Although DevSecOps has the potential to unify work across teams while reducing the time to develop and deploy applications, that’s not a guarantee, as many agencies have discovered.
The challenge is that the automation and orchestration capabilities that agencies initially adopt might not be robust enough as DevSecOps efforts scale up. The result? Teams abandon the tools and resort to manual processes, reducing their gains in speed and agility – which, of course, defeats the whole point.
To learn more about how agencies can avoid these pitfalls, GovLoop spoke with Gee Chow, Senior DevOps Solution Engineer at F5. Chow suggested three ways that agencies can develop an automation and orchestration strategy that will serve their needs over the long haul.
Build a Platform That Works for Everyone
Individual teams tend to pick tools that meet their particular needs. As they transition to a DevSecOps environment, however, they should build a platform that addresses common requirements across all teams involved. That includes role-based security, a strong user interface and a monitoring and analytics module.
One key consideration is the application data plane, which plays an especially important role in managing communications in a container environment. Teams often select a lightweight data plane component, because it is quick to configure and deploy. But that ease of use “is only half the picture,” Chow said. “The other half is the ability to configure or orchestrate it centrally.”
Take an API-Centric Approach
Application programming interfaces (APIs) are essential to automating a DevSecOps pipeline, providing a quick and easy way to draw on reusable assets when developing new applications.
But as applications grow increasingly complex with the use of microservices and containers, API management grows increasingly complex as well. The DevSecOps platform needs to be robust enough to adapt to a wide variety of requirements – and to make it all manageable for developers, Chow said.
Make Collaboration the First Priority
DevSecOps, by definition, is intended to promote collaboration among the development, security and operations teams. But Chow emphasized that such collaboration needs to begin at the outset of a project, when its goals and strategy are being defined.
The idea is to define the overarching goal or mission of the project, then have each team prioritize its own needs and goals as they relate to that mission, said Chow. Those secondary goals become the building blocks for the strategy and shape the development and orchestration of the application pipeline, he said.
F5’s NGINX Application Platform is a suite of products designed to meet these needs. It includes NGINX Plus for load balancing and application delivery; WAF for security; and NGINX Unit for running applications. The platform is monitored and managed by NGINX Controller.
“NGINX gives our customers a self-service, API-driven platform that integrates easily with their continuous integration/continuous delivery workflows,” he said. “And it’s all for the purpose of making app lifecycles both faster and more secure.”
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.”