Over the last few years, development teams have been pushed to do a lot more with less. The global supply chain disruptions caused by the pandemic and the chip manufacturing shortage in particular impacted the tech industry. These factors have moved developer workloads toward the cloud, created a more asynchronous and remote workforce, and increased demand for modern applications.
All of these changes have come with their own set of challenges. In our recent webinar, AppDev Challenges and Trends to Watch in 2022 (available to watch on-demand), Docker Captain and Solutions Architect for BoxBoat (an IBM company) Brandon Mitchell shared his insights on the critical challenges and trends he’s been seeing from his work helping companies through their containerization journey. Throughout the webinar, Brandon identified valuable opportunities where development teams can continue to build modern and innovative solutions that are also secure and compliant with their organizations’ policies.
Keep reading for a recap of the webinar and to learn more about our new market report, The State of Application Development in 2022 and Beyond.
Today’s AppDev Challenges
Brandon identified the top challenges he’s been seeing in the software development space, including:
- Updating legacy systems
- Modernizing components without disrupting software delivery pipelines
- Keeping up with demand for cloud-native apps
To address these challenges, many industry leaders have moved their applications to containers.
Trend #1: Containerization as the norm
According to Brandon, “If you haven’t already started your containerization journey, you’re probably already behind your industry peers so now is the time to jump on that. Yesterday was the time, but there’s no time like the present.” Organizations are migrating everything into containers, including legacy applications, in order to standardize on a more efficient software delivery pipeline.
One of the nice things about this trend is that developers get to manage a single workflow, rather than multiple workflows: one for the old legacy model and another for all of the different microservices in the new system. Managing multiple workflows leads to friction in both production and development environments.
Trend #2: CI/CD as the building block to software
CI/CD tends to be the core environment that everyone depends on because everything goes through it, from developer code check-ins to deployments to production. Brandon stated that he’s been seeing a transition away from domain-specific languages and toward a declarative environment. Developers are spinning up ephemeral containers: when they have a new version, they spin up a new container. The new design for how organizations deploy to production is a clean environment that resets to a clean state, with all persistent data mapped in as volumes.
Modernizing the application stack requires modernizing the CI/CD pipeline. The first step toward this is to try to break things into microservices. One challenge Brandon has seen organizations run into is that the combination of services teams test in development doesn’t always match the combination of services they run in production.
Brandon also described seeing security checks shift left. Security tooling is moving earlier in the CI/CD pipeline for faster feedback; ideally, it runs right on developers’ desktops. Docker Scan is a great tool that allows developers to scan for vulnerabilities on their own machines, so they can test their code before they commit it to the Git repo. This gives developers security feedback at the moment they commit their code and equips them with the tools they need to be proactive.
Trend #3: Secure Software Supply Chain with DevSecOps
Brandon discussed the trend he’s been seeing of moving security left in further detail. This major shift is driven by a combination of government regulations (e.g., the White House Executive Order) and recent attacks like the SolarWinds attack, Heartbleed, and the OpenSSL vulnerability.
Attackers are going after the supply chain and are looking for vulnerabilities upstream or in build infrastructure. Potentially malicious developers are finding ways to push code into upstream builds, and that code gets pulled into environments and deployed in applications as if it were trusted code, because dependencies aren’t being checked. This code can get pulled in with a single command in the developer environment and is then deployed out to production environments. Some solutions to this that Brandon suggested include:
- Hardening build environments
- Generating software bills of materials (SBOMs)
- Adding signing
- Looking to reproducible builds
- Shifting scanning earlier in the workflow
You can think of SBOMs as an ingredient list that lets teams track what is in each of their compiled applications. Development teams can use SBOMs to identify whether what they’ve deployed has a vulnerability and, if it does, quickly track down every place in production where the vulnerable code is deployed. Another important solution is image signing and, along with that, making sure that teams are only signing images that are trusted and verified.
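The SBOM-as-ingredient-list use case above, as an added example (not code from the webinar or from Docker’s tooling): given one constructed, CycloneDX-style SBOM per deployed image (hypothetical image names), it returns every image that carries a package within a vulnerable version range. The Heartbleed range in the demo (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is the one fact taken from outside the page.

```python
"""Find which deployed images carry a vulnerable package by querying their SBOMs."""
import re

# Constructed, CycloneDX-style SBOMs keyed by (hypothetical) deployed image reference.
SBOMS = {
    "registry.example/api:1.4.2": {"components": [
        {"name": "openssl", "version": "1.0.1f"}, {"name": "zlib", "version": "1.2.11"}]},
    "registry.example/worker:2.0.0": {"components": [
        {"name": "openssl", "version": "1.0.1h"}, {"name": "libxml2", "version": "2.9.10"}]},
    "registry.example/frontend:3.1.0": {"components": [
        {"name": "zlib", "version": "1.2.11"}]},
}


def version_key(version: str) -> tuple:
    """Turn '1.0.1f' into a tuple that orders numerically instead of as a string.

    Each part is tagged (1, int) or (0, str) so mixed parts never raise TypeError.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def affected_images(package: str, fixed_in: str, introduced: str = "0") -> list[str]:
    """Image refs whose SBOM lists `package` at a version in [introduced, fixed_in)."""
    lo, hi = version_key(introduced), version_key(fixed_in)
    hits = []
    for image, sbom in SBOMS.items():
        for comp in sbom["components"]:
            if comp["name"] == package and lo <= version_key(comp["version"]) < hi:
                hits.append(image)
                break  # one vulnerable component is enough; report the image once
    return sorted(hits)


if __name__ == "__main__":
    # Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
    print(affected_images("openssl", fixed_in="1.0.1g", introduced="1.0.1"))
    # -> ['registry.example/api:1.4.2']
```

Feeding real SBOMs (for example, the output of an SBOM generator, one per image tag in production) into `SBOMS` turns this into the "which deployments are exposed" query the paragraph describes.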
Brandon refers to reproducible builds as the “holy grail” because they’re effective but difficult to implement in a production environment. After a build has run all the way through on an organization’s normal build infrastructure, reproducible builds require running the same build again in a completely separate, fresh environment. If the two outputs don’t match byte for byte, the organization knows something went wrong and needs to investigate. That something could just be an odd configuration difference, but it could also be an indication that an attacker got in and injected malicious code that needs to be stopped before it goes into production.
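The byte-for-byte comparison step, as an added example (not code from the webinar): two build output trees are hashed file by file and any missing, extra or differing files are reported. The two trees are constructed in a temporary directory, with one binary altered in the second tree to stand in for an unexplained difference.

```python
"""Check that two independent builds of the same source match byte for byte."""
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(build_a: Path, build_b: Path) -> dict[str, list[str]]:
    """Files only in A, only in B, and files in both whose contents differ."""
    a, b = tree_digests(build_a), tree_digests(build_b)
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "mismatch": sorted(p for p in a.keys() & b.keys() if a[p] != b[p])}


def is_reproducible(build_a: Path, build_b: Path) -> bool:
    """True only when nothing is missing, extra, or different between the trees."""
    return not any(compare_builds(build_a, build_b).values())


def write_constructed_builds(base: Path) -> tuple[Path, Path]:
    """Create two constructed build trees; tree B has one binary that differs."""
    files = {"bin/app": b"\x7fELF constructed binary", "etc/version": b"1.4.2\n"}
    a, b = base / "build_a", base / "build_b"
    for root in (a, b):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Simulate an unexplained difference in the second environment's output.
    (b / "bin/app").write_bytes(b"\x7fELF constructed binary + extra bytes")
    return a, b


def run_demo() -> dict:
    """Build the constructed trees in a temp dir and return both comparison results."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = write_constructed_builds(Path(tmp))
        return {"a_vs_a": is_reproducible(a, a), "a_vs_b": compare_builds(a, b)}


if __name__ == "__main__":
    print(run_demo())
    # -> {'a_vs_a': True, 'a_vs_b': {'only_in_a': [], 'only_in_b': [], 'mismatch': ['bin/app']}}
```

In practice the mismatch list is the starting point for the investigation the paragraph describes: a timestamp or path embedded at build time is a configuration problem, while an unexplained change in a binary is the case that must be resolved before release.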
The State of Application Development in 2022 and Beyond
During the webinar, Brandon went into more detail on each of the above topics and had a live discussion with Docker Product Marketing Manager Cat Siemer. He also addressed live Q&A from webinar attendees, so be sure to check out the full webinar recording to catch these additional insights.
If you want to learn more about this topic, check out the new market report we just published, The State of Application Development in 2022 and Beyond, which highlights six trends that we predict will be key to the success of any development team and developer-centered organization in 2022. Read the report to learn how development teams keep a competitive edge by modernizing the way they build, share, and run their applications with Docker Business and our other subscription offerings.
Join us at DockerCon 2022
DockerCon is the world’s largest development conference of its kind, and it’s coming to you virtually and completely free on May 10th, 2022. DockerCon 2022 is an amazing opportunity for you and your developers to learn directly from the community, get tips, tricks, and best practices that will elevate your Docker knowledge, and learn about what’s coming up on the Docker Roadmap. You can register for DockerCon now; pre-registration is free and open. If you’re interested in speaking at DockerCon, the DockerCon 2022 Call for Papers is also open; submit your talk here.
Additional resources from the webinar
- Notary v2
- OCI Reference Types Working Group
- CNCF Supply Chain Security Working Group
- Reproducible Builds