The DevOps Toolchain per Mark Miller, Sonatype
In our DevOps toolchain podcast, Mark Miller says you must make sure your tools can integrate with the other tools in the platform.
Thanks to Anders Wallgren, CTO, and Sam Fell, V.P. of Marketing, at Electric Cloud for hosting and moderating our roundtable discussion on the necessary elements of a healthy DevOps toolchain with Mark Miller, Senior Storyteller and DevOps Evangelist at Sonatype; Lee Atchison, Senior Director for Cloud Architecture at New Relic; Ian Buchanan, Principal Solutions Engineer for DevOps at Atlassian; Ravi Gadhia, Solutions Engineer at GitHub; Prashant Mohan, Product Manager at SmartBear; and yours truly.
You can see the full podcast here.
Following are Mark’s thoughts on the four topics we covered:
The DevOps Toolchain as a Value Stream
We've found that people are actually searching for reference architectures and value stream diagrams to find out a few things. The first is, “Is what I am doing in alignment with what other companies are doing?” That's a big use for these types of diagrams. It’s a type of implicit community validation that you’re headed in the right direction.
The second reason people like diagrams is that they are easily consumable and can act as a trigger for where to start their company’s DevSecOps journey. Diagrams help people visualize the potential future value of a process without getting tangled in the minuscule details. It’s a chance to get the entire team in agreement and headed in the same direction.
Using Tools to Align People and Teams
It's not just that we need tools that are going to secure at specific places within the development lifecycle. Security has to be in every one of these items within this Mobius diagram. Security has to encompass every single step of the process.
We need tools that are going to be able to track what's happening. In the case of the Nexus Platform, it's open source. We want you to know what open source components you are using, what's the licensing and governance aspect of it. Once you get a handle on that, you can get it out of an Excel spreadsheet. Nexus Firewall and Nexus Lifecycle are tools that can help you automate that process. As you move forward through the rest of this infinity loop, you're going to have to monitor the components once they are in place.
That's a big thing that's missing in most implementations. A lot of people don't realize that just because you put something secure into the application doesn't mean it's going to remain secure for the duration of that application. What open source are you using, where is it located, and is it secure in-time, right now? There's absolutely no way you can do that manually. It's impossible. The only way to handle that is through automated monitoring.
Is There One Right Tool?
What I want to do is make it a broader statement: is there one right toolchain, is there one right pipeline? And that opens up new possibilities. I like the way Ann Winblad says, "It's an API economy." We need to be able to decouple the tools so you can dynamically build your pipeline, you can customize the build of your toolchain, you can plug in different tools as needed.
There's not one pipeline; there's a process that needs to happen. Then you build a pipeline around the process.
Adapting to the Changing Environment
If you’re going to ask developers to become part of the security stream, give them tools that integrate within their existing toolset without interrupting their workflow. Add value to the work environment as opposed to creating bottlenecks and roadblocks.
That’s how we envision the use of the Nexus Platform. First is at the point of consumption. That’s what Nexus Firewall is for. Let’s shift far left, to the point at which the developer downloads open source frameworks and evaluate those frameworks for licensing and governance issues, as well as notify the developer of any known vulnerabilities within those components.
Once those frameworks and components are deployed, they need to be monitored and tracked. Nexus Lifecycle gives you the ability to track every single open source component within your applications. Automated notification is essential when a component is announced as vulnerable.
Tools within the environment need to be flexible enough to adapt to the complexity and scale of modern software.
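The monitoring problem Mark describes above (a component that was clean when it was built can become vulnerable later, so the inventory has to be re-checked whenever a new advisory is published) can be shown in a few dozen lines. The following is an added example written for this page; it is not Sonatype's code and does not use the Nexus Platform's data formats or API. The inventory, the advisory records, their identifiers (EX-000x) and the dotted version scheme are all constructed for illustration.

```python
"""Re-evaluate a deployed open source component inventory against a
vulnerability feed and surface only what is newly affected.

Added example for this page; not Sonatype's code. The inventory,
advisories, EX-000x identifiers and version scheme are constructed
(assumptions), chosen to resemble an SBOM joined to an advisory feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(v: str) -> Tuple:
    """'4.1.2' -> comparable tuple. Assumption: dotted segments, numeric
    segments compare as integers, anything else as a string after them."""
    parts = []
    for seg in v.split("."):
        parts.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed. fixed=None means no fix yet,
    so every version from 'introduced' onward is affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass(frozen=True)
class Component:
    ecosystem: str   # e.g. maven, npm
    name: str        # package coordinates
    version: str
    app: str         # which application consumes it (where is it located?)


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    name: str
    introduced: str        # first affected version
    fixed: Optional[str]   # first fixed version, or None
    published: str         # ISO date; lexicographic order == chronological


def affected(inventory: List[Component], advisories: List[Advisory]) -> Dict[Component, Set[str]]:
    """Full point-in-time view: every deployed component matched to every
    advisory whose version range contains it."""
    hits: Dict[Component, Set[str]] = {}
    for c in inventory:
        for a in advisories:
            same_pkg = (a.ecosystem, a.name) == (c.ecosystem, c.name)
            if same_pkg and version_in_range(c.version, a.introduced, a.fixed):
                hits.setdefault(c, set()).add(a.id)
    return hits


def new_findings(inventory: List[Component], advisories: List[Advisory], last_seen: str) -> Dict[Component, Set[str]]:
    """The 'secure at build time, vulnerable now' case: only advisories
    published after the last check, so a scheduled run notifies on change
    rather than re-reporting known findings."""
    recent = [a for a in advisories if a.published > last_seen]
    return affected(inventory, recent)


def notifications(findings: Dict[Component, Set[str]]) -> List[str]:
    """One line per affected component, ready to route to the owning team."""
    lines = []
    for c, ids in findings.items():
        lines.append(f"{c.app}: {c.ecosystem}/{c.name}@{c.version} affected by {', '.join(sorted(ids))}")
    return sorted(lines)


# Constructed inventory (what an SBOM per application would give you).
INVENTORY = [
    Component("maven", "org.example:web-framework", "4.1.2", "billing"),
    Component("maven", "org.example:web-framework", "4.3.0", "reports"),
    Component("npm", "example-parser", "1.9.5", "portal"),
]

# Constructed advisory feed; the EX-000x ids are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("EX-0001", "maven", "org.example:web-framework", "4.0.0", "4.2.0", "2019-01-10"),
    Advisory("EX-0002", "npm", "example-parser", "1.0.0", None, "2019-06-03"),
    Advisory("EX-0003", "maven", "org.example:web-framework", "4.3.0", "4.3.1", "2019-07-15"),
]

if __name__ == "__main__":
    # A run on 2019-05-01 would have been clean for 'reports' and 'portal';
    # the same inventory, re-checked later, is not.
    for line in notifications(new_findings(INVENTORY, ADVISORIES, "2019-05-01")):
        print(line)
```

The design point is the second function: the inventory does not change between runs, the feed does, so the scheduled job diffs on advisory publication date rather than re-scanning artifacts. Real feeds use richer range specifications and ecosystem-specific version ordering (Maven qualifiers, semver pre-release tags), which the dotted-segment comparison here does not model.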