This infographic depicts the rise of DevSecOps. Secrets management is a topical and challenging issue for application development, which is why security is increasingly being embedded in Dev and Ops practices. There is also no shortage of media coverage of why enterprises need to revisit standardization, governance and control within the application estate, not least because of the trend towards cloud migration.
The birth of DevSecOps
To start with, we have seen a huge shift to cloud-native architectures and microservices among our customers. This has accelerated teams’ ability to focus on multiple, smaller components and offers scalability with unparalleled elasticity. This is particularly appealing to organizations as they shift their mindsets from ‘lift-and-shift’ migration to cloud-native applications. As explained by The Register in their recent article charting VMware’s acquisition of Pivotal, there are clear financial and operational benefits to running microservices in containers rather than directly on virtual machines.
Additionally, our customers are growing their multi-team structures. In turn, the business demand for more features is increasing the number of batch changes going into production.
As a result, DevOps teams are more co-dependent, sometimes without even realising the impact their changes have on another team, release or component. So it’s no wonder that enterprises are concerned about vulnerabilities and exposing themselves to risk.
Pros and Cons(iderations) of DevSecOps
In addition to a laser focus on security, there are other business drivers pulling enterprises towards a hybrid cloud infrastructure. Firstly, the commercial pull of cheaper operational costs is highly enticing. Why keep services running on-prem when you can switch to the cloud and save money, free up space and adapt to change more quickly? Yet, the decision is never that easy.
Secondly, you have multi-layer teams operating in different work streams on a myriad of features, applications and environments at any one time. The chaos that ensues is hardly surprising. Understandably, cloud teams hanker after standardization in order to control this knotted mix of interwoven dependencies. On the other hand, the teams on the ground relish autonomy, empowerment and ownership.
In other words, the central consideration for a DevSecOps workflow is how to tighten up existing processes and procedures. With traditional handovers being swapped in favour of agility, enterprises have to consider new methods of maintaining a controlled pipeline.
The 3 stacks of DevSecOps
In a recent white paper, DevSecOps | More than a buzzword, Benny Van de Sompele illustrated the 3 stacks of modern governance of the application estate.
1. Evidence repository
First of all, the evidence repository stack relates to the automation of audit trails. Unlike a simple log or change request tracking, modern DevSecOps calls for intelligent (and automated) gathering of audit trails. In a nutshell, the evidence repository is a full, unalterable log of all config data changes throughout the application estate.
Secondly, once the single-pane view is available in an evidence repository, the next step is to deep-dive into those configuration changes. This calls for smart root-cause analysis of every single config data change through automated reporting. The learnings from these analytics provide robust use cases for DevSecOps. What’s more, the findings can be used to inform machine learning algorithms, which can reduce repeated mistakes.
As above, the knowledge gathered from stacks 1 and 2 puts enterprises on the front foot. A DevSecOps mindset takes proactive steps to ensure encryption, security and validation of config data. That is to say, the intelligence to know which change lies at the root of a problem must be available on tap and with zero effort:
- What changed?
- Who made the change?
- In which environment was the change made?
- To which application, component and feature was it applied?
- What was the reason for the change?
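To make the evidence-repository idea concrete, here is an added example (not code from the white paper or from any product it describes) of a minimal tamper-evident audit trail for config changes. Every entry carries the five questions above as mandatory fields, and each entry's hash covers the previous entry's hash, so editing or deleting a record after the fact breaks the chain and `verify()` reports where. The class name `EvidenceRepository`, the field names and the sample changes are all assumptions constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Hash of the (non-existent) entry before the first one.
GENESIS_HASH = "0" * 64

# The five questions an evidence repository must answer for every change.
# "what" is split into application/component so history can be filtered.
FIELDS = ("what", "who", "environment", "application", "component", "reason")


def _entry_hash(entry: Dict[str, str]) -> str:
    """SHA-256 over a canonical JSON form of the entry body plus prev_hash.

    Canonical serialisation (sorted keys, no whitespace) guarantees that the
    same content always produces the same digest regardless of dict order.
    """
    body = {k: entry[k] for k in FIELDS + ("prev_hash",)}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class EvidenceRepository:
    """Append-only, hash-chained log of configuration data changes (hypothetical)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, **change: str) -> Dict[str, str]:
        """Append one change. Refuses entries that leave any question unanswered."""
        missing = [f for f in FIELDS if not change.get(f)]
        if missing:
            raise ValueError(f"audit entry incomplete, missing: {missing}")
        entry = {f: change[f] for f in FIELDS}
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Walk the chain; return the index of the first inconsistent entry, or None."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != expected_prev or _entry_hash(e) != e["hash"]:
                return i
            expected_prev = e["hash"]
        return None

    def changes_for(self, application: str, environment: Optional[str] = None) -> List[Dict[str, str]]:
        """Root-cause helper: every recorded change to one application, optionally one environment."""
        return [
            e for e in self.entries
            if e["application"] == application
            and (environment is None or e["environment"] == environment)
        ]


def demo() -> Dict[str, object]:
    """Record three constructed sample changes, then simulate after-the-fact tampering."""
    repo = EvidenceRepository()
    repo.record(what="db.pool_size: 20 -> 50", who="alice", environment="prod",
                application="orders-api", component="db-client", reason="CHG-1042 (constructed)")
    repo.record(what="auth.token_ttl: 3600 -> 86400", who="bob", environment="prod",
                application="orders-api", component="auth-middleware", reason="hotfix, no ticket")
    repo.record(what="log.level: INFO -> DEBUG", who="carol", environment="staging",
                application="billing", component="api", reason="CHG-1050 (constructed)")
    intact = repo.verify()                       # None: chain is consistent
    prod_changes = len(repo.changes_for("orders-api", environment="prod"))  # 2
    repo.entries[1]["who"] = "alice"             # someone rewrites history
    tampered_at = repo.verify()                  # 1: the edited entry no longer matches its hash
    return {"intact": intact, "prod_changes": prod_changes, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(demo())
```

A hash chain makes alteration detectable, not impossible: whoever can rewrite the list can also recompute every later hash. In practice the chain head (or periodic checkpoints) is anchored outside the writers' control, for example in write-once storage or a signed, timestamped record, and `verify()` is run against that anchor rather than the repository's own copy.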
Just a buzzword?
The DevSecOps infographic was created from the white paper, DevSecOps | More than a buzzword.