
COVID-19 Creates Urgency for DevSecOps

Dave Kearney, Keith Worfolk and Anjan Chatterjee

Tags: Agile, Covid, DevOps, DevSecOps, Docker, Kubernetes, Security, Software, Thoughts

Mark Zuckerberg has said, “If things aren’t breaking, you’re not moving fast enough. People learn by making mistakes.”  In some regards, this is a guiding principle for agile solution development and DevOps processes.  But moving fast while innovating has its downside as well: it can inadvertently allow outside forces to break or steal your “stuff” – your data, your intellectual property, your applications, or your other assets.  Out in the Internet’s wilds, nefarious operators are continually hoping companies make quick decisions that leave open doors for a host of possible entrances. While I agree with Mark’s sentiment, experience has shown us that the unintended consequences of rapid innovation can make it difficult for our DevOps folks to sleep at night(!).

Of course, COVID-19 is driving an incredible surge in innovations for companies adjusting to the “new normal” and its related opportunities.  Web traffic has skyrocketed by 25% in major cities in the months since the pandemic began[1].  Video conferencing has become the norm, not only for companies but for families trying to stay connected.  This sudden and ongoing spike has left companies that lack a rock-solid DevOps strategy scrambling to meet the new demands of business and the market.  Companies that treated Security as an afterthought, rather than integrating it into their solution DevOps processes, are struggling more than ever just to tread water.

As people flock to new, immature apps, bringing with them an insatiable need for new features and capabilities, the enormous increase in usage and remote access has exposed underlying security concerns hidden in the shadows.  Even before the current crisis, upwards of 90% of companies experienced some kind of Internet security breach, with only 45% being confident that they had stopped the leak.[2]  Zoom experienced well over a 500% increase in usage and, even as a modern software platform, was still not prepared for new security threats.[3]

Communications, project management, strategy, planning, finance, marketing, and engineering are all different when personnel are not in adjacent cubicles, let alone the same building. Is it time to revisit your existing DevOps strategy and better incorporate security aspects (DevSecOps) from the ground up?  Or, if you’re now (re)building your DevOps strategy from scratch, are you doing so with proactively integrated Security?

Making DevOps Better for These Times


Traditionally, software development engineers were separate from the operations folks who provisioned, tested and deployed production software.  Driven by agile enterprises, DevOps now combines software development and operations into collaborative teams so that the creation, delivery, and operations processes for solutions happen more efficiently. 

The benefits of having all of these cross-functional teams communicate directly include the speed of innovation, increased frequency of releases, higher reliability, better scalability, and improved team collaboration.  Continuous Integration / Continuous Deployment (CI/CD) is part of most DevOps strategies and has become a best practice in modern software deployment.  In simple terms, CI/CD provides a process flow that takes newly developed and modified software modules and functionality through an automated cycle of extensive testing and deployment.  Hence, CI/CD has drastically changed the quality, speed, and scalability of software delivery.

Scalability is Necessary for Business Agility

Container technologies like Docker and Kubernetes have drastically improved DevOps engineers’ ability to manage rapid and massive provisioning and deployment of IT solutions.  Scaling application capacity up and down (elasticity) has never been easier. Containers allow companies to place capacity anywhere in the cloud and make it event-driven to meet peak demand while actively optimizing costs.  Meeting cyclical or emergency demand for resources is as simple as requesting (or configuring) the change in capacity.

As the pandemic rocked our business world, companies that had already adopted a scalable architecture saw far less disruption.  But companies that were late to adopt agile approaches (such as DevOps) and to implement cloud and container management systems were in trouble amidst the business panic that ensued. They were forced to make fast and costly last-minute business model and scalability adjustments to meet shifting market needs.

Microservice Architecture is the Engine for Today’s Agile Enterprise

Data requirements for a growing landscape of new disparate containers have increased the demand and deployment of microservice architectures. If you have distributed, scalable computing power, you also need a data architecture that supports this.  Microservices provide single-function modules that securely access selective data sources only as needed with well-defined scalable application programming interfaces.  Enabling the separation of a service’s data from the broader processing of a complex application allows for more agile enterprises.

Open Source Software Still Complements What we Build

Companies cannot possibly move fast enough to be competitive if they are building everything themselves.  A common practice is to incorporate selective open-source software into their builds and any custom development they are doing.  For example, for Node.js developers, why would you write date and time functionality when you are a click away from including the popular library “moment” in your build?[4]
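Being “a click away” from a library is exactly why the inclusion should still be a reviewed decision. As an added example (not code from this post, from npm, or from any tool named here), the script below audits an npm package-lock.json before `npm ci` runs in the pipeline: every third-party package must carry an integrity hash, must resolve from the approved registry, and must be on a reviewed allowlist of exact versions. The lockfile, registry URL and allowlist are constructed for the example; apart from “moment”, the package names are placeholders.

```javascript
// Added example (not code from the post, npm, or any tool the post names):
// a pre-install gate that audits an npm package-lock.json so that pulling in
// open-source packages stays a reviewed decision rather than "a click away".
// The lockfile, registry URL and allowlist below are constructed for this
// example; package names other than "moment" are placeholders.

// Assumption: the team allows packages from exactly one registry.
const APPROVED_REGISTRY = "https://registry.npmjs.org/";

// Constructed allowlist of reviewed package -> set of approved exact versions.
const ALLOWLIST = new Map([
  ["moment", new Set(["2.29.1"])],
  ["example-helper", new Set(["1.0.0"])],
]);

// Constructed lockfile in the npm 7+ layout ("packages" keyed by
// node_modules path). The field names (version, resolved, integrity) are the
// real lockfile fields; the hash values are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/moment": {
      version: "2.29.1",
      resolved: "https://registry.npmjs.org/moment/-/moment-2.29.1.tgz",
      integrity: "sha512-PLACEHOLDER_HASH_1",
    },
    "node_modules/example-helper": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-helper/-/example-helper-1.0.0.tgz",
      // integrity intentionally absent: npm cannot verify this tarball
    },
    "node_modules/unreviewed-lib": {
      version: "0.1.0",
      resolved: "git+ssh://git@example.invalid/unreviewed-lib.git",
      integrity: "sha512-PLACEHOLDER_HASH_2",
    },
  },
};

// The text after the last "node_modules/" is the package name; this keeps
// scoped packages ("@scope/name") and nested installs intact.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one finding per violated rule; an empty array means the lockfile
// may proceed to `npm ci`.
function auditLockfile(lock, allowlist = ALLOWLIST, registry = APPROVED_REGISTRY) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    const version = entry.version;
    // Rule 1: an integrity hash must be present so npm verifies the tarball.
    if (typeof entry.integrity !== "string" || !entry.integrity.startsWith("sha512-")) {
      findings.push({ name, version, rule: "missing-integrity" });
    }
    // Rule 2: the tarball must come from the approved registry, not a git URL or mirror.
    if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(registry)) {
      findings.push({ name, version, rule: "unapproved-source" });
    }
    // Rule 3: the exact name@version pair must have been reviewed.
    const allowed = allowlist.get(name);
    if (!allowed || !allowed.has(version)) {
      findings.push({ name, version, rule: "not-on-allowlist" });
    }
  }
  return findings;
}

// One line per finding for the CI log; failing the build is the caller's decision.
function formatFindings(findings) {
  if (findings.length === 0) return "lockfile audit: OK";
  return findings.map((f) => `lockfile audit: ${f.rule} ${f.name}@${f.version}`).join("\n");
}

console.log(formatFindings(auditLockfile(SAMPLE_LOCK)));
```

Run against the constructed lockfile, the audit reports the helper with no integrity hash and the git-sourced, unreviewed library, while the pinned and reviewed “moment” passes; in a pipeline the build step would fail on any finding, so a new dependency cannot reach the deployable artifact without a reviewer adding it to the allowlist.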

DevSecOps is the Natural and Necessary Evolution from DevOps

The unprecedented need for business flexibility and agility amidst the pandemic market environment comes with unique and growing security challenges.  The new requirements of computing and data anywhere and everywhere will create new contentious relationships between developers and operations, as well as with an organization’s security function (e.g., the Chief Information Security Officer or Security department).  Developers can view security requirements as restrictive or as a disruption to their innovation, while Security can view developers as potentially reckless and a liability to the organization’s assets.

Collaboration between these two previously separate functions, however, is crucial to success today, especially in light of current market adaptability and time-to-market pressures.  The goal of any organization’s new DevSecOps engineers (evolved from DevOps roles) should be to guide and optimize, not to block.  Security should not stifle innovation but rather provide built-in security structure to help developers meet changing and growing business protection challenges.

Security must be a focus built into the solution pipeline from the beginning.  Verizon, for example, has created developer dashboards that integrate vulnerability management with accountability to help drive home the importance of including Security in everyday decisions.[5]  This approach is becoming an industry best practice for DevSecOps processes, no matter the industry.

Tools to Help Establish and Manage DevSecOps


There are increasingly more and better tools to assist in integrating Security into the software build cycle.  Adding a policy engine that grants role-based permissions can provide a distributed means of guaranteeing who sees what and when.  A policy engine can also detect malware and other nefarious players on developer, testing, and deployment machines.  Many companies, like Mulesoft, IBM, and Scalr, provide commercial policy engines that incorporate and enforce enterprise business rules.  Other software development tools like Krugle[6] can help with code security analysis.  Incorporating Krugle into a build gives it the ability to examine not only your internal code but also the open-source code your organization uses.
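To make “who sees what and when” concrete, here is an added example of a minimal role-based policy engine. It is not code from this post or from Mulesoft, IBM, Scalr or Krugle; the roles, resource names, deployment window and user names are constructed. Subjects hold roles, roles hold grants of (action, resource pattern), a grant may carry a UTC time window, the default is deny, and every decision is appended to an audit log so a dashboard can attribute access to a person and a role.

```javascript
// Added example (not code from the post or from any vendor it names): a
// minimal role-based policy engine illustrating "who sees what and when".
// Roles, resources, windows and user names below are constructed.

// Resource patterns are either an exact string or a prefix ending in "*".
// Constructed policy: production secrets are readable only inside a
// deployment window, expressed in UTC hours [startHour, endHour).
const POLICY = {
  developer: [
    { action: "read", resource: "repo:*" },
    { action: "write", resource: "repo:*" },
    { action: "read", resource: "secrets:staging/*" },
  ],
  releaseEngineer: [
    { action: "read", resource: "secrets:prod/*", window: { startHour: 9, endHour: 17 } },
    { action: "deploy", resource: "env:prod", window: { startHour: 9, endHour: 17 } },
  ],
  auditor: [{ action: "read", resource: "*" }],
};

// Append-only record of every decision, allowed or denied, for accountability.
const decisionLog = [];

function matchesResource(pattern, resource) {
  if (pattern.endsWith("*")) return resource.startsWith(pattern.slice(0, -1));
  return pattern === resource;
}

function inWindow(window, at) {
  if (!window) return true; // unconditional grant
  const hour = at.getUTCHours();
  return hour >= window.startHour && hour < window.endHour;
}

// Deny by default. Any in-window grant from any of the subject's roles
// allows; a grant that matches only outside its window yields an explicit
// "outside window" denial so the reason is visible in the log.
function authorize(subject, action, resource, at, policy = POLICY) {
  const matching = [];
  for (const role of subject.roles) {
    for (const grant of policy[role] || []) {
      if (grant.action === action && matchesResource(grant.resource, resource)) {
        matching.push({ role, grant });
      }
    }
  }
  const live = matching.find((m) => inWindow(m.grant.window, at));
  let decision;
  if (live) {
    decision = { allowed: true, reason: `role ${live.role} grants ${action} on ${live.grant.resource}` };
  } else if (matching.length > 0) {
    // Every matching grant has a window here, otherwise `live` would be set.
    const w = matching[0].grant.window;
    decision = { allowed: false, reason: `grant exists but outside window ${w.startHour}-${w.endHour} UTC` };
  } else {
    decision = { allowed: false, reason: "no matching grant (default deny)" };
  }
  decisionLog.push({ at: at.toISOString(), user: subject.user, action, resource, ...decision });
  return decision;
}

// Constructed subjects and timestamps for a quick demonstration.
const dev = { user: "dev-placeholder", roles: ["developer"] };
const rel = { user: "release-placeholder", roles: ["releaseEngineer"] };
const duringWindow = new Date(Date.UTC(2020, 5, 18, 10, 0, 0));
const afterHours = new Date(Date.UTC(2020, 5, 18, 3, 0, 0));

console.log(authorize(dev, "read", "repo:payments", duringWindow));
console.log(authorize(dev, "read", "secrets:prod/db", duringWindow));
console.log(authorize(rel, "read", "secrets:prod/db", duringWindow));
console.log(authorize(rel, "read", "secrets:prod/db", afterHours));
console.log(decisionLog.length, "decisions logged");
```

The design choice worth noting is that the engine distinguishes “no grant” from “grant exists but outside its window”: both are denials, but the second is the one an on-call engineer or a dashboard needs to see, because it signals a legitimate role being used at an unexpected time rather than a missing permission.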

Conclusion

A deep, trusted collaboration between developers, Security, and operations can have an enormously positive impact on the overall quality and Security of a fast-growing or fast-changing organization.  Integrating DevSecOps into the culture and processes of your company can have long-lasting benefits with little impact on the pace of innovation if done right.  Incorporating security tools for building, testing, and deploying solutions as part of expected daily practices will embed these ideas into the organization’s culture, rather than have personnel view them as an add-on that could break and cause contention.  Done well, the solution innovation pipeline will be as agile as ever while proactively addressing security concerns with your DevSecOps strategy.


[1] “Why the coronavirus lockdown is making the internet stronger ….” 7 Apr. 2020, https://www.technologyreview.com/2020/04/07/998552/why-the-coronavirus-lockdown-is-making-the-internet-better-than-ever/.

[2] “Time to Move from DevOps to DevSecOps, Finds Latest CIO ….” 12 Oct. 2019, https://aithority.com/ait-featured-posts/time-to-move-from-devops-to-devsecops-finds-latest-cio-survey/.

[3] “Zoom CEO admits ‘missteps,’ wants company to … – CIO Dive.” 6 Apr. 2020, https://www.ciodive.com/news/zoom-ceo-security-privacy-concerns/575505/.

[4] “moment – npm.” 18 Jun. 2020, https://www.npmjs.com/package/moment.

[5] “3 DevSecOps success stories | CSO Online.” 26 Sep. 2019, https://www.csoonline.com/article/3439737/3-devsecops-success-stories.html.

[6] “Home | krugle – software development productivity.” https://www.krugle.com/.


Dave has been building and scaling companies for 20+ years—driving performance through business-aligned technology strategy, product innovation, and data integration. As a CEO, CTO, and entrepreneur, he is skilled in solving real-world problems for startups through Fortune 500 organizations. He empowers teams to deliver robust, scalable infrastructures, and powerful solutions that automate processes, improve performance outcomes, and set the stage for exponential growth.

You can reach Dave at his website: https://seamless.partners.


Keith Worfolk is an experienced CTO and innovation expert with strong technical vision, international success, and a record of delivering transformational enterprise solutions, software products, information systems, cloud platforms, big data pipelines, and BI / analytics architectures. Keith has 25 years of IT experience and is an expert in cloud and software engineering, enterprise architecture, and cybersecurity. He led technology organizations at IBM, KPMG, BearingPoint, Hitachi, and IHS Global; and served in CTO roles at Interlink Group / EMC, DTI, HomeSphere, PeopleCare, and Zephyr Boating.

Keith has a Computer Science degree from the University of Colorado, a Master’s degree in CIS from the University of Denver, and an Executive MBA from Duke University. He also has industry certifications as a CISSP and CEH cybersecurity professional; and as a Certified Healthcare CIO. He has been published in multiple IT and cloud computing journals as well as an enterprise architecture book.


Anjan has been part of technology services for over 17 years and has been instrumental in delivering large scale enterprise applications. As a thought leader, he has been operating in the cross-section of technology and business and has been successful in bringing innovation within technology for solving business problems. Currently leading the digital transformation and intelligent automation initiatives at V2solutions, his focus is to deliver business value with the smart choice of technologies building scale, automation, and efficiency.

Reach out to Anjan at https://v2solutions.com.