SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.
Open-source libraries have transformed how developers work. These resources allow DevOps teams to significantly shorten their coding timelines while contributing to a growing body of libraries and containers. And, overwhelmingly, developers are capitalizing on these benefits: Today, nearly every application on the market relies on open-source code (97%), according to industry research. Additionally, nine out of 10 companies have adopted open-source code in one form or another, further cementing the dominance of open-source contributions in software development.
However, just as it invites opportunity, open-source software inherently introduces risk. Because developers don't have complete visibility into the provenance of open-source libraries, these software are more likely to contain vulnerabilities. For example, the famous Log4Shell vulnerability — borne of the ubiquitous open-source Log4j software — has been exploited by bad actors countless times since its emergence. Additionally, because the source code is publicly available, bad actors can inspect it to identify exploitable vulnerability. Upon discovery, Log4Shell was active in several leading applications, including Apple's iCloud, Amazon Web Services (AWS) and the video game Minecraft.
Companies relying on open-source libraries introduce risks to their end-users, so they're on the hook for thoroughly auditing all software. The internal security principles guiding the auditing process are often called open-source governance.
However critical, open-source governance principles can hinder vital development metrics like deployment time. Navigating the balance between organizational imperatives and risk management is thus an ever-more essential — and challenging — aspect of a developer's daily life.
The Need for a New Approach: Why Automation?
Traditional governance structures have many merits, yet they introduce bureaucracy, delays and inflexibilities to a developer's workflow, making it difficult to meet deadlines. Meticulous oversight, especially manual oversight, delays delivery and burdens developers with administrative overhead. As a result, deployed software is secure, but companies fail to meet consumer expectations or demand.
Or, in some organizations, delayed deployments pose too high of a risk, and certain security procedures are foregone in favor of speed. The manual checks-and-balances approach to governance, wherein supervisors must approve state changes, often encourages corner-cutting. Of course, these compromises wouldn't happen in a perfect world — but we've yet to reach that ideal reality. As such, an alternative approach to governance is imperative.
Automated governance provides an ideal reality by solving the issue of insecure code without delaying deployment. Automation-based governance eliminates the need for manual approvals, freeing up developer time to focus on high-impact initiatives. Because these technologies are devoted to ensuring compliance, automated governance tools alleviate concerns about neglected security checklists. Automated systems swiftly identify and address vulnerabilities, bolstering the security framework.
Last but certainly not least, automation significantly improves the developer experience (DevEx). How? By alleviating many developers' worst enemy: administrative load. When developers can focus on innovation and actual development, they're more intellectually stimulated and fulfilled. That's good news for developers and their organizations. According to Forrester, positive DevEx translates to higher productivity, profitability and satisfaction.
The Do's and Don'ts of Automated Governance
Automation offers considerable advantages, but only if implemented thoughtfully. To that end, do:
■ Adopt a phased approach to automation, ensuring technical and human factors are considered. For example, it's wise to ascertain your organization's level of digital transformation before implementing automated tools. Relatedly, are your developers aware of automation's benefits? Organizational buy-in is important to gauge before adoption. Otherwise, leaders may not be prepared for the level of after-the-fact training required.
■ Foster clear communication and collaboration between developers and governance teams to align automation initiatives with organizational objectives and developer needs. Organizations with a DevSecOps mindset will be particularly primed to take this step.
Do not:
■ Make wholesale, abrupt transitions to automated systems, as doing so can cause a bumpy rollout and incur developer resistance.
■ Employ excessive automation, particularly at the outset, because doing so can inadvertently create opacity and disconnect within governance processes.
Striking the right balance between a steady but calculated approach to automation adoption is crucial. Remember, the idea is to ease DevEx — leaders who neglect this piece of the puzzle may inadvertently impose new burdens, further slowing down the software development lifecycle (SDLC) and decreasing developer satisfaction.
Now Is the Time to Automate Governance
The modern software development industry is rife with new technologies. In this environment, it may be challenging to ascertain which technologies are here to stay and which are stuck in a never-ending hype cycle.
Leaders looking for guidance in this respect should consider their tech stack's staying power, particularly in relation to developer trends. Automation, for example, aligns perfectly with existing developer frameworks like continuous integration and deployment (CI/CD), which expedites the deployment process and increases the end-user experience significantly. Automated governance achieves the same results, and in the years to come, it will prove equally valuable to organizations of all sizes.
Industry News
Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.
CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.
Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.
Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.
Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.
Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.
Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).
Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.
iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.
Progress announced the Q4 2024 release of its award-winning Progress® Telerik® and Progress® Kendo UI® component libraries.
Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).
Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.
Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.
Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).