Software Engineering Best Practices from Agile, DevSecOps, and Human Centric Design
By Mark Wells, VP of DevSecOps Center of Excellence and Software Solutions
Throughout this series, we’ve talked about how methodologies used in the information technology marketplace are based on people, processes, and technology. In Part I, we pointed to Agile organization principles as an example of a successful methodology and discussed best practices involving people. In Part II, we considered best practices that utilize processes to unlock maximum business value for customers. In the final part of this series, we’ll look at the underlying technologies that help teams meet mission objectives more efficiently.
Supporting best practices and building business value through technology
People often talk about the past when we relied on massive mainframes to support distributed applications compared to the cloud world we live in today. “Look how far we’ve come,” I hear. To me, we have come full circle. Both physical mainframes and cloud architecture rely on central processing units (CPUs), memory, and storage volumes to support applications through remote network connections. While they may physically occupy different spaces, their components are the same. What has changed, however, is how we develop software.
Current market threats constrain agencies’ abilities to use previous architectures to support their missions because the architectures don’t have integrated controls to deliver continuous and secure business value. As developers, we must design, build, and deliver sustainable, resilient, and scalable software products. We must manage the use of technology within three areas of interest to the software products we deliver: the development environment, the software architecture itself, and the production environment hosting the software product. Let’s look more closely at technologies that address each of these areas: DevSecOps as a Service, cloud native design, messaging based architecture, Infrastructure as Code (IaC), and containerization.
The development environment: DevSecOps as a Service
Building software that delivers business functionality with total security of the flow of information within the system is highly complex. This complexity must be accounted for during design and coding. For this reason, we must move beyond basic continuous integration/delivery/deployment (CI/CD) techniques and incorporate new Digital Software Development Supply Chain tools like Gitlab and their automated runners into our development approach. These runners use DevSecOps as a Service tooling to turn CI/CD into Continuous Everything (CE) which means that we can employ scanning, testing, and deployment features that constantly evolve.
We must also incorporate resource management of frameworks, utilities, and libraries from known reliable sources that have been inspected and hardened (secured) prior to their use in the DevSecOps pipeline and coding. The DoD Enterprise DevSecOps Reference Design and the Platform One Iron Bank service are based on this concept.
Continuous security that plans for the future is the new mantra, as opposed to Authority to Operate (ATO) assessments that only care about the “now.” The entire pipeline life cycle process from design to deployment must have continuous security inspections. Twistlock, Anchore, Synk, and Stackrox are just some of the static and dynamic scanning utility tools built into the DevSecOps as a Service platform that delivers continuous security. Even when the software is in production, the tools perform regular automated security inspections and synchronization.
DevSecOps as a Service also guides the Agile development process. For example, the workflow capabilities built into GitOps processes and tools like Gitlab Flow create pipeline automations necessary for proper Agile development administration. This is where we are experiencing major advances in the industry. New tools and emerging technologies have a high degree of concentration on how to make DevSecOps easy. All this translates into smoother, more efficient business operations while maintaining security.
Software architecture: cloud native, messaging based architecture
Over time, messaging software architecture has migrated from enterprise information architecture (EIA) to service-oriented architecture (SOA), to micro-services, to software meshes. The key to developing software architecture in today’s world is to integrate cloud-native and services based capabilities from the onset.
Today’s major cloud providers have service mesh capabilities within their catalogs, and newer open source tools (Istio, Kuma, Consul, Linkerd, etc.) offer development teams more control over their cloud-native approach to software engineering. Meshes provide ways for developers to design software code in components that are easily placed into user stories, reducing the need to write code from scratch in every scenario. This cloud-native technique is essential to rapid and successful delivery of business value using Agile principles.
Production environment and hosting: infrastructure as Code (IaC) and containerization
It’s almost impossible to find someone in the IT world who has not heard of Kubernetes and containerization. Tools like Docker, Rancher, and OpenShift provide containerized infrastructure controls that automatically adapt to address failures, recovery, and performance issues. Writing code to take advantage of this approach while building a mechanism to support the clusters of containers to support your applications requires a level of skilled talent not readily available in the industry. To fill this void, companies are working on IaC engines (VMWare Tanzu, D2iQ, etc.) to simplify the deployment of container infrastructure while allowing the development of modern cloud-native software on top of new distributed environments.
The business value of using IaC techniques is that developers are now to a large extent, abstracted from how software operates on the infrastructure. Developers can minimize their concern for how business logic communicates with data within meshed services in a secure way. Perhaps the most exciting benefit of IaC is the abstraction of security, scalability, resiliency, and reliability from the developer. The IaC systems are self-healing and recoverable. This means less downtime, improved business operations, and increased business value, all within a secure environment.
The Octo ShiftUp™ software supply chain platform
Octo specializes in all of the technologies discussed above to deliver the modern, productive, and secure software solutions to our customers. We developed the ShiftUp digital software supply chain platform to allow agencies to implement fully automated DevSecOps capabilities with continuous security across automatically deployed containerized infrastructure from a user-friendly, web-based interface. We transferred our engineering architects’ knowledge into the control panel of Shift-Up® to give clients the ability to deliver high quality code in minutes. (Yes, minutes).
Our ShiftUp digital software supply chain platform combines the best practices related to people, processes, and technology that we’ve discussed in this series to help organizations start, manage, and optimize their Agile and DevSecOps solutions in a fully automated and integrated manner. And that brings greater business value to our customers and the public they serve.
For more information on how ShiftUp can bring increased efficiencies, best practices, and modern approaches to your federal agency, reach out to a member of Team Octo.