The Evolution of DevOps to DevSecOps to Optimize Digital Business (Part 1)

DevSecOps

Infinity is difficult to comprehend. It may be that imagining anything lasting forever is difficult because we are first taught the "everything has a beginning and an ending" perspective.

However, we must eventually either accept the notion of infinity—or at least pretend to—or else we would never pass calculus.

But infinity is not just a mathematical concept. When going through a digital transformation, especially when looking to secure future business as it moves to the cloud, companies must embrace the concept of infinity.

The alternative is to conclude, wrongly, that a static development process is sufficient for avoiding security breaches and ever-evolving cloud security threats. The key word here is "ever-evolving": simply put, there is an infinite threat to digital business, endless and likely to increase in size and scope.

Consequently, security considerations should be inherent throughout all of the development and deployment that drives digital business.

This first mandates an assessment of the DevOps lifecycle.

Why DevOps?

Today, most people are aware of the tremendous impact software programs have on our lives. 

In the early days of computing, program development was typically a linear process of coding and debugging, followed by testing and then deployment, performed by a single programmer. It was discrete and controllable.

This structure, known as the software development life cycle (SDLC) has extended to accommodate more complex programs, integrated software architectures, and teams of developers, testers, and operators.

This growth has been profound as software has become the backbone of effective business. Inasmuch as modern business IS digital, it is software driven and, as a result, development today requires integration with IT resources to:

  • Meet rollout demands most effectively
  • Provide a stable environment for operation
  • Promote and facilitate collaboration
  • Allow for innovation and improvements to be made

This combined development and operations process is defined by seven stages known as the DevOps lifecycle.

What is the DevOps Lifecycle?

The DevOps Lifecycle is a series of phases or stages that define the DevOps software development process. 

The lifecycle is robust, and indeed geared towards the idea of infinity, in that it is based upon the concept of continuity. Optimal development only occurs when the process is continually refining and improving the software and the processes. This continuation is reflected throughout seven stages of development, each of which is continuous in its own right.

The continuous DevOps lifecycle stages are:

  1. Development: The initial stage where the program intent is defined and redefined. It is also where coding is done.
  2. Planning: This is where a business aligns goals to what will be built with user stories and work items as the containers of value that then move through the cycle. 
  3. Integration: This is the most important phase of DevOps. During this stage, the code is constantly being updated with new code and/or newly tested code.
  4. Testing: As new bugs are found, they are corrected, and the code is sent back through integration. Automation is used here for speed and several sections of code can be tested simultaneously by quality assessors (QAs).
  5. Deployment: Continuous deployment is maintained through a configuration management tool. This allows the software to remain available to users even while undergoing updates and changes.
  6. Monitoring: This stage is where IT becomes more involved as the program is monitored for errors and threats that need to be handled immediately or addressed by long-term changes to the code.
  7. Operations: This phase consists of releasing the program and updates. The automated process is the shortest of the lifecycle.
  8. Feedback: Once new code is created and tested, the program is analysed and evaluated both internally by the team and, probably more importantly, by end-users. This feedback may be used to make further improvements that require integration and testing.

This formalized software development structure is based on the collaboration of programmers, application developers, test engineers, and IT professionals.  A major hallmark of a successful strategy based on this structure is the maximal use of automation to quickly deliver highly functional software with minimal errors. 

Over time, this continual process should deliver a bug-free application that meets its performance objectives. 

However, it is at this point that we must introduce the issue of security and the ever-evolving, infinite threat that we discussed earlier.

Frankly, whilst DevOps is an effective paradigm for developing software applications that incorporates the concept of continuity, the lifecycle model falls short in recognizing the importance of considering security at all stages. 

The answer to this is to transform the process from DevOps to DevSecOps to deliver optimal software development that is functionally capable, intuitive to use, scalable but also secure.

Summary

As most enterprises are currently, or plan to soon be, operating in the cloud, security concerns require a greater level of consideration when developing software.

This immediately raises the question of how to build security into the DevOps lifecycle to create a DevSecOps counterpart.

At the top level, the first requirement is accurate, up-to-date cyber threat intelligence coupled with a DevSecOps roadmap to enhance the DevOps lifecycle process. 

Armed with this knowledge, and usually an experienced consulting partner, businesses can implement a lean security intelligence (LS/IQ) platform to safely develop, deploy and operate software. We will cover this in greater detail in Part 2.
