The Role of DevOps in the New Reality

Process automation

Let's start with the main thing – automation. Our research has shown that this is one of the key drivers of DevOps implementation in Russia. Already 38% of companies use DevOps practices specifically to reduce development costs by automating routine processes. At the same time, such things as deployment, code vulnerability testing, testing and requirements collection are most often automated.

Interestingly, 42% of managers named the lack of qualified personnel capable of working with a modern DevOps stack as the main obstacle to implementing automation. There is a clear imbalance in the market – the demand for such specialists far exceeds the supply. And this creates serious difficulties for many companies.

One of the key trends in the industry is the active use of AI tools. Our survey showed that 51% of companies already use artificial intelligence at various stages of development. Most often, these are machine learning-based systems that help optimize testing processes, find defects in code, and provide recommendations for improving quality and performance. Although there are more exotic examples – chatbots, unit test generation, automatic refactoring, and so on.

Alexey Rybalko

Container Development Environment Security Specialist at Kaspersky Lab

AI tools can significantly speed up development, but the developer is responsible for the final code, who must check the code received from the “AI partner” in accordance with the practices of writing secure code. In addition to AI, a full set of code controls and checks is used during the development process, designed to help ensure security. In addition to developer tools, after the code is transferred to the repository, code security output control departments come into play, using tools to analyze the received code. Their task is to ensure that the developers' code does not contain dangerous structures or potentially vulnerable spots.

Of course, implementing AI in DevOps is not easy. It requires specialized knowledge and skills, high-quality data for training models, and streamlined processes for collecting and labeling datasets. It is no coincidence that 36% of respondents named the lack of competencies as the main barrier to using AI. Plus, no one has canceled the need to control the quality of models, the explainability of their decisions, and ethical aspects. But overall, the trend is clear: AI will play an increasingly important role in automating development processes.

Quality and speed of development

Another important aspect that our survey examined was how DevOps affects the quality of products and the speed of their delivery to end users. It turned out that for the vast majority of companies (more than 60%) these are priority tasks. Moreover, they are directly related to the level of automation and the use of modern development tools.

Arthur Galeev

Head of DevOps Department, IBS

DevOps/DevSecOps in IBS is already commonplace, no application is developed without the implementation of CI/CD, monitoring and other tools. It directly affects the speed, it is difficult to calculate, but in general, releases are sent to production to customers 2-3 times faster.

The more processes can be automated and transferred to a continuous integration and delivery cycle (CI/CD), the higher the development speed and the more stable the quality of products. Ideally, the code gets into production only after it successfully passes the entire chain of tests – unit, integration, regression, acceptance. And if an error occurs at any stage, developers immediately receive feedback and can quickly fix the problem.

However, it’s not that simple. Implementing modern DevOps tools, especially those related to test automation, can be quite expensive. According to our data, 48% of companies plan to replace their current systems in the coming year, but many are stopped by the high cost of licenses and the shortage of specialists capable of working with them.

One of the options for solving this problem is to switch to open-source tools. Our research showed that their share of use has grown from 56 to 73% in a year. Open Source attracts companies not only because of its lower cost of ownership, but also because of its flexibility, the ability to customize and refine for their tasks. In addition, large communities have formed around popular open solutions such as Jenkins, Selenium, Allure, where you can get support and best practices.

Another trend we have noted is the transition to cloud infrastructure. Already 69% of companies use hybrid clouds, combining private and public environments. This allows optimizing costs, ensuring flexibility and scalability of the infrastructure for changing business needs. At the same time, 44% plan to actively migrate DevOps tools to clouds in the coming year.

True, there are some pitfalls here. The main one is information security issues. According to our data, this is the key barrier that stops many companies from fully switching to public clouds. It is necessary to ensure data protection, compliance with regular requirements, and transparency of the provider's processes. It is no coincidence that 50% of respondents named the openness of internal security processes as the main criterion for choosing a cloud platform.

Let's sum it up. Devops directly affects the speed and quality of software development due to the automation of processes and the introduction of modern tools – from continuous integration to cloud environments. But for many companies, this is associated with serious challenges – the need to change the architecture, high licensing costs, and a shortage of personnel in the market. Open Source and clouds can partially solve these problems, but require special attention to security and compatibility issues. In general, the trend towards increasing the speed and quality of development through DevOps is clear and will only intensify.

Development Security: DevSecOps

Now about one of the most important and hottest trends at the intersection of DevOps and security — DevSecOps. This is an approach in which security practices and tools are integrated into all stages of the development life cycle — from planning to operation. The goal is to identify and eliminate vulnerabilities and security defects as early as possible, reduce risks and comply with regulatory requirements.

Arthur Galeev

Head of DevOps Department, IBS

To improve security, IBS implements DevSecOps practices in accordance with GOST R 56939, and also uses tools such as SAST, DAST, Fuzzing, Pentest. Secret management, working with vulnerabilities in dependencies and compliance with secure development standards are the main challenges we face.

According to our research, this topic is very relevant for Russian companies. Already 77% of respondents said that they have dedicated teams or specialists for secure development (SecDevOps). At the same time, 80% assess the current level of maturity of their information security processes as high (4–5 points out of 5). This suggests that security is gradually ceasing to be something external to development and operation, but is becoming an integral part of the entire product life cycle.

Among the most common security practices and tools in the CI/CD process are static code analysis (SAST), which is used by 44% of companies, dynamic application analysis (DAST) — 43%, vulnerability scanning in open-source components (SCA) — 33%, fuzz testing — 6%. This is a basic set that allows you to find typical vulnerabilities and code flaws at the assembly and testing stage.

In addition, many companies are implementing special policies and procedures for secure development, such as code quality gates, container scanning, and protection of secrets and credentials in repositories and CI/CD platforms. However, there are problems. The main one is the lack of expertise and competencies at the intersection of information security and development. According to our data, 36% of companies noted the lack of specialists as the main barrier to the full implementation of security in DevOps. Implementation of DevSecOps practices requires employees to have not only technical skills, but also the ability to build processes, communicate with development teams, and take into account the features of specific products and platforms.

Alexey Rybalko

Container Development Environment Security Specialist at Kaspersky Lab

Companies can provide significant assistance in this matter. I will cite Kaspersky Lab as an example. We cooperate with universities, help teachers in training qualified cybersecurity personnel. We have a developed internship program, within the framework of which senior students undergo practical training and participate in work on an equal basis with specialists, study the specifics of information security in practice, undergo internal training, and pass exams.

In addition, many information security tools are quite resource-intensive and can slow down the build and delivery process, especially when it comes to large and complex projects. Combining speed and security is a non-trivial task that requires constant optimization, profiling, and parallel scanning. And of course, there is no escape from import substitution. Many familiar information security tools in the DevSecOps area are either currently unavailable or have high risks of shutdown and license revocation.

In general, despite all the difficulties, the trend towards integrating information security into DevOps will definitely continue. On the one hand, external risks and regulatory requirements are growing, on the other hand, the maturity of development and operation is increasing. Security is becoming the same must-have requirement for product quality as reliability, performance, and ease of use. And the sooner companies start moving towards DevSecOps, the easier it will be for them to scale these practices and reduce technical and regulatory risks.

Cloud technologies

Now let's move on to one of the hottest topics at the intersection of development, operations, and infrastructure — cloud platforms. As our research has shown, clouds have become an integral part of the DevOps landscape in most Russian companies.

Andrey Belevantsev

Doctor of Physical and Mathematical Sciences, Professor of the Russian Academy of Sciences, Head of the Program Analysis and Optimization Department, ISP RAS

Our projects are focused on development, and in system programming, the programs being created are quite complex – many dependent components, mostly open, we often modify open software to suit our needs. Therefore, properly built DevOps systems are extremely relevant, they help speed up development, quickly test many hypotheses and get a quality product. The main thing is that you can track the results of all experiments, simultaneously maintain several versions of the system being developed, and work out feedback with customers. Specifically, in our team, the Jenkins and GitLab bundle has proven itself well, but, of course, it wasn’t without a bit of tinkering.

This arrangement is quite understandable. On the one hand, public clouds provide flexibility, scalability, access to advanced services and tools. On the other hand, many companies are not ready to fully entrust critical data and systems to external providers. This is especially true for banks, government agencies, and industrial enterprises. The hybrid model allows you to find a balance: keep the most sensitive components in-house, and transfer the rest to external platforms.

The breakdown of cloud service providers is interesting. The Russian market is quite fragmented, with many local players. More and more companies are already using domestic platforms, and their share is growing.

Nevertheless, some companies still use foreign clouds, mainly due to inertia – many have their data, infrastructure, and development processes concentrated there. It is difficult and expensive to quickly transfer this to other platforms. Plus, not all domestic providers can provide the required level of quality, support, and functionality of services, especially in the enterprise segment. Although the gap is gradually narrowing.

The most striking trend here is the strengthening of requirements for data and software sovereignty. According to our data, it is critical for a number of companies to store key systems and data in Russian jurisdiction, under the protection of local laws. Moreover, many customers, including government agencies, clearly specify such requirements in contracts and technical specifications. This means that providers will have to tighten up their infrastructure, certification, and support to meet these needs.

The main difficulty for cloud service providers is the lack of expertise and personnel. To sell and implement modern cloud solutions, providers need not just engineers and administrators, but architects, consultants, evangelists. Those who understand the tasks of specific industries (retail, fintech, manufacturing), speak the language of business, can design an optimal solution for customer requirements, calculate the economics, justify the value for business. But there is a shortage of such specialists on the market. They have to grow internally, poach, invest in training and developing talent. These are long-term investments, but they are essential.

Team and process management

And finally, about the main asset, without which the entire digital transformation and DevOps are impossible in principle – about people. Our study has once again shown that the main challenge and limitation of DevOps development in Russia remains the shortage of personnel. Moreover, the shortage is felt at all levels – developers, engineers, architects, managers. The market is overheated, competition for talent is higher than ever.

Pavel Degtyarev

Director of Product Development at EKOPSI Consulting

Digital transformation is a change of culture first and foremost. There is a classic study by McKinsey in 2014, which showed that teams that implement changes in the management structure, processes, business practices as “changes in themselves,” yesterday they worked the old way, and tomorrow we will start in a new way, achieve success in 5% of cases. But if you first assess what should change in the daily behavior of employees and influence it — change the practices of decision-making, planning, communication, etc., the probability of success of changes reaches 52%. This is 10 times higher..

Universities and colleges continue to focus on fundamental knowledge, basic languages, and technologies of the past generation. And the market needs specialists who can work with modern frameworks, understand DevOps processes and tools, and can understand subject areas. Such competencies cannot be formed at a school desk; they are acquired only in real projects, at the intersection of business and technology.

Therefore, many companies are forced to develop personnel internally – through internships, schools, talent development programs. For example, one company has had an educational department for several years that trains specialists at the intersection of different disciplines – development, data analysis, cybersecurity, product management. The best students and graduates are invited to work for themselves, some go to other companies. In fact, this company acts as a supplier of personnel for the entire market and covers not only its own needs, but also the needs of partners and clients. This is a good example of the symbiosis of education and business.

Arthur Galeev

Head of DevOps Department, IBS

We work with universities in the cities where IBS is present, conduct internships, develop specialists within the company, and are always open to candidates who are looking for an internship.

And to retain talent, companies resort to various tricks: they offer high salaries and bonuses, improve social packages, provide remote work and relocation opportunities. But the main thing, in my opinion, is to create an internal environment that motivates people to learn, experiment, and bring in new ideas and practices. We need a culture of communication and exchange of experience between teams, joint solutions to engineering problems, mutual support, and respect. Only in such an environment do people feel comfortable and safe, see the meaning and value of their work, and can realize their potential.

I would like to separately note the importance of upgrading the soft skills of technical specialists. It is not enough to be able to write code according to the technical specifications; you need to be able to explain your decisions, argue, negotiate, and manage stakeholder expectations. Many conflicts and problems in DevOps arise not because of technical errors, but because of communication barriers and misunderstandings between development, operations, and business teams. The same developer must be able not only to implement a feature, but also to explain its value to the product, coordinate requirements with an analyst, test it with a quality engineer, and hand it over to the operator. And this requires presentation skills, negotiations, conflict management, and emotional intelligence. Unfortunately, few teach this, so you have to upgrade yourself and learn from your mistakes.

And finally, about remote work and distributed teams. The pandemic and the departure of many foreign companies pushed this trend forward; people realized that they can work effectively from home, if only they have tasks and the Internet. On the one hand, this untied the hands of employers — now they can hire talent from the regions, save on offices, and attract experts for projects. On the other hand, it complicated communication and coordination, increased the risks of leaks and security. After all, when people do not see each other in person, engagement and trust are lost, they work in different time zones, it is more difficult to transfer knowledge, and synchronize work.

Therefore, companies that practice distributed development (and there are already more than 50% of them) have to strengthen the technical and cultural components. Use asynchronous communication tools (mail, messengers, task boards), knowledge documentation practices (wiki, confluence), remote pair programming tools and code review. And of course, call each other more often, hold virtual meetings and synchronizations, organize informal meetings to strengthen relationships.

In general, remote work is not a panacea, but a test of the strength of processes and culture, which not every company can withstand. But what can you do – the trend is clear.

Conclusion

Our research has shown that the Russian DevOps market is actively developing, despite all the challenges and limitations. More and more companies are implementing practices and tools aimed at accelerating and improving the quality of development. The level of automation, penetration of cloud platforms, and integration of information security into the development cycle are growing. Although most are still far from full maturity, the trends are definitely positive.

The main drivers of this transformation are the customers themselves, who demand from IT an increasingly rapid response to business changes, frequent releases of new products and features, high quality and security of digital services. And the most acute pain points are the shortage of expertise and personnel in the market, the difficulties of transitioning from monolithic architectures to microservices and clouds, regulatory restrictions on data transfer and the use of foreign solutions.

In these conditions, the role of domestic vendors and integrators is increasing, who can offer customers comprehensive solutions for DevOps and digitalization, without being tied to foreign platforms and taking into account Russian specifics. They should focus on training and certifying clients, packaging standard products and services, a flexible pricing model and support. And even better – invest in their own schools and academies, grow talents, form expert communities around themselves. Although this is a long way, it is the most correct one.