Sonatype, continuing its journey in the challenging DevOps domain, held an event on 05/04/2021 to discuss the developer's perspective on digital transformation. Below are the topics suggested for the discussion and my take on them.
- We have been talking about the changing role of the developer in a DevSecOps digital transformation – from taking ownership of source code quality and open source security, to containers and cloud infrastructure. How have you seen the role of developers change at your own organizations?
- What has been the biggest change in DevOps practices and tooling in the last couple of years and how do you effectively roll out these new solutions?
- What is the one thing that developers need the most when it comes to innovating more quickly to meet digital transformation goals?
- How has the relationship between development and security teams changed?
- What has been the biggest benefit to moving to a DevSecOps approach?
- For the people attending this event, what is the one lesson learned you would want them to walk away with?
Changes in Developer’s Role
Focus is indeed shifting to containers, to their operational environments such as Kubernetes, and to new deployment models and tools. While the simplicity of operational tooling (e.g. Ansible Playbooks vs. native Kubernetes or OpenShift) becomes the focus for platform developers, for developers creating and deploying business apps it is all about learning new things at warp speed.
For security engineers it becomes even more challenging, because they need to learn everything in the DevOps domain plus the threats associated with the new tools and all possible mitigating controls.
The cloud, and especially a multi-cloud path, adds to that complexity, because in many cases it is simply impossible to use the on-prem security and security automation tools that have worked well on-prem for decades, so security teams have these options:
- Look around for native cloud controls
- Search for multi-cloud solutions
- Develop their own security tools that work well in a cloud environment
Once again, everything needs to be done at warp speed. Conclusion: the role of a developer becomes more that of a researcher than a coder.
The Biggest Change
The biggest changes occur when a company decides to move to a different operational model, e.g. from on-prem to cloud, or from working mostly on-site to a completely remote model. Covid-19 was a real Disaster Recovery and Business Continuity check for systems designed mostly for on-site work, where VPN was considered the exception.
Suddenly companies realized that nobody had passed that check and that new approaches were needed for accessing systems previously considered internal. That was a big and natural transformational push to get rid of VPN and make internal applications available from the Internet.
It affected DevSecOps tooling as well, and the way it is accessed: code repos, cloud deployment tools, monitoring tools, everything is available from the Internet.
The good thing about this change is that companies started thinking seriously about, and embarking on, contemporary access models such as Zero Trust systems with continuous access validation, which do not rely solely on network controls but on many factors, such as the trustworthiness of the user, device and location, along with the sensitivity of the target application and its data.
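To make the contrast concrete, here is an added illustration (not code from the post or from any product mentioned in it) of a minimal Zero Trust policy check: the decision combines user, device and location trust with the target application's data sensitivity and is re-evaluated on every request, whereas the VPN-era check looks only at network location. The signal values and sensitivity floors are constructed for the example.

```python
# Added illustration, not code from the post. All scores and thresholds
# below are assumed values chosen for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user_trust: float       # 0..1: e.g. MFA used, how recently authenticated
    device_trust: float     # 0..1: e.g. managed, patched, disk encrypted
    location_trust: float   # 0..1: e.g. known site vs. anonymising proxy
    on_corp_network: bool   # the only signal a VPN-centric model looks at


# Minimum trust a request must show for each data sensitivity class (assumed).
SENSITIVITY_FLOOR = {"public": 0.2, "internal": 0.5,
                     "confidential": 0.7, "restricted": 0.9}


def trust_score(ctx: AccessContext) -> float:
    """Weakest signal wins: a trusted user on a compromised device is not trusted."""
    return min(ctx.user_trust, ctx.device_trust, ctx.location_trust)


def perimeter_allows(ctx: AccessContext, sensitivity: str) -> bool:
    """The pre-Covid model: being inside the network (or on VPN) means allowed."""
    return ctx.on_corp_network


def zero_trust_allows(ctx: AccessContext, sensitivity: str) -> bool:
    """Network location is just one input; data sensitivity raises the bar."""
    return trust_score(ctx) >= SENSITIVITY_FLOOR[sensitivity]


def continuous_validation(contexts, sensitivity: str):
    """Re-evaluate on every request instead of once at login: a drop in device
    trust mid-session revokes access at the next check. Returns one decision
    per request context."""
    return [zero_trust_allows(ctx, sensitivity) for ctx in contexts]


if __name__ == "__main__":
    # Constructed cases: a VPN-connected but compromised laptop, and a managed
    # laptop with MFA working from a home network.
    vpn_compromised = AccessContext(0.9, 0.2, 0.8, on_corp_network=True)
    remote_managed = AccessContext(0.9, 0.8, 0.6, on_corp_network=False)
    print("perimeter lets compromised device in:", perimeter_allows(vpn_compromised, "internal"))
    print("zero trust lets compromised device in:", zero_trust_allows(vpn_compromised, "internal"))
    print("zero trust lets remote managed device in:", zero_trust_allows(remote_managed, "internal"))
    print("...but not to restricted data:", zero_trust_allows(remote_managed, "restricted"))
```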
One thing that developers need the most
More time to learn new things, and management's understanding and support in this domain. To managers: trim your tactical deliverables timeline and start thinking strategically:
- Stop the per-project/app approach where foundational capabilities are built as needed, in an inconsistent and ad-hoc manner
- Analyze which new tools and knowledge will be required 3-5 years from now to enable hundreds of applications to move to the cloud and to a new access model
- Set priorities around those new tools and knowledge
- Give people time to acquire the knowledge and tools necessary for the strategic approach and foundational services, e.g. access from anywhere, auto-scalable systems running in a multi-cloud environment, etc. (goals and strategy may vary between companies, but it's important to have them)
Benefits of DevSecOps
For me this is all about uniting various engineering teams around a common business goal and breaking the silos that could significantly impact that goal. In big organizations DevSecOps principles must be extended even further to include non-engineering groups such as risk and compliance, because engineering alone is never sufficient to solve a more complex business goal in a highly regulated environment.
Going through a digital transformation is always difficult for a big organization, and you might think that things like Covid-19 and the pressure to move more systems to the cloud are just additional difficulties, but what I've learned is that those additional challenges are also great opportunities to do things right, such as:
- Zero Trust access models
- Access from everywhere with the same or better security controls
- Software defined perimeter and infrastructure
- Greater level of automation for all of the above
As some folks have already stated, their biggest sponsor in digital transformation in the last year was not their company, but Covid-19.
“Nothing moves progress, technology and science faster than people's needs”