Parasoft announces the opening of its new office in Northeast Ohio.
When infrastructure-as-code (IaC) burst onto the scene in 2006, it was a game-changer. Not only did it redefine the way software engineers and operations thought about the provisioning and maintenance of infrastructure, but it also allowed teams to treat infrastructure like product code — meaning changes were now easy to track, repeatable, iterative, and recoverable. By combining the same tools as any other software project with IaC, developers were able to rapidly deploy applications. Today, IaC is regularly used by DevOps teams.
However, the increasing complexity of things like data center configurations, security requirements, and rapidly changing guidelines means IaC is poised for an overhaul. New technologies and techniques can help solve many of the challenges IaC presents.
IaC Workflow
Today, most enterprises are moving towards cloud-based infrastructure where deployments are 100% software-driven and underlying resources are standardized. The myriad of today's off-the-shelf components and services allow developers to create complex applications that can work at scale either on-prem or in the cloud. While this provides flexibility and agility in terms of application development, the proliferation of these components and services has created a drastic uptick in fragmentation throughout the infrastructure. In other words, they are deploying IaC.
Infrastructure-as-code is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. To create a successful IaC workflow, first, you must create the base infrastructure, then build out the platform/application services, conduct application provisioning or CI/CD, and run application monitoring.
Fundamentally, IaC requires DevOps engineers to have a lot of subject matter expertise, in-depth knowledge of security configurations and compliance standards, and the ability to code well. Simply put, IaC has created a unicorn skillset. Developers are not operators and operators are not developers.
While IaC shines at creating the base infrastructure and building out the platform/application services, it is strongly lacking in provisioning, application monitoring, and CI/CD. In other words, DevOps teams' needs have outgrown what IaC can provide.
IaC Needs to Operate at a Higher Level of Abstraction
To meet today's DevOps teams' needs, IaC needs to operate at a higher level of abstraction. To do that, you need the following:
1. Application-centric automation: Application-centric infrastructure configures and displays the entire application ecosystem — allowing administrators to manage a single system for application delivery instead of managing individual servers. It encompasses the virtualization of the data center and incorporates automated load-balancing, on-demand provisioning, and the ability to scale network resources as needed.
2. A rules-based engine: Application-centric automation by itself isn't enough. We need a rules-based engine that can take app-centric information and automatically run the rules to make sure that the software is compliant with the relevant security standards.
3. Self-service with guardrails for developers: Developers want to focus on building applications — not infrastructure. With code automation, developers can ask for secured resources without having to know tons of lower-level details to meet operations or accidentally violating the needed compliance and security requirements.
As you can see, IaC will need to evolve dramatically to meet the needs of today. Already, new technologies such as no-code/low code are addressing many of the shortcomings of IaC. It's only a matter of time before more companies adopt them.
Industry News
Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.
Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.
Nokod Security announced the general availability of the Nokod Security Platform.
Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.
Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.
Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.
ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.
Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.
Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.
F5 announced new security offerings: F5 Distributed Cloud Services Web Application Scanning, BIG-IP Next Web Application Firewall (WAF), and NGINX App Protect for open source deployments.
Code Intelligence announced a new feature to CI Sense, a scalable fuzzing platform for continuous testing.
WSO2 is adding new capabilities for WSO2 API Manager, WSO2 API Platform for Kubernetes (WSO2 APK), and WSO2 Micro Integrator.