The DevOps Imperative: Keep Up Or Get Lost
When I started in the software industry more than 30 years ago, we were still writing code in low-level programming languages and handing projects off to other teams without even knowing if they worked. The process was time-consuming and prone to errors — a lot like moving at the speed of a horse and cart compared to a car. We were doing well if we released major updates every 12-18 months.
That now sounds like the Dark Ages. Today, traditional B2B (business-to-business) software vendors deliver code every quarter, with more frequent incremental updates for minor enhancements. B2B software as a service (SaaS) vendors move even faster, releasing updates multiple times a week.
And even that doesn’t compare with the speeds seen in the direct-to-consumer world. At a recent conference, I spoke with one retailer who told me their back-end systems are all application programming interface (API) driven, with more than 3,000 apps and tools running against more than 50,000 APIs. She said they execute more than 2,000 releases per day on average, with some releases deploying to more than 100 servers.
This is orders of magnitude faster than what just recently was business as usual.
How is security testing supposed to keep up with that? The only way to do it is with a high degree of automation for both the development and testing of software, with careful standardization wherever possible.
Automation and standardization, of course, cost money. And getting the budget requires justifying the right investment in people and tools to the C-suite. It is easier to do that in the direct-to-consumer world because web apps used for customer interactions and purchases have easy-to-measure activities. They typically flow toward a goal such as completing a product purchase.
Winning in the arena of customer experience requires a focus on continued innovation. The speed at which an organization can innovate makes a significant difference in customer conversion and shopping cart value.
One way for software development teams to innovate is to avoid rework (i.e., having to fix a process that was implemented incorrectly or has to be done over because a client demanded a change).
Rework is a killer for team productivity. The only way to sustain a high release cadence is to progress through the software development life cycle (SDLC) the right way the first time. Fixing and retesting a solution wastes time and stresses out the development team.
There are a number of steps we can take to avoid frequent rework:
• Code reviews: Leverage the knowledge of more experienced developers to read and check code before it’s committed to the code base.
• Equip developers with testing tools: Teach developers to test for and fix common security errors to reduce downstream impact.
• Automated testing: Implement a repeatable set of tests that verifies each change, never makes a mistake, and takes a fraction of the time the same checks would need if run manually.
• Educate developers on secure coding practices: Identify risk before the code is even written.
Another major factor that speeds up the development of web apps is the use of open source software (OSS). Open source code found on platforms like GitHub can be used within the terms of their license to accelerate application development. Based on data from our company’s 2020 Open Source Security and Risk Analysis report, 99% of applications contain at least some open source, and on average, the amount of open source in a given application has nearly doubled since 2015. Teams now spend much more time assembling the components for apps instead of writing the code for them. And according to Gartner (registration required), developers may write less than 10% of the code in a new application.
Results from DORA’s Accelerate: State of DevOps 2019 report (registration required) illustrate how automation, correctly applied to both development and testing, can help teams boost their speed and performance:
• Change failure rates are in the low single digits.
• OSS vulnerabilities are fixed in days, not weeks.
• Deployment is 200 times faster.
• The time from code commit to deploy is 100 times faster.
• The time to recover from incidents is 2,000 times faster.
• New features are delivered in weeks from inception.
We’re in the Industrial Revolution for both IT and business. I feel like Henry Ford when he claimed, “If I had asked people what they wanted, they would have said faster horses.” He gave them what they really wanted: more horsepower without the horses. As the late Apple co-founder Steve Jobs explained, “Our job is to figure out what they’re going to want before they do.”
That is what is happening in this, the new normal: an exponential change in software delivery from releasing a couple of times per year in large monolithic apps to daily updates as small independent changes.
All of this is both a blessing and a curse. The speed of innovative development offers great benefits, but with all change comes new risks. With business processes exposed directly to everyone on the internet, the security implications are plain to see. Testing and security teams need significant changes in tools and processes to have any chance of keeping up.
In my next post, I’ll be writing in more detail about those risks and how application security can keep pace with the speed of development to mitigate those risks.