DevSecOps is a powerful approach towards software development, enabling faster delivery and improved efficiency.

During my QCon London 2024 presentation, I explored how teams face varying levels of inefficiency in their DevSecOps processes, hindering progress and innovation.

I highlighted common issues like excessive debugging time and inefficient workflows, while also demonstrating how Artificial Intelligence (AI) can be a powerful tool to streamline these processes and boost efficiency.

Let’s explore DevSecOps and its connection to cloud native. As you navigate the DevSecOps journey, consider your current stage. Are you deploying, automating tests, utilizing a staging environment, or starting from scratch?

Throughout this discussion, I encourage you to identify the most inefficient task you currently face. Is it issue creation, coding, testing, security scanning, deployment, troubleshooting, root cause analysis, or something else?

Imagine the potential of AI to enhance efficiency. However, it’s crucial to acknowledge the importance of workflow diversity. We’ll explore specific examples later.

Establishing guardrails for AI is essential. Ensure data security and prevent leaks from your environment. Additionally, it’s vital to measure the impact of AI. Don’t implement AI simply because others are. Build a compelling case and demonstrate its value. We’ll delve into this aspect as well.

In the fast-paced world of software development, simplifying workflows is crucial for efficiency and success. In 2024, 70% of respondents shared that it takes developers in their organization more than a month to onboard and become productive, up from 66% in 2023 (source: GitLab 2024 Global DevSecOps Survey). AI is ready to restructure the way we work. By using AI in our workflows, we can unlock a lot of benefits, including improved efficiency, reduced time spent on repetitive tasks, enhanced understanding of code, increased collaboration and knowledge sharing, and a streamlined onboarding process.

AI drastically transforms software development, optimizing workflows throughout various stages and roles such as development, operations, and security. These enhancements pertain to processes including planning, management, coding, testing, documenting, and reviewing.

AI capabilities in code generation and suggestions contribute to more effective coding by automating autocompletion and spotting missing dependencies. AI also aids in code comprehension, offering explanations, suggesting ways to boost performance, and helping refactor verbose code into object-oriented designs or different programming languages.

Beyond coding, AI enhances operational tasks by turning brief descriptions into detailed reports, thereby conserving time and resources. It can also encapsulate long discussions and technical descriptions, allowing team members to quickly catch up and participate effectively.

Anthropic Claude Workbench is an essential AI tool for conducting prompt-based queries with Large Language Models (LLMs). Simple prompts can dictate thorough guidelines on initiating a Golang project, detailing CLI commands, configuring GitLab CI/CD, and setting up OpenTelemetry, streamlining the information gathering process and enhancing productivity, particularly for new contributors.

Additionally, AI can assist in creating detailed issue descriptions, expanding simple ideas into thorough proposals. For instance, it considered whether to apply different instrumentation techniques like SDKs or auto-instrumentation in the source code. This initiates productive dialogues and helps in evaluating various options.

Moreover, AI is useful in summarizing extensive discussions and strategies, providing a succinct understanding of elaborate topics. By inputting data into the Anthropic Claude 3 Workbench, it summarily compresses the insights, promoting quicker decision-making and strategic focus.

AI also demonstrates its adaptability by providing summaries of prolonged issue descriptions, creating Kubernetes observability CLIs using Go, transforming Go code into Rust, and suggesting reviewers for merge requests.

Turning our attention from development to operations, discover how AI could transform root cause analysis, observability, error tracking, performance, and cost management. An example issue is a delayed CI/CD pipeline, depicted humorously in the modified XKCD 303 comic.

AI technologies have the capability to sift through job logs automatically, delivering actionable insights and recommending solutions. Developers can enhance their troubleshooting efficiency by tailoring prompts for the AI, allowing for quick issue identification and receiving optimization suggestions. It’s important to exclude sensitive information such as passwords and credentials before such automated analysis. With well-designed prompts, AI can shed light on underlying issues in a manner that’s comprehensible to software engineers, thus speeding up the resolution process.

When dealing with cloud-native deployments, resolving disruptions in Kubernetes can be quite complicated. Utilizing tools such as k8sgpt, a CNCF sandbox project, can mitigate these challenges. This tool employs LLMs to scrutinize deployments and provide expert advice from either an SRE standpoint or for optimizing efficiency. It is compatible with multiple LLMs and can even operate locally using Ollama on a MacBook.

Another crucial facet of operations is observability, where AI can enhance the analysis of log data. In times of operational incidents, AI is capable of summarizing extensive log information to quickly identify primary issues, which facilitates a faster remedy. An example of this capability is seen in Honeycomb’s latest AI integration, which incorporates query assistants and other AI-driven tools to handle complex tasks in observability.

Finally, sustainability monitoring is making strides, with tools like Kepler leveraging eBPF and machine learning to predict energy usage in Kubernetes setups. This enables companies to optimize both costs and eco-friendliness, thereby minimizing their environmental impact.

These instances highlight how AI is reshaping operations, enhancing efficiency, and fostering innovation across different sectors.

Focusing next on security processes, AI proves to be a tremendous asset in identifying and managing vulnerabilities, improving security assessments, and tackling supply chain risks. Despite 67% of developers reporting that at least a quarter of their coding involves open-source libraries, only 21% of companies make use of a software bill of materials (SBOM) to track the components in their software products (source: GitLab 2024 Global DevSecOps Report).

Reflecting on a previous security incident involving a CVE in an open-source tool which had unintended repercussions, it becomes evident that a thorough comprehension of vulnerabilities and their permanent remedies is essential.

AI aids in demystifying complex security vulnerabilities, making it easier to grasp concepts such as format string vulnerabilities, command injection, timing attacks, and buffer overflows. By comprehending the ways in which harmful attackers leverage these vulnerabilities, developers can deploy effective solutions that avoid creating new issues or degrading the quality of the code.

With queries like “Explain this vulnerability as a software security engineer,” AI can examine code fragments, outline possible exploitation methods, and recommend solid solutions. Additionally, AI is capable of initiating merge requests or pull requests with suggested code modifications, thereby automating the correction process and ensuring that security checks and CI/CD pipelines approve the amendments.

This efficient method saves time while also minimizing the likelihood of human errors, enhancing the management of vulnerabilities to be more productive and reliable.

Focusing on AI safeguards, it’s essential to consider factors like privacy, data protection, performance, and the general appropriateness of AI in our operations. Primarily, the use of data needs careful examination. Your data, including source code, must not be employed to refine AI models to prevent potential data breaches. Additionally, proprietary information should not be transferred to third-party providers for analysis, particularly in sensitive sectors such as finance or government.

It is vital for AI features that utilize chat history to have transparent data retention policies and deletion practices. A public statement regarding data usage and privacy is crucial, along with verification of policies from your DevOps or AI provider.

Securing access to AI features and models is equally important. Mechanisms for governance must be established to control use, with robust measures to block sensitive information from being sent to AI prompts.

Ensuring the validation of responses from AI prompts is essential to prevent misuse. It is important to set clear guidelines and requirements for team members to foster responsible and ethical exploitation of AI tools.

Maintaining transparency is critical; there should be accessible documentation concerning the use, development, and updates of AI tools. It’s also important to have a strategy for dealing with AI malfunctions or updates in models to keep up productivity. An AI Transparency Center, similar to GitLab’s, can offer crucial insights and data.

Performance monitoring is vital, whether you’re using SaaS APIs, self-managed APIs, or local LLMs. Observability tools like OpenLLMetry and LangSmith can help track the behavior and performance of AI in your workflows.

Finally, validation of LLMs is crucial due to the potential for hallucinations. Frameworks for testing and metrics for evaluation are essential to ensure the quality and reliability of AI-generated responses.

By diligently addressing these considerations, you can harness the power of AI while minimizing risks and ensuring responsible and effective integration into your workflows.

Transitioning from guardrails to impact, measuring the effects of AI on development workflows poses a new challenge. It’s crucial to move beyond traditional developer productivity metrics and explore alternative approaches.

Consider using DORA metrics along with collecting team feedback and conducting satisfaction surveys. It is also vital to track code quality, test coverage, and monitor how often CI/CD pipelines fail. Evaluate whether the time to release is reducing or staying constant.

It is crucial to create detailed dashboards to monitor these measurements, employing tools like Grafana or similar platforms. Analyzing this data helps us understand the impact of AI on our processes and pinpoint areas that need enhancement. The journey towards precise measurement is continuous, but ongoing investigation and improvement in our approaches will provide a fuller picture of how AI affects productivity and overall developmental results.

While the adoption of AI in workflows is encouraging, it is necessary to implement safeguards for security, privacy, and data handling, and to confirm the effectiveness of AI. Techniques such as Retrieval Augmented Generation (RAG) can further elevate AI’s capabilities.

RAG overcomes some limitations of LLMs that are trained on outdated data by incorporating external information sources like documents or knowledge bases. This approach involves loading these resources into a vector store and integrating them with the LLM, allowing users to access recent and precise data, including topics like recent advancements in Rust or current weather conditions in London.

RAG has practical applications, such as creating knowledge base chats for platforms like Discord or Slack. Even complex documents like the GitLab handbook can be loaded and queried effectively.

With tools like LangChain and local LLM providers like Ollama, building your own RAG-powered solutions is accessible. This empowers you to leverage proprietary data without relying on external SaaS providers, ensuring data security and privacy.

Another area to watch is AI/LLM agents, which are rapidly evolving. They can dynamically gather data to answer complex questions, enhancing accuracy and efficiency. While the technology is still in development, it holds great potential for DevSecOps.

Additionally, consider custom prompts and models for specific use cases. Local LLMs trained on internal data offer security and privacy benefits. Explore proxy tuning as a cost-effective alternative to full retraining for customization. These advanced techniques can further optimize your DevSecOps workflows.

In conclusion, to ensure efficient DevSecOps implementation, there are several key considerations. Firstly, from a workflow perspective, repetitive tasks, low test coverage, and bugs can be addressed by utilizing code suggestions, generating tests, and employing chat prompts. Secondly, in the security domain, addressing security regressions that delay releases requires vulnerability explanations, resolution, and team knowledge building.

Finally, from an operations standpoint, developers spending excessive time on failing deployments can benefit from root cause analysis and tools like k8sgpt. By addressing these considerations, organizations can enhance their DevSecOps practices and streamline their software development and delivery processes.

You can access the public talk slides here, providing additional URLs and references.

Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.