Have you integrated DevSecOps into your projects?
Agile method + DevOps
Many organizations have abandoned waterfall management to adopt Agile methods. Their teams have begun delivering minimum viable products (MVP), which are parts or functionalities of a project that are delivered more frequently, resulting in faster value delivery for the customer. Getting real-time feedback throughout a project to align with customer expectations and making continuous adjustments has suddenly become possible. Customers don’t always have the full view of what they want in the end. An Agile approach gives them room to question themselves (which is healthy) and change their product definition, and even to adapt to a changing market. Agility is not just a method; it’s a culture with different flavours: Scrum, Kanban, Lean, SAFe, DAD, etc.
In current Agile practice, the same methods are used to manage both development activities and operational activities, since operations are now part of the team's own work. The idea is to give teams full autonomy, with the goal of balancing two things that normally pull against each other: accelerating the delivery of value for the organization, and producing stable, high-quality software, which usually slows the pace of delivery.
Is Agility really for you?
Before adopting Agile DevOps, ask yourself whether your organization is sufficiently structured. DevOps, at its core, requires a lot of automation: essentially an automated software assembly line. You need governance over how code is managed, and distinct production and non-production environments. A branching model for your code, so that you always know which version is deployed in which environment, is also key. Once these are in place, you can start automating Agile DevOps practices within your development teams.
Add QA to your Agility
When working in Agile, the work is done in a series of iterations (sprints, in Scrum teams). Quality assurance must be an integral part of those iterations. Settling for a hardening sprint (a QA sprint) at the end of the project won't do.
To succeed, the person performing QA tests must be fully integrated into the development team, and the tests must be part of the definition of done (DoD) for a user story to be considered delivered at the end of the sprint. Automated tests must therefore run as part of the continuous integration process, rather than being executed by hand on finished code. Beyond writing the tests, the team's coding guidelines need to specify how tests are named and how they are registered in the Test Case Manager (TCM), so that results can be traced back to requirements. Add security to the mix, and you have a complete Agile iteration.
Automated QA testing is a best practice, but for each project the tests need to be categorized by type (unit, integration, regression, performance, security, etc.). Logically, regression tests should be the first to be automated, right at the start of the project. Doing so builds organizational intelligence, because it results in a centralized test library that can be reused across projects.
This trend is commonly known as "shifting left." Code is tested as it is developed rather than being handed to a QA team at the end of development for testing to begin. The QA role is thus integrated into development iterations. If something breaks, it can be fixed immediately, and the product becomes increasingly stable the closer it gets to production.
Security as Code (SaC)
Cybersecurity is now a top priority for many companies, and not just in the banking industry. DevSecOps goes one step further than DevOps: a project's entire security strategy and its compliance requirements are expressed as code and integrated into the delivery pipeline, so that they are checked on every iteration rather than once at the end. Security testing, including penetration tests, is built into the process to find application, network and infrastructure vulnerabilities before release, protecting sensitive data and reducing the risk of identity and information theft.
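What "security as code" looks like in practice is a pipeline gate whose policy lives in the repository and is applied on every build, which is also how the security checks mentioned earlier become part of the definition of done. The following is an added example, not code from the original article or from any particular product. It assumes a scanner that emits findings as JSON records with `id`, `severity` and `title` fields (a made-up format; adapt it to your scanner's real output) and a policy object kept under version control next to the code. The sample report and policy are constructed for the example.

```python
"""Pipeline security gate: fail the build when scanner findings violate policy.

Added example (not from the original article). Assumes a hypothetical scanner
output format: a JSON list of {"id", "severity", "title"} records.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (not real findings).
SAMPLE_REPORT = json.dumps([
    {"id": "F-1", "severity": "critical", "title": "Hard-coded credential in config loader"},
    {"id": "F-2", "severity": "high", "title": "Outdated TLS library"},
    {"id": "F-3", "severity": "medium", "title": "Verbose error page"},
    {"id": "F-4", "severity": "low", "title": "Missing security header"},
])

# Constructed policy of the kind kept in the repository next to the code.
# Every exception needs an owner, a reason and an expiry date; once expired,
# it stops suppressing the finding, so risk acceptances cannot live forever.
SAMPLE_POLICY = {
    "fail_at": "high",  # block the build at this severity and above
    "exceptions": [
        {"id": "F-2", "owner": "team-platform", "reason": "upgrade scheduled", "expires": "2099-01-01"},
        {"id": "F-1", "owner": "team-app", "reason": "false positive", "expires": "2000-01-01"},
    ],
}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    title: str


def parse_report(raw: str) -> list[Finding]:
    """Parse scanner JSON, rejecting records whose severity the policy cannot rank."""
    findings = []
    for rec in json.loads(raw):
        sev = str(rec["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r} in finding {rec.get('id')}")
        findings.append(Finding(rec["id"], sev, rec["title"]))
    return findings


def evaluate(raw_report: str, policy: dict, today: date | None = None) -> dict:
    """Apply the policy to a report and return a verdict.

    'passed' is False if any finding at or above the threshold has no valid
    exception. An exception that has expired is reported separately so the
    team sees that a deferred fix has come due.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[policy["fail_at"]]
    exc_by_id = {e["id"]: e for e in policy.get("exceptions", [])}
    blocking, expired, suppressed = [], [], []
    for f in parse_report(raw_report):
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the threshold: reported by the scanner, not a gate failure
        exc = exc_by_id.get(f.id)
        if exc is None:
            blocking.append(f.id)
        elif date.fromisoformat(exc["expires"]) < today:
            expired.append(f.id)
        else:
            suppressed.append(f.id)
    return {
        "passed": not blocking and not expired,
        "blocking": blocking,
        "expired_exceptions": expired,
        "suppressed": suppressed,
    }


def main() -> int:
    """CI entry point: non-zero exit code fails the pipeline stage."""
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_POLICY)
    print(json.dumps(verdict, indent=2))
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the gate exits non-zero on the sample data because the exception for F-1 has expired, even though F-2 is legitimately suppressed. The policy, including who accepted each exception and until when, is reviewed like any other code change, which is the point of treating security as code.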
Most companies haven't yet reached this level of Agility with both DevOps and security. The trend is only just starting and, unfortunately, security teams are still largely isolated and working with relatively traditional methods. They don't yet know how to take part in development iterations. As a result, it is often difficult to go into production soon after a sprint, because QA and security validation activities create bottlenecks that hold up delivery.
DevSecOps and its advantages
If DevSecOps is right for your organization, it will reap a multitude of benefits:
- Higher quality software delivered
- Improved unit tests
- Better integration
- Problems during a project discovered earlier, and pitfalls avoided at the project’s end
- More predictable delivery dates
- Traditionally boring jobs transformed into creative jobs
- Increased organizational intelligence and reduced manual steps
The shift towards Agility is a human challenge
Take the time to determine where your company stands in terms of Agility. This isn’t a technological challenge; it’s a human one. It involves literally changing the way work is done. Expect the process to be long, painful and risky. Don’t undertake this shift just to be trendy. Do it for the right reasons: to create stability and security by accelerating the delivery of value for your organization to the benefit of your customers. Determination on the part of managers will be key. The change will require new roles within your organization as well as training and financial investments. A temporary loss of velocity is to be expected. Understand the magnitude of the endeavour before you start, and make things clear within your organization first. Set up indicators to measure and monitor progress. These could include maturity indicators such as increased quality, reduced incidents, improved system availability, etc. This will serve as an antidote to those who oppose change. In fact, it takes continuous effort to legitimize the transformation.
By Van Kim Nguyen, Senior Advisor DevSecOps