DevOps (a portmanteau of development and operations) is a range of tools and unique cultural philosophies that focuses on helping organizations streamline software or application release cycles to further improve their quality, security, and scalability. The concept of DevOps was introduced in 2008 by Patrick Debois. For Debois, who was then a system administrator, DevOps reflected the need to straddle the outputs of the application development team and the infrastructures — such as servers, databases, and networks — managed by the operations team.
Information technology (IT) teams involved in developing, testing, deploying, and monitoring applications are historically siloed. This means that their roles and functions are clearly delineated and fragmented. DevOps seeks to break the barriers between these various IT teams and streamline their practices into cohesive initiatives.
Figure 1. Integration of people, process, and technology as embodied by DevOps
What makes DevOps different from other approaches?
A concrete example of DevOps at work is how it’s adopted in the financial services industry. A bank’s stakeholders and developers, for instance, will first plan and design a web application that the bank’s customers will use. Developers will then write the code needed for the application’s functions to operate, such as the login form and account management interface. Quality assurance engineers will test the application’s security. It is then released to customers. Operations professionals will then monitor for feedback, to further improve customer experience by adding more functions to the application or patching vulnerabilities. The application will go back to planning until the updates are deployed.
In traditionally siloed environments, the application that developers create is passed to an administrator, who, after testing and deploying the application, dispatches it to the operations team. This raises barriers, as the team would tend to focus only on its demarcated roles. A developer, for instance, may overlook security as he focuses on ensuring that the application’s functions work. An operations professional who wants to release and deploy the application as fast as possible may also neglect to check the security or integrity of the application’s underlying mechanisms and infrastructures that system administrators are tasked to protect.
The separation between the teams involved can create friction and, ultimately, bottlenecks in the application’s development life cycle. DevOps seeks to get rid of these complications by bringing all these teams together under an optimized and iterative process, focusing on the ability to deliver applications faster through automation.
Figure 2. Key elements in building a successful DevOps strategy
What is driving organizations to adopt DevOps?
In 2017, 50 percent of organizations were already implementing DevOps, according to a report by Forrester. DevOps, as both toolset and mindset, embodies the following concepts that organizations adopt to address pain points in their workflows.
Agility. Reduce time to market by unblocking bottlenecks in the development pipeline, enabling companies to respond to an ever-changing and competitive market. DevOps helps avoid wasted time and resources on reworking application builds by integrating security and compliance teams in the development pipeline.
Continuity. Prevent business disruptions by sustaining the speed at which applications are deployed while also ensuring their quality.
Collaboration. Underscore accountability, reduce costs, and further secure applications by bringing tools and teams together, regardless if their workflows are under traditional, virtual, or cloud environments.
Automation. Standardize the processes behind applications and their underlying infrastructures. This minimizes errors and ensures consistency across each stage in the development pipeline. DevOps’ emphasis on automation helps businesses avoid failures in meeting time-to-market deadlines due to roadblocks in the development processes.
Adaptability. Ensure that there are no incompatibilities in tools and practices, and minimize the complexity in building and deploying applications across data centers and virtual and cloud environments. DevOps provides adaptability needed for applications to run on different platforms.
Figure 3. Incorporating security in DevOps
How does security figure into DevOps?
DevOps isn’t just about ensuring agile, flexible, and scalable software delivery cycles. Securing applications pre-runtime and safeguarding their underlying infrastructures are imperative in the mitigation of risks brought about by ever-evolving and disruptive threats.
For businesses, adopting DevOps entails the “shared responsibility” of creating secure and compliant applications throughout their life cycles. Beyond regulations, enterprises must also consider the risks posed by unsecure applications, such as to stored data and to the users who access them. To this end, 59 percent of organizations reported increased collaboration between information security professionals and DevOps teams, according to a 2017 survey by Gartner.
That baking security in slows down the development process of an application is a myth. Here’s why security matters in DevOps:
DevOps helps the development and operations teams gain further visibility into the application’s life cycle to better monitor, track, and configure the application at every stage of its development and deployment.
DevOps empowers the teams to identify security gaps and misconfigurations early in the development stage to avoid unnecessary work and prevent releasing vulnerable software. Eliminating superfluous work further speeds up releases and ultimately reduces costs.
DevOps encourages the teams to improve responsiveness to breaches or vulnerabilities through actionable threat intelligence — and to ultimately protect the business’ reputation and bottom line.
Is DevOps any different from DevSecOps?
DevSecOps (a combination of development, security, and operations) can be considered a tangible form of DevOps where security is also at the forefront.
Gartner projects that 70 percent of DevSecOps-related initiatives in 2019 will integrate automated security for open-source and commercial applications. Indeed, agility and security should not be mutually exclusive. Incorporating code analysis tools and automated testing, for instance, empowers businesses to eliminate risks by proactively identifying and eliminating security issues at each stage of an application’s life cycle. Ensuring the security of, say, the containers hosting the application early on mitigates the risks of a data breach. Having automated vulnerability assessments and threat benchmarks enables developers and administrators to promptly respond to threats or breaches.
Security solutions can further elevate DevOps processes by mitigating the potential impact of vulnerabilities in and threats to applications. The Trend Micro Hybrid Cloud Security solution, for instance, provides threat defense for safeguarding runtime physical, virtual, and cloud workloads, and containers as well as scanning of container images during development phases.
Figure 4. Some of the Trend Micro Hybrid Cloud Security solution’s protection capabilities at work