Making the Transition from DevOps to DevSecOps


Across all sectors, organisations have rapidly accelerated their application development over the past three years to respond to the constantly evolving needs of customers and employees and to deliver ever more personalised and intuitive digital experiences. Technologists have taken advantage of cloud-native technologies and low-code and no-code platforms to accelerate release velocity and build more dynamic applications across more platforms.

But for DevOps teams, the accelerated shift to modern application environments is creating tremendous challenges. Managing availability and performance across cloud-native applications, landscapes, and architectures is incredibly complex. IT teams are being bombarded by huge volumes of data coming at them from these highly dynamic environments, and they simply don’t have the right tools, insights and processes to get to grips with this challenge.

It is important for DevOps teams to act decisively to ensure they are able to operate effectively and continue to progress their organisations’ cloud migration strategies. And this will require cultural change—encompassing new processes, structures, approaches, tools, and technologies—to optimise application performance in multi-cloud and hybrid environments and prioritise their actions based on business impact.

The need for unified visibility

For about three years now, DevOps teams have had to adapt ad-hoc as organisations have accelerated digital transformation and, in particular, increased their adoption of cloud-native technologies. And most DevOps teams have managed to strike a balance between supporting and facilitating rapid release velocity and managing and optimising application availability and performance. This has been central to the ability of organisations to react quickly to changing market conditions and to meet heightened customer expectations for brilliant, seamless digital experiences at all times.

DevOps teams have been instrumental in combining code, application maintenance and application management to enable organisations to deliver innovative, robust, and resilient applications quickly.

But as anybody who has worked within or alongside DevOps engineers in recent times can attest, the last few years have seen DevOps teams operating under intense and unrelenting pressure. And much of this pressure has been caused by the shift to cloud-native technologies, with DevOps teams having limited visibility and insights into multi-cloud and hybrid environments. 

In many organisations, IT teams are still relying on multiple disparate monitoring tools to manage performance across their IT estate. But traditional monitoring solutions are unable to cope with the dynamic and volatile nature of cloud-native environments. These highly distributed systems rely on thousands of containers, producing a massive volume of metrics, events, logs, and traces (MELT) every second. IT teams don’t have a way to cut through this data noise when troubleshooting application performance problems caused by infrastructure-related issues that span across multi-cloud or hybrid environments. And they don’t have unified visibility across what is increasingly a sprawling and fragmented IT estate. 

In response to this spiralling complexity, technologists need visibility across the application level, into the supporting digital services (such as Kubernetes), and into the underlying infrastructure-as-code (IaC) services (such as compute, server, database, network) that they’re leveraging from their cloud providers. This is essential for DevOps engineers to understand how their applications are truly performing.

DevOps teams, therefore, require a platform that allows them to observe distributed and dynamic cloud-native applications at scale; a solution that embraces open standards, particularly OpenTelemetry, and that leverages AIOps and business intelligence to speed up the identification and resolution of issues. Crucially, DevOps engineers need to be able to correlate IT performance data with business metrics to prioritise actions based on business outcomes and validate their organisations’ investments in cloud-native technologies.

Achieving success in cloud-native environments hinges on a DevSecOps approach to application development

The shift to cloud-native technologies has laid bare the need for greater collaboration between the various factions in the IT department. Despite the progress delivered by DevOps methodologies over recent years, many IT departments continue to be held back by siloed teams, processes and data.

Significantly, the move to cloud-native technologies highlights that security teams can no longer operate in a silo within the IT department; security needs to be integrated into the application lifecycle from the beginning. 

This is because organisations have shifted to modern application stacks and seen a sudden expansion in their attack surfaces. Widespread adoption of multi-cloud and hybrid environments means that application components are now running on a mix of cloud platforms and on-premises databases, and this is exposing visibility gaps and heightening the risk of a security event. The potential consequences are catastrophic for both the customer experience and the bottom line.

According to recent research from Cisco AppDynamics, The Shift to a Security Approach for the Full Application Stack, only 24% of technologists claimed that collaboration between ITOps and security teams currently takes place on an ongoing basis. Many DevOps and security teams operate entirely in silos. Developers often don’t seek out input from security colleagues because they fear it will slow release velocity. They only collaborate when a potential issue is identified — which is often too late to prevent it from impacting end users.

It is incumbent on DevOps teams to use their skills in team empowerment, communication and collaboration to tackle this challenge and bring about closer alignment between development, operations and security teams. 

DevSecOps brings together ITOps and SecOps teams to incorporate application security and compliance testing into every stage of the application lifecycle, from planning to shipping. By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management before, during and after release.

IT departments can avoid the current situation where security vulnerabilities are only addressed at the last minute before launch or identified after the application has already been released. By incorporating security testing from the outset of the development process, security teams can analyse and assess security risks and priorities during planning phases to lay the foundation for smooth development. 

What is interesting is that rather than being resistant to this change, most DevOps engineers — 76% according to the Cisco AppDynamics research I quoted earlier — acknowledge that a DevSecOps approach is now essential for organisations to effectively protect against a multistage security attack on the full application stack. 

Furthermore, on a personal level, DevOps engineers recognise that the move to DevSecOps provides them with the opportunity to expand their skills and knowledge and to become more well-rounded IT professionals. For DevOps, the pivot to DevSecOps is the natural progression from the incredible work that they have been doing over the past few years. It is critical that organisations now provide IT teams with the right tools, insights, and skills to make the transition seamless.