"Doing DevSecOps"
Overview
DevSecOps services are just one way that partnerships with Calavista can create long-term success for our clients.
Calavista was founded during a time when it was largely accepted that “software is just buggy sometimes.” Developers took this as unavoidable fact, but our founder had just finished a stint as a Navy pilot where he relied on the software in his planes to always function, as a matter of survival. He knew that software doesn’t have to be buggy and recognized that most bugs came from an inefficient development process.
As a result, Calavista was a pioneer in Agile Development and Continuous Integration / Continuous Delivery. In our early days, Calavista developed and produced technology for managing Agile workflows, coordinating Continuous Integration, and introducing the concept of Continuous Delivery. We received multiple patents for the concept in the early 2000s – years before the term was popularized by Thoughtworks. Now, rather than sell our own software and tools, we use our experience to build Hyper-Agile® teams to deliver complex software projects for our customers. But Continuous Integration – along with concepts such as Collaboration, Automation, Security, Continuous Testing, Continuous Delivery, and Continuous Monitoring – is still core to everything we do. These key concepts of DevSecOps are brought to every project that we work on, because they are part of Calavista’s DNA. Whether building out better DevSecOps pipelines for our customers is an explicit part of the engagement or not, there is always some element of DevSecOps in everything we do.
Implementing DevSecOps principles or methodologies is not always the main goal of the projects that we work on. In fact, it is usually complementary: because the principles of DevSecOps are tenets of how Calavista functions, it is inevitable that we bring them to every project. However, we often specifically assign a DevSecOps specialist to projects where we know additional focus will be necessary. Our DevSecOps services are one way that partnerships with Calavista create long-term success for our customers. Read on to see some examples of the benefits of DevSecOps and how we brought them to our clients.
Our Process
DevSecOps is not a single technology or practice that you can simply “adopt” or “do.” Rather, it is a culture, a set of principles that affects the development process of the whole company and team. Nonetheless, we can help integrate these principles into practice by writing infrastructure as code, outlining collaborative work environments, automating code deployment, automating security checks, providing insightful metrics, and more. Ultimately, this helps us and our customers complete projects faster and better, while providing them with new best practices to move forward with after the project is over.
DevSecOps Reduces Friction in the Dev Process
DevSecOps can help create dynamic environments as well as make integrating code simpler. Pushing code through an environment can be difficult, especially on an outdated platform. For example, one of our clients, a telecommunications provider, needed to migrate from an on-premises infrastructure to a new, cloud-based platform. We wrote the infrastructure as code, creating highly available, horizontally scalable environments, which increased uptime and productivity. Before, it could take days for them to fix bugs in the environment, resulting in significant downtime. Now, because environment setup and maintenance are no longer issues, it is possible to create new environments, implement code changes, and deploy fixes quickly and easily. This allowed them to develop their technology much faster, which got them to market earlier, generating revenue and saving them money.
“Working with Calavista increased engineer morale and created enthusiasm for working in the new best practice ecosystem, which allowed us to hit all our goals.”
Parker Holcomb
VP of Engineering at Remedy
Automation Prevents Bugs
Automation does more than push changes through the pipeline faster: by running tests before code is merged into the main branch, it keeps bugs from entering the shared codebase in the first place. Automated dynamic environments serve the same purpose. For another client, Remedy, we used AWS Fargate to run containers without managing servers, in both development and production. A fresh environment was spawned on each code check-in, so multiple environments ran side by side and work could move rapidly from one to another if a bug appeared or an environment went down. Because that switching was automated, it needed minimal manual oversight or management, and the developers could focus on the important thing, developing, rather than being distracted by environment maintenance or fixing bugs.
Automation For More Secure Code
Automation can also be used to deliver more secure code – testing for security vulnerabilities with every build. Including vulnerability scanning in our build process and as a regular periodic routine allows us to identify security issues automatically and continuously as the code is written, and on an ongoing basis for production systems. This means new security issues can be identified soon after they are introduced in both the code that is under development and the code that is running in production.
For another client, we incorporated Brakeman, a Static Application Security Testing (SAST) tool for Ruby on Rails applications, into the build process to scan for vulnerabilities with each build: as code is updated and checked into the repository it is automatically scanned and any issues are identified. The same customer also runs Intruder.io, an external vulnerability scanning service, as a monthly scan of their production systems. Any time a new security issue is identified, they receive a report: from Brakeman for the code under development, and from the Intruder.io scan for the production platform.
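The build-time half of that arrangement needs a policy decision that the scanner itself does not make: which findings block a merge, and which have been reviewed and accepted. The script below is an added example, not Calavista's or the client's pipeline code. It assumes a preceding CI step has produced a Brakeman JSON report (the `brakeman -q -f json -o brakeman.json --no-exit-on-warn` invocation shown in the comment uses Brakeman's real flags) and gates the build on it; the report content, the fingerprints and the accepted-fingerprint list are constructed for the example.

```ruby
#!/usr/bin/env ruby
# Build gate for a Brakeman JSON report.
# Added example, not Calavista's or the client's pipeline code.
# Assumed preceding CI step (real Brakeman flags):
#   brakeman -q -f json -o brakeman.json --no-exit-on-warn
# This script then decides pass/fail under a policy kept in version control,
# so the threshold is reviewable rather than living in someone's head.
require "json"

# Brakeman's confidence levels, from most to least certain.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings that should block the merge: at or above min_confidence and not
# on the list of fingerprints a human has reviewed and accepted (the role
# brakeman.ignore plays in a real checkout).
def blocking_warnings(report, min_confidence: "Medium", ignored_fingerprints: [])
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings", []).select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold &&
      !ignored_fingerprints.include?(w["fingerprint"])
  end
end

# One line per finding, enough to locate it in the diff.
def format_warning(w)
  "#{w['confidence']} #{w['warning_type']} #{w['file']}:#{w['line']} " \
    "[#{w['fingerprint'][0, 12]}] #{w['message']}"
end

# CI exit status: 0 = pass, 1 = fail. Files Brakeman could not parse are
# listed under "errors"; treat those as a failure too, because unparsed code
# is unscanned code and would otherwise pass silently.
def gate(report, **policy)
  blocking = blocking_warnings(report, **policy)
  errors = report.fetch("errors", [])
  blocking.each { |w| puts "BLOCK #{format_warning(w)}" }
  errors.each { |e| puts "ERROR #{e['error']} at #{e['location']}" }
  blocking.empty? && errors.empty? ? 0 : 1
end

# Constructed sample in Brakeman's JSON report shape (fingerprints are made up;
# real ones are 64 hex characters). In CI this would be
# JSON.parse(File.read("brakeman.json")).
SAMPLE_REPORT = JSON.parse(<<~REPORT)
  {
    "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High",
        "fingerprint": "a1f9c02e5d7b4410",
        "file": "app/controllers/users_controller.rb", "line": 12,
        "message": "Possible SQL injection" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Medium",
        "fingerprint": "b77e3a9c1d02ff58",
        "file": "app/views/users/show.html.erb", "line": 4,
        "message": "Unescaped model attribute" },
      { "warning_type": "Mass Assignment", "confidence": "Weak",
        "fingerprint": "c3d4e5f60718293a",
        "file": "app/controllers/posts_controller.rb", "line": 30,
        "message": "Parameters should be whitelisted for mass assignment" }
    ],
    "errors": []
  }
REPORT

# Stands in for the fingerprints recorded in brakeman.ignore after review.
ACCEPTED = ["b77e3a9c1d02ff58"].freeze

if __FILE__ == $PROGRAM_NAME
  status = gate(SAMPLE_REPORT, ignored_fingerprints: ACCEPTED)
  puts(status.zero? ? "PASS" : "FAIL")
  # In a real pipeline the wrapper would finish with: exit(status)
end
```

Two design points are worth keeping when adapting this: accepted findings are keyed by fingerprint rather than by file and line, so a refactor that moves code does not silently re-admit a suppressed warning, and the threshold is a named parameter, so raising it from Medium to Weak is a reviewed change to the pipeline rather than a flag someone sets on a runner.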
Metrics Refine Development Process
Metrics are a critical element of DevSecOps, letting you understand not only application performance but overall development efficiency. We can help our clients identify which metrics would be meaningful to their processes and build a dashboard that visualizes progress in a user-friendly manner.
Our client Encino Energy wanted to create a brand-new piece of software that they would eventually manage in-house. As part of this process, we created a metrics dashboard that could provide alerts through Slack about important development milestones. This not only helped in our production of the new platform but provided them with a framework with which to efficiently manage it and their future development projects.
Example DevSecOps Metrics
- Deployment Frequency
- Change Volume
- Deployment Time
- Failed Deployment Rate
- Change Failure Rate
- Time to Detection
- Mean Time to Recovery
- Lead Time
- Defect Escape Rate
- Defect Volume
- Code Coverage
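Several of the metrics in the list above can be computed directly from a log of production deployments. The script below is an added example, not Calavista's dashboard code; it assumes the commonly cited DORA definitions (Deployment Frequency as deployments per day, Lead Time as commit-to-deploy, Change Failure Rate as the share of deployments causing a production failure, Mean Time to Recovery as failed-deploy-to-restored), applies them to the names used on this page, and uses a constructed record shape and constructed sample deployments rather than any real tool's schema.

```ruby
# Four DevSecOps metrics computed from deployment records.
# Added example, not Calavista's dashboard code. The definitions are the
# DORA ones, applied here as an assumption to the metric names on this page.
require "time"

# One record per production deployment (constructed shape, not a real schema).
# restored_at is nil unless the deployment failed and service was restored.
Deploy = Struct.new(:id, :committed_at, :deployed_at, :failed, :restored_at,
                    keyword_init: true)

HOUR = 3600.0

# Deployment Frequency: deployments per day over the reporting window.
def deployment_frequency(deploys, window_days:)
  deploys.size / window_days.to_f
end

# Lead Time: mean hours from a change's commit to its production deployment.
def mean_lead_time_hours(deploys)
  return 0.0 if deploys.empty?
  deploys.sum { |d| (d.deployed_at - d.committed_at) / HOUR } / deploys.size
end

# Change Failure Rate: fraction of deployments that caused a production failure.
def change_failure_rate(deploys)
  return 0.0 if deploys.empty?
  deploys.count(&:failed) / deploys.size.to_f
end

# Mean Time to Recovery: mean hours from a failed deployment to restoration.
# Failed deployments still unresolved have no restored_at and are excluded,
# so this figure only covers closed incidents.
def mttr_hours(deploys)
  failed = deploys.select { |d| d.failed && d.restored_at }
  return 0.0 if failed.empty?
  failed.sum { |d| (d.restored_at - d.deployed_at) / HOUR } / failed.size
end

# Everything a dashboard panel or Slack alert would need, in one hash.
def summary(deploys, window_days:)
  {
    deployment_frequency_per_day: deployment_frequency(deploys, window_days: window_days),
    lead_time_hours: mean_lead_time_hours(deploys),
    change_failure_rate: change_failure_rate(deploys),
    mttr_hours: mttr_hours(deploys)
  }
end

def at(iso8601)
  Time.iso8601(iso8601)
end

# Constructed sample: four deployments in a seven-day window, one of which
# failed and was restored two hours later.
SAMPLE_DEPLOYS = [
  Deploy.new(id: "d1", committed_at: at("2024-03-01T09:00:00Z"),
             deployed_at: at("2024-03-02T09:00:00Z"), failed: false),
  Deploy.new(id: "d2", committed_at: at("2024-03-02T12:00:00Z"),
             deployed_at: at("2024-03-04T12:00:00Z"), failed: true,
             restored_at: at("2024-03-04T14:00:00Z")),
  Deploy.new(id: "d3", committed_at: at("2024-03-05T08:00:00Z"),
             deployed_at: at("2024-03-05T20:00:00Z"), failed: false),
  Deploy.new(id: "d4", committed_at: at("2024-03-06T00:00:00Z"),
             deployed_at: at("2024-03-07T12:00:00Z"), failed: false)
].freeze

if __FILE__ == $PROGRAM_NAME
  summary(SAMPLE_DEPLOYS, window_days: 7).each { |k, v| puts "#{k}: #{v.round(3)}" }
end
```

Note that Mean Time to Recovery is only meaningful once an incident is closed; a dashboard that counts open incidents as zero recovery time will understate it, which is why the example excludes them rather than defaulting them.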
The Results
DevSecOps, along with our outstanding management and deep bench of talented partners, helps us maintain our 95% on-time and on-budget delivery rate.
The true goal of DevSecOps is to keep developers developing, streamlining the process as much as possible and removing headaches. It is part of everything we do, because we believe strong DevSecOps processes generally underpin software engineering best practices. There simply is no better way to effectively produce high-quality software. It is a large part of how we are able to maintain our 95% On-Time On-Budget delivery rate, along with our outstanding management and deep bench of talented partners. We like to bring these practices to our clients when we can, evangelizing an efficient development process.
When we bring DevSecOps methodologies and practices to our clients, we help them save time and money and leave them with better development operations on top of the product that we built together. If you would like to learn more about how Calavista can help streamline your development or about other projects that we can tackle, email info@calavista.com or check out our other blogs and case studies.