Tired of Governance Holding Your Team Back? Enter: Automation
October 26, 2023

Stephen Atwell

Open-source libraries have transformed how developers work. These resources allow DevOps teams to significantly shorten their coding timelines while contributing to a growing body of libraries and containers. And, overwhelmingly, developers are capitalizing on these benefits: Today, nearly every application on the market relies on open-source code (97%), according to industry research. Additionally, nine out of 10 companies have adopted open-source code in one form or another, further cementing the dominance of open-source contributions in software development.

However, just as it invites opportunity, open-source software inherently introduces risk. Because developers don't have complete visibility into the provenance of open-source libraries, these software are more likely to contain vulnerabilities. For example, the famous Log4Shell vulnerability — borne of the ubiquitous open-source Log4j software — has been exploited by bad actors countless times since its emergence. Additionally, because the source code is publicly available, bad actors can inspect it to identify exploitable vulnerability. Upon discovery, Log4Shell was active in several leading applications, including Apple's iCloud, Amazon Web Services (AWS) and the video game Minecraft.

Companies relying on open-source libraries introduce risks to their end-users, so they're on the hook for thoroughly auditing all software. The internal security principles guiding the auditing process are often called open-source governance.

However critical, open-source governance principles can hinder vital development metrics like deployment time. Navigating the balance between organizational imperatives and risk management is thus an ever-more essential — and challenging — aspect of a developer's daily life.

The Need for a New Approach: Why Automation?

Traditional governance structures have many merits, yet they introduce bureaucracy, delays and inflexibilities to a developer's workflow, making it difficult to meet deadlines. Meticulous oversight, especially manual oversight, delays delivery and burdens developers with administrative overhead. As a result, deployed software is secure, but companies fail to meet consumer expectations or demand.

Or, in some organizations, delayed deployments pose too high of a risk, and certain security procedures are foregone in favor of speed. The manual checks-and-balances approach to governance, wherein supervisors must approve state changes, often encourages corner-cutting. Of course, these compromises wouldn't happen in a perfect world — but we've yet to reach that ideal reality. As such, an alternative approach to governance is imperative.

Automated governance provides an ideal reality by solving the issue of insecure code without delaying deployment. Automation-based governance eliminates the need for manual approvals, freeing up developer time to focus on high-impact initiatives. Because these technologies are devoted to ensuring compliance, automated governance tools alleviate concerns about neglected security checklists. Automated systems swiftly identify and address vulnerabilities, bolstering the security framework.

Last but certainly not least, automation significantly improves the developer experience (DevEx). How? By alleviating many developers' worst enemy: administrative load. When developers can focus on innovation and actual development, they're more intellectually stimulated and fulfilled. That's good news for developers and their organizations. According to Forrester, positive DevEx translates to higher productivity, profitability and satisfaction.

The Do's and Don'ts of Automated Governance

Automation offers considerable advantages, but only if implemented thoughtfully. To that end, do:

Adopt a phased approach to automation, ensuring technical and human factors are considered. For example, it's wise to ascertain your organization's level of digital transformation before implementing automated tools. Relatedly, are your developers aware of automation's benefits? Organizational buy-in is important to gauge before adoption. Otherwise, leaders may not be prepared for the level of after-the-fact training required.

Foster clear communication and collaboration between developers and governance teams to align automation initiatives with organizational objectives and developer needs. Organizations with a DevSecOps mindset will be particularly primed to take this step.

Do not:

Make wholesale, abrupt transitions to automated systems, as doing so can cause a bumpy rollout and incur developer resistance.

Employ excessive automation, particularly at the outset, because doing so can inadvertently create opacity and disconnect within governance processes.

Striking the right balance between a steady but calculated approach to automation adoption is crucial. Remember, the idea is to ease DevEx — leaders who neglect this piece of the puzzle may inadvertently impose new burdens, further slowing down the software development lifecycle (SDLC) and decreasing developer satisfaction.

Now Is the Time to Automate Governance

The modern software development industry is rife with new technologies. In this environment, it may be challenging to ascertain which technologies are here to stay and which are stuck in a never-ending hype cycle.

Leaders looking for guidance in this respect should consider their tech stack's staying power, particularly in relation to developer trends. Automation, for example, aligns perfectly with existing developer frameworks like continuous integration and deployment (CI/CD), which expedites the deployment process and increases the end-user experience significantly. Automated governance achieves the same results, and in the years to come, it will prove equally valuable to organizations of all sizes.

Stephen Atwell is Principal Product Manager at Armory.io
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023

Solo.io achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.