DevOps and DevSecOps: What are they and could either play a part in your business?

Authors: Allen Fairchild, Greater Manchester Cyber Foundry Analyst Developer Team Leader, University of Salford; Ruth Macarthy, PhD Researcher, University of Salford; Julian M. Bass, Head, Computer Science and Software Engineering at University of Salford

Let’s begin with the acronyms: DevOps stands for Development and Operations whereas the newer DevSecOps stands for Development, Security and Operations – notice the subtle difference.

Both are methodologies or practices born out of software development, and DevSecOps is actually an evolution of DevOps.

DevOps

Accelerating application delivery and increasing agility are major goals in modern software development. The demand for technology products continues to rise, and IT-affiliated businesses must adapt faster to newer ways of working. Companies are under pressure to remain relevant in a competitive business environment and meet dynamic market demands. Organisations aim to reduce errors and downtime while delivering high-quality products to their customers in record time.

This is what DevOps can offer to your business. DevOps is the harmonisation of people and technology in a manner that provides a seamless flow of value from the development of ideas to useful software applications in the hands of consumers. This is made possible by embracing automation along the delivery value chain, increasing visibility of processes and products, and better collaboration among the various stakeholders.

DevOps is fast becoming an integral part of enterprise IT. It is both a cultural and a technological shift, demanding changes to organisational mindset, IT infrastructure, and operational model. Essentially, DevOps bridges the gaps between organisational silos (developers, IT operations, testers, quality assurance, etc.) and encourages unrestricted communication flow between them.

DevOps is built on the principles of waste reduction and continuous feedback. This creates the right environment for improved agility and reflects positively on cost and profit. Organisations that embrace DevOps see significantly higher performance in delivery time and in restoration to an error-free state, and experience lower failure rates.

There is no single way of implementing DevOps in an organisation. Some organisations focus on fostering better collaboration between various software development teams. Others rely heavily on technology and automation to create continuous pipelines for collaborative software development and deployment.

From a technical perspective, common DevOps approaches include three main technology sets:

  • Version control tools and repositories,
  • Continuous integration and continuous deployment pipeline tools, and
  • Containerisation tools for encapsulating deployment run-time environments along with operating system and other dependencies.

Version control

Version control tools keep records of changes made to software source code and support code sharing and integration within the team. In a DevOps context, version control tools are used for triggering a continuous integration and continuous deployment pipeline. When code is committed, a sequence of automated tests can be launched to provide quality assurance of the source code. Git is an almost ubiquitous version control tool that uses distributed file storage.

Continuous integration and continuous deployment pipeline tools

Popular continuous integration and continuous deployment pipeline tools include Jenkins, Puppet Enterprise and Azure Pipelines from Microsoft. The pipeline tools are used to manage the suite of automated tests run on the source code. The pipeline tools make it easy to add new tests and adjust the sequence of tests performed.

Containerisation tools

Containerisation tools are used for encapsulating deployment run-time environments. Popular software tools include Docker, for encapsulating a run-time environment and all its dependencies, while Kubernetes is emerging as a platform for orchestrating services deployed using multiple Docker containers. In considering DevOps adoption, organisations have to rethink their way of operation and relate the principles of DevOps to their context.

DevSecOps

You may have noticed that DevOps makes no mention of the word security. This doesn’t necessarily mean that organisations using a DevOps methodology wouldn’t be considering security; however, it would likely be considered towards the end of a development cycle and often actioned by a different team. Contrary to this, in a DevSecOps approach security is considered throughout the process, right from the design phase, and before a single line of code is even written. DevSecOps (referred to by some as rugged DevOps) is a practice which engrains security from the very outset, continues to integrate it throughout the development cycle, and drives a mindset in which all stakeholders are responsible for it. This is where the difference lies.

A DevSecOps workflow would be tailored to the requirements of a business and utilise the same three technology sets from DevOps. However, it would also likely employ secure-by-design techniques and integrate additional stages into the development cycle including:

  • automated vulnerability scanning and patching (inclusive of all dependencies),
  • code audits and security testing,
  • penetration testing.
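
As an added illustration (not code from the article's authors), the Python sketch below shows what the first of these stages can look like as a pipeline gate: it walks every direct and transitive dependency of an application, compares pinned versions against an advisory list, and returns a non-zero exit code so the pipeline blocks deployment. The package names, versions and advisory identifiers are constructed placeholders.

```python
from collections import deque

# Constructed sample lockfile: package -> (pinned version, direct dependencies).
LOCKFILE = {
    "webapp": ("1.0.0", ["httpclient", "templating"]),
    "httpclient": ("2.3.1", ["tlslib"]),
    "templating": ("0.9.4", []),
    "tlslib": ("1.1.0", []),
}
# Constructed advisories: package -> (placeholder id, first fixed version).
ADVISORIES = {
    "tlslib": ("EXAMPLE-ADVISORY-0001", "1.1.2"),
    "templating": ("EXAMPLE-ADVISORY-0002", "0.9.0"),
}

def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def scan(root, lockfile, advisories):
    """Check root and every direct and transitive dependency, breadth first.
    Each finding records the path that pulled the vulnerable package in.
    """
    findings, seen = [], {root}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        version, deps = lockfile[name]
        advisory_id, fixed_in = advisories.get(name, (None, None))
        if advisory_id and parse_version(version) < parse_version(fixed_in):
            findings.append({"package": name, "version": version,
                             "advisory": advisory_id, "fixed_in": fixed_in,
                             "path": " > ".join(path)})
        for dep in deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings

def gate(root, lockfile=LOCKFILE, advisories=ADVISORIES):
    """Pipeline exit code: 0 lets the build continue, 1 blocks deployment."""
    findings = scan(root, lockfile, advisories)
    for f in findings:
        print(f"BLOCK {f['package']} {f['version']} ({f['advisory']}), "
              f"fixed in {f['fixed_in']}, via {f['path']}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate("webapp"))
```

Here the vulnerable package is never named by the application itself; it arrives through a direct dependency, which is why the scan has to cover all dependencies rather than only the ones the team chose.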

To summarise: within DevSecOps, as opposed to DevOps, security is no longer a bolt-on or an afterthought but engrained in the organisation’s ethos and practised throughout the development cycle.

Useful for your business?

If your business develops software and doesn’t use DevSecOps then it’s likely to benefit from adopting it. However, expect some pushback to the adoption and the cultural changes that are required.

Further reading

https://www.devsecops.org/

https://www.ibm.com/uk-en/cloud/learn/devsecops