I once transitioned from a SaaS CTO role to become a business unit CIO at a Fortune 100 enterprise that aimed to bring startup development processes, technology, and culture into the organization. The executives recognized the importance of developing customer-facing applications, game-changing analytics capabilities, and more automated workflows. Let’s just say my team and I did a lot of teaching on agile development and nimble architectures. But we also had a lot to learn about deploying highly reliable, performant, and secure applications to our data centers. This was all before the days of cloud computing and devsecops.
Today, while many enterprises and businesses have robust software development and devops capabilities, SaaS companies have developed greater expertise in scaling applications, handling highly disparate customer use cases, and identifying performance and security incidents before they become customer issues. “CTOs understand the value of a product that is not only functionally robust but also consistently available, lightning-fast, and impregnable to security threats,” says Raghav Gurumani, CTO of SaaS company Zuper. “CTOs can teach enterprise teams to achieve this iron triangle of reliability, performance, and security by emphasizing the importance of striking a balance between the three and leveraging iterative approaches.”
In this article, I share 12 principles recommended by SaaS technology leaders that business IT leaders can apply to devsecops. I’ve grouped these principles into three areas: Shift-left operational practices into requirements and development, starting by adopting a customer-first mindset. Recognize that devsecops teams must do more test automation beyond unit testing to ensure application reliability and performance, especially with high usage and many user types. Achieve higher performance and reliability by defining service level objectives (SLOs) and leveraging tools for observability, monitoring, and cloud automation.
1. Adopt a customer-first mindset
Developing a customer-centric mindset and sensitivity to client needs is a must to retain customers and support growth. While many businesses develop customer-facing applications, devsecops teams also must learn to treat fellow employees as customers when developing internal applications. A customer-first mindset includes a “non-negotiable focus on quick identification and remediation of customer issues,” says Claire Vo, chief product officer of LaunchDarkly. “Engineers must be as customer-centric as product, design, sales, and support, which means they spend time talking directly to customers, use the product as customers do, and hold a high-quality bar on behalf of customers. In my experience, having close customer relationships is highly correlated with high-quality, resilient cultures.” Recommendation: Devsecops teams should schedule regular meetings with end-users to observe how they use applications and listen for ways to improve application performance.
2. Connect version control to agile user stories
While most enterprises have adopted version control, David Brooks, SVP of evangelism at Copado, says developers tend to focus too much on the branch management in their repository. “Modern development is based on agile, and many devops tools manage changes directly based on user stories.” Brooks says that tracking changes by starting with the user stories makes it easier for agile development teams to focus on delivering value, support test-driven development, and enable automated merge conflict resolution. Recommendation: Besides connecting workflows between agile tools and version control, devsecops teams should consider standardizing CI/CD pipelines, developing with feature flags, and leveraging canary release strategies.
3. Release new features to alpha groups
Investing in devsecops automation provides flexibility in releasing features to small user groups and performing A/B testing on feature implementations. The automation can support continuous deployment, but an even more important benefit is the ability to validate features before overinvesting and capture end-user feedback during development. “New feature alphas are being tested out in the open and at a rapid-fire pace to gather customer feedback,” says Elliot Wood, CTO and co-founder of CallRail. “Teams are empowered to move fast because they’re able to ship small changes to limited sets of customers and minimize the risk of each individual experiment.” Recommendation: Alpha and beta testing, where alpha testing happens internally within the organization and beta testing focuses on the user’s environment, is a long-standing software development practice. Devsecops brings automation and scalability practices to operationalize the technology operations. However, the key to successful alpha and beta programs is recruiting participants, communicating goals, capturing actionable feedback, and rewarding collaboration.
4. Require security by design
While many enterprises have robust information security programs, implementing security by design in the software development process remains challenging. Security best practices include automating penetration testing, triggering code scanning in CI/CD pipelines, and protecting APIs from injections, authentication flaws, cross-site issues, API leaks, and broken access controls. Steve Touw, CTO at Immuta, says, “By implementing security by design and applying security as early as possible in our own product development, we found that our back-end maintenance and management were noticeably reduced from a vulnerability management standpoint.” Recommendation: CIOs, CISOs, and delivery managers should clearly define non-negotiable requirements regarding what security practices, tests, and metrics are required when automating paths to production.
5. Recognize unit testing is insufficient
You can check the tire pressure, look at the oil level, and perform dozens of other tests on your car engine. But does the car meet your expectations in handling curves, bumps, and other road conditions? The same can be said for software applications, and while unit tests help validate components and interfaces, they are insufficient for validating end-to-end functionality or user experience. “Embracing a shift-left approach, developers often prioritize unit testing to ensure features and functionality work correctly,” says Peter McKee, head of developer relations and community at Sonar. “However, relying solely on unit testing may leave gaps in quality assurance, allowing bugs to slip through unnoticed. This compromises both the quality and security of software upon deployment.” Recommendation: Many tools can automate front-end user experience testing, and a key requirement for agile development teams is to assign the responsibility, develop the skills, and invest the time to ensure robust functional testing.
6. Automate tests from subject matter experts
A commitment to more functional testing is only as good as the developed test cases. Quality assurance engineers have the talent to identify boundary conditions and the skill to test for error conditions, but they need guidance from end-users to better understand their goals, workflow, and journeys. Brooks of Copado says, “Developers are concerned with delivering code that works as requested, but to ensure robust software that works with all variations of customer configuration, subject matter experts (SMEs) must generate tests illustrating how users use features in the real world. The best way is for the SMEs to perform exploratory testing using a tool to capture the steps and then create automated tests.” Recommendation: Leverage the same alpha and beta groups to be part of the apps testing community, but don’t expect testers to perform repetitive user acceptance testing. Use tools to capture their testing patterns, automate the most important tests, develop a continuous testing strategy, and leverage synthetic data to scale test patterns.
7. Validate code for security and quality
Using copilots and other genAI code generators has increased the importance of reviewing code for vulnerabilities and flagging issues that may become tomorrow’s technical debt. Other code quality issues that should be flagged before code makes its way to production include checking for proper documentation, error conditions, logging, and naming conventions. “To bolster QA efforts, developers should integrate static code analysis into their workflow,” says McKee of Sonar. “Automated static analysis examines the internal structure of an application, complementing unit testing by uncovering additional issues. Combining both, developers can proactively manage code quality throughout the development lifecycle, swiftly identify and address bugs, and enhance overall software reliability and security.” Recommendation: Reducing technical debt is a major issue for enterprises, so finding tools that scan for security and code quality issues and integrating the steps in CI/CD should be a non-negotiable requirement.
8. Establish nonfunctional operational requirements
When considering the iron triangle of performance, reliability, and security, it’s important to identify requirements specifying acceptable operating conditions. Development teams often express these as nonfunctional requirements that can be expressed inside agile user stories as acceptance criteria. Nonfunctional requirements can also guide how infrastructure components are selected and managed. “Nonfunctional operational requirements are equally important as the functional requirements,” says David Coffey, VP of product management in software networking and NS1 chief product officer at IBM. “Everything matters in a tech stack for a cloud service, and overlooking details like which DNS service or network connectivity can adversely impact the availability and scale of a cloud service.” Recommendation: Architects, operations, and security experts should draft standards on nonfunctional requirements and acceptance criteria that agile development teams reference from…
Source link