DevOps can be described as the tools and practices employed to drive the high-velocity deployment of applications. These tools and practices combine software development and IT operations in order to provide continuous delivery of software products without compromising quality. Continuous delivery is the practice of packaging, testing and storing an application unit on every change, so that a release candidate is always ready to be deployed into production.
Crucial to successful DevOps is the achievement of continuous integration. Continuous integration is the process of merging source code from different developers or teams into a single application and then running an automated suite of tests against the result. This integration process runs "continuously": it is either triggered by each code check-in or polls source control at a regular interval.
If continuous integration and continuous delivery are both achieved, every build produces an application unit that has already passed its testing, compliance and validation gates, and is therefore production-ready.
The DevSecOps challenge
At the heart of the DevSecOps challenge lies the desire for speed. There is an increasing need to accelerate time-to-market from a software development point of view. Clients want innovative, scalable solutions that address their business needs, and they want them fast. As a result, many software development frameworks focus on the speed of delivering a product of value to the market and, in doing so, neglect to mitigate the security risks involved. This leads to half-baked security controls in software products, which exposes companies to major security risks. If these risks are not mitigated, they can also lead to penalties for regulatory non-compliance.
DevSecOps means that security and compliance are built in as an integral part of the development framework, so that security is prioritised on an equal footing with speed and agility. Imagine baking a cake, with cocoa powder representing security controls. If a DevSecOps approach is followed, the cocoa powder is mixed into the batter before the cake goes into the oven, as opposed to being sprinkled over the top just before the cake is delivered to the client. The difference? A chocolate cake or a cake with a hint of chocolate. Similarly, a software product built with DevSecOps has security designed in from the start, as opposed to a product that has security features added after the fact.
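As an added example (not code from the original page or from the team it describes), here is a GitHub Actions workflow that puts the two points above into practice: it runs both on check-in (push and pull request) and on a fixed interval (a nightly schedule), and it makes the security checks gating stages that sit beside the unit tests rather than a final step before delivery, so the release artefact is only ever built from code that passed them. The tool choices (pytest, bandit, pip-audit), the `src/` layout and the `requirements.txt` file are assumptions for illustration.

```yaml
name: ci-with-security-gates

# Triggers: on check-in (push / pull request) and on a fixed interval
# (nightly cron). The schedule catches advisories published after the
# last commit, which a check-in-only trigger would miss.
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 2 * * *"

# Least privilege for the workflow token: read-only unless a job opts in.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install pinned dependencies (requirements.txt is assumed)
        run: pip install -r requirements.txt
      - name: Unit tests
        run: python -m pytest -q

  # Security checks are a separate gating job; a finding fails the build
  # exactly like a failing unit test does.
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install scanners (assumed tool choices)
        run: pip install bandit pip-audit
      - name: Static analysis of application source (src/ is assumed)
        run: bandit -r src -ll
      - name: Known-vulnerability check on declared dependencies
        run: pip-audit -r requirements.txt

  # Packaging happens only after both gates pass: the artefact is always
  # ready to deploy, and it is never built from code that failed a check.
  package:
    needs: [test, security]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build the release artefact
        run: pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
```

The `needs: [test, security]` dependency is what makes the cocoa powder part of the batter: a scanner finding blocks packaging rather than being reported on a dashboard after the artefact already exists. `bandit -ll` fails on medium-severity findings and above; tune the threshold and the scanner set to the project rather than copying these values.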
What we deliver
Our DevSecOps team provides leadership, delivers team training, supports continuous DevOps process improvement, and maintains a repository of shared best practices, blueprints and code. Since infrastructure and operations (I&O) resources are not dedicated full-time to a software delivery team, this model is most efficient alongside our standardised set of tools used across all automated delivery pipelines. The DevSecOps team is also responsible for actively promoting the benefits of DevSecOps to the broader IT and development community.
While the integration of tools tied to automation has been the driver for achieving DevSecOps, there are concerns over secure design, governance structures, developer responsibilities and a lack of skills, at a time when applications are increasingly exposed to security breaches. Our development-centric approach to DevSecOps addresses these concerns by spanning engineering, operations and security compliance.
Our DevSecOps practice applies Agile software development principles while embodying several Lean principles. Requirements and solutions are developed through collaboration between self-organising, multi-functional teams. In doing so, we ensure adaptive design, evolutionary development, early delivery and continuous improvement. As a result, we develop processes that facilitate the rapid and flexible deployment of changes to software products.