Software Engineering Institute | Carnegie Mellon University

SEI Insights

DevOps Blog

Technical Guidelines and Practical Advice for DevOps

In academia, government, and industry, DevOps has become a standard, straightforward option for streamlining efforts and increasing comprehensive participation by all stakeholders in the software development lifecycle (SDLC). In highly regulated environments (HREs) within these three sectors, however, applying DevOps can prove challenging. HREs are mandated by policies for various reasons, the most often being general security and protection of intellectual property thus making the sharing and open access principles of DevOps that much harder to apply. In this blog post series DevOps and HREs, which is based on a published paper, we will discuss the process, challenges, approaches, and lessons learned in implementing DevOps in the software development lifecycle in HREs. In this first post, we will explore challenges (and goals) to implementing DevOps in HREs. The majority of what you will read in the series stems from our experiences in performing these tasks. In addition to presenting challenges, this post gives an overview of what an HRE is, what you should expect to find in these environments, and what DevOps implementation obstacles may be present.

According to DevSecOps: Early, Everywhere, at Scale, a survey published by Sonatype, "Mature DevOps organizations are able to perform automated security analysis on each phase (design, develop, test) more often than non-DevOps organizations." Since DevOps enables strong collaboration and automation of the process and enforces traceability, mature DevOps organizations are more likely to perform automated security analysis than non DevOps organizations. My previous blog post, Microcosm: A Secure DevOps Pipeline as Code, helped address the problem that most organizations do not have a complete deployment pipeline in place (and are therefore not considered to be DevOps mature) by automating penetration tests of software applications and generating HTML reports as part of the build process through the Jenkins CI service. In this follow-up blog post, I explore the use of a service evolution of Microcosm as a simple one-stop shop for anyone interested in learning how to implement a DevSecOps pipeline.

Data analysis is complex and, at times, overwhelming. Automation increases an analysis team's ability to continuously improve their process. Specifically, the automation of software is the best way to manage all of the iteration and repetition that proper data analysis requires. DevOps is the perfect fit when planning a project that requires software, automation, and collaboration. In particular, DevOps improves all aspects of the data analysis process and allows teams to automate all software-based aspects of the data analysis process and effectively collaborate with all project stakeholders. In this blog post, I explore the ways in which DevOps improves data analysis.

When it comes to information technology services that are customer facing, traditional enterprise organizations tend to favor stability over change. According to a Netcraft survey from March of last year, there were 185 million web sites hosted by Windows 2003, an operating system that has been out of support since July 2015 . Many of these servers are still running because of the "if it isn't broken, don't fix it" motto. While reducing software and system churn would seem like the best way to promote stability, it can eventually harm application security and stability. This blog post explores some basic DevOps practices that will improve application security while helping to maintain a stable operating environment.

Data collection and storage are a large component of almost all software projects. Even though most software projects include a data component, this topic is rarely discussed in the DevOps community. The adoption rate of database continuous delivery (CD) is about half the rate of application CD. There are several reasons for this, but the primary one is that databases rarely change as often as applications do. There may be a few model changes, but generally there are no major architectural changes that occur in relation to the database level of your software. Many DevOps practitioners thus do not spend the time to provide continuous delivery of their data storage solutions, which became very apparent when our team was recently tasked to solve a complex problem. In this blog post, I will explore the application of DevOps principles to a data science project.

The art of security hardening is growing in demand. Modern system architectures and orchestration techniques that leverage virtualization, cloud providers, containers, and microservices enable an explosion of the number of hosts that comprise a system and in turn yield an increase of the attack surface area. This post provides insights on how to execute a security hardening strategy with a DevOps mindset.