Doing Agile Right

Doing Agile Right

DevSecOps

DevSecOps

Traditional software life cycles separate development and operations, requiring several manual processes and a handoff between teams that inhibits delivery speed.

DevSecOps speeds up the development cycle for new features and enhancements by broadening the role of the Agile team to the full software life cycle and using automation to speed processes. DevSecOps brings operations and security concerns to bear earlier in the life cycle, and gives teams more responsibility for and ownership of the software’s successful operation (see Figure 1).

Figure 1

A common depiction of a DevSecOps cycle illustrates the concept of continuous delivery

In planning, engineers determine the design of the thing being built and create a picture of the end-to-end development process, including how it will be tested, secured and deployed. Tools are employed to organize each team member’s activities and backlog in real time.

While the coding process doesn’t change much, it is tightly linked with a tool chain, which is a series of selected tools that provide automation throughout the life cycle. The tool chain manages continuous integration and continuous deployment processes. DevSecOps fosters a different coding mindset, asking engineers to think about how code will perform in production—for example, by including performance, security and maintainability considerations during the development phase.

In the traditional life cycle, build is usually semiautomated; in DevSecOps, build is fully automated and kicks off many other steps through the tool chain. Integrating the software and running key integration tests are done early and frequently, which allows teams to detect problems early, greatly reducing their cost and improving delivery speed.

Testing is automated to the greatest extent possible, and it occurs in many places throughout the life cycle, rather than at the end of the development cycle. The automated tests are then reusable for future pieces of code. The testing mindset differs from the traditional life cycle because developers are thinking about test criteria they need to pass before they start work, often employing methodologies such as test-driven development.

In DevSecOps, security is embedded in the life cycle. Security goals are identified during planning; during coding, secure coding practices are employed; during build/test, teams scan for potential vulnerabilities. After deployment, security continues to monitor for potential incidents. Established security guardrails and automated testing ensure the ability to deploy secure code at speed.

One of the key advantages of DevSecOps is that it allows for much quicker and more automated deployment of code to various environments, taking into account differences in configuration. This speed advantage is even more pronounced in a modern microservices architecture, as opposed to a more monolithic one. Of course, you need someplace to deploy to, so DevSecOps generally requires the ability to configure environments on demand.

After deployment, monitoring is a shared responsibility between developers and the DevSecOps team, unlike the traditional life cycle, which has a greater separation between development and operations. Because developers have a shared stake in the stability and performance of their application, the quality of the resulting product is usually higher.