5 Features of a Successful DevSecOps Pipeline | TechWell

5 Features of a Successful DevSecOps Pipeline

Sunset over the sea seen from the inside of a large pipe, photo by Erlend Ekseth

With the DevSecOps movement on the rise, many are wondering what makes a good DevSecOps pipeline. What is the best way to build security into an existing continuous integration, continuous delivery, and continuous deployment pipeline?

Let’s take a look at five essential features of successful DevSecOps pipelines and analyze where security can benefit most.

1. Precommit hooks

Precommit checks are used to find common security issues before changes are committed into source code repositories. The use of precommit hooks is very powerful. They can help tedious manual tasks, increase productivity, and ensure checks are enforced every time. A good DevSecOps pipeline includes these checks with integrated unit tests, static code analysis, and code review to help update existing thread modelsand enable risk analysis to be performed incrementally.

2. Commit-time testing

At each check-in to the source code repository, it’s important to build and perform some basic automated testing of the application. These tests should run (and fail) fast in order to provide rapid results to developers. By integrating some quick static application security testing (SAST) tools to run a subset of your top vulnerabilities based on your risk assessment, you can provide fast, incremental feedback and empower development teams to remediate critical and high-risk issues.

3. Build-time testing and analysis

When commit-time checks are successful, your next step is to build the application and break the build with any failure. If the code compiles, you’ll want to rerun unit tests, a full SAST scan, and third-party binary analysis. In the event these quality gates fail, you’ll want to prevent code from being promoted until a developer inspects and resolves any issues.

4. Deployment checks

If your build is completed, it’s time to deploy the application to a test environment and perform pre- and post-deployment security checks. Testing post-deployment provides an ongoing level of assurance that operational and functional changes haven’t introduced new security issues. Unit testing in your infrastructure-as-code tool of choice and using it to force strong security configurations builds in security controls early.

Once provisioning and deployment checks are complete, it’s time to look into performing dynamic application security testing (DAST), fuzzing, performance and load testing, and monitoring of the system to provide a baseline and gain an understanding of what production should act and behave like. This is the last phase before production is released.

5. DevSecOps in production

If you’ve managed to make it this far and deployed in production, you’re not done yet. Log inspection and continuous monitoring are key components of your DevSecOps capabilities. Findings in this phase should be identified and fed back to development teams to change developer behavior.

When implementing security into your DevSecOps pipeline, it’s important to conduct these activities with purpose and not get stuck in a governance checklist. None of these elements is stuck in stone.

Automation is invaluable to reducing security risk and making it successful. Making such activities integral to each part of your pipeline ensures DevOps teams own the security of their application in the same way they own quality, development, and operations.

Up Next

About the Author

TechWell Insights To Go

(* Required fields)

Get the latest stories delivered to your inbox every week.