The previous chapter in this WhiteHat Security series discussed Codebase as the first step of the Twelve-Factor App and defined a security best-practice approach for ensuring a secure source control system. Considering the importance of applying security in a modern DevOps world, this next chapter examines the security component of step two of the Twelve-Factor methodology. What follows is actionable advice from the WhiteHat Security Addendum Checklist, which developers and ops engineers can follow during the SaaS build and operations stages ...
Although DevOps emphasizes people (and culture) over tools and processes, implementation utilizes technology. As a result, Gartner, Inc. expects strong growth opportunities for DevOps toolsets, with the total for DevOps tools reaching $2.3 billion in 2015, up 21.1 percent from $1.9 billion in 2014. By 2016, DevOps will evolve from a niche strategy employed by large cloud providers to a mainstream strategy employed by 25 percent of Global 2000 organizations.
Gartner believes that rather than being a market per se, DevOps is a philosophy, a cultural shift that merges operations with development and demands a linked toolchain of technologies to facilitate collaborative change. Gartner views DevOps as a virtual (and likely temporal) market and has focused the scope of the definition on tools that support DevOps and practices associated with it in the context of continuous delivery, continuous improvement, infrastructure and configuration as code, and so on. Gartner categorizes these tools as DevOps-ready, -enabled and -capable tools.
"In response to the rapid change in business today, DevOps can help organizations that are pushing to implement a bimodal strategy to support their digitalization efforts," said Laurie Wurster, Research Director at Gartner. "Digital business is essentially software, which means that organizations that expect to thrive in a digital environment must have an improved competence in software delivery."
Predictably, DevOps-ready tools have seen and will continue to see the largest growth potential. These tools are specifically designed and built with out-of-the-box functionality to support the described DevOps characteristics and traits. Most DevOps-enabled and -capable tools currently exist as part of the larger IT operation and development toolbox; however, with time to value as a critical demand factor from clients, emphasis in support of DevOps has transformed how these tools are positioned and perceived in the marketplace.
The DevOps trend goes way beyond implementation and technology management and instead necessitates a deeper focus on how to effect positive organizational change. The DevOps philosophy therefore centers on people, process, technology and information.
"With respect to culture, DevOps seeks to change the dynamics in which operations and development teams interact," said Wurster. "Key to this change are the issues of trust, honesty and responsibility. In essence, the goal is to enable each organization to see the perspective of the other and to modify behavior accordingly, while motivating autonomy."
Although people are at the very core of the DevOps philosophy, they are only a portion of the wider equation; continual improvement of the right processes and accurate information at the right time are also necessary to optimize value.
"The overall DevOps message is compelling, because many enterprise IT organizations want to achieve the scale-out and economies of scale achieved by world-class cloud providers. Nevertheless, there are still several gaps that prevent implementation of DevOps as a comprehensive methodology," said Wurster. "Enterprises have acknowledged these gaps and have begun assessing how the DevOps mindset might apply to their own environments. However, culture is not easily or quickly changed. And key to the culture within DevOps is the notion of becoming more agile and changing behavior to support it — a perspective that has not been widely pursued within classical IT operations."
Organizations with agile development will be slower to embrace DevOps across the entire application life cycle. Cultural resistance and low levels of process discipline will create significant failure rates for DevOps initiatives, particularly when waterfall processes are still a dominant portion of the development portfolio. Nevertheless, a majority of enterprises attempting to scale agile over the next five years will recognize the need for DevOps initiatives.