What is DevSecOps anyway?
DevSecOps is the realisation that incorporating security considerations into DevOps is key to maximising the efficiency of software development. Joining up development and operations is not enough on its own to ensure agility in today's environments; development should be undertaken with a security-first mindset.
At Abstract Leap we embrace the DevSecOps movement so that our teams can work as efficiently as possible. We use a combination of tools and techniques that together help us deliver high-quality software frequently.
The different phases
At development time, we embed DevSecOps through the following:
- Security-first mindset - developers consider the security of the software during the design process, not after it has been written.
- Automated testing - we make use of automated tests to prevent regressions.
- Continuous integration - we continually build and test our code as changes are made by developers.
- Code review - we perform peer and principal code reviews for all non-trivial pieces of functionality.
- Static analysis - we make use of automated tools to check for common software issues.
Release time is crunch time as far as DevOps goes: it is the point at which development and operations cross over explicitly. To help manage this we use:
- Continuous delivery - our code is deployed automatically using Azure DevOps pipelines.
- Infrastructure as code - as proponents of the Azure cloud, we make use of automated infrastructure provisioning defined in code.
- Feature flags - we use feature flags to release code to selected users and to perform A/B testing.
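As an added illustration of how the development-time checks above can gate a release (this is an example written for this page, not Abstract Leap's own pipeline), the following Azure Pipelines definition builds, tests and publishes a solution, then provisions infrastructure and deploys only when that stage has passed on the main branch. It assumes a .NET solution with an ARM template at `infra/main.json`; the service connection `azure-prod`, the `subscriptionId` variable, the resource group `rg-my-web-app`, the region `uksouth`, the web app `my-web-app` and the `production` environment are placeholders.

```yaml
# Added example (not Abstract Leap's own pipeline). Assumptions: a .NET
# solution, an ARM template at infra/main.json, a service connection named
# 'azure-prod', a pipeline variable 'subscriptionId', and a web app named
# 'my-web-app' in resource group 'rg-my-web-app'.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: Build
    displayName: Build, test and analyse
    jobs:
      - job: Build
        steps:
          - task: DotNetCoreCLI@2
            displayName: Build (analyser warnings fail the build)
            inputs:
              command: build
              projects: '**/*.csproj'
              # Static analysis: Roslyn analyser warnings are treated as errors.
              arguments: '--configuration Release -p:TreatWarningsAsErrors=true'
          - task: DotNetCoreCLI@2
            displayName: Run automated tests
            inputs:
              command: test
              projects: '**/*Tests.csproj'
              arguments: '--configuration Release --no-build'
          - task: DotNetCoreCLI@2
            displayName: Publish deployable package
            inputs:
              command: publish
              publishWebProjects: true
              arguments: '--configuration Release --output $(Build.ArtifactStagingDirectory)'
          # The application package and the infrastructure template are both
          # published as artifacts so the Deploy stage uses exactly what was tested.
          - publish: $(Build.ArtifactStagingDirectory)
            artifact: drop
          - publish: infra
            artifact: infra

  - stage: Deploy
    displayName: Provision infrastructure and deploy
    dependsOn: Build
    # Only a green Build stage on main reaches this point.
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: DeployProd
        # An Azure DevOps environment can carry approval checks, so a human
        # sign-off can sit between a green build and a live deployment.
        environment: production
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureResourceManagerTemplateDeployment@3
                  displayName: Infrastructure as code
                  inputs:
                    deploymentScope: Resource Group
                    azureResourceManagerConnection: azure-prod
                    subscriptionId: $(subscriptionId)
                    resourceGroupName: rg-my-web-app
                    location: uksouth
                    templateLocation: Linked artifact
                    csmFile: $(Pipeline.Workspace)/infra/main.json
                    deploymentMode: Incremental
                - task: AzureWebApp@1
                  displayName: Deploy web app
                  inputs:
                    azureSubscription: azure-prod
                    appName: my-web-app
                    package: $(Pipeline.Workspace)/drop/**/*.zip
```

The point of the layout is that nothing reaches the Deploy stage that has not already passed the build, analyser and test gates, and the deployment job targets a named environment so that approval checks can be attached in Azure DevOps without changing the pipeline definition.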
Once the software is in production we use the following tools for operations:
- Error monitoring - our software automatically sends errors to our team so that we can fix them as soon as possible.
- Application performance monitoring - we can discover performance issues before they have any meaningful impact.
- Web application firewalls - our web applications are protected by a WAF.
- Cloud scale - building on Azure lets us stand on the shoulders of giants.