14 Things That Go Wrong Over and Over in DevSecOps

There are a lot of things that can go wrong with DevSecOps that practitioners should be aware of and avoid.

1. Breaking builds on false positives

Part of the DevOps process is building applications. However, introducing a security tool into the pipeline can break the build when the tool flags a false positive, and the build stops for an issue that is not real.

“If we’re breaking builds on false positives, what we’re actually doing is breaking trust,” Janca said.

2. Turning on tools without testing them

Janca said that far too often she has seen security teams turn on tools for DevOps pipelines without testing them, which can cause any number of issues.

3. Artificial gates

Part of the DevSecOps process is providing “gates” — points where a pipeline is inspected for compliance with a certain policy. Janca said she has seen security professionals add gates to a process just to slow it down so they can have some form of control. Inevitably, developers just go around the gates anyway.

4. Missing test results

Another common issue is that of missing test results. For whatever reason, DevSecOps professionals don’t always share all the results with the developers building the code, which ultimately leaves the software less secure.
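Items 1 and 4 describe two sides of the same gate design: the build should break only on findings that are new and above the agreed severity, while every result the tool produced is still handed to developers. The script below is an added example, not code from the article or from Janca's talk; the scanner output, rule names, file paths and dates are constructed, and a real pipeline would load the findings from the tool's own JSON rather than from the `run_sample()` fixture. Reviewed false positives are recorded as suppressions keyed by a fingerprint that ignores line numbers, and each suppression carries a reason and an expiry so that it is re-reviewed rather than muting the finding forever.

```python
"""Security-scan gate for a CI job: block only on new, above-threshold findings that
are not covered by a reviewed and unexpired suppression, and always emit the full
result set so developers see everything the tool found."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    severity: str
    snippet: str  # the flagged source text; used instead of a line number

    def fingerprint(self) -> str:
        # Rule + file + whitespace-normalised code text: the finding keeps its identity
        # when lines shift, so a suppression does not silently stop matching after a refactor.
        raw = f"{self.rule_id}|{self.path}|{' '.join(self.snippet.split())}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class Suppression:
    fingerprint: str
    reason: str    # who reviewed the finding and why it is a false positive
    expires: date  # a suppression is a decision with a shelf life, not a permanent mute


def evaluate(findings: list[Finding], suppressions: list[Suppression], today: date,
             fail_at: str = "high") -> tuple[bool, dict]:
    """Return (should_fail, report). Every finding lands in report["all"]."""
    active = {s.fingerprint: s for s in suppressions if s.expires >= today}
    expired = {s.fingerprint: s for s in suppressions if s.expires < today}
    threshold = SEVERITY_RANK[fail_at]
    report: dict[str, list[dict]] = {"all": [], "blocking": [], "suppressed": [], "expired": []}
    for f in findings:
        fp = f.fingerprint()
        entry = {**asdict(f), "fingerprint": fp}
        report["all"].append(entry)  # shared with developers no matter what the outcome is
        if fp in active:
            report["suppressed"].append({**entry, "reason": active[fp].reason})
        elif SEVERITY_RANK[f.severity] >= threshold:
            if fp in expired:
                entry = {**entry, "note": "suppression expired on "
                         f"{expired[fp].expires.isoformat()}; re-review required"}
                report["expired"].append(entry)
            report["blocking"].append(entry)  # new or un-renewed: this is what breaks the build
    return bool(report["blocking"]), report


def run_sample() -> tuple[bool, dict]:
    """Constructed scanner output and suppressions, standing in for a real tool's JSON."""
    findings = [
        Finding("hardcoded-secret", "src/config.py", "high", 'API_KEY = os.environ["API_KEY"]'),
        Finding("sql-string-concat", "src/db.py", "critical",
                'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
        Finding("weak-hash", "src/legacy.py", "medium", "digest = hashlib.md5(blob).hexdigest()"),
        Finding("hardcoded-secret", "tests/fixtures.py", "high", 'PASSWORD = "fixture-not-a-real-secret"'),
    ]
    suppressions = [
        # Reviewed false positive: the rule matched the variable name, but the value comes from the environment.
        Suppression(findings[0].fingerprint(),
                    "reviewed by appsec: value read from env, not a literal", date(2025, 12, 31)),
        # Old suppression nobody renewed: it no longer hides the finding, so it surfaces for re-review.
        Suppression(findings[3].fingerprint(), "test fixture placeholder", date(2024, 1, 1)),
    ]
    return evaluate(findings, suppressions, today=date(2025, 6, 1))


if __name__ == "__main__":
    failed, report = run_sample()
    print(json.dumps(report, indent=2))  # the full report is what gets attached to the build
    raise SystemExit(1 if failed else 0)
```

Run as a pipeline step, the exit code decides whether the build proceeds, while the printed report (all four findings, including the medium-severity one that does not block and the suppressed one with its reason) is what should be published as a build artifact. The expiry on suppressions is the part that keeps false-positive decisions from quietly becoming permanent.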

5. Runaway tests

Janca noted that she has seen tests implemented by security teams that run for 18 hours or more, while developers’ own tests run in a fraction of that time.

“If a test runs a really long time, that derails everyone’s work on that team all day,” she said.

6. Impossible SLAs

Many organizations are driven by service-level agreements (SLAs), and in some cases those SLAs are impossible for any security or development team to achieve.

7. Untrained staff

Giving staff the responsibility to complete a task without proper training will generally lead to suboptimal results.

8. Bugs lost in the backlog

DevSecOps teams sometimes place discovered bugs in a “backlog,” to be addressed at some future point.

“I feel like the backlog is a place where bugs go to die, and they just stay there forever,” Janca said.

9. No positive reinforcement

Positive reinforcement and attitude from security teams and leadership are often lacking in DevSecOps.

“Security folks are known for being negative, and we come with bad news,” she said.

10. Only worrying about your part

There are a lot of moving pieces with modern development. When DevSecOps pros are only concerned with their own small piece, it doesn’t always help move the whole project forward.

11. Multiple bug trackers

Janca said she has often seen security professionals use multiple tools to track bugs, making it difficult for development teams to know where to look for issues.

12. Insecure software development lifecycle

Janca said she has seen many teams simply drop in a tool and call that security; that is not enough to secure the software development lifecycle.

13. Overly permissive CI/CD

If everyone has full administrative controls over a CI/CD pipeline, then anyone can disable a test.

14. Automation ONLY in the CI/CD

CI/CD pipelines are typically automated, but there are other areas of development and security that can and should be automated as well.
