Jason McIntosh, Armory: “with the current developer workload the best practice is to automate wherever possible”

Behind every successful app, website, or piece of software, there is an incredible amount of time and effort put in by hard-working developers and engineers.

Code is everywhere. From apps like Facebook or Instagram to websites and security measures like VPNs, software is an integral part of our lives. With the demand for software so high, developers need to find new ways to be more efficient and create better solutions for our everyday needs.

To find out more about how the development process can be improved, we sat down with Jason McIntosh, Principal Engineer at Armory.io – a platform that focuses specifically on deployment to provide an effective and complete solution.

How did the idea of Armory originate? What has your journey been like so far?

The idea for Armory originated from the search for a solution to a complex engineering problem: deployment. The founders experienced the pain of scary deployments with low engineering velocity. They began using Spinnaker and building proprietary capabilities on top of the open-source code, filling in gaps for business-specific capabilities like security and policy management.

The engineers realized other developers probably experienced the same deployment pain, so they worked to bring the power of Spinnaker to enterprises. Our business model began by targeting elite development teams who needed all the bells and whistles. Then we realized pre-elite teams also struggled with the deployment but needed a less-complex solution. To meet this demand, we built continuous deployment as a service (CDaaS) to simplify and automate much of the work. Teams don’t need to understand the deployment strategies or be able to build a pipeline to successfully and reliably deploy code.

Can you tell us a little bit about your continuous deployment solutions? What are their key features?

Armory focuses specifically on deployment to provide an effective and complete solution. Our CDaaS platform offers the following:

  • Multi-cluster deployment orchestration
  • Declarative deployment with a GitOps experience
  • Centrally defined environments
  • Blue/Green and Canary deployments
  • Automated rollbacks
  • Traffic management
  • Open ecosystem integration

We also have Continuous Deployment Self-Hosted for larger enterprises, a more heavy-weight solution designed for elite teams.

What would you consider the main challenges development teams run into nowadays?

A primary challenge is a continuous growth in complexity introducing friction into the innovation process. As organizations accelerate their transition to cloud-native architectures, developers have more ways to approach the same engineering tasks, and the growing number of environments and customers complicates deployment. As a result of tool sprawl and increased expectations, developers become inundated with options, taxing their creativity and monopolizing time with tedious imperative tasks that could easily be automated.

How did the recent global events affect your field of work?

The pandemic accelerated businesses’ move to the cloud, increasing developers’ workload. With users increasingly relying on software, development teams face even more pressure to ensure reliability and deliver new features more quickly than ever. The need and desire for automation grew significantly, inspiring Armory to create new functionalities to help assuage the challenges.

What are the best practices companies should follow when developing and when launching applications?

With the current developer workload and the availability of tools, a best practice is to automate wherever possible. Continuous integration/continuous delivery (CI/CD) greatly improves DORA metrics. CI enables collaboration by automatically integrating code changes into a single deployable unit. The process emphasizes frequent code check-ins while creating and testing the new build. CD transforms changes into a state ready for production deployment and pushes changes through the pipeline, adding safety and speed to the development cycle and automating tedious but essential steps.

Where does continuous deployment fit? Continuous deployment requires the use of CD. In addition to making a new code version available, continuous deployment ensures it is in use in your production environment. Continuous deployment removes the need for pre-scheduled releases, increases user feedback, and allows developers to address user feedback faster. It standardizes deployment practices, automates pipeline creation, replaces manual checks, allows for progressive deployment and collects and manages observability data.

With automated processes, developers can spend more time writing code and creating a superior product.

What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?

The simplest and largest vulnerability most users hit is still the OWASP top 10. Broken access controls are one of the biggest we see impacting businesses. Many organizations’ authentication/authorization restrictions aren’t set or are improperly set, allowing access to cloud accounts or sensitive resources a user shouldn’t directly access. Going back later to add authentication is always more work than starting with it from the beginning! Improperly exposing or protecting your tooling leads to break-ins.

The other challenge we see is the security space still struggles to explain basic concepts around good security. OIDC is a confusing concept to most developers and a core challenge. Password rotations, protecting sensitive data and explaining how cross-site-scripting works are things many engineers struggle with. Integrating security into your workflows, making the concepts easier to understand, and simplifying the processes could help organizations more effectively implement security best practices from the beginning.

What cyber threats do you find the most concerning nowadays? What can organizations and average individuals do to protect themselves?

Social attacks are still the most concerning. Even the best engineers — including security engineers — can be hit by these! Better MFA (multi-factor authentication) and password managers have helped reduce these kinds of attacks, but they’re still very common. On the downside, password managers are still not used consistently across organizations or at home. The first thing end users should do is use a password manager. Even with this tool, they still must rotate credentials. LastPass’s recent situation is a perfect example that no system is 100% secure.

MFA is the next and mandatory line of defense. MFA has vastly improved the damage from exposed credentials, but we are also seeing new attacks take advantage of MFA “laziness” in verifying that your MFA is coming from you. Organizations should include code verification on MFA rather than just accept push responses. We see signs that “push” notifications aren’t enough, as many attackers are bypassing this by using “push burnout,” where users accidentally click yes or ignore the request promptly.

Last, we’re seeing many more supply chain attacks, including attacks on base shared libraries. A simple change to a core library can instantly infect thousands of downstream resources. This was noticed recently with NPM module changes and the Linux kernel attempt to introduce a vulnerability by security researchers. These attacks do not yet have great mitigations nor receive much focus despite having the potential to do incalculable damage. This is an area the entire development community really needs to think about.

What advancements and innovations in the software development field do you hope to see in the near future?

We want to see an increased emphasis on verification and supply chain security. There’s already been innovation in that space, but the need will grow as both developers and C-suite focus more on protecting their products and customers.

We also hope to see companies incorporate environmental sustainability into their DevOps strategy. Software plays an essential role in energy management, as the decisions made by the program influence the physical infrastructure. The environmental impact should be considered a priority from the first line of code.

What does the future hold for Armory?

Armory is dedicated to improving the deployment experience and reducing the stress on overworked developers. Armory is the first and only company with a deployment orchestration model, and continuing to build the future of CDaaS will be a key initiative. We continue incorporating and improving plug-ins to make continuous deployment available and customizable for everyone. Working closely with our customers and the developer community, we will address new needs, especially in areas related to tool sprawl, security, and environmental impact.
