October 5, 2020

ActioNet Uses Software Factory DevSecOps approaches to projects

By Kate R.

A DevSecOps Software Factory approach is defined as a “structured collection of related software assets that aids in producing computer software applications or software components according to specific, externally defined end-user requirements through an assembly process.”

Often DevSecOps implementation focuses on advanced capabilities without solidifying fundamentals or modifying established processes. This tends to result in a significantly inefficient or ineffective DevSecOps implementation. Some of the typical impacts of this type of DevSecOps implementation include a CI/CD pipeline that cannot be automated effectively and a loss of quality control. These issues inevitably lead to an increase in the pace at which chaos occurs.

For successful DevSecOps implementation it is important to consider balancing controls vs flexibility (i.e. Governance). Effective automation requires established process to automate. The “Crawl, Walk, Run” implementation model is recommended to ensure an effective DevSecOps framework and a reliable Software Factory.

To achieve this, consider altering your governance, policies, and processes to be DevSecOps friendly prior to implementation. Establish the Software Factory concept and processes up front – then have technology iteratively enable it. Finally, follow an evolutionary maturity model to lay the ‘building blocks’ of capabilities in a deliberate manner.

Breaking down the approach into the following categories will further help to define your Software Factory implementation:

ActioNet DevSecOps projects are planned using Software Factory essentials

Adding Software Factory elements prior to implementation can make for a more successful deployment

Portfolio and Release Management

A lack of effective portfolio and release management governance, controls, and planning may lead to a model which produces a lot of work but delivers little value. To improve your management, consider having smaller strategic planning sessions with continuous planning at every level. Weekly adjustments should be made to accommodate engineering teams as well as feedback from stakeholders.

Change and Configuration Management

Lackluster CCM often results in negative impacts from little enterprise changes. Conversely, CCM controls can also be too restrictive and inappropriately applied, resulting in throttling of DevSecOps capabilities.

To improve results without being too lax or controlling, try using the guardrail approach. In this approach major and minor changes are clearly delineated, approval conditions are automated, and environment and software baseline changes are integrated. Effective knowledge management should also be integrated into a comprehensive knowledge base of documentation, artifacts, and inventories for products and environments to assure timely Change Impact Analyses. Finally, Scratch builds should be integrated into the CI/CD Pipeline and version controls of all artifacts (including 3rd party) should be used to build products.

Deployment Management

Developments tend to produce a myriad of issues if there is ineffective integration of quality, CCM, and security during development. Without matured implementation of these functions with extensive automation as part of the enterprise CI/CD, the result is a significant bottleneck for the delivery of value and releases.

To ensure great deployments, first aim for automated deployments before switching to continuous delivery. Before beginning work, institute Guardrail controls in your dev/test environments and assure quality assurance is in all your frameworks. Taking advantage of infrastructure-as-code technology can assist with effective environment orchestration before deployment. End-to end Automated Testing Frameworks should also be used to guarantee smooth deployments.

Cybersecurity and Accreditation

For the full benefits of DevSecOps to be realized, cybersecurity and accreditation activities should be factored into the factory concept in a way that transforms security into a feature vs. a challenge.

Effective cyber compliance in a DevSecOps Software Factory environment requires extensively automated and integrated CCM controls. Cybersecurity and accreditation activities should also be integrated as part of normal features during planning and development. The secret is having the “security as a feature” mindset.

Environment Orchestration

Overly restrictive environments constrain the ability of the technology to enable efficient development, testing, and deployment. Without consistent reference architecture, cohesive technology management, and disciplined integration of Software Factory functions, the environment will tend to produce negative outcomes more quickly.

To follow the Software Factory approach, make sure to appropriately allocate static vs. dynamic environments. Leverage infrastructure-as-code to provision your environments and make fixes in automation. Finally, take control of all configurations and deploy versioned artifacts only.

Development and Testing Framework

Automation of testing is essential to the creation of a Software Factory implementation. Critical functional tests, smoke tests, and regression testing should always be automated. Unit testing frameworks should also be automated for developer compilation verification. Develop continuous integration builds and report processes. Additionally, security and performance should be integrated through development before deployment is considered.

A computer screen with code

Automation in testing is critical throughout development

Enabling Technologies

Inability to leverage the appropriate technologies to provide the most effective DevSecOps pipeline and Software Factory environment results in an overly complex environment. Additional costs and administrative overhead requirements are likely to follow.

Avoiding additional costs will require pre-planning. Processes and tools should be identified appropriately, and they should stay in sync with your people. Teams should be properly trained in the essential skills and tools. It is also critical that the best integrated tools and assets should be chosen based on project requirements.

Group Integration and Collaboration

Knowledge and awareness are key. Ensure all three functions (DEV+SEC+OPS) are aware of key activities of other groups. Having appropriate collaboration on all aspects of the DevSecOps pipeline is essential, as it impacts effectiveness and predictability. How can you foster collaboration vs. forcing it?

First, ensure all teams have representation in SCRUMS, meetings, and other boards. Each team should have representation during deployments, and processes should be engineered with input from all groups. Finally, create targeted enterprise engagements, but enable team-level opportunities for collaboration.

Organizational Alignment

The organization needs to be aligned to drive Software Factory success rather than individual group success. Successful organizations need to foster collaboration and communication, define meaningful purposes and goals, and determine the metrics that define success. Every team member should have clear roles and responsibilities, and functions should be integrated when applicable.

ActioNet and Software Factory

ActioNet knows DevSecOps. By implementing DevSecOps via a Software Factory approach we take into consideration the implementation of DevSecOps from the governance, processes, and policies perspective to ensure successful implementation of DevSecOps for our customers.