Bedding in DevSecOps at furniture retailer Dunelm
DevOps leads explain how they got their teams comfortable with integrating security into their code
Paul Kerrison, director of engineering and architecture at home furnishings retailer Dunelm, is not a fan of jargon. In his blog on Medium, he regularly rails against the inanities of corporate-speak and tech-babble.
"Over the last decade or so, there are few words used more regularly and more vaguely to mean more things across the business world than Digital," he says in one post. "It means everything and nothing."
Clarity matters because vagueness and misunderstanding inevitably lead to waste and frustration. This is true of "digital", and it is equally true of DevOps which, as we all know by now, is about culture rather than technology, and needs to be part of a business-wide transformation.
But even the name DevOps can be alienating for those unfamiliar with Agile. DevSecOps and "shifting left" even more so; there are plenty of developers who still don't have the faintest idea what that means.
Changing culture and mindsets around security has been one of the biggest challenges as Dunelm looks to develop more of its own software, said Kerrison. It means getting security staff to speak the same language as developers.
"Speaking dev to devs" is the job of principal DevSecOps engineer Jan Claeyssens, who had a crack at deciphering the buzzphrase.
"It's cultivating a way of working that establishes that good software is secure software, that security is a shared responsibility, and it should be integrated throughout the software development lifecycle," Claeyssens said. "That's a nice way of getting around shift left. If you just say it needs to be everywhere, there is no shifting left."
The journey into Agile
The retailer's journey into Agile began five years ago, when an executive decision was made to make software a competitive differentiator. This meant bolstering Dunelm's internal development capability, and reducing reliance on off-the-shelf enterprise packages deployed by third parties, although those are still used for commodity use cases.
The company migrated its internal stack from IBM WebSphere in OpenStack on Rackspace servers to an in-house-built ecommerce platform on AWS - the largest serverless Lambda estate in Europe, according to Kerrison. The new architecture was chosen mainly for its ability to rapidly scale up and down in response to the irregular, peaky traffic typical of the retail sector.
The IT team also adopted DevOps, upping the release cadence to several updates a week, with features added or improved incrementally. The first fruit of their labour was an upgraded transactional website designed to attractively showcase the company's wares and greatly improve the customer journey. The timing could not have been more fortunate: shortly afterwards, Covid struck, stores closed, and the site found itself supporting 75% of the company's revenue.
Initially, Jenkins was selected as the CI/CD pipeline; however, according to Claeyssens, it proved cumbersome, and developers did not have adequate insight into what the pipeline's plugins and libraries actually did.
After testing both CircleCI and GitLab as a Jenkins replacement, the team plumped for the latter.
GitLab is an end-to-end DevOps platform with version control, pipelines, security scanning and other tools built in. Having the key tools in one place makes the whole process easier to understand. It also helps with compliance, because the required checks can be written into the pipeline configuration held in the GitLab repository, so they run automatically on every change rather than relying on someone remembering to run them. Security scanning is an integral part of the same process. Importantly, though, these features are flexible and can be tweaked to meet requirements.
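To make that concrete, here is a minimal `.gitlab-ci.yml` that wires GitLab's built-in scanners into every pipeline and then tightens one of the defaults. This is an added example written for this article; it is not Dunelm's or GitLab's own pipeline configuration. The stage names, the Node.js build job and the excluded paths are assumptions made for illustration. The template and variable names (`Security/SAST.gitlab-ci.yml`, `SAST_EXCLUDED_PATHS`, `SECRET_DETECTION_HISTORIC_SCAN`, the `secret_detection` job and its `gl-secret-detection-report.json` report) are GitLab's documented ones.

```yaml
# Added example, not the retailer's or GitLab's own pipeline file.
# Stage names and the build job are assumptions for illustration.
stages:
  - build
  - test
  - deploy

# GitLab ships the scanners as templates; including them adds the scanner
# jobs to this pipeline without the team having to maintain them.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # Assumption: vendored and generated code lives under these paths;
  # keeping them out of SAST focuses findings on code the team wrote.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules, dist"
  # Scan the full git history once, not only the current commit, so a
  # secret that was committed and later deleted is still reported.
  SECRET_DETECTION_HISTORIC_SCAN: "true"

build:
  stage: build
  image: node:20        # assumption: a Node.js service
  script:
    - npm ci
    - npm run build
  artifacts:
    paths:
      - dist/

# Caveat a practitioner needs: the template scanner jobs publish a report
# but exit successfully even when they find something, so by themselves
# they never fail a pipeline. Enforcement is normally done with a merge
# request approval policy; without one, a small job that reads the report
# makes the check blocking. This one reads the secret-detection report.
block_on_secrets:
  stage: test
  image: alpine:3.20
  needs: [secret_detection]   # pulls in the gl-secret-detection-report.json artifact
  before_script:
    - apk add --no-cache jq
  script:
    - count=$(jq '.vulnerabilities | length' gl-secret-detection-report.json)
    - echo "secret detection findings: $count"
    - test "$count" -eq 0
```

The important design choice is the last job. Left at their defaults, the scanners are informative rather than preventive; the blocking step is where "security is everywhere" stops being a slogan and becomes a pipeline gate, and because it is only a small job in the same file, a team can relax it (for example, with `allow_failure: true` on a branch) without touching the scanners themselves.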
Centralising core functionality improves developer experience, Claeyssens said. The company employs 25 cross-functional product teams, 140 engineers (some outsourced), and 50 quality advocates. With a setup that large and diverse, some degree of standardisation is a must.
Getting to the point where security and compliance are built into the pipeline has been quite a learning curve, and the process is ongoing, said Claeyssens. However, these automations have already helped him move closer to a key goal: ensuring that security is not a blocker.
"I want to get to a place where when the business comes to us and says I want to develop X, Y or Z, security should be in a position to say 'yes, we'll just implement these controls'," he explained. "At the moment we're in a middle phase where we say, 'tell us what you want to achieve and we'll work together with GitLab to see how we can do it.'"
A cultural nudge
To track the effectiveness of its development process, the company monitors the usual DORA metrics (deployment frequency, lead time for changes, change failure rate and time to restore service) at the department level, and sometimes at the team level too. This visible evidence allows the developers to see that integrating security into the pipeline at every stage is faster and less frustrating than leaving it until the end, which creates a positive feedback loop.
"The quicker we pick up on those issues the quicker we can make them front-of-mind for the engineers, and therefore we start to move much faster overall," said Kerrison. "I want to deploy safer and I want to shorten lead times for getting ideas into production. Embedding the security practices throughout and making it a first class citizen and having people like Jan, who can speak dev to devs means we can do that."
But many devs like to do things their own way, with their tools of choice. Don't they feel hemmed in?
The aim is "achieving a balance between autonomy and control," said Kerrison.
"It would make no sense to have each team using their own source control system and pipeline strategy, and we insist they use similar programming languages as well. Where it makes sense we standardise, where it makes less sense we can allow the teams to have more control over their area."
"There's always a new shiny tool", added Claeyssens. "But you need to realise if we move to a new platform every two or three years there are costs involved. Like how much time do we take off every dev team, like how much time is not spent delivering value to the business?"
Which brings us back to the culture, and the tricky task of making sure everyone is speaking the same language and moving—more or less—in the same direction.
"As with any change, the people part is the hardest. You can't just dictate what the culture is," Kerrison said.
"DevSecOps is a mindset. It's a sort of cultural nudge. It's nudging the teams in the right direction by highlighting good behaviour and pointing out when things aren't quite right."
The Computing DevOps Excellence Awards celebrate the remarkable achievements of organisations, individuals, products and solutions that have successfully embraced DevOps principles.