helped attract funding for their new venture. In an era where continuous deployment is the Holy Grail for many companies, automated testing is vital.

At the core of Mabl’s tool is a service that operates like a virtual QA engineer. Dan Belcher described the approach of Mabl. “Think of Mabl as an extension to your QA team, like you hired a new QA person. Just as you’d train the person about your app, you train Mabl, and expect [it] to write new tests, new test cases, run tests automatically, and find defects based on an understanding of how the application works,” said Belcher.

The tool leverages machine learning routines to improve its ability to find bugs and even predict their existence. It integrates with Slack as well as other email and messaging tools. If Mabl looks like something your development team needs, explore the information on the company’s website.

That’s it for this edition of the Betica Blog News Digest. As always, thanks for reading!