Modern Application Development (or MAD) is a set of development methodologies that enables organizations to reduce their time-to-market goals, accelerate operational agility, and efficiently produce high quality solutions for their end-users.
Organizations aiming to adopt MAD methodologies must ensure that they possess a higher maturity model, familiarity with new technologies, and the ability to automate different parts of the application delivery process when needed.
Simply put, just because you have a CI/CD pipeline with Slack integration does not automatically mean that you have a modern development process. You will need to address a ton of other issues to achieve excellence. In this article, we will explain the fundamental components of a code pipeline in relation to MAD methodologies.
Code Pipelines for Modern Application Development
Adopt a Developer-Centric Workflow
All of the application’s components, services, code, and artifacts should be managed using tools that are developer-friendly. For example, developers leverage quality control tools, host code on a centralized server for security and accountability, and use Git for version control alongside build scripting (Makefiles) and linting. By centering your application development process around a convenient developer toolbox, you unlock modern code pipeline workflows.
Project Tracking Integration
Every software component or feature should include adequate documentation that’s captured and monitored in requirements management software or a project tracker. With Jira, for example, you can manage projects, schedules, and task assignments, as well as track your progress and verify that you meet all requirements for each feature. You can also link associated PRs with tasks so that you have a clear audit record of your project’s status – from initiation to deployment.
Fig. 1: Jira for Tracking Application Projects and Requirements
CI/CD with DevSecOps
A CI/CD process monitors all development changes that are committed to a version control system and starts jobs to build, test, and verify that the new version of the software is working as expected. At this point, we should also mention that your security team should be involved by implementing security-related controls and checks alongside your pipeline in accordance with the latest security assurance requirements. This will ensure that each new version of the software is secured and safe to deploy in production.
Modern applications should always contain a variety of internal and external test cases that run on each commit pushed into the remote shared repository. This way, the whole team can monitor validation progress and pinpoint any issues before merging into the main branch.
Fig. 2: Automated Tests Running on Each Commit
Secure, Immutable Container Images
Bundling your application into immutable container images is a brilliant way to modernize. This way, you can perform other checks and validations, streamline the release versioning of your app, and govern its lifetime. Using container images, you can make advanced technological integrations with orchestration engines like Kubernetes or Nomad.
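To make the idea of security controls running alongside the pipeline and of immutable images concrete, here is an added example (not code from the article or from Checkmarx) of a small Python check a CI job could run against a Dockerfile before the image is built: it requires every base image to be pinned by digest rather than a floating tag, and the final stage to run as a non-root user. The two Dockerfiles and the all-zero digest are constructed placeholders.

```python
import re

# Constructed sample Dockerfiles (not from the original article): one that
# violates the policy on several counts, and a hardened version that passes.
MUTABLE_DOCKERFILE = """\
FROM python:latest
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# The digest below is a placeholder, not a real image digest.
PINNED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:""" + "0" * 64 + """
COPY . /app
RUN pip install -r /app/requirements.txt
USER 10001:10001
CMD ["python", "/app/main.py"]
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_dockerfile(text: str) -> list[str]:
    """Return policy findings for a Dockerfile; an empty list means it passes.

    Rules: (1) every base image is pinned by sha256 digest, so the build is
    reproducible and the image is immutable; (2) a non-pinned image must at
    least not use ':latest' or an implicit tag; (3) the final stage runs as
    an explicit non-root USER.
    """
    findings: list[str] = []
    last_user = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]            # ignore any "AS <stage>" alias
            if image.lower() == "scratch" or DIGEST_RE.search(image):
                continue                       # empty base or digest-pinned: fine
            findings.append(f"line {lineno}: base image '{image}' is not pinned by digest")
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                findings.append(f"line {lineno}: base image '{image}' uses a floating tag")
        elif instr == "USER":
            last_user = args.split(":")[0]     # "uid:gid" or "name:group"
    if last_user is None or last_user in ("root", "0"):
        findings.append("final stage runs as root; add a non-root USER instruction")
    return findings
```

Failing the build on a non-empty findings list turns the policy into a gate rather than advice.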
Infrastructure as Code
The infrastructure in which the application resides should also be tracked and declared as code. Popular tools like Terraform and AWS CloudFormation allow this functionality, and the infrastructure definitions can live in their own repositories as well. IaC tooling enables a more predictable and automated workflow, and it opens up new ways to manage infrastructure services.
Observability and Monitoring
Once your application is deployed, it needs to be observable and debuggable from a single pane of glass (or monitoring platform). This is to ensure that the day-to-day operational status of the application is monitored constantly. If you encounter a production issue, your on-call engineers will be able to observe and understand the problem based on the output metrics and tracing information.
GitOps All the Way Through
Ultimately, adopting a GitOps mindset will give your application posture a modern edge. With GitOps operations, you can rely on a single source of truth, use declarative infrastructure and applications, and have the ability to reproduce the whole system from the version control system.
Which Dev Tools Will Work Well in MAD?
Although the aforementioned components are critical for successful MAD, you may find that some of your existing tools may not work productively toward this goal. For example, you may find that certain communication tools are too restrictive or lack integrations with your pipeline.
In addition, some tools that were once popular when VMs were prevalent are old news now that everyone is using containers. For example, Vagrant was once extremely helpful when you were trying to emulate a production environment. Now, it isn’t really feasible to use if your stack cannot fit inside a single machine (or you’d have to spin up several VMs). You’d have to either connect to a local shared cluster or swap out a remote service with a local one so that you could test experimental features.
In general, you need to periodically review each app, dev tool, and external service to verify that it aligns with the problems you’re trying to solve. If it doesn’t, then you should reconsider its suitability for your organization.
Technology, Personnel, and Process Challenges You Might Encounter in MAD
As with every new modernization activity, there are some challenges that are likely to surface along the way. The most significant is resistance to change, both from a risk-based analysis point of view (the “if it works, don’t change it” mentality) and from a technological familiarity point of view.
For example, you might be very surprised to know that many developers are only familiar with the basics of Docker. Maybe they know how to run a container locally, but how about configuring it for production? Or do they only know how to copy an existing Dockerfile or CI/CD pipeline configuration from similar projects? Anything more complicated, and they will either ask for more time to learn the technology, delegate the task to a more senior person, or utilize a tool or service that they found by searching online.
Broadly speaking, converging tasks in MAD requires effort and collaboration in terms of setting the bar, automating manual tasks, and integrating those tools together. The first step is to define the specific parts of MAD in a template, which will help you understand the process and also serve as the basis for further improvements.
Conclusion and Next Steps
In this article, we outlined the basics of Modern Application Development (MAD) and explained how a code pipeline looks when you’re developing MAD software. We discussed the fundamental reasons why MAD adopts a developer-centric approach and why some of the older dev tools might not work effectively with this new workflow. Finally, we explained some of the most common challenges that you might face when transitioning to MAD, especially from a security point of view.
Importantly, this transformational process might take some time for your organization to adopt. Since security and safety are paramount, you don’t want to expose the organization to excessive risk. For a smoother transition, you should consider offloading some of that risk to specialized vendors like Checkmarx. Checkmarx offers a complete end-to-end Application Security Testing Platform for the MAD pipeline that ticks all the boxes in terms of scalability, usability, developer-friendliness, and developer engagement. Feel free to request a demo to see how they can help you achieve secure MAD code pipelines.
Theo Despoudis is a Senior Software Engineer, a consultant and an experienced mentor. He has a keen interest in Open Source Architectures, Cloud Computing, best practices and functional programming. He occasionally blogs on several publishing platforms and enjoys creating projects from inspiration. Follow him on Twitter @nerdokto. He can be contacted via http://www.techway.io/.
Need Help with Your MAD Security Initiatives?
Organizations who are not 100% sure how to address application security testing (AST) in the context of MAD can also look to Checkmarx. Having a successfully integrated AppSec testing program as part of your organization’s processes is a necessary component for MAD success.
Checkmarx AppSec Accelerator was designed to address this exact need. AppSec Accelerator is an end-to-end Managed Service that helps you define and execute the ideal AppSec Program and Strategy for your organization. Learn more about AppSec Accelerator here.
To learn more about security in the context of Modern Application Development, we have curated a collection of resources here.