DevOps (a portmanteau of development and operations) is a range of tools and unique cultural philosophies that focuses on helping organizations streamline software or application release cycles to further improve their quality, security, and scalability. The concept of DevOps was introduced in 2008 by Patrick Debois. For Debois, who was then a system administrator, DevOps reflected the need to straddle the outputs of the application development team and the infrastructures — such as servers, databases, and networks — managed by the operations team.
Information technology (IT) teams involved in developing, testing, deploying, and monitoring applications are historically siloed. This means that their roles and functions are clearly delineated and fragmented. DevOps seeks to break the barriers between these various IT teams and streamline their practices into cohesive initiatives.
Figure 1. Integration of people, process, and technology as embodied by DevOps
A concrete example of DevOps at work is how it’s adopted in the financial services industry. A bank’s stakeholders and developers, for instance, will first plan and design a web application that the bank’s customers will use. Developers will then write the code needed for the application’s functions to operate, such as the login form and account management interface. Quality assurance engineers will test the application’s security. It is then released to customers. Operations professionals will then monitor for feedback, to further improve customer experience by adding more functions to the application or patching vulnerabilities. The application will go back to planning until the updates are deployed.
In traditionally siloed environments, the application that developers create is passed to an administrator, who, after testing and deploying the application, dispatches it to the operations team. This raises barriers, as the team would tend to focus only on its demarcated roles. A developer, for instance, may overlook security as he focuses on ensuring that the application’s functions work. An operations professional who wants to release and deploy the application as fast as possible may also neglect to check the security or integrity of the application’s underlying mechanisms and infrastructures that system administrators are tasked to protect.
The separation between the teams involved can create friction and, ultimately, bottlenecks in the application’s development life cycle. DevOps seeks to get rid of these complications by bringing all these teams together under an optimized and iterative process, focusing on the ability to deliver applications faster through automation.
Figure 2. Key elements in building a successful DevOps strategy
In 2017, 50 percent of organizations were already implementing DevOps, according to a report by Forrester. DevOps, as both toolset and mindset, embodies the following concepts that organizations adopt to address pain points in their workflows.
For businesses, adopting DevOps entails the “shared responsibility” of creating secure and compliant applications throughout their life cycles. Beyond regulations, enterprises must also consider the risks posed by unsecure applications, such as to stored data and to the users who access them. To this end, 59 percent of organizations reported increased collaboration between information security professionals and DevOps teams, according to a 2017 survey by Gartner.
That baking security in slows down the development process of an application is a myth. Here’s why security matters in DevOps:
Gartner projects that 70 percent of DevSecOps-related initiatives in 2019 will integrate automated security for open-source and commercial applications. Indeed, agility and security should not be mutually exclusive. Incorporating code analysis tools and automated testing, for instance, empowers businesses to eliminate risks by proactively identifying and eliminating security issues at each stage of an application’s life cycle. Ensuring the security of, say, the containers hosting the application early on mitigates the risks of a data breach. Having automated vulnerability assessments and threat benchmarks enables developers and administrators to promptly respond to threats or breaches.
Security solutions can further elevate DevOps processes by mitigating the potential impact of vulnerabilities in and threats to applications. The Trend Micro Hybrid Cloud Security solution, for instance, provides threat defense for safeguarding runtime physical, virtual, and cloud workloads, and containers as well as scanning of container images during development phases.
Figure 4. Some of the Trend Micro Hybrid Cloud Security solution’s protection capabilities at work