DevSecOps demands focus on developer experience, IT pros say
It's not enough to set up an approved path to production to establish DevSecOps, experienced platform engineers say; developer experience and collaboration are equally important.
AUSTIN, Texas -- DevSecOps platforms operated by internal service providers are increasingly common, but just provisioning infrastructure for developers isn't enough, experienced platform engineers have learned.
Operating a DevOps platform tends to create a shift to a product mindset, with platform teams acting as service providers that deliver a curated set of pipeline tools and infrastructure to internal developer customers. As their products mature, platform teams must also focus on improving their developer customers' experience -- or risk losing those customers to shadow IT and other risky practices, according to IT experts at this week's cdCon.
Focusing on developer experience is especially important given recent volatility in the job market, also known as the Great Resignation, said KellyAnn Fitzpatrick, an analyst at RedMonk, in a keynote presentation.
"Along with a Great Resignation, we're also seeing a Great Onboarding -- people who are trying out new careers in tech," she said. "Developer experience can be essential in onboarding and training and getting new developers up to speed."
Developer onboarding was the driving factor behind the creation of a "golden path" to production for engineers at Spotify, according to a 2020 blog post by Gary Niemen, product manager at the streaming music service headquartered in Stockholm. That post used the term to describe an approach that places as much emphasis on detailed training tutorials for developers as it does on packaged platform tools.
The golden path concept influenced the development of the DevOps platform at U.K. IT consulting firm Kainos, which began building a centralized CI/CD pipeline linked to a cloud provider's PaaS infrastructure in 2018. That platform, which now runs on Azure Kubernetes Service, replaced a set of ad hoc pipelines and became the company's only supported production deployment method. But the transition came as the result of developer education and outreach, rather than by fiat.
"We've recently adopted the golden path methodology, getting [developers] on board from the beginning to know how [continuous delivery] works, running training sessions, [providing] documentation and [support] services," said Tim Jacomb, lead software engineer at Kainos, in an interview at cdCon. "Rather than just giving them documentation on different things they can do, this is like, 'Beginning to end, this will get your service up and running.'"
True IT ops maturity includes a focus on staff training, education and developer experience in addition to IT automation.
Fidelity Investments underwent a similar consolidation of bespoke pipelines onto a centralized DevSecOps platform beginning in 2019. The financial services company could have relied on the "stick" rather than the "carrot" approach as it made this change, given its compliance and security requirements, and simply mandated that developers use its sanctioned toolchain.
But instead, the platform engineering team made developer customers its collaborators in building the platform from the beginning, emphasizing education and discussion over enforcement.
"Everyone had a voice; it was a democratic situation," said Jamie Plower, director of cloud platform architecture at Fidelity, in a cdCon presentation. "Developer experience is key to ensuring that everyone -- whether you're a hardcore programmer or a systems engineer, or even want a light touch [with the system] -- can get involved in how we design it."
Balancing DevSecOps guardrails with developer flexibility
While centralized DevOps platforms give organizations control over application deployment processes that maintain app security, they also offer self-service controls that support customization by developers.
The selling point around it was, all teams must have these mandatory checks and steps, but then they can add on top of it -- it's extendable.
Tim JacombLead software engineer, Kainos
"There's a very minimal couple of lines of code which loads the pipeline, and then there's a [domain-specific language] which allows you to add your own stages," Jacomb said. "The selling point around it was, all teams must have these mandatory checks and steps, but then they can add on top of it -- it's extendable."
Fidelity's platform team also had flexibility in mind when it developed an event-driven architecture to orchestrate its pipelines, according to Plower's presentation. This is a lighter and less labor-intensive approach to interoperability than direct integration, so developers can add and remove pipeline stages easily while compliance data is reliably captured in Fidelity's Pipeline Intelligence repository.
In addition to automatically enforcing security and compliance policies in real time as pipelines run without developer intervention, the Pipeline Intelligence repository has also helped Fidelity's platform engineers improve developer experience by giving them access to data that shows how deployments are performing.
"We get engineering metrics that we can provide back to our wider teams, and that gives them the ability to do analytics [specific] to the run that's happening, which was something we couldn't do before," Plower said.
Fidelity benefited from building its DevSecOps platform the same way it built apps using Agile workflows -- collaboratively and iteratively.
"By coming together, we have more richness and robustness and reliability -- we haven't had a breaking change since this project was initiated," Plower said in a Q&A session after his presentation. "A lot of the problems that we found [before] were [from], essentially, teams that were throwing [platform designs] over the wire, and then the developers would test them."
However, developers' appetite for "shifting left" can vary, depending on the team or organization, which can make it difficult to improve DevSecOps platforms. Kainos' platform team surveys hundreds of its organization's developers every few months, but gets between 20 and 50 responses, Jacomb said.
"[The platform] is in their control now, and they can do anything, but do they want to? Some want to and some don't," he said. "Should they need to know all that? Has it gone too far? And how can we make it easier for them?"
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
