Today we’ll cover some of the most common pitfalls in DevSecOps. By recognizing these issues and moving quickly to avoid or correct them, you can save yourself time, money, effort, and heartache.
First, let’s spend a few moments defining terms.
The Traditional DevOps Pipeline
The usual DevOps pipeline starts with a developer committing code to a Git repository. Other developers then branch from the repository to add changes or features to the codebase. When the new code is pushed back to the repository, the continuous integration tool connected to it (Jenkins, Travis CI, CircleCI, and so on) picks up the code and builds it, making sure the code passes all the required tests.
Once the code is built, it moves to the deploy phase, where CD (continuous deployment) is triggered. In this phase, the code is deployed to a particular environment according to how the pipeline is configured. That environment could be QA, Dev, or Production.
You’ve probably heard people say that the DevOps pipeline is the best integration of developers and operations. But often, one critical team that companies miss or neglect before and after code deployment is the security team.
However, this scenario is changing. Now more companies are adopting a new approach, known as DevSecOps. Why? Because it brings in the most critical aspect of building large-scale systems—security—to the traditional DevOps pipeline. And that’s awesome.
So DevSecOps not only integrates developers and operations, it also brings security under its umbrella. Security is applied from the beginning of the pipeline (the left, as many IT professionals say) all the way through to deployment (the right), rather than being bolted on at the end. Catching vulnerabilities this early makes them far less expensive to fix.
Now that you know a little about what DevSecOps is, let’s see the common pitfalls and ways to overcome them.
1. Failing to Monitor the Code
Code is constantly changing, and developers are always introducing new libraries and configurations. Some of these libraries may carry a vulnerability the developer doesn't know about. Continuously monitoring the codebase therefore becomes an important and ongoing task of the DevSecOps team, which takes ownership of configuration changes, patches, and system maintenance.
2. Prioritizing Speed, Not Quality
Too many companies concentrate on timelines instead of the quality of the product. All they care about is getting the code running in production.
The end goal of the DevSecOps team should be to deliver a secure and functional pipeline. If you prioritize speed while building this functionality and integrating security into the pipeline, you may miss important aspects, and the result will confuse or annoy your customers.
3. Not Involving Your Security Team
DevSecOps is a continuous process of developing software. Getting the security team involved while creating this pipeline should be the priority—unless you have a small team that doesn’t have a dedicated security group. In that case, you can implement the security principle on your own if the project is small.
As a startup grows into a big enterprise, the team also evolves over time. At this point, you can involve the security team while creating a pipeline to ensure all the security tests are integrated, and no vulnerabilities are exposed.
4. Choosing the Wrong Tools
There are many tools, new and old, that you can use in your DevSecOps pipeline. Some tools are very expensive, and others are irrelevant to your code.
Choosing the right tool to integrate with your pipeline is a useful step you can take to ease your pain in the future. Make sure the tools you choose satisfy the current use case and future use cases of your code and don’t require you to make extensive changes to your code.
For example, if developers have to make a significant effort to initiate scans, they'll probably stop using the scanning tool. The security tool you choose needs to make scanning the code easy for the developer.
Here are some resources you can use to improve your knowledge of DevSecOps. Both of these are from Cprime.
- DevSecOps 101 gives you an overview of how to integrate security into the DevOps pipeline.
- DevSecOps Boot Camp: This boot camp allows IT teams or motivated individuals who have little idea about DevOps to dive deep into the concepts of DevSecOps and apply the knowledge to practical applications. It's led by industry experts who will guide you and give you the right direction for your DevSecOps journey.