By Luca Ravazzolo, Product Manager, InterSystems
The last year has seen a gradual evolution of DevOps as the approach has matured and continued to be adopted more widely. Since its introduction, DevOps has changed mindsets, encouraging organisations to be more agile and making concepts like continuous integration and continuous delivery more commonplace. A major reason for the popularity of DevOps is that it allows organisations to capture all processes in an auditable and replicable way. Further to this, it adapts quickly, resulting in a low cost of change, allows businesses to add cross-functional collaboration, and results in working at a much higher speed.
Thanks to a similar evolution in the cloud world, more intelligent tools are becoming available, allowing developers to follow DevOps processes with more discipline and efficiency. This has led to the next iteration of DevOps: DevSecOps.
What is DevSecOps?
The issue of security is one aspect of DevOps that, until recently, has been largely overlooked, often due to the underlying pressure for the rapid creation of solutions and for these to be deployed quickly. Consequently, security hasn’t always been a priority, as including it at the development stage hinders speed. Instead, security tended to be retrofitted after a build – an approach that makes the process more difficult. As developers and organisations have begun to realise that this isn’t the most security-conscious or optimal way of going about it, we are now seeing some integrate security into DevOps from the outset. This approach means developers can alleviate any security issues at the time of development.
Implementing DevSecOps
Currently, DevOps breaks down any barriers between developers and operations teams, but adding security into the picture requires there to be greater collaboration and knowledge-sharing across the organisation. For DevSecOps to be successful, developers and organisations must embrace a collaborative culture and recognise that they require input from other individuals within the business with different expertise. This requires organisations to adopt the right mindset, in which they realise the transformative power of security in the development of solutions and collaborate with other departments. Traditionally, developers have been focused purely on logic and algorithms, for example, with security an afterthought. So, if they are to embrace a DevSecOps approach, it is crucial to involve security experts from the beginning and for the different parties to collaborate on the development of solutions. By doing so, it will be possible for enterprises to create secure, stable and resilient solutions which will be hugely beneficial for both the organisation and end-users.
Further to this, DevSecOps requires continual security reviews covering everything from compliance monitoring for PCI and GDPR to determining what the process is if security senses a threat. Therefore, organisations should establish a review process from the moment they think about architecting a new solution. Then they should also determine processes for the ongoing monitoring and management of security as the code progresses through every stage, from the developer desk to the building of the solution and the testing of it. It’s also critical that developers receive adequate training to ensure they are aware of security throughout the development journey.
What’s next for DevOps?
While what the future may hold for DevOps isn’t clear at this time, there are two prominent schools of thought:
Firstly, it is thought there could one day be NoOps. This is the idea that solutions will feature everything they are required to have from the outset, such as code standards, security, libraries and legislation protocols, and that things will be completely automated, therefore requiring people only to monitor and raise questions as they verify the software. Technically, as everything would be automated within the software provisioning pipeline, there would be no need for manual, human-based operations. This could potentially guarantee a higher level of security and resilience as everything would meet a particular standard.
The second prediction is that instead of DevOps disappearing altogether, different types of Ops may be developed. This could lead to the emergence of MLOps to form a machine learning-driven operation that would be able to certify the standards that organisations want software to be written with and even flag issues with it.
As demonstrated by the introduction of DevSecOps, the evolution of DevOps is underway. In time, this is likely to mean that DevOps will begin to encompass new technologies and multiple aspects of building a new solution. Eventually, this will lead to all of the requirements of development being brought together and an increase in collaboration across departments. Ultimately, the end result will be new solutions that meet the required standards and security from the outset.