Myth 3: Application Platforms Are Enough
An application platform abstracts the complexities of containers and Kubernetes away from the development and operations folks, letting them focus on what they do best — building applications and running infrastructure.
Let's face it, containers are hard to manage at scale, and raw Kubernetes can be even more difficult. Whether it be net-new application development or application modernization efforts, moving to a more scalable and highly available service-focused architecture will necessitate additional management and integration of applications with infrastructure. If your development, security and operations folks are focusing their time on managing containers and Kubernetes, then they aren’t adding the business value for which you hired them.
Application platforms integrate with your continuous integration/continuous delivery (CI/CD) pipeline to bridge the worlds of development and operations, while also managing the day-to-day care and feeding of your production applications. By enabling developers to do their best work in their code — and enabling operators to horizontally scale those applications in well-defined and isolated containers — application platforms bridge the worlds of Dev, Sec and Ops.
What an application platform won’t do is modernize your application development practices or solve your other IT challenges. Many organizations view application platforms as a field of dreams, thinking “if you build it, they will come.” The stark reality is that without a prescriptive approach and a well-defined plan to bring apps to your application platform, that field of dreams will stay empty.
Feds Need Modern App Development and Delivery
With all that said, two key practices will determine whether you succeed: modern application development and modern application delivery. I’ll focus on each of these quickly.
Modern app development combines domain-driven design, trusted design patterns and architectures, as well as modern development languages and frameworks with test-driven development, static code analysis, and strict pipeline enforcement. These concepts work in concert to deliver reliable, scalable, high-quality code. When we talk about continuous integration, this is what we’re talking about. This is what helps development and operations teams build the trust that is so critical for implementing DevSecOps.
Modern application delivery, on the other hand, makes use of containerized packaging, centralized configuration management and automated provenance, along with modern deployment strategy enforcement, runtime analysis and automated/self-healing operations to bring forth a reliable and scalable infrastructure upon which to deliver modern applications.
This is the continuous deployment upon which CI/CD implementations are built. Without these two core methods, there is no process for taking great software from build to deploy in the time that modern business requirements demand. Automated integration testing, functional testing and security scanning are the keys to fast deployment of those services and applications to fulfill your mission needs.
In the end, DevSecOps is bigger than any single technology, whether that be containers, Kubernetes or even the application platforms that workloads run on. The reality is that DevSecOps focuses on delivering results quickly and embracing cross-team communication. A big part of that equation is building trust throughout the organization by using tools in the CI/CD pipeline to validate the suitability of code for production environments.
It’s a change of behaviors and culture — a change that many in the government are undertaking and welcoming — delivering real results to some of the most critical missions.