Gina Smith, a research manager for DevOps in Asia/Pacific with IDC explains that with the COVID-19 pandemic going into its third year, Asia/Pacific organizations are looking to DevOps processes and practices now more than ever.
"The need to deliver evocative and secure applications and services is unrelenting. Mature DevOps efforts will combine IT, development, and business resources to help organizations stay competitive and resilient moving forward," she adds.
Gartner predicts that through 2022, 75% of DevOps initiatives will fail to meet expectations due to organisational learning and change issues.
For Dirk de Vos, channels director for Asia Pacific at GitLab, DevOps comes down to three things:
“Most importantly, it’s a philosophy - for how organisations approach developing applications and introducing fast iterations and agility. It’s a change in how they bring together their developers, operations teams, platforms teams, and now security teams.”
Dirk de Vos
“This is supported by an agile methodology where you can iterate and take your software to production fast. And it also involves looking at the tools you use within a DevOps organisation,” he continued.
DevOps in Asia in 2022
The best way to look at which countries have embraced DevOps, noted de Vos, is to follow the bouncing ball of the hyperscalers.
“Looking at adoption in APAC, you get a sense of how quickly companies are embracing a modern application approach. In some markets, there is huge adoption, and companies have changed their people and processes to adopt a DevOps methodology – a hard but necessary task if you want to be agile.
Others are slower to adopt a cloud-native approach, and despite being an appetite amongst businesses for new technology and software, some legacy systems remain.
DevOps by region
Huge adoption in Australia, New Zealand, and Singapore in both public and private businesses. These organisations have changed their people and processes to adopt a DevOps methodology – a hard but necessary task if you want to be agile.
Japan and South Korea have strong demand for consumer technology and deliver huge amounts of technology globally. While there remain some legacy systems, with some businesses yet to fully adopt a cloud-native approach, the organisations in these countries in both the public and private spaces are very open to adopting new software and technology.
Companies in Southeast Asia and India are adopting DevOps quickly. India has a lot of cloud-native companies coming through the ranks. And in Southeast Asia, there are lots of large organisations that have pivoted fast to adopt DevOps.
Developers struggling to incorporate security
Asked whether software developers in Asia are struggling to incorporate security aspects/processes into the development cycles, irrespective of whether this is waterfall or agile, long-form or low-code/no-code, de Vos comments that the struggle is not unique to Asia.
Citing data from GitlLab’s annual Global DevSecOps Survey, de Vos commented that budgets, misalignment between teams, and a lack of collaboration and transparency as notable discoveries of the study.
Budget. Only 10% of respondents felt they were getting an adequate budget to invest in security. That shows the disconnect between management and business, and what’s happening on the ground with developers and the SecOps teams.
Ongoing misalignment between security and DevOps teams. What I’m seeing in the market is an overlay of responsibility between the developers and security teams. To align performance metrics with reality, developers must be incentivised to practice security protocols from the outset, which will give them full visibility into the toolchain and all the potential risks associated with that.
Collaboration and transparency. You need your teams to be collaborating on all application projects. And there is still a lot that needs on an organisational level here.
What is DevSecOps?
“We discussed that DevOps is the combination of bringing developers and operations and platform teams together. Now there is the third silo – security,” said de Vos.
“DevSecOps is fast becoming one of the most important criteria for organisations to ensure they are adopting a proper security posture when they are bringing applications to market, by introducing security earlier in the development cycle,” he added.
Maturity of DevSecOps practice in Asia
Johnathan Hunt, VP of InfoSec and Cyber Security at GitLab says DevSecOps is a proven strategy within the DevOps Platform that reduces risk and security incidents while allowing faster and more secure code deployments — and organisations know this to be true.
He predicts that in 2022, DevSecOps will be the preferred strategy across all industries to combat today's evolving threat landscape.
“Although we see an increase in the implementation of certain security protocols, overall, the industry has been slow to respond. Much of this is due to the understanding, complexity, and difficulty in implementation of full DevSecOps within the tech stack."
Johnathan Hunt
For his part, de Vos says in APAC, there are already pockets of ingenuity in APAC, mainly driven by companies that are new, cloud-first, and without legacy.
They build their organisation from scratch with DevSecOps in mind. Interestingly, a lot of change is also coming from within government, with some organisations having an aggressive posture to tech consumption and development,” he continued.
He concedes the need for more education in the market. Companies are getting their head around DevOps, and security adds new complexity.
Companies live and die by their ability to create and deliver software. To be competitive – companies need to be 10 x faster. They need to adopt a DevSecOps philosophy and drive new technology with great speed while making it secure.
For DevOps teams, do you see the use of testing tools as able to minimise risks associated with poor coding practice, etc?
De Vos says DevOps adoption as a practice should be driving better code quality, productivity and operational efficiency across the business. “Having the right process to support quick sprints in iteration leads to code that is cleaner, more efficient and less error-prone. Ultimately, the output for testing should gain better and quicker results,” he explained.
He concluded that the priority for testing is to automate.
“DevOps teams want automation because this drives speed to market. They are looking at ways to incorporate AI and ML into those testing processes. Streamlining the approach will foster collaboration with the operations and security teams and accelerate with fewer errors when you hit the testing phase,” he added.
AI will not displace DevOps teams
Despite the continuing advances in artificial intelligence and machine learning, de Vos does not believe that AI will replace DevOps teams inside an organisation.
“AI and ML will reduce some of the overheads in the testing, like monitoring and root cause analysis. They can help with that day-to-day grind for DevOps teams by increasing efficiencies, allowing them to focus on the bigger picture,” he pointed out.
What is the way forward for CIOs and DevOps teams in the practice of DevSecOps?
For de Vos, CIOs need to have a holistic view of the organisation, and security is as important as speed to innovation. Departments must become less complex and less siloed, and toolchains need to be simplified.
“A single pane of glass for developers, ops and security teams should improve efficiency, and provide visibility to ensure security is incorporated into every stage of the application cycle,” he concluded.
Click on the PodChat player to listen to de Vos describe the challenges and opportunities CIOs, DevOps and SecOps can achieve to improve the security of applications.
- Briefly define DevOps and describe the DevOps landscape in Asia today.
- Compared to DevOps as practised in the US, how would you rate Asian developers?
- Is it fair to say that developers (in Asia) – whether in-house or those working for a software house – are struggling to incorporate security aspects/processes into the development cycles, irrespective of whether this is waterfall or agile, long-form or low-code/no-code? What are the top three reasons why this is so?
- Define DevSecOps and how mature is DevSecOps as a practice in Asia-Pacific. What needs to happen to accelerate this (training, certification, practice, etc)?
- For DevOps teams, do you see the use of testing tools as able to minimise risks associated with poor coding practice, etc?
- Do you see AI as supporting DevOps teams? To what extent should DevOps teams trust AI tools with application development, including testing, failure forecasting, resource management, and root cause analysis?
- What is the way forward for CIOs and DevOps teams in the practice of DevSecOps?