Will 2013 be remembered as the year that DevOps accelerated into the IT mainstream or became just another trend that died in the “hype cycle”? Our bet, along with millions of IT pros around the world, is that DevOps will continue to aggressively enter the IT consciousness – and in a big way.
As a quick overview, DevOps is an extension of lean methodologies and Agile, and it is accelerating product release cycle times by creating short iterations, automation, and deep cross-functional integration of software. DevOps also integrates the following (among others): development, operations, security, and QA to ultimately drive greater innovation today. When all of these areas work together from the start, they are able to place the needs of the customer first. And with that, sales and marketing can then test new functionality with customers more quickly and subsequently increase revenue.
As this radical new paradigm sinks its roots deeper into the tech industry, it has many security practitioners wondering how it will affect information security. But let's take a step back and look at how far DevOps has come over the past year alone.
Expectations around DevOps have been extremely high in 2013. The pace of innovation and level of competition are both continuing to increase. With startups and enterprises going head to head in big markets every day, every company is looking for that edge – leveraging anything to beat the competition and move faster. DevOps is stepping into a zone where expectations are quickly outstripping the reality of what can be done with DevOps in a given time period. While expectations are through the roof, the hype cycle is also high. With the movement really in its infancy, hard data is in short supply on the benefits of DevOps, however, there is no shortage of organizations jumping on the trend. With the promise of quicker code deployment, fewer outages, better quality and more tightly aligned features to customer needs, it is no surprise that adoption is skyrocketing.
As we have seen many times before, companies jump on the latest fad. You can already start to see this trend where companies are changing their positioning or adding DevOps as a key target market. Big companies now have DevOps sections to their website. With growing adoption comes growing funding, and like any great gold rush, there are investors and companies lining up to take advantage of the trend towards DevOps. New companies handsomely funded by their venture capital backers are starting to tackle problem areas and big companies are rushing into the space as well.
Along with high expectations, hype and loosening purse strings, there is also a significant amount of misinformation. DevOps is a job function, right? Or, is it something that we can buy? Or if I use the cloud and implement automated code deployment, I'm a DevOps organization, right? Even DevOps practitioners can't seem to agree on the definition of what DevOps is, where it came from and how you implement it.
Despite the cynics, there is real progress being made in the DevOps community to advance the methodology. Practitioners should use an abundance of caution not to view this as a fad. DevOps is a significant cultural shift for any existing company and a large undertaking for a startup that is just getting going. Many organizations are reaping significant benefits with many pointing to keystone organizations like Facebook, Twitter, and Tumblr as examples of early DevOps adopters / innovators.
While many are still debating the legitimacy, staying power and even definition of DevOps, the most forward thinking pros are questioning how security fits into the movement. DevOps can and should incorporate a whole myriad of functional areas, including security, into the final work product. The major difference in the evolving DevOps-oriented world of 2014 and beyond is that everyone's functional input is brought in earlier and then automated to ensure short, predictable release times and quality. While DevOps is a powerful paradigm shift, companies must also begin to determine how to fit the security component of the DevOps puzzle.
Just as professionals in operations, quality assurance and developers have had to evolve new work models and develop new skill sets, where automation of work is simply expected, security practitioners will also need to embrace this new paradigm. Ultimately they will realize similar benefits. Mechanized security will rule the roost, as automated attacks against pre-production code, which prove successful, will prevent that code from ever even reaching production. Perpetual automated testing of production environments will uncover weaknesses. Automated security tools will also allow different practices areas to secure their perspective enclave.
In addition to introducing security at every specialty area, security will also get introduced early in development. Any security pro worth their salt, knows that the earlier security is introduced, the more hardened the resulting product. DevOps provides a critical opportunity to realize this dream and not only streamline development, but improve security and thwart the ever increasing vectors of attack.
Like early introduction other security focused best practices will emerge. Embracing DevOps will translate into a significant impact and improvement to security across the board. DevOps will allow security pros to inject code analysis tools into the development process and enforce fixes prior to deployment.
Our ‘magic 8 ball' says that 2014 will see increased volatility and debate around DevOps with the net effect being a better understanding of the paradigm shift and how security fits in. Clearly the trend towards DevOps is becoming a freight train, and it will pick up some significant steam next year. Unfortunately, there still won't be a tremendous amount of data – cultural changes and fundamental shifts in methodology take time to analyze – but anecdotal stories will continue to build momentum in the space. Detractors of the movement will point to any number of failures that will become more public as well as well the fact that large enterprises still won't implement or move to DevOps quite yet.On the positive side, DevOps as a core operating methodology will continue to evolve and improve. More case studies will provide evidence of what is working and not working. New tools and technology will help to address gaps and failures in the methodology. And, perhaps most importantly, there will be some breakout successes that will give inspiration and support to the DevOps movement.