All about DevOps and DevSecOps

 

Introduction

What is DevOps?

DevOps is the application of Agile principles to the entire delivery service, in a collaborative way, impacting culture and technology, and it helps to break down the traditional barriers that exist between development, testing and operations. DevOps does have integral components at its core, like delivery pipeline automation, configuration management, regular code integration, automated monitoring/health checks, and Infrastructure as Code.

The three buzzwords in DevOps are Automate, Secure and Govern! It’s more about how we are delivering software products than about what we are going to deliver and with what resources and tools. DevOps needs to be applied and realized cumulatively through the use of tools, principles, practice and methodology. With the emergence of cloud comes the ability to get things to the target environment faster, and thereby to the customer faster, by leveraging the cloud’s power.

What is DevSecOps?

DevSecOps, which stands for Development, Security, and Operations, is an extension of DevOps. Including security as an integral part of the entire app life cycle is DevSecOps. It is about built-in security, not security that functions around apps, data and infrastructure. DevSecOps integrates security through automation of every phase of the SDLC, from initial design through integration, testing, deployment, and delivery.

 

The Current Industry

As we know, DevOps adoption is growing at an immense speed. IDC predicts the global DevOps software market to reach $6.6 billion in 2022. The forces driving DevOps adoption include business investments in innovation and the adoption of collaborative and automated application development and operational processes integrated with security. As Maurice Kherlakian says, “A phased approach to Continuous Delivery is not only preferable, it's infinitely more manageable.”

Skilled people are the heart of the DevOps initiative, not tools. In an organization, a DevOps evangelist or a technology practice leader plays a critical role in ensuring business benefits in terms of positive impact on ROI.

Here are some of the best practices in DevOps adoption:

  1. Communicating the organizational goals for initiating a DevOps practice to all internal stakeholders
  2. Uplifting and motivating collaborative working
  3. Encouraging customer-centric development practices
  4. Starting with baby steps to change the culture/mindset, and not boiling the ocean
  5. Hyper-automating wherever possible
  6. Identifying well-connected/compatible DevOps tools based on current customer needs and progressive evolution
  7. Defining performance reviews for teams and individuals
  8. Ensuring real-time visibility into projects
  9. Enabling Continuous Integration and Continuous Delivery
  10. Achieving better results with monitoring and feedback

Identifying a well-connected/compatible DevOps toolset is like realizing 50% success in DevOps adoption. There are some very good tools available in the market that help organizations embrace DevOps. Some of the curated tools are:

  1. Git: A free and open-source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.
  2. Gradle: A build automation tool for multi-language software development. It controls the development process in tasks from compilation and packaging to testing, deployment, and publishing.
  3. Selenium: An open-source tool aimed at supporting web browser automation. It provides a playback tool for authoring functional tests without the need to learn a test scripting language (Selenium IDE).
  4. Jenkins: An open-source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.
  5. Puppet: A configuration management tool that helps to automate infrastructure management and configuration. It is a very powerful tool that supports the concept of Infrastructure as Code.
  6. Chef: An automation and Configuration Management (CM) tool that lets you automate processes and tasks across numerous servers and other devices of an organization in simple steps. It helps accelerate application delivery and DevOps collaboration.
  7. Docker: A container management service. Docker lets developers easily develop applications and ship them in containers, which can then be deployed anywhere.
  8. Kubernetes: A container orchestration platform for scheduling and automating the deployment, management, and scaling of containerized applications.
  9. Ansible: An open-source software provisioning, configuration management, and application-deployment tool enabling Infrastructure as Code.
  10. eG Enterprise: A continuous monitoring tool that allows tracking application performance in the context of code changes to understand how they impact performance.
  11. Datadog: Provides a complete monitoring solution so that you have full visibility as you transform or adopt your DevOps culture.
  12. Vagrant: One of the best DevOps tools; it allows building and managing virtual machine environments in a single workflow.
  13. Snort: A very powerful open-source DevOps tool that helps in the detection of intruders.
  14. New Relic APM: One of the leading application monitoring tools. With it, you have real-time and trending data about performance for your web apps and processes (non-web apps).

Bird's-eye view of current best practices of DevSecOps:

  1. Highlighting the importance of security needs across all teams; it is not the sole responsibility of the security team
  2. Harmonizing the security mindset across teams
  3. Enlightening the team that building security along with development activities is no extra work
  4. Entitling the team to make collective decisions on how to implement the security controls
  5. Collaboration of AppSec and InfraSec teams
  6. Sharing security controls with QA and testing teams to help them write more effective security test cases
  7. Integrating with the development of CI and CD environments

The current DevSecOps tools integrate easily into the DevOps cycle, execute quickly, and provide intelligence on how to fix the vulnerabilities that were uncovered.

A comprehensive security strategy can also be established with static (SAST), dynamic (DAST), interactive (IAST), or post-deployment (RASP) security testing tools.

Some of the available DevSecOps Tools:

  1. IriusRisk is a tool that allows the creation of threat models using a questionnaire-based system. Based on the information provided, it generates a model along with a list of potential security risks and recommended fixes.
  2. Immun.io is a RASP solution that is deployed within an application. The tool focuses on possible exploitations with real-time monitoring and protection.
  3. Aqua specializes in the security of applications in containers and their infrastructures and focuses on vulnerabilities related to application images and network access.
  4. Checkmarx’s Software Exposure Platform is a five-piece system designed to cover the entire development lifecycle.
  5. ThreatModeler is a tool for automating threat models that is available for use in public or private clouds.
  6. Veracode solutions were built specifically for DevSecOps purposes and include four main tools: SAST, Greenlight, SCA and DAST.

Future Trends

DevOps and IT operations at large are constantly evolving, as there is always a need to keep up with trends and leverage their benefits. Specific parts of DevOps are merging with various technological innovations like machine learning and AI. Keeping a check on these trends is key to evolving an organization’s DevOps practices.

As global organizations move towards Kubernetes, serverless and Docker along with niche cloud technologies, security will remain of paramount importance. It’s going to be an implied part of DevOps. DevSecOps is going to change the landscape of the business. As per IDC analysis, more than 60% of new solutions/apps will have DevSecOps as an integral part.

Some of the welcome trends are:

  1. AgileOps to be used extensively for Agile Application Delivery
  2. Companies will go for multiple approaches from design to deployment
  3. Migrating to microservices will become inevitable
  4. Infrastructure as Code (IaC) will bloom
  5. Serverless architecture will be the next buzz phrase
  6. Hyper-automation of DevOps processes
  7. DevSecOps will be the new norm in DevOps
  8. Increase in implementation of AIOps
  9. GitOps will be initiated
  10. Infrastructure Automation (IA) will gradually rule
  11. Chaos Engineering will become a regular testing technique
  12. DataOps will see an exponential growth
  13. Kubernetes-enabled DevOps pipelines will be implemented

 

About Encora

We at Encora have built in capabilities through dedicated verticals for DevOps Technology Practices/COEs, which drive our DevOps practices and implementations globally through common practices.

Encora, as a customer-centric organization, is also a continuous learning community around emerging DevOps practices, raising the bar by building the competency to meet customer and business needs.

We have successfully orchestrated DevOps-enabled migrations using cutting-edge cloud capabilities for some of our niche customers, thereby delivering business value.

 
