Step Up Your DevOps Game - Webinar Questions Answered (DevSecOps and Observability)

On October 21st, we hosted a webinar titled, Step Up Your DevOps Game with 4 Key Integrations for Jira and Bitbucket. I covered 4 key DevOps practices - agile testing, DevSecOps, feature flagging, and observability - and examples of integrations in each area. If you haven’t seen it, you can view an on-demand version of the presentation here.

We received far too many, albeit good, questions during the Q&A portion, so I’d like to answer some of them here. Read Q&As for the other two DevOps practices, as well:

Clarifying questions about DevSecOps and observability

I don't get the difference between DevSecOps and monitoring and observability. Like the egg I am ;)

These are very similar ideas. Traditional approaches to security and monitoring often treat them as responsibilities “handed off” to another team, so they can feel unfamiliar to teams new to DevOps. In a DevOps world, security and monitoring become part of every feature or bug fix. The “big idea” of DevSecOps is treating each code change as an opportunity to check that the application is secure, rather than waiting for a report from an external team. I think of observability as “intentional monitoring”: making sure there are good log statements in the code and good ways to check what is happening inside the application, without relying on a debugger.

Logging is for post-incident analysis, Observability is for analysis DURING the incident to minimize impact, in my understanding. Does that sound right?

This question gets at the heart of how we're using old tools in new ways. I think one aspect of logging that may change in some teams is being more intentional: making sure you are logging the right things in order to do better post-incident analysis, or to reveal problems while they are happening. It's a bit like agile testing or DevSecOps in that you want to plan for what can go wrong and make logging useful. Sometimes this takes practice, such as asking during post-incident analysis, “What do we wish we had known from the logs?”

I am a Release Manager and I need a tool that will provide transparency into the activities of the Scrum Teams and how this relates back to what I am responsible for releasing into Production.

Putting DevOps aside, there’s already a blog post on 6 steps to better release management in Jira Software. In a DevOps world, I hope your teams can separate deployment from release. Even in a DevOps world, I think release managers can play an important role making sure that all release expectations are understood early. For example, when I was a Product Manager, it really helped me to know about export controls and licensing restrictions for my packaged software from the start. That’s because I could influence development decisions to keep the deployment and release processes easy. When it’s just a surprise at the end, that can lead to a lot of stressful efforts or blowing the release schedule altogether.

Does Snyk work with Bamboo? Data Center Edition of BitBucket does not have pipeline feature.

While there isn’t a Bamboo-specific App in the Marketplace for Snyk, you can call the Snyk command-line tool (distributed as a Node.js package) directly from a Bamboo script task. I prefer being able to call all the tools in my continuous delivery pipelines locally using a build script; it really helps with debugging. That means most of my pipeline is expressed with Bamboo script tasks rather than with specialized Bamboo tasks.

I just looked at Snyk pricing and it's out of my company's budget. I see that the Bitbucket integration is free; does the Snyk Bitbucket integration require a Snyk account?

Yes. But you might be able to get by with a free Snyk plan with 200 tests per month for open source vulnerabilities on private projects. Rather than testing with every commit, you might just run a daily scan to keep under the limit. In addition, you should check out OWASP’s lists for SAST and DAST which both include some free and open-source options. The free options may not offer the same kind of security checks and might not help as much with prioritization; however, most teams could really use all the help they can get.
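The two Snyk answers above (calling Snyk from a Bamboo script task, and staying under a free plan's monthly test limit by scanning daily rather than per commit) can be combined in one build script. The following is an added example, not code from the webinar or from Atlassian or Snyk. It assumes the Snyk CLI is installed on the build agent as `snyk` (or wherever `SNYK_BIN` points) and that `SNYK_TOKEN` is set in the environment; the `--severity-threshold` and `--json-file-output` flags and the `snyk test` exit codes (0, 1, 2, 3) are documented Snyk CLI behaviour. The marker file used to throttle scans is this example's own convention.

```shell
#!/bin/sh
# Added example: a build script a Bamboo "Script" task can run to gate a
# pipeline on Snyk results while limiting how often Snyk is actually called.
# Assumes: `snyk` CLI on PATH (override with SNYK_BIN) and SNYK_TOKEN exported.
set -u

# Translate the documented `snyk test` exit codes into a readable verdict.
interpret_snyk_exit() {
  case "$1" in
    0) echo "clean: no vulnerabilities at or above the threshold" ;;
    1) echo "vulnerable: issues found at or above the threshold" ;;
    2) echo "error: scan failed to run (check auth, network, manifests)" ;;
    3) echo "no-projects: nothing Snyk knows how to scan in this directory" ;;
    *) echo "unknown: exit code $1" ;;
  esac
}

# Allow at most one scan per calendar day, tracked in a marker file on the agent.
# Returns 0 (scan now) and updates the marker, or 1 (already scanned today).
# A free Snyk plan counts every `snyk test` run, so a per-commit pipeline can
# burn through a monthly quota quickly; this keeps the scan daily instead.
scan_allowed_today() {
  marker="$1"
  today="${2:-$(date +%Y-%m-%d)}"
  if [ -f "$marker" ] && [ "$(cat "$marker")" = "$today" ]; then
    return 1
  fi
  printf '%s\n' "$today" > "$marker"
}

# Run `snyk test` at the given severity threshold; return 0 only if the build
# may proceed. Exit code 1 (findings) fails the gate, but so do 2 and 3: a scan
# that silently could not run must never count as a pass.
run_snyk_gate() {
  threshold="${1:-high}"
  "${SNYK_BIN:-snyk}" test \
    --severity-threshold="$threshold" \
    --json-file-output=snyk-report.json
  rc=$?
  echo "snyk: $(interpret_snyk_exit "$rc")"
  [ "$rc" -eq 0 ]
}

# Pipeline entry point: skip the scan (and pass) if one already ran today,
# otherwise gate the build on high-or-worse findings.
main() {
  marker="${SNYK_SCAN_MARKER:-.snyk-last-scan}"
  if scan_allowed_today "$marker"; then
    run_snyk_gate "${SNYK_THRESHOLD:-high}"
  else
    echo "snyk: already scanned today, skipping (marker: $marker)"
  fi
}
```

Invoke it from the Bamboo script task with `sh snyk-gate.sh && main` or by adding a final `main "$@"` line when saving it as a standalone script. The marker file is per agent, so on a farm of agents a Bamboo scheduled (daily) plan is the cleaner way to throttle; the marker is mainly a guard for a plan that already triggers on every commit. Treating exit code 3 as a failure is deliberate: a mis-pointed working directory should break the build rather than quietly produce a green result.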

What’s next?

Reference Architectures

Now that you know how to step up your DevOps game with key DevOps practices to consider, you may find our new DevOps guides helpful. Whether you’re a beginner, intermediate, or advanced in your DevOps, find recommendations and inspiration for how to combine your tools and DevOps practices.

In-depth Demos

See more in-depth demos or explainer videos of the integrations highlighted in the webinar by visiting our curated DevOps marketplace page of integrations in the four categories covered. Not only do partner pages have additional content available in the Marketplace, but most of our Marketplace is full of additional videos, screenshots, and documentation so you can discover these integrations as you see fit. Let us know in the comments what additional demos you’re interested in watching!

More on Observability and DevSecOps

Learn more and get inspired by other materials we’ve published for your reading pleasure:
