Following on from the Broadcom Webinar at the end of January I wondered what experiences have been had in the wider community about DevOps/DevSecOps and Gen. We all know that the world of application development has changed significantly over the last 5 years. The lines between traditional development and operations have been (rightly) redrawn. The DevOps approach and introduction of supporting automation have enabled the CI/CD [continuous integration/continuous delivery] approach. The missing bit of the jigsaw is the 'Sec' bit of DevSecOps. For those of us who are old enough it is a similar argument to the one historically made about testing/quality assurance … including it as early as possible in the process provides the best return. Nowadays, the idea that 'security' can be bolted on to an application at the end is somewhat dated and misguided. As part of risk mitigation for businesses the question of security must be addressed throughout the process. With that approach in mind the need for supporting tooling to enable its realisation will be understood and appropriate automation (eventually) provided.
CA Gen has been/is viewed as a tool that fits more closely the traditional development approach. Obviously, given the direction of application development it makes sense to consider the more modern approaches. Absolutely, to enable CA Gen to be incorporated into a DevOps approach would start to make it more relevant (again) and maybe change the perception of it as a development tool. Broadcom's focus initially for CA Gen is to focus on the mainframe, making use of tools such as Endevor amongst others. Actively looking for a DevSecOps solution around Gen will obviously make Gen more relevant when considering today's updated approaches and current digital agendas. But, focussing on the mainframe initially leaves a whole swathe of the Gen application landscape not catered for at the moment. I am sure there are many organisations out there who would appreciate the insight of others who have been actively looking at this topic and how it relates to CA Gen. I am sure there are probably other threads I am not aware of that have explored the subject at length.
It would be interesting to hear of any real-world experiences out there, to understand what the appetite is like and what successes have been had. Obviously, if there are any lessons to be learnt it would be good to hear about those also, to avoid making the same mistakes. Have you been able to adopt any products that provide the necessary automated support that would make a DevSecOps approach feasible? Do you believe that incorporating CA Gen into a DevSecOps approach would change the perception of the tool? Would it then be viewed as a relevant part of the future roadmap for organisations?