"Doing DevSecOps"

How We Bring Streamlined Development to All Our Customers

Overview

DevSecOps services are just one way that partnerships with Calavista can create long-term success for our clients.

Calavista was founded during a time when it was largely accepted that “software is just buggy sometimes.” Developers took this as unavoidable fact, but our founder had just finished a stint as a Navy pilot where he relied on the software in his planes to always function, as a matter of survival. He knew that software doesn’t have to be buggy and recognized that most bugs came from an inefficient development process. As a result, Calavista was a pioneer in Agile Development and Continuous Integration / Continuous Delivery. In our early days, Calavista developed and produced technology for managing Agile workflows, coordinating Continuous Integration, and introducing the concept of Continuous Delivery. We received multiple patents for the concept in the early 2000s – years before the term was popularized by Thoughtworks.

Now, rather than sell our own software and tools, we use our experience to build Hyper-Agile® teams to deliver complex software projects for our customers. But Continuous Integration – along with concepts such as Collaboration, Automation, Security, Continuous Testing, Continuous Delivery, and Continuous Monitoring – is still core to everything we do. These key concepts of DevSecOps are brought to every project that we work on, because they are part of Calavista’s DNA. Whether building out better DevSecOps pipelines for our customers is an explicit part of the engagement or not, there is always some element of DevSecOps in everything we do.

Implementing DevSecOps principles or methodologies is not always the main goal of the projects that we work on. In fact, it is usually more complementary: because the principles of DevSecOps are tenets of how Calavista functions, it is inevitable that we bring them to all projects. However, we often specifically assign a DevSecOps specialist to projects where we know additional focus will be necessary. Our DevSecOps services are one way that partnerships with Calavista create long-term success for our customers.
Read on to see some examples of the benefits of DevSecOps and how we brought them to our clients.

Our Process

DevSecOps is not a single technology or practice that you can simply “adopt” or “do.” Rather, it is a culture, a set of principles that affects the development process of the whole company and team. Nonetheless, we can help integrate these principles into practice by writing infrastructure as code, outlining collaborative work environments, automating code deployment, automating security checks, providing insightful metrics, and more. Ultimately, this helps us and our customers complete projects faster and better, while providing them with new best practices to move forward with after the project is over.

DevSecOps Reduces Friction in the Dev Process

At the beginning of each partnership, a Solutions Director and Senior Architect from Calavista identify and onboard a custom development team to support the needs of the project. The team and resources provided by Calavista became part of Encino Energy’s team, providing them access to talented developers when resources were otherwise difficult to find across the industry. Once the teams were integrated, we started discussions about the UX/UI goals of their new EOS to get to the root of the true needs of the end users. This custom-tailored UI allowed other departments to easily fill in manual data, when necessary, while the automated workflow could handle the rest. These discussions were part of a detailed requirement gathering process led by Calavista’s industry veterans, who know what it takes to run a project successfully, including setting a strong foundation for expectations of the project.

“Working with Calavista increased engineer morale and created enthusiasm for working in the new best practice ecosystem, which allowed us to hit all our goals.”

Parker Holcomb

VP of Engineering at Remedy

Automation Prevents Bugs

Not only does automation speed up delivery by pushing changes through automatically, but it also prevents bugs from entering the code in the first place by running tests before code is merged with the main codebase. This can also be done through automated dynamic environments. For another client, Remedy, we used AWS Fargate to run serverless containers in both development and production environments. This dynamic setup allowed a new environment to be spawned on each code check-in, so multiple environments could run simultaneously and we could switch rapidly from one to another if a bug appeared or one went down. The system could automatically switch between servers, since automation allowed for minimal manual oversight or management. This allowed the developers to focus on the important thing, developing, rather than being distracted by environment maintenance or fixing bugs.

Automation For More Secure Code

Automation can also be used to deliver more secure code – testing for security vulnerabilities with every build. Including vulnerability scanning in our build process and as a regular periodic routine allows us to identify security issues automatically and continuously as the code is written, and on an ongoing basis for production systems. This means new security issues can be identified soon after they are introduced in both the code that is under development and the code that is running in production.

For another client, we incorporated Brakeman into our build process as a Static Application Security Testing (SAST) tool to scan for vulnerabilities with each build: as code is updated and checked into the code repository, it is automatically scanned and any issues are identified. This same customer has also incorporated Intruder.io as a monthly vulnerability scan on their production systems. Any time a new security issue is identified, they receive a report from their SAST for their production platform.

Metrics Refine Development Process

Metrics are a critical element of DevSecOps, allowing you to understand not only app performance but also overall development efficiency. We can help our clients identify which metrics would be meaningful to their processes and build a dashboard that visualizes progress in a user-friendly manner.

Our client Encino Energy wanted to create a brand-new piece of software that they would eventually manage in-house. As part of this process, we created a metrics dashboard that could provide alerts through Slack about important development milestones. This not only helped in our production of the new platform but provided them with a framework with which to efficiently manage it and their future development projects.

Example DevSecOps Metrics

  • Deployment Frequency
  • Change Volume
  • Deployment Time
  • Failed Deployment Rate
  • Change Failure Rate
  • Time to Detection
  • Mean Time to Recovery
  • Lead Time
  • Defect Escape Rate
  • Defect Volume
  • Code Coverage

The Results

DevSecOps, along with our outstanding management and deep bench of talented partners, helps us maintain our 95% on-time and on-budget delivery rate.

The true goal of DevSecOps is to keep developers developing, streamlining the process as much as possible and removing headaches. It is part of everything we do, because we believe strong DevSecOps processes generally underpin software engineering best practices. There simply is no better way to effectively produce high-quality software. It is a large part of how we are able to maintain our 95% On-Time On-Budget delivery rate, along with our outstanding management and deep bench of talented partners. We like to bring these practices to our clients when we can, evangelizing an efficient development process.

When we bring DevSecOps methodologies and practices to our clients, we help them save time and money and leave them with better development operations on top of the product that we built together. If you would like to learn more about how Calavista can help streamline your development or about other projects that we can tackle, email info@calavista.com or check out our other blogs and case studies.

 
