Through the lens of data presented by the 2019 State of DevOps report, this article analyzes the relationship between speed, security, and DevOps.
The adoption of DevOps by global enterprises has spiked in the last three years. While many companies have succeeded in delivering software at breakneck speed, keeping security in line with industry standards has been a pressing concern for all of them.
But why is this the case?
Traditionally, in the waterfall model, security activities for new software started just before or after the day of deployment. This caused no problem because the delivery cycle itself was a quarter-long activity. But with DevOps, where lead time is reduced to days and delivery throughput has increased (at least 10-100 deployments per day), security and compliance teams find it hard to keep up with the pace.
There are two outcomes:
Security is essential but not a priority: Software features are seen as a competitive differentiator among enterprises. Security is seen merely as a guardrail or a practice that usually takes a long time to complete, and hence is not prioritized.
Time to market is a priority: With increasing pressure to deploy new features that unlock new business opportunities, it is natural to accept risk and ship the feature with non-crippling bugs.
Everyone forgets: (this is my favorite) During my development days, there were a few instances when I wrote code that fulfilled just an immediate requirement but had a fair chance of mushrooming into new functional issues. That code was shipped to production with the thought that the defects would be fixed later. Unfortunately, everyone forgot, which resulted in technical debt.
Less guidance: Only a few vendors in the market offer expertise and solutions for secure, continuous delivery.
The DevOps process runs like a high-speed engine, and stopping it again and again for security checks is ineffective. It is therefore sensible to embed security into DevOps processes and ensure the software is safe and secure in real time. This idea is called DevSecOps.
DevSecOps can assure organizations that the software and services they ship to production are trusted. The practice secures applications and infrastructure from the beginning and, by using automation, keeps the DevOps workflow from slowing down.
Let us understand the security types and how they can be integrated into DevOps.
There are three types of security concerns (as defined in the 2019 State of DevOps report): Vulnerability Risks Avoidance, Policy Controls & Countermeasures, and Audit and Traceability. They play a significant role in driving down business risk during software delivery.