Intelligent automation can help accelerate release validation and break down DevSecOps silos. Here's how.
Many organizations are adopting a DevSecOps approach to software delivery with the goal of accelerating release validation and ensuring frictionless, secure software delivery. But without intelligent automation, they’re running into siloed processes and reduced efficiency.
Since the Log4Shell vulnerability of 2021, modern multicloud complexity and data proliferation have steadily increased, providing more opportunities for security vulnerabilities to stealthily enter the software delivery lifecycle (SDLC). Moreover, the demand for rapid software delivery is putting additional stress on DevOps teams. According to the Dynatrace 2023 CIO Report, 34% of CIOs reported that they must sacrifice security to meet the demand for faster innovation.
In response to these industry shifts, more organizations are integrating security earlier in the software development lifecycle. DevSecOps enables teams to release software quickly without compromising security. Integrating security into development and operations frameworks also improves testing, validation, and distribution practices with a continual feedback loop.
However, silos have become a problem for many DevSecOps frameworks. Broken feedback loops that fail to connect teams with critical information can hamper the release validation process and introduce security risks. Intelligent automation can help break down these silos. During a Perform 2023 conference session, Christian Schwarzbauer, fellow product architect at Dynatrace, and Gerhard Byrne, senior product manager at Dynatrace, explored the role of intelligent automation in DevSecOps and three ways teams can converge automation and security and avoid DevSecOps silos.
Accelerated release, accelerated risk
As the Log4Shell incident demonstrated for many organizations, vulnerabilities can crop up at any time. Relying on open source code and traditional monitoring tools can also increase the risk of vulnerabilities entering the SDLC. Organizations and IT security teams realized that without a full, comprehensive view of their multicloud environments, they’re less able to detect vulnerabilities like Log4Shell until it’s too late.
The Dynatrace 2022 CISO Report found that only 25% of security teams can access fully accurate and continuously updated reports of applications and code in real time. Additionally, 41% reported that they’re equipped to handle all instances of challenges, such as Log4Shell or similar attacks in their environment.
Siloed processes compound the risk of vulnerabilities significantly impacting applications and organizations. Non-collaborative operations reduce communication and create friction between development, security, and operations teams, particularly when these teams use different tools. As release cycles accelerate and cloud complexity rises, the risk of vulnerabilities entering the SDLC and remaining undetected also increases.
Ultimately, though many organizations are adopting self-serve, shift-left security practices, the accelerated release schedules introduce accelerated risk when there are siloed teams. Security teams are stretched thin, and development and operations teams aren’t far behind.
Eliminating silos with intelligent automation
Silos often occur naturally. Despite best efforts, organizational departments tend to separate themselves and slowly build up a silo of tools, processes, and policies. The 2023 CIO Report found that 55% of security teams don’t trust developers, and 49% of developers perceive security teams as innovation blockers. Overall, 36% of respondents agreed that the silos between DevOps and security teams lead to a resistance to collaboration. Two factors play a role in this challenge: specificity and speed.
Specificity refers to security, operations, and development teams relying on different sets of data to accomplish key goals. Priorities for a security team may include tracking logs, reviewing events, and identifying code-level vulnerabilities. For development teams, code building and review are critical. Operations teams must ensure new releases don’t hinder current processes.
Speed, meanwhile, is a shared problem that paradoxically leads to silos. All three branches of DevSecOps aim to reduce the time between releases while ensuring they deliver key business outcomes. This focus on speed, however, means teams may lack the time to collectively scan and fix critical vulnerabilities at scale. Instead, they focus inward on role-specific functions and create silos in the process.
Intelligent automation can help break down DevSecOps silos. Using AI-driven automation, it’s possible for organizations to automatically detect potential problems, effectively manage release validation, and ensure IT tickets are assigned to the right people at the right time to solve the issue at hand.
Three use cases for intelligent automation in DevSecOps
What does intelligent automation implementation look like in practice? Three potential use cases include release validation, intelligent ticket assignment, and code-level vulnerability detection.
1. Release validation
Validation testing of software components helps ensure they’re ready for release to the next development phase or are ready for production. While every organization has its own set of validation processes, common tasks include the following:
- Verifying code
- Reporting results
- Reporting issues
- Cleaning up data
- Monitoring software post-release
Historically, these tasks were handled manually, often to accommodate manager approval in the process. But as the number of applications in use grows, and because these apps are hosted in complex cloud-native environments, manual methods are no longer enough. A manual approach to release validation is not scalable for the demands of modern digital transformation. Automating release validation processes can reduce time spent analyzing new software without compromising security or quality.
For more about how release validation can help accelerate software delivery, see Accelerate software delivery and eliminate failed releases.
2. Automated ticket assignment
Automation can also ensure tickets are assigned to the right teams at the right time. Consider a release candidate issue related to operational integration that’s rooted in an existing security vulnerability. Under a manual ticket assignment process, both operations and security teams might be assigned this ticket. Even more worrisome? It might fall through the cracks and remain unaddressed for days or weeks.
Causal AI-driven root cause analysis provides a foundation of certainty so teams can generate and assign tickets automatically. When teams have confidence in the root cause of an issue, they can ensure that the ticket goes to the most appropriate team, or even engage auto-remediation procedures.
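To make the two use cases above concrete, here is an added example (not Dynatrace code, and not taken from the session) of an automated release-validation gate whose findings are turned into tickets and routed to the owning team by root-cause category. The gate criteria, team names, routing table, and the sample release-candidate data are all constructed assumptions; the vulnerability identifiers are placeholders, not real advisories.

```python
"""Automated release-validation gate with root-cause-based ticket routing.

Added example; not Dynatrace code. Thresholds, team names, the routing
table and the sample candidate below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed routing table: root-cause category -> owning team.
TEAM_FOR_CAUSE = {
    "vulnerability": "security",
    "test_failure": "development",
    "slo_breach": "operations",
}
BLOCKING_SEVERITIES = ("critical", "high")


@dataclass
class Finding:
    cause: str      # key into TEAM_FOR_CAUSE
    summary: str
    severity: str   # "critical" | "high" | "medium" | "low"


@dataclass
class Ticket:
    team: str
    cause: str
    summary: str
    severity: str


@dataclass
class GateResult:
    passed: bool
    findings: list


def validate_release(candidate: dict, max_error_rate: float = 0.01,
                     max_p95_ms: int = 500) -> GateResult:
    """Evaluate a release candidate against the (constructed) gate criteria:
    no failed tests, no critical/high vulnerabilities, error rate and p95
    latency within budget. Only critical/high findings block the release;
    lower-severity findings are still reported so they get a ticket."""
    findings = []
    for test in candidate.get("failed_tests", []):
        findings.append(Finding("test_failure", f"test failed: {test}", "high"))
    for vuln in candidate.get("vulnerabilities", []):
        if vuln["severity"] in BLOCKING_SEVERITIES:
            findings.append(Finding(
                "vulnerability",
                f"{vuln['id']} in {vuln['component']}", vuln["severity"]))
    metrics = candidate.get("metrics", {})
    error_rate = metrics.get("error_rate", 0.0)
    if error_rate > max_error_rate:
        findings.append(Finding(
            "slo_breach",
            f"error rate {error_rate:.2%} exceeds {max_error_rate:.2%}", "high"))
    p95 = metrics.get("p95_latency_ms", 0)
    if p95 > max_p95_ms:
        findings.append(Finding(
            "slo_breach", f"p95 latency {p95} ms exceeds {max_p95_ms} ms", "medium"))
    passed = not any(f.severity in BLOCKING_SEVERITIES for f in findings)
    return GateResult(passed, findings)


def route_tickets(result: GateResult,
                  fallback_team: str = "devsecops-triage") -> list:
    """One ticket per finding, routed by root-cause category. A finding with
    an unknown cause goes to a triage queue rather than being dropped, so
    nothing falls through the cracks."""
    return [
        Ticket(TEAM_FOR_CAUSE.get(f.cause, fallback_team),
               f.cause, f.summary, f.severity)
        for f in result.findings
    ]


# Constructed sample release candidate (placeholder identifiers, not real data).
SAMPLE_CANDIDATE = {
    "failed_tests": ["test_checkout_total"],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "component": "example-logging-lib",
         "severity": "critical"},
        {"id": "VULN-PLACEHOLDER-2", "component": "example-json-lib",
         "severity": "low"},
    ],
    "metrics": {"error_rate": 0.03, "p95_latency_ms": 420},
}

if __name__ == "__main__":
    result = validate_release(SAMPLE_CANDIDATE)
    print("release passed:", result.passed)
    for ticket in route_tickets(result):
        print(f"[{ticket.team}] ({ticket.severity}) {ticket.summary}")
```

Running the block against the sample candidate blocks the release on three findings and emits one ticket each for the development, security, and operations teams; the low-severity vulnerability is below the gate's reporting threshold and the latency is within budget. The point of the routing table is that the team assignment is a function of the classified root cause, which is what lets the ticket go to exactly one owner instead of to both operations and security.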
3. Code-level vulnerability detection
Intelligent automation sets the stage for code-level vulnerability detection. By targeting the code-level root causes of potential issues rather than the operational symptoms, organizations can streamline the release validation process and software production. Code-level detection also makes it possible to find custom code vulnerabilities in both pre-production and production environments. Finally, it can help detect zero-day vulnerabilities and turn every request into a security test that helps strengthen overall defense.
Ready to break your DevSecOps silos and solve common DevSecOps challenges? Watch the full session, Break down DevSecOps silos with intelligent automation.