Implementing DevSecOps: It's Time to Relook at Your Software Development Toolchain


By CJ Capizzi, Principal Technical Director

“I want to move toward continuous delivery, but I don’t want to get rid of certain institutionalized software development tools.” This is an all too familiar statement for many DevSecOps practitioners — and it’s like nails on a chalkboard to DevSecOps evangelists. The shift to a DevSecOps operating model is a major cultural shift to organizations, one that requires mindset, process, and technology changes for all parties contributing to the delivery process. While this is a rather complex and opinionated topic to tackle, I want to focus on why no software development tools should be considered “safe” in the journey toward achieving continuous delivery.

There are many common excuses used to justify why certain software development tools are off the table when evaluating the DevSecOps continuous integration/continuous delivery (CI/CD) pipeline. These excuses include: “We have used this tool for the last 15 years,” “It is an enterprise tool, and our staff is familiar with it,” and “We already have a licensing agreement in place or licenses available.” However, I can break it down to three reasons that no tool should ever be exempt from replacement.

  1. Flexibility — Many legacy software development tools enforce rigid processes or hierarchies and offer limited configurability to align with organizational processes. A great example is the Rational Suite, which is built around the waterfall-aligned Rational Unified Process, or RUP, and can force rigid hierarchies, processes, and structures on teams that have adopted flexible lean-agile processes. Sorry, IBM, but this is completely backwards. Enabling the organization’s delivery processes must drive the selection of tools; tools must not dictate the process an organization has to follow in order to use them.
  2. Integrations — In a world of open APIs, many software development tools are optimized to work within a vendor’s proprietary product suite instead of enabling organizations to build a modular, best-of-breed tool ecosystem. Many of these tools have suboptimal designs and/or allow limited or no integration with other vendors’ tools, in order to encourage using tools from the same product suite. Organizations should be working toward increasing integration and communication across the toolchain, not toward stovepipes where automation cannot exist and quality issues manifest.
  3. Cost — If you venture back 20 years, the landscape of software development tools was quite limited and required significant investments in license procurement, consulting, installation, and training. Fast forward to today. There is an expansive array of free and open source software tools that can give teams the same or better capabilities to support software delivery activities. Additionally, the growing number of software development community platforms, such as GitHub and Stack Overflow, support adoption, promote best practices and configurations, and help to resolve technical issues at no cost.

Where to start DevSecOps: Make the toolchain switch the smart way

When transitioning toward a DevSecOps operating model, organizations should apply the following tactics towards tooling:

  • Harness best-of-breed — Adopt a best-of-breed approach that promotes modularity and the selection of tools based on organizational processes and desired capabilities.
  • Use incremental evolution — Promote an incremental approach to the evaluation and replacement of tools to reduce change management impacts and to fine-tune tool configurations over time. New and better tools are constantly entering the market, so ensure your organization is continually evaluating industry trends and market leaders to level up your toolchain.
  • Adopt inclusiveness — Software development teams must be included in the research, evaluation, and selection of new tools to promote fit-for-use and reduce barriers to adoption.
  • Minimize change churn — While new tools boasting next-generation capabilities are constantly being released, be mindful of minimizing organizational change impacts, the associated implementation and operations costs, and impacts to delivery operations.

Looking for help starting your DevSecOps journey or maturing your CI/CD toolchain? Check out how Octo is revolutionizing software delivery through our ShiftUp™ platform, and let our team help your organization jump the technology curve.