DevOps is a modern application development and delivery approach that helps organisations to release quality software more quickly into production with less defects! Though DevOps itself is not a product, implementing its practices requires services and tools. Microsoft offers two widely used platforms for implementing DevOps practices – the Azure DevOps platform and the GitHub platform.  

Adopting a DevOps approach does not yield benefits in isolation, but rather in conjunction with other concepts such as Agile planning and Cloud computing. By utilising platforms such as GitHub for implementing DevOps practices and Azure for cloud services, organisations can achieve a continuous “Code to Cloud” process. This process emphasizes the use of modern CICD platforms to streamline software development for applications running on cloud-based infrastructure and services, including cloud-managed container orchestration platforms and serverless computing services, instead of relying on traditional on-premises servers and infrastructure. 

Supply chain attacks 

As organisations embrace this approach, security teams are faced with new challenges due to the increased velocity, automation, and decentralisation of the development process. Attackers are increasingly targeting organisations through their software development processes. This is where software supply chain security becomes crucial! The software supply chain encompasses everything necessary to create and deliver software, including IDEs, source control systems, build systems, deployment systems, CICD platforms, runtime environments, and various artifacts such as application code, open-source dependencies, infrastructure code, and deployment artifacts. 

Securing the software supply chain is not an easy task and requires a comprehensive and thorough approach. Figure 1 divides the GitHub to Azure code-to-cloud pipeline into five stages.  

NOTE: GitHub offers multiple product options, but this article will centre on GitHub Enterprise which offers some capabilities that are not available in the other options. Specifically, I will emphasize security areas that I consider crucial but may be overlooked. 

Securing the DEVELOPMENT stage 

The development stage is where the code is created, and the first step towards securing this stage is to ensure that developers are using a secure environment for development. A significant concern is the possibility of a compromised development environment resulting from the use of unpatched IDEs or the installation of vulnerable or malicious extensions. IDEs, like any other application, can contain vulnerabilities and require regular updates to ensure their security. A recent example is CVE-2022-41034, a critical vulnerability disclosed for Visual Studio Code that allows for remote code execution on any system with the IDE installed.  

Using a managed development environment like GitHub Codespaces provides the advantage of quickly applying necessary patches to ensure the environment’s security. In addition to this, each Codespaces environment runs on its own freshly built isolated virtual machine and network with a firewall used to block incoming connections from the internet and internal networks.  

Codespaces also  

Securing the SOURCE CONTROL stage 

The source control stage is where the code is stored, discussed, and managed, and it is essential to ensure that the source code repository is secure. This starts with access controls and permissions. Only authorised individuals should have access to our repositories.  

To access GitHub enterprise services and resources, users need to be authenticated. There are three methods for adding users to our GitHub Enterprise organisation for access (Figure 2).  

The first option is to invite users with their personal GitHub account which enables them to authenticate through GitHub.com and access our organisation resources. With this option, the user maintains control of their identity (since it is their personal account), and can continue to contribute to other enterprises, organisations, and repositories outside of our organisation. 

The second option is to use an external identity provider that supports SAML single sign-on. With this option, users authenticate with an identity in the external SAML provider that is linked to a personal GitHub identity. This means that while users are still utilising a GitHub identity to access our organisation’s resources, the actual authentication takes place through the external identity provider. The identity can be used for contributions to other enterprises, organisations, and repositories outside of our organisation. 

The third option is to use “Enterprise Managed Users“ – EMU which is similar to other single sign-on solutions. With EMU, users will access GitHub organisation resources using a single identity created and managed in the external identity provider. They do not need to have a personal GitHub identity. This gives the most control for enterprise users. 

The recommendation, if you are an enterprise, is to use either the second option or the third option. 

To perform any actions on GitHub, such as creating a pull request in a repository, a person must have sufficient access to the relevant resource. This access is controlled by permissions. A permission is the ability to perform a specific action. For example, the ability to delete an issue is a permission. A role is a set of permissions you can assign to individuals or teams. 

GitHub supports roles at different levels depending on what we are looking to achieve: 

• Organisation-level roles which are sets of permissions that can be assigned to individuals or teams to manage the organisation settings, repositories, teams. 
• Repository-level roles which gives organisation members, outside collaborators and teams of people varying levels of access to repositories. 
• Team-level roles that give permissions to manage a team.  

The recommendation here is to carefully guard and audit assignment of roles like Organisation owners. It is also prudent to be mindful of the base permission set, which affects all members of an organisation who access any of its repositories (except outside collaborators). 

Securing the BUILD stage 

The build stage is where the code is compiled into an executable or deployable artifact, and it is essential to ensure that the build process is secure. Implementing security in this phase involves adding automated security tools like Static application security testing (SAST) tools, software composition analysis (SCA) and unit testing. It is important to test the build output artifacts. 

A key area of concern here is the heavy dependence on open-source libraries, indicating that development teams have transitioned from creating software to assembling it. Veracode’s “state of software security research” analysed the proportion of code included in software and found that 97% of Java applications consist of open-source libraries. The percentage of third-party code in .NET applications was around 60% whereas JavaScript and Python applications were found to contain about 50% of open-source libraries. This approach makes practical sense as it enables teams to provide value to customers more efficiently without duplicating efforts. 

However, using someone else’s code can come with potential risks. By incorporating their code into your application, you’re essentially giving them access to your code repository. It’s important to consider whether you trust the author and contributors of the code you’re using, as well as whether the code could contain flaws or vulnerabilities that may impact your customers or users. This is especially true for transitive dependencies, which make up a significant portion of JavaScript dependencies (over 98% according to GitHub State of the Octoverse report 2021). Even if the code you’re using appears to be secure, the transitive dependencies it relies on could contain vulnerabilities that you’re not aware of. 

GitHub Advanced Security includes features for supply chain security that enable you to scan software dependencies for potential vulnerabilities. Additionally, the GitHub Marketplace provides numerous actions that allow you to seamlessly integrate third-party security platforms, such as Prisma Cloud, into your GitHub workflows. This can help ensure that your code is protected and secure from potential threats. 

Securing the DEPLOY stage 

The deploy stage is where software that has been tested and approved (artifact) is sent to the production environment. This may happen without the need for manual intervention (automatically), and it makes it faster and more efficient to roll-out product changes. Implementing security in this phase involves making sure that the artifacts we are releasing and the environment we are releasing them to are verified, secure and compliant. This includes making sure that the artifacts are stored in a secure and trusted location and having processes in place to validate the integrity of the artifacts against tampering. 

GitHub Packages provides a hosting service for storing and managing software packages. Packages are stored in a secure registry, and access is controlled by the user’s authentication and authorisation credentials. 

Many companies also use infrastructure as code (IaC) to set up their environments prior to deploying new or updated artifacts. However, it’s crucial to ensure that these IaC templates adhere to security guidelines and compliance requirements, particularly with regards to encryption, logging, and secure access. 

According to a study by the Unit42 team, several open-source deployment artifacts were analysed, and the results were concerning. Specifically, the study found that 64% of Terraform modules had at least one high or critical insecure configuration, 99% of Kubernetes Helm charts had misconfigurations, and 91% of container images had at least one critical or high severity vulnerability. These findings highlight the importance of thoroughly assessing and validating IaC templates to ensure that they are secure and compliant before deploying them. The extensibility of GitHub with marketplace extensions makes it easy to integrate open-source tools like Chekov for this use case. 

Securing the RUNTIME stage 

In the runtime stage, the focus is on running and maintaining deployed software in the production environment. Implementing security in this phase involves regularly applying security patches and updates to keep the software and runtime environment up to date; Monitoring for security vulnerabilities or breaches; Implementing security controls such as firewalls and intrusion detection systems; Implementing processes for regularly reviewing and analysing security logs to identify potential threats; Establishing processes for responding to and mitigating security incidents. Azure has an excellent security baseline documentation that I recommend looking into.

The post ​​​Securing the Code to Cloud Pipeline with GitHub and Azure​ appeared first on Microsoft Industry Blogs - United Kingdom.

Serverless models abstract the underlying compute infrastructure, allowing developers to focus on business logic without needing extensive startup or maintenance cost to set up the solution. Serverless reduces overall costs since you only pay for the duration the code was executed, meaning an event-driven model is suitable for situations where an event triggers a defined action. For example, receiving an incoming device messages to store for later use, or a database update that needs some further processing.

There are many places to start when it comes to serverless computing, but let’s start with a CI/CD application frontend.

CI/CD for serverless application frontend on Azure

Serverless computing abstracts the servers, infrastructure, and operating systems, allowing developers to focus on application development. A robust CI/CD (or Continuous Integration/Continuous Delivery) of such applications allows companies to ship fully tested and integrated software versions within minutes of development. It provides the backbone of the modern DevOps environment.

But what does CI/CD actually mean?

• Continuous Integration allows development teams to integrate code changes in a shared repository almost instantaneously. This ability, coupled with automated build and testing before the changes are integrated, ensures that only fully functional application code is available for deployment.
• Continuous Delivery allows changes in the source code, configuration, content, and other artefacts to be delivered to production, and ready to be deployed to end-users, as quickly and safely as possible. The process keeps the code in a deployable state at all times. A special case of this is Continuous Deployment, which includes actual deployment to end users.

This tutorial discusses a CI/CD pipeline for the web frontend of a serverless reference implementation. This pipeline is developed using Azure services. The web frontend demonstrates a modern web application, with client-side JavaScript, reusable server-side APIs, and pre-built markup, alternatively called JAMstack. You can find the code in this GitHub repository. The readme describes the steps to download, build, and deploy the application, so be sure to follow along in setting up this serverless instance.

The following diagram describes the CI/CD pipeline used in this sample frontend:

Next Steps

You can create serverless apps using familiar tools right from your own developer environment and on your favourite operating system. Get first-class services to build, test and deploy functions, containers and Kubernetes-based applications.

CI/CD for serverless

• Get unlimited, cloud-hosted private git repos with Azure DevOps. Easily set up continuous integration/continuous delivery (CI/CD), add automatic package management, automatically trigger builds, and deploy to Kubernetes, Azure Functions, Azure Web Apps or any cloud.

App development tools

• Build, run and debug serverless applications with a comprehensive set of developer tools. Use emulators to develop your apps locally for advanced scenarios like Functions and Kubernetes, then easily target them to Azure when you’re ready to deploy.

Further Reading

• View Code walkthrough: Serverless application with Azure Functions on Microsoft Docs
• Create serverless applications on Microsoft Learn
• Create serverless logic with Azure Functions on Microsoft Learn
• Create a long-running serverless workflow with Durable Functions on Microsoft Learn

The post Getting started with serverless on Azure appeared first on Microsoft Industry Blogs - United Kingdom.

Software is complex, but writing software is even more complex. There are so many factors that come into play when writing software that it is hard to think of all the exceptions that might occur and cause all sorts of havoc. We need UI tests, smoke tests, regression tests, edge case tests, integration tests, and so on.

If the organisation relies on us to run all these tests every time they make a change, we would be spending most of their time testing rather than coding.

We as developers and IT Pros know, or should know, how important it is to test the created work. Testing software requires a different mindset than developing software does. When tests are written by developers who are not trained in writing tests, we don’t always get the results at the quality level we need.

To minimise the risks, it would be helpful if we tested our software in many ways, which means we need to have a lot of tests in place. These could come in the form of Unit Tests, Integration Tests, Automated UI tests and many other methods.

Testing also helps during development. We often find that refactoring a piece of code leads to unwanted side effects. Sometimes when fixing a bug, the developers inadvertently introduce new bugs in other parts of the system. Having a good set of unit tests in place might help by alerting the developer that something is wrong.

• Learn more about Test Driven Development (TDD) on Microsoft Docs.

This works only if the testing is done regularly and consistently. Most of us developers know we need to run unit tests to get better software, but that is not enough.

Test automation helps

The answer to this dilemma is obvious: automate the tests.

In Visual Studio, you can turn on the option to run all tests continuously or at least after each build. This way a defect will be caught as soon as possible if the right tests were written. When this setting is on, we cannot forget about running them—the tools remembers this for us.

Other types of tests are more problematic. You usually do not want to run a full integration test after each build because these test runs can take hours.

A better solution would be to have them as part of your build pipeline. If you use Azure DevOps, you can take advantage of the Build Pipelines engine, which enables you to script out all tests and run them whenever you see fit.

For instance, you can build a pipeline that runs after each code check-in. These tests usually include unit tests and some regression tests. They run quickly and notify developers when their code is not accepted.

Other tests, such as UI and integration tests, can be set up to run at a fixed interval. It is customary to have these tests run every night, but in these days of global teams it’s hard to identify what night is. So, you have to come up with a time that works for you.

With Azure Pipelines, you can automate all sorts of builds and tests, including Python, Java, and Mobile, among others.

Where to begin?

Testing is something that needs to be done from the start. To have the biggest chance of success, testing needs to be part of every step of the software design process. During design, planning, development, and deployment, testing should be on everybody’s mind all the time. Test professionals can help with identifying good test cases, but since a lot of the tests are being automated, developers will be part of the test team as well.

We can break down the process as follows:

1. Identify which types of test can be run often and which ones should be run periodically.
2. Write the test plans on a high level
3. Create unit tests
4. Create UI Tests
5. Create integration tests.

But remember, it is very important have these tests in place, and to run them often. If you make them automated where possible, and as part of your build pipeline, you can never forget to run them.

Learn More

• Read up on Unit Testing on Microsoft Docs
• Run quality tests in your build pipeline by using Azure Pipelines
• Run functional tests in Azure Pipelines
• Deploy applications with Azure DevOps
• Develop, test, and deploy an Azure Function with Visual Studio

The post How to create an effective test plan appeared first on Microsoft Industry Blogs - United Kingdom.

As a society, we use apps to manage, connect and augment our day-to-day lives. So, it’s understandable that when we go to work, we expect to have the same. Apps can help organisations modernise processes, create new innovations and uncover opportunities.

According to the IDC, this growing demand for digital solutions means that 500 million new applications will be built in the next five years. And with a shortfall of 4 million developers predicted by 2025, most organisations don’t have enough developers to create the apps they need. We call this the App Gap Challenge:

The gap between the number of software developers you have today and the number of software developers you need to build the next generation of apps.

So how can organisations solve this? Low/no code platforms like Microsoft Power Apps can help speed up app development and democratise it across the organisation.

Empower developers to innovate with low/no code

Low/no code solutions allows the rapid building of solutions that automate and streamline routine tasks. This allows developers to focus on more high-value, complex work. According to The Total Economic Impact™ Of Power Apps commissioned study by Forrester Consulting, Power Apps can reduce app development and costs by 74 percent.

It can also help organisations drive a growth mindset culture in development teams. They can use Power Apps to quickly prototype a new idea and deploy this capability rapidly.

Take, for example, AstraZeneca’s HealthyMind app. The biopharmaceutical company wanted to ensure their employees had convenient, secure access to mental health resources. It took the developer team just four months to build the solution on Power Apps.

“Key to the choice [of Power Apps] was its ease of use. It is low code, so it is quick to develop and deploy. This all meant that we were able to design and build HealthyMind very quickly,” says Matt O’Halloran, Head of Workplace and Enterprise Services at AstraZeneca.

A platform like Power Apps can also connect to hundreds of different data sources including Microsoft Dataverse. This brings all your business data together into a single source of truth. Your developers can easily customise and extend capabilities in Azure and leverage business data from your systems of record such as Microsoft Dynamics 365 and Surface through Microsoft 365.

“[HealthyMind’s] natural integration with the broader suite that we use enabled us to deliver the application within the context of Teams, which was another game-changing factor,” says O’Halloran.

Drive digitisation with citizen development

With low/no code, development is democratised throughout your organisation. It allows anyone to solve business problems themselves.

At Centrica, citizen developers have built over 1,000 apps.

“We’ve really embraced this technology in Centrica. We’ve made an effort to be on the front foot and use the latest technology first, rather than waiting for it to be embedded and then acting,” says James Boswell, Director, Design and Engineering at Centrica. “It was a conscious risk but it’s worked really well – it’s giving us some great benefits and rewards and we’re well on the way to ensuring all our employees are digital employees.” 

For the energy services and solutions company, Power Apps has changed perceptions and steered to business-led development. Take, their finance team for example, in a couple of months they built an app that simplified and automated coordinating tax returns across different regimes. 

Build fusion teams to digitise and innovate faster

What happens when you combine your pro developers and citizen developers? You build fusion teams and unlock the true value of low/no code. According to Gartner, 84 percent of companies already have a fusion team.

By bringing together people with different experiences and knowledge into a multi-disciplinary team, you’ll build more innovative, inclusive apps, faster.

In a fusion team, citizen developers, with the support of pro developers, can rapidly build more complex applications. Citizen developers can focus on the UI, whilst pro developers can create and manage the APIs needed to enrich the application with key data sources. This accelerates time-to-delivery. Fusion teams can deploy solutions up to two and a half times faster than traditional siloed teams.

Centrica used a fusion team to develop an app that matches Centrica volunteers with people from the Trussell Trust charity.

“We’ve got people from all over the business working together. Some are working on the development work, some on the UI, some acting as scrum masters to manage the project. It’s all being done by people who came to the clinics and volunteered. And it will be a huge help to the Trussell Trust,” says Roy Young, Global Head of Office 365.

Build a fusion team

1. Find your use case

Pick a relevant problem that needs solving quickly and when solved, provides a considerable impact.

• Assemble your team

Have a mixture of proactive employees from across many lines of business, such as customer service, developers, team leaders, business leads.

• Plan your roadmap

Determine how much time it’ll take to create, implement, and produce results. Make sure you have time to troubleshoot and determine which solutions work best.

• Accept mistakes along the way

By working in an agile environment, your team will constantly be testing and may have to be ready to pivot when necessary.

Drive digitalisation and innovation

Power Apps helps organisations increase agility by giving everyone the ability to rapidly build low-code apps that drive innovation, modernise processes and solve tough challenges.

Cara Barratt, Workplace Transformation Lead at AstraZeneca agrees, “…we’re really looking at how we can empower our colleagues across AstraZeneca so those that have great ideas can develop their own use cases.”

Find out more

Accelerate innovation with low-code

Microsoft Power Apps

Join a Power App Microsoft Training Day

Make app building easier

Take the Fusion Development Learning Path

Take a fusion development approach to building apps

About the author

As a Power Platform Technical Specialist at Microsoft, Simon takes great pride in helping companies solve their business problems and generate insight into data, providing rapid answers to business questions through use of the Power Platform (specifically Power BI, Power Apps, Power Automate, Power Virtual Agents, Dataverse and AI Builder). He enjoys working with the people in customer organisations who are helping to drive transformation using this technology and seeing the impact it has on their organisations and their careers.

The post How low/no code solutions can accelerate innovation and digitisation appeared first on Microsoft Industry Blogs - United Kingdom.

Welcome to our new MVP Spotlight series! We’ll be talking with some of the wonderful people in our MVP program about their areas of expertise, so that we can learn more about how they got started and their recommendations for others doing the same. We’ll also point you towards the resources they’ve worked on, whether it be articles, videos or podcasts, to help you level-up your own skills.

Meet Marcel, DevOps MVP

This time I caught up with Marcel Lupo, where I asked him about his personal DevOps journey, and how others can get started on their own.

Chris: Introduce yourself!

Marcel: I’m a Microsoft DevOps MVP, Cloud Solutions & DevOps Architect and technical speaker focused on Microsoft technologies in the Azure cloud platform. I specialise particularly in Automation, DevOps and Developer Technologies, with a strong focus on Infrastructure as Code (IaC), Azure DevOps and GitHub. I am passionate about technology and how it can be used in automation to bring true value and solve complex business problems.

I’m a regular speaker at conferences and meetups, and enjoy sharing knowledge and technical content with the wider tech community. I currently work at Avanade UK&I as a Group Manager in DevOps Engineering. As a global DevOps lead for infrastructure and operations professionals, I help build next-generation operating models for digital organisations and help them adopt DevOps culture and innovate on cloud platform services such as Azure.

C: How did you get into DevOps?

M: Coming mainly from the OPS end of the spectrum, I started out as a very seasoned sysadmin with over 18 years’ experience across large and small companies where I had always taken the “Automate everything” approach. I saw the role of systems administration as a role that shouldn’t exist if a system was configured and maintained right.

So wherever I worked I wanted to make things easier not only for myself but for others around me, empowering myself and others to accelerate and succeed in tasks taken on the day to day. I looked at every process and improved on it, taking any repetitive tasks and automating them. I wanted to make things simpler, such as changing 10-step manual processes to a “zero-touch” fully automated solution. Spotting and improving inefficiencies with companies I worked with was also high on my list of objectives.

I transitioned into what is known today as DevOps naturally due to my past working experience with automation. The exposure working alongside developers and embracing the “DEV” culture and the way we worked together meant we ultimately adapted the same practises and disciplines into Operational teams, Security teams and IT teams, where we shared a lot of amazing success stories. We worked with large companies using the Microsoft Cloud to continuously innovate and do incredible things, but most of all to increase efficiencies through the automation of build and deployment, through scalable workloads and much more.

C: Why should other people adopt DevOps?

M: There are so many benefits to adopting DevOps and it’s by no means limited to the following, but DevOps has been proven to increase the speed, efficiency and quality of software delivery as well as improving staff morale and motivation. It removes the communication barriers between teams, therefore removing the reliance on the availability of an individual person or team for software delivery to progress. Efficiency is increased as decisions are made collectively by all involved, and feedback to those decisions is rapid.

Work quality is also improved by the introduction of automation which removes repetitive tasks. DevOps delivers applications, infrastructure and even security in a consistent fashion, removing the mistakes that humans typically make. As the burden of manual work is removed from staff members, they can then focus on more creative work that increases their job satisfaction and adds real value to the organisation.

By establishing automated services, the ongoing operational costs are lower than the human equivalent. There is also a significant speed advantage as automated processes are much faster. The quality of the entire release process improves because steps in the pipeline become standardised, thus creating predictable outcomes.

The DevOps approach results in ease, reliability and confidence to release frequently. This allows for continuous feedback to be rapidly incorporated into future releases, whether that be for software delivery, infrastructure builds or even operational and security automation to be truly Agile.

C: Do you have any tips for people starting their DevOps journey?

M: DevOps is without a doubt the future. It can be applied everywhere – it’s not just for developers developing applications or a product. DevOps can be applied to Infrastructure, Operational tasks, and even Security. When it comes to identifying skillsets and the need for the understanding of how to work in a DevOps environment, there is no doubting that it is becoming more and more important.

DevOps is certainly a culture, and not a role, so my advice is to begin learning as much as possible about DevOps and the culture behind it. It can be applied to almost any environment, as it’s not limited to software delivery. Having prior development or developer experience can also be particularly helpful, but it’s not essential, coming from a non-developer background myself.

I would say that I never saw myself as a developer, but in reality, if you write any sort of automation scripts whether that be PowerShell, Python, Bash… you are essentially a developer.

For anyone starting out, I would recommend learning at least one scripting language and try to automate tasks. Start with the foundations first and also learn about cloud and what cloud platforms are and when to use them. Look at how you can adopt cloud technology and automation together. Microsoft has some amazing foundational courses and certifications in their cloud platform, Azure. But most of all, have fun!

Marcel’s DevOps content

Fortunately for us, Marcel has written a wealth of content both on DevOps and on topics related to it, so it’s a great way to get stuck in. Check out our curated selection of articles below, but be sure to check Dev.to for a more comprehensive list of everything that is available.

Articles

• GitHub Codespaces Pro Tips
  • Introduction to GitHub Codespaces – Building your first Dev Container
  • Integrating Azure DevOps with GitHub – Hybrid Model
  • Hosting your self hosted runners on GitHub Codespaces
  • Hosting Azure DevOps Pipelines agents on GitHub Codespaces
• Terraform Pro Tips
  • Connect Terraform to Azure DevOps Git Repos over SSH
  • Terraform – Complex Variable Types
  • Terraform – Sensitive Output
  • Terraform – Creating dynamic variables using locals
  • Terraform – Filter results using ‘for’ loops
  • Terraform – Selective configuration with ‘lookup()’
• Self Hosted GitHub Runner containers on Azure
  • Create a Docker based Self Hosted GitHub runner Windows container
  • Create a Docker based Self Hosted GitHub runner Linux container
  • Build Docker based GitHub runner containers on Azure Container Registry (ACR)
  • Run Docker based GitHub runner containers on Azure Container Instances (ACI)
  • Autoscaling self hosted GitHub runner containers with Azure Container Apps (ACA)
  • Run Docker based GitHub runner containers on GitHub Codespaces

Videos and Podcasts

• Automate Azure Role Based Access Control using Azure DevOps
• Automate password rotation with Github and Azure
• Automate Azure Resource Decommissions (with tracking)

You can find Marcel on Dev.to and Twitter. He’s also organising and speaking at the London Microsoft DevOps Meetup on November 2nd.

Learn more

• Improve your DevOps practices with these ebooks
• How you can improve your DevOps practices
• The five most common mistakes approaching DevOps
• An introduction to DevSecOps

The post MVP Spotlight: Learning DevOps with Marcel Lupo appeared first on Microsoft Industry Blogs - United Kingdom.

We have been bombarded with marketing telling us that the future is the cloud and that we must migrate everything. The reality is that hybrid, I believe, is a permanent state. It’s not just a transition. A lot of IT Pros wonder how to get started – to integrate the goodness of cloud services in a way that brings value and efficiencies without the need for a complete rip and replace.

Case in point, I spoke to a conference attendee last month in Vienna and he made a statement that stuck with me. He basically said that it was easier to find guidance on migrating everything than finding guidance on slowly integrating cloud services in his environment when it makes sense. I can’t confirm his findings, but I can agree that finding the right information for each specific situation can sometimes be challenging.

Our approach to hybrid environments is to be consistent – it’s the way we enable unified management, common identity framework and security. Taking that approach also allows for seamless extension to the cloud when it makes sense for you. This is where technologies like Azure Arc are so impactful as they simplify the way to provide a centralised, unified way to:

• Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager.
• Manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure regardless of their location.
• Use familiar Azure services and management capabilities, regardless of where they live.
• Continue using traditional ITOps while introducing DevOps practices to support new cloud native patterns in your environment.
• Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.

To that end, our team has started a series that will take you on a journey. A journey of a typical on-prem only environment where we gradually implement cloud services to lighten up efficiencies and the power of cloud services to the benefit of the business. Step by step, with a look at why and not just how you too should look at cloud services:

• Connecting your environment to the cloud.
• Connect to your on-prem server from anywhere.
• Setting up DNS in a Hybrid Environment.
• Securely Manage my On-prem Server Using Cloud services.
• Planning the Monitoring of my hybrid environment.
• Apply Azure Policy to Azure Arc-enabled Servers in a Hybrid environment.
• How does Azure Stack HCI fit into Hybrid Cloud Services?

More articles will be added to this list in the near future. However, we are very interested in hearing about your challenges in this area, and as such we have set up an email address you can use to tell us about the scenarios you are challenged with. You can reach us at ITOpsTalk-Feedback@microsoft.com or as usual on our discord server.

Cheers!

Learn more

• This article was written for the Monthly TechNet UK IT Pro Newsletter – sign up today!
• A look at the announcements from Microsoft Build 2022
• What to catch up on from Build 2022
• New Azure features and functionality for July​ 2022 – Microsoft Build edition

The post Applying cloud goodness to your existing environments appeared first on Microsoft Industry Blogs - United Kingdom.

Many believe that it’s difficult to get started with Azure DevOps, but that’s really not the case.

Azure DevOps can deploy to any cloud on-premise, and you can bring any code to our tooling. This means it’s not just for Windows developers, or .NET developers, but for everyone – be it multi-platform, open source, or your on-premise environment.

One thing it’s really great for is CICD – or Continuous Integration, Continuous Delivery – and it does this with automation. So things like infrastructure code, using third-party tools like Terraform, or deploying ARM templates into Azure, can all be done automatically. You can even look at automating your actual code with your developers using Azure pipelines.

Azure DevOps can also manage projects and tasks. It’s great for project managers to know what tasks exist, when they’re being assigned to each person, and when they’ve been completed. It’s also possible to see which tasks are creating blockers, so you can manage your workflow more effectively.

To help you along your DevOps journey, we’re taking a look at some of the best free ebooks from Microsoft. Enjoy!

Azure DevOps explained

Deliver quality applications efficiently and at scale with Azure DevOps tools for every phase of the development lifecycle. Get this e-book to help you plan projects, collaborate on code development, and build and deploy applications faster. Also, explore ways to increase quality and customer satisfaction with continuous software delivery.

In Azure DevOps explained, you’ll find DevOps principles and follow tutorials to learn how to:

• Manage projects with Kanban boards and securely manage source code with repositories.
• Enable continuous integration and continuous delivery (CI/CD) by creating build and release pipelines with fully integrated package management.
• Send applications faster by using GitHub and Azure DevOps together.
• Improve code quality and manage project testing lifecycles with Azure Test Plans.
• Set up CI/CD pipelines for .NET-based applications and container-based infrastructures with step-by-step instructions.

Visualise your DevOps workflow

Visualising your end-to-end DevOps workflow can be tough. Being able to see your workflow will allow you to see your strengths and where you have room to optimise your tooling. The DevOps Workflow Generator will allow you to configure and visualise your specific workflow – exportable in one easy-to-read report that you can download on demand.

Additionally, we’ll be taking the aggregated, anonymous data from this tool and reporting the latest trends that we find to you. We’re looking forward to learning more and to sharing our findings with you.

6 tips to integrate security into your DevOps practices

DevOps proven practices illustrate how collaboration between developer and operations teams leads to faster software delivery. Now, the issue facing digital leaders is the security and compliancy of their code, workflows and infrastructure. The logical next step: integrate your security team with the existing DevOps team – breaking down another organisational silo. In this e-book, you will learn how to:

• Develop a security-first company culture to drive DevSecOps adoption
• Proactively secure your code, workflows, infrastructure and software supply chain against vulnerabilities
• Provide your teams with shared tooling and best practices to enable end-to-end visibility and traceability
• Leverage improved insights and policy automation to realise continuous compliancy

Securing Enterprise DevOps Environments

Download the Microsoft & Sogeti e-book, Securing Enterprise DevOps Environments, to learn to fortify all three attack surfaces of enterprise DevOps environments and implement the culture changes necessary to thrive in our dangerous new world. We’ll explore the ideal secure and regulatory-ready setup of Enterprise DevOps tools and practices, focusing on three specific areas:

• Secure the developer environment.
• Secure the DevOps platform environments.
• Secure the application environments.

MLOps with Azure Machine Learning

Not every organisation’s machine learning DevOps (MLOps) requirements are the same. The MLOps architecture for a large, multinational enterprise is unlikely to fit a small startup. Organisations start small and build up as their maturity, model catalogue, and experience grow.

Microsoft aims to meet organisations where they are on their ML/AI journey. Our leading technologies and robust MLOps capabilities can help you accelerate the machine learning lifecycle and empower data scientists and developers to build, train, and deploy models on a secure, trusted platform that supports a wide range of productive experiences and is designed for responsible machine learning.

Useful Links

• An introduction to DevSecOps
• Get stuck into more DevOps on Microsoft Learn
• How to get started with Microsoft certifications
• View live and on-demand sessions on Azure and more on Microsoft Learn TV

The post Improve your DevOps practices with these ebooks appeared first on Microsoft Industry Blogs - United Kingdom.

DevOps is a way of working that lets you better respond to your industry’s trends and your customer’s needs. But knowing what DevOps is is only the beginning – what really matters, at an organisational level, is its effective deployment. Understanding how best to execute DevOps means empowering a more agile business that can innovate at the drop of a hat.

In the digital workplace, you don’t want to be playing catch-up. That’s when competitors gain the advantage. By correctly implementing DevOps – and embracing it throughout your organisation’s culture – you can transform your efficiency and effectiveness.

1. Create a Value Stream Map

Before you can move your DevOps forward, you should spend time looking at the way it is now. If you haven’t introduced DevOps into your business yet, then use this time to study your current processes.

What you’re aiming to identify is:

• What’s working?
• Where can improvements be made?
• Have your processes scaled as your business has grown?

One of the best ways to do this is to create a Value Stream Map.

This is a visual method of charting the way you work now. Start by determining your start and end points – for instance, from the manufacture of a product to the customer’s purchase. Between those two, add each step of your process. Leave nothing out. Along the bottom of the map, add a timeline, showing how long each step takes. Now, you can see at a glance where time is wasted and how DevOps can improve output.

During this early stage, you should determine what you want to achieve from your reformulated DevOps. This might be increasing efficiencies or reducing the time spent on activities that don’t add value to your customers. Try to distil these desires down to two or three goals. This way, you can keep your entire team focused on them.

2. Get buy-in across the business

Change can be scary – and because DevOps has the potential to alter everything across your organisation, you may find you get push-back from parts of the workforce. Look out for complaints like ‘But we’ve always done it that way.’

You’ll need to gain buy-in from employees, and buy-in begins – where else? – at the beginning. You can’t one day foist new processes on an unsuspecting team. Well, you can, but the results will be poor. Nor can you simply explain why the new ways are better than the bad old days.

Share your vision. Show how the business will improve using the Value Stream Map you created. Ask them for their ideas, too, as this encourages employees to take joint-ownership over the new practices as they join you on the journey.

You’ll find that “union of people, process, and products” is more unified with everyone on-board.

3. Use the right tools

Make sure you’re equipping your whole team with the best tools for the job that won’t cause your team to waste more time. The wrong tools or lazy workarounds will only exacerbate the issues you’re trying to iron out.

The Azure DevOps suite of tools can be used by any business looking to improve the employee and customer experience. You’re free to use them regardless of your chosen operating system or whether you’re in the cloud on on-premises.

There are five tools to support you:

• Azure Boards can be used by multiple teams to plan, track, and collaborate on work
• Azure Pipelines is for building, testing, and deploying
• Azure Test Plans is a manual and exploratory toolkit
• Azure Repos lets you store unlimited Git repos in the cloud
• Azure Artifacts enables you to create, host and share package feeds

This gives you the complete end-to-end package. You’ll always have access to tools that cover every aspect of DevOps delivery, from the planning stage to deployment.

To begin, visit dev.azure.com and click ‘Start free’. Once you’re logged in with a Microsoft account, you can create a new organisation and get started.

4. Think agile, stay agile

You’ve likely heard the software development term ‘agile’ before. It’s a principle that states that you can achieve better results by valuing…

• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan

It’s so easy to get locked into a certain mind-set, following clunky processes not because they make sense but because ‘that’s how we do it’. That’s not your fault, nor the fault of your team. It happens to all businesses as they scale up. But who benefits from these processes?

Thinking ‘agile’ means you become more open and proactive as a business. The result is, an enhanced employee experience and service levels, leading to a rise in customer satisfaction.

To take a more agile approach, start using Azure Boards. This DevOps tool is ready-made for planning and prioritising changes, and assigning specific tasks to people. You may also find it useful to refer back to your value stream map.

5. Don’t stop innovating

Integrating DevOps into your business is a gradual process. Far too many businesses balk at the time it can take to properly implement new processes, or grow impatient because results aren’t instant. However, there’s an even worse sin: stopping immediately after completion.

The most successful DevOps users are continually monitoring and testing; regularly tweaking processes to suit business needs, and integrating security into their software. This lets them deploy on a more regular basis, with a greater predictability and security – and again, that benefits employees and customers who receives the end-product.

Glean as much data as you can throughout the process. Every change, every tweak to your process offers up more information that will help you improve operations with every iteration.

Find out more

• Get started with Azure DevOps
• The five most common mistakes approaching DevOps
• An introduction to DevSecOps
• How you and your team can improve communication this year
• How Evolv are using Azure DevOps to help develop affordable rehabilitation technologies

The post How you can improve your DevOps practices appeared first on Microsoft Industry Blogs - United Kingdom.

Security is a key part of DevOps. But how does a team know it’s secure? Is it ever really possible to deliver a completely secure service?

Unfortunately, the answer is no. DevSecOps is a continuous and ongoing effort that requires the attention of everyone on the team. While the job is never truly done, the practices teams employ to prevent and handle breaches produce systems that are as secure and resilient as possible.

Teams that don’t have a formal DevSecOps strategy are encouraged to begin the planning as soon as possible. At first there may be some resistance from team members who don’t fully appreciate the threats that exist. Others may not feel that the team is equipped to face the problem and that any special investment would be a wasteful distraction from shipping features. However, it’s necessary to begin the conversation to build consensus as to the nature of the risks, how the team can mitigate them, and whether the team needs resources they don’t currently have.

Resources

• Microsoft Learn: Introduction to DevOps
• Microsoft Learn: Introduction to Azure DevOps
• Microsoft Learn: Work with Azure Repos and GitHub

Get started with DevSecOps

With Microsoft Learn, you can kick off your journey into DevSecOps with easy to understand training – and best of all, it’s free! This is the perfect way to work through new software.

• Microsoft Learn: Introduction to Secure DevOps
• Microsoft Learn: Provision and test environments
• Microsoft Learn: Security Monitoring and Governance

Learn more about DevSecOps

Already using DevSecOps and want to go further? Whether it’s learning something new within DevSecOps or becoming certified, there’s plenty more to explore and discover.

• Watch: Secure GitHub Actions with Azure Workload Identity Federation
• Watch: Secure DevOps with Pulumi and Terraform
• Watch: Secure DevOps with ARM and Bicep

Further resources

• DevSecOps on Microsoft Docs
• Getting started with Azure DevOps
• The five most common mistakes approaching DevOps
• View available Microsoft Certifications
• Sign up for the Monthly TechNet UK IT Pro Newsletter for more!

The post An introduction to DevSecOps appeared first on Microsoft Industry Blogs - United Kingdom.

The teams who develop and manage these solutions – developers – are at the heart of the organisation. They’re critical in enabling your organisation to respond to your customer’s needs.

And when it comes to digital innovation, speed is crucial but so is having a structured plan in place. At the same time, innovation is open to everyone. Therefore, organisations need the right tools to create a culture of innovation.

Professional developers can use Visual Studio and GitHub to modernise existing and develop new applications.

You can also empower a new stream of innovation– citizen developers. These employees understand a business process and want to improve on it but might not have the developer expertise. Now with Power Apps, they can use low/no code solutions to build what they need.

Here are six ways to build a customer-centric culture by empowering your developers.

Move to the public cloud

Innovation happens faster in the cloud. Whether you need to modernise existing applications, simplify complex environments or create new apps, you can benefit from the scalability and flexibility of Azure. Developers can build on a secure foundation in any language or foundation, from anywhere.

Simplify complex and distributed environments across multiple clouds and edge environments with Azure Hybrid cloud solutions. Bring Azure management to your entire IT estate and run Azure services anywhere.

As the UK’s leading omnichannel payments business, PayPoint needs to maintain business as usual while managing increasing demand for its services. With Azure, they were able to respond with agility and even develop and deploy new functionality without downtime to customers.

Shorten time-to-market

According to a Gartner survey study, positive customer experiences drive more revenue, higher employee satisfaction and greater customer retention.

Organisations have a strong sense of urgency in going digital. This is driving demand for tools and services that shorten time-to-market and drive those positive customer experiences.

With tools like Azure DevOps and Visual Studio Code, with automation through DevOps Pipelines, GitHub Actions, the ability to streamline business processes with Power Automate and more increases the efficiency of your developer teams. They can then focus on innovating the customer experience.

Reassess investments

Customers increasingly expect products and services that factor in what they care about – be that macro topics like climate impact, or micro impacts such as their experience interacting with your products.

To meet these demands, organisations must find new ways to deliver service at scale. They need to focus on and connect with the customer experience – no matter how many business units, systems, supply chains and processes that customer journey may span. And do this all while reducing costs.

This requires a new way of thinking.

Many organisations are starting by setting a strategic approach and thinking of themselves as a software company first. Then, they’re leveraging digital technology to deliver on their vision.

Solutions built using the Azure platform offer near-instant provisioning of resources. This lowers innovation costs and enables a faster time-to-market. In fact, Forrester found the average cost to develop an application is 74 percent less with Power Apps.

Empower developers

According to McKinsey & Company, organisations with developer velocity experience four to times faster revenue growth, 60 percent higher return to shareholders, and 20 percent higher operating margin.

Unleash the creative energy of developers by leveraging Azure innovation tools. This enables them to build productively, foster secure collaboration, and remove barriers so they can scale faster innovation at lower cost.

Help them build the skills they need to bring ideas to life with certifications and training. Give developers autonomy, decision making and automate back-end processes so they can focus on bringing innovation.

Drive citizen development

Over 86 percent of organisations already struggle to hire developers. In fact, Gartner predicts that by 2023, there will be four times as many end-user or citizen developers, compared to experienced developers in enterprises.

Empower the people closest to the problem to become citizen developers and solve problems themselves. With low/no code solutions like Power Apps anyone, regardless of their technical capability, can work together on the same platform to create solutions with a high level of agility.

Heathrow Airport employees have eliminated 75,000 pages of paperwork and reduced data entry by nearly 1,000 hours through the low-code development of 30 apps, helping the airport reduce its costs.

Infuse intelligence

The applications that both developers and citizen developers are building are powering important customer centric business processes. By applying AI and machine learning, organisations can infuse intelligence with real-time personalisation and serve up customised algorithms.

Alder Hey Children’s Hospital, uses Azure’s integrated platform with AI to build an algorithm that predicts bed space utilisation. The data is then available on Power BI so healthcare employees can quickly and simply understand the insights.

Empower developers to build a customer-centric culture

By unleashing the full potential of developers and citizen developers, organisations will enable growth, solve a wide range of business problems, and drive digital modernisation.

According to McKinsey, organisations with a developer mindset have 4 to 5 times higher revenue growth and 55 percent higher innovation.

Build a growth mindset culture where developers can drive innovation from anywhere, powered by a comprehensive portfolio of technology that complements your business needs.

We are the only company that has that full stack that spans across the breadth of both tech adoption and tech capability to build, and ultimately increase your chance of succeeding.

Find out more

Resources for leaders:

Watch the webinar: Unleash your developers to innovate

Take the Developer Velocity Assessment

Imagine digital innovation that makes a difference

Deliver a seamless experience with real impact

Build a growth mindset

Make app building easier

Resources for developer teams:

Explore the Dev Hub

Watch Microsoft Build on demand

Get certified

About the author

Denise leads the the digital and app innovation team, working directly with customers to uncover new opportunities. She has over 20 years’ experience in transformation leadership and business change delivery. With a proven ability to drive growth, innovation and performance turnaround across complex organisations, she has delivered new cloud services, automated processes and ways of working across the largest banking system in the UK.

The post The developer-customer connection: Why dev-centred cultures are customer-centric cultures appeared first on Microsoft Industry Blogs - United Kingdom.