When you think of automation, it is hard not to immediately picture robots operating on a factory floor or endlessly producing code. Applied to software specifically, though, the subject is much more complicated, nuanced, and ultimately impactful than the tropes around it. Please note that this will not include a discussion of AI nor the perspective of Elon Musk on the same!
Automation in software and related IT operations is primarily focused on mitigating risk around application/code deployment, security functions, and other administrative items: e.g., testing, code reviews, or even primary code production to guide development best practices. Automation in this context may be as simple as implementing code to handle pushes to production rather than tasking developers with this, or as complex as leveraging an algorithm to review code being written. As such, it is important to consider the relevance of your problem to a wide range of solutions.
There will always be room for improvement, but consider that sound strategy outweighs a ‘tech tornado’.
Automation in Context: Application/Code Deployment
Automation can be used with very little upfront investment of time and resources in application/code development and has ancillary security benefits when managed effectively.
Consider that most organizations still depend on the skill (and honesty) of human resources in managing their most critical moments of fragility when bringing code or expensive applications to production. This is not to say that developers who perform these activities cannot be trusted, but they are effectively less reliable than a block of code at gatekeeping and managing this process.
Consider that well-written code will not botch a deployment, as it typically encounters problematic environmental variables before committing. Your skilled developer may not. The same mechanism also cannot be compromised by a social engineering attack or personal debt – it has no vulnerability on this front. I only say this because it is true, and I have nothing but the utmost respect for all of those who work in the field of software development and engineering.
There are very expensive programs that make the most of their market relevance on this basis alone, acting as secure and well-knit code and application gatekeepers. You may consider tooling such as GitLab or something as basic as a container in addition to a few strings for validation and still realize enormous benefits in terms of quality and the sleep your CTO (Chief Technology Officer) or CISO (Chief Information Security Officer) are able to get.
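The kind of gate described above, a block of code that checks the environment against a few validation strings before anything is committed, can be sketched as follows. This is an added example, not code from the original post; the variable names (`DEPLOY_ENV`, `RELEASE_TAG`, `ARTIFACT_SHA256`, `DB_HOST`) and their rules are hypothetical.

```shell
#!/bin/sh
# Added example: pre-deployment gate. Variable names and rules below are
# hypothetical placeholders for whatever your pipeline actually requires.

# One rule per line: NAME, a space, then an extended regex the whole value must match.
GATE_RULES='DEPLOY_ENV (staging|production)
RELEASE_TAG v[0-9]+\.[0-9]+\.[0-9]+
ARTIFACT_SHA256 [0-9a-f]{64}
DB_HOST [a-z0-9.-]+'

# check_var NAME REGEX: succeeds only if the variable is set, single-line and matches.
check_var() {
    eval "value=\${$1-}"    # NAME comes from GATE_RULES above, never from user input
    if [ -z "$value" ]; then
        echo "gate: $1 is unset or empty" >&2
        return 1
    fi
    # grep matches per line, so a multi-line value is rejected before matching
    if [ $(printf '%s\n' "$value" | wc -l) -ne 1 ] ||
       ! printf '%s\n' "$value" | grep -Eqx -- "$2"; then
        echo "gate: $1 has an unexpected value" >&2   # value not echoed; it may be a secret
        return 1
    fi
}

# predeploy_gate: evaluates every rule and reports all failures, not just the first.
predeploy_gate() {
    failures=0
    while read -r name regex; do
        [ -n "$name" ] || continue
        check_var "$name" "$regex" || failures=$((failures + 1))
    done <<EOF
$GATE_RULES
EOF
    [ "$failures" -eq 0 ]
}

# gated_deploy CMD [ARGS...]: runs the deployment command only if the gate passes.
gated_deploy() {
    if ! predeploy_gate; then
        echo "gate: refusing to deploy" >&2
        return 1
    fi
    "$@"
}
# Pipeline usage (hypothetical script name): gated_deploy ./deploy.sh
```

Because the gate fails closed and never prints the offending values, it can run in shared CI logs without leaking secrets.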
Automation in Context: Security
Automation in software security is perhaps best expressed in the context of threat response and mitigation. Even highly skilled modern security teams typically ignore most alerts, whether due to capacity or perceived ‘importance’. The problem is all the more significant because threat actors have employed a higher degree of automation in their attack patterns, which makes automation tooling for the defense even more important. It is also necessary to *always* have human staffing for certain threats, so automation should be seen as a liberation of sorts in the security space. Human staff should always receive associated reports and still respond to critical alerts.
Manual operations of security teams can also miss or even create vulnerabilities, not to mention enable insider attacks and social engineering opportunities. Since the most common attacks are increasingly automated and reducing human involvement is beneficial for financial *and* security reasons, it just makes sense to employ some tooling today. Whether this involves a simple configuration/network/asset scanner or a more sophisticated security orchestration, automation, and response (SOAR) framework depends on your business needs. Consider that automation may not necessarily replace full-time employees but should free them to pursue more complex and nuanced work as well!
Another benefit can be in terms of external reporting and assurance efforts – audits *may* be easier and certainly your entire company can rest a little easier (especially the CISO / CTO) knowing that critical infrastructure is protected around the clock without staffing concerns. It is also notable that the service desk and ticketing burdens of large (or small) organizations can be rolled into the more extensive solutions to create ancillary value beyond security in a primary sense.
Automation in Context: Testing/Code Reviews
Testing and code reviews can add quite a bit of workload to development teams that should be primarily focused on delivering rapid value and creative solutions. While it will still make sense to keep some degree of manual or human-directed testing and review, many items can be managed with automated testing suites without a loss of quality. Note that this is not AI but rather a ‘bucket’ of configurable testing scenarios and gating that can free your teams from drudgery and can even be marketable in some cases: i.e., CI/CD leverage with mature tooling can be positioned as an *indicator* of product quality.
It should be noted that the assumption of code quality and ‘readiness’ should still (and hopefully always will) be gatekept by human operators, but ultimately automation can reduce the busyness prior to articulated validation.
Automation in Context: Code Production
I am not a huge fan of the current tooling but my bias aside, several options have been developed and are heavily marketed for code production automation – it should be noted that these tools are not to be assumed ‘secure’ for more sensitive uses but may provide quite a bit of leverage in learning. Think of this tooling as a companion when writing code that automatically analyzes work in progress before a commit or submission. You can benefit from catching errors, transpositions, and problematic references but mainly write the code yourself as a creator. As such, GitHub or Amazon CodeWhisperer among others can provide real-time auditing and I will admit that particularly for logically intensive machine learning applications, it does provide value.
However, you and your IT leadership should make sure you understand the terms & conditions of any given tool before deployment. You may find a great ‘companion’ if applicable to your environment.
Automation: Moving Forward
The path forward for automation is open – this is not rhetorical laziness as the proliferation of so-called AI and related automated tooling is accelerating at an unprecedented pace. The next 10-20 years will likely end much primary coding by human beings. Security spaces in IT will become more challenging but fulfilling for coding resources displaced by new technology.
I picture an operational environment in which coding, QA, and related tasks are almost entirely machine-managed but human workers take on increasingly abstract knowledge tasks and operate much like conventional businesspeople. This is not necessarily a bad thing, but it should also be our responsibility to understand this ‘liberating’ technology as it develops rapidly. Ethical practices should be paramount, and I would hope that much of what has been done in academic philosophy can be appropriately refined or distilled to help manage this miracle of human thought. There will still need to be individuals that can adequately understand what is being done and ‘mirror’ the machines, so to speak. A young technologist should hold out hope for the practical use of coding skills yet understand the mechanism of action will be quite different and that their role will change dramatically over time.
Abstraction and flowery language aside, it is dangerous to assume that the progress will all be positive as the same dangers of all technology exist here: misuse, misconfiguration, and the peril of ‘ownership’ as it applies to intellectual or physical property. We must be careful to manage the reward of development and ensure that we do not unnecessarily concentrate or complicate deployments to the extent that control becomes a matter of choice rather than policy and culture. Just as we developed atomic energy (with the other application) and learned from our mistakes, there will be changes made in-flight. We owe it to ourselves to behave ethically, principally focused on the greatest *human* good with all of this.