Hardly a day passes without more discussion on the need to accelerate the delivery of applications into the business, while at the same time using feedback from production to continuously drive improvements. And, whether we call it DevOps or just high-performance IT, one thing is clear: rapid delivery and a high-quality customer experience are inseparable. Fail at either and any digital transformation initiative stalls.
With agile and lean influencing our thinking, it’s perhaps no surprise that the impetus behind DevOps has come from development. That’s great for the speed side of the equation, but success requires that IT operations also modify their practices. This means ensuring that Application Performance Management (APM) tools and processes are not only supporting the resilience and service goals of production systems, but that they exhibit the functionality needed to help improve customer experience – even as applications are developed, tested, released and deployed.
The move towards application-centric monitoring means that IT operations teams can align more closely with development. Comprehensive tools now yield valuable metrics that developers can immediately use to improve the code base. Additionally, these toolsets are capable of monitoring application components running in various test environments, meaning IT operations becomes proactive in helping development prevent technical debt – pinpointing code defects before they reach production.
APM can accelerate the benefits of DevOps, but where do you start and what tools do you use? The tech landscape is littered with many products and services all claiming to be the secret sauce that’s going to support a DevOps-like culture.
But don’t be fooled: modern APM can only accelerate DevOps when it exhibits four fundamental characteristics. Quite simply, it has to be “EPIC”:
Out-of-the-box is every vendor’s catchphrase, right? But beyond the hype, it’s obvious that the complexity associated with APM has to be addressed. Too often APM tools are difficult to install, configure and use, mirroring the complexity of the composite application environments they purport to manage, and they are skewed towards production usage.
To address this, modern APM solutions must at a minimum also support the application development role, but in a way that’s relevant and useful. For example, serving one-click notifications that are simple to understand together with actionable context to guide corrective action.
In an operational context too, the thorny challenge of APM configuration can’t be ignored. Whatever the claims about out-of-the-box management, the acid test of simplification is the ability to centrally manage, configure and inventory what can easily become thousands of monitoring artifacts and log files.
Too often the effective triage of transactional issues requires an in-depth knowledge of an application or the need to modify instrumentation and then restart the system – all fine if you have development experts with time on their hands. These reactive “spot fires” can only be extinguished using smarter instrumentation techniques that, yes, can be modified (without exacting a big time and resource penalty), but can also be initiated automatically to collect transaction traces when an actual problem occurs. To me this is the very essence of proactive APM detective work – finding the culprit as they’re committing the crime!
These types of solutions also extend the notion of proactive into mobile app management, for example by providing developers with detailed insight into how apps are behaving in the real world. This is especially critical since clearer visibility into app behavior and usage together with the impacts of external factors (e.g. network latency) can be a huge factor in the success of an app.
The rapid delivery of code is the lifeblood of an economy increasingly driven by software, yet these critical updates can easily introduce performance anomalies. Traditionally, the aim has been to (hopefully) detect these during non-functional testing, but that slows down releases. More modern APM approaches aim to resolve this dilemma by applying behavioral analytics as a core monitoring technique across the software lifecycle. Not only does this reduce the need for deep application expertise in problem triage, its ability to quickly correlate code changes with performance problems helps further accelerate DevOps benefits.
From our earliest years we’re taught to share, yet based on our role in IT we default to our discrete, function-specific tools. That’s quite natural, because if a production-based monitoring tool has no relevance to developers (testers, network engineers ... insert your role here) then it’s about as useful as a solar-powered flashlight. Dev and Ops teams must work together to select those APM solutions that provide value across the software lifecycle, especially those that continuously deliver actionable feedback. This starts by providing a unified view of the entire application stack and the business services it supports, together with the intelligence and proactive methods I’ve described. Additionally, and to really qualify as "modern", these tools must support the cloud stacks we operate within and the development platforms we build upon, like Node.js and MongoDB.
DevOps is fundamental to digital transformation, but don’t fan the fire with products and services that are ineffective and lack cohesion. Seek out a modern solution that accelerates APM fluency across Dev and Ops. This will not only make your journey easier, it’ll make it EPIC.