The times when projects were created according to the principle “just to bring them to an end” are long gone. Currently, taking care of the security of a given code, project, or application is as important as the application itself. Just as no programmer likes to find out at the end of code writing that the application still needs some feature that changes half of the code, backup, and security issues should be taken into account at the planning stage. The DevSecOps ideology works excellent here, and I am explaining why.
DevOps vs. DevSecOps?
I have already mentioned in GitLab Ci/CD article that DevOps is nothing more than a combination of departments responsible for the development and IT operations. It’s a kind of set of good practices aimed at increasing the cooperation of these two departments and thus accelerating and improving work on a given project. At the turn of recent events, it has also become clear that IT has already appeared in every area of life. This, in turn, began to bring an increasing need to develop applications faster and more efficiently, and the very security of application data and implementations began to become an important issue. No one indeed wants Someone to turn off our refrigerator connected to the Internet remotely, but that also becomes a meaningless issue when we realize that Someone could do the same with a nuclear power plant.
In recent years, the considerable emphasis placed on security has made DevOps evolve into DevSecOps. That is why it’s so important to understand that the DevSecOps pipeline is, in a sense, a further evolution of DevOps and not its competitor. A prime example is the vulnerability CVE-2021-44228, also known as log4shell. This vulnerability was found in the log4j library. The IT world burst into flames, not from the fire of the decay, but from the frantic search for and patching of this vulnerability by all administrators and developers around the globe. To understand why so many programs and systems have been affected by this vulnerability, you need to know what Apache log4j is. It’s a JAVA library and is used in Java Virtual Machine (JVM) and as an attached library for all kinds of produced software that uses or connects to, for example, Apache server. Developed by the Apache Software Foundation as an open-source project, it has been widely used. This is because it’s used to log various events. Unfortunately, the detected vulnerability allowed for the execution of arbitrary code on the server with application privileges, so it’s a critical vulnerability.
Are you switching to a DevSecOps operation model? Remember to secure your code with the first professional GitHub, Bitbucket, GitLab, and Jira backup.
The question is whether, using our CI/CD pipeline, the modern DevSecOps approach, and well-written tests, we can avoid such vulnerabilities in our workflow in the future. I will be frank with you. I spent a few long days analyzing and reviewing the systems it maintains for this vulnerability, and I am not surprised that log4shell is presented as the worst security issue in a decade. I will tell you that the incredible women from the Xopero marketing department also had to endure my failure to meet the deadlines for this reason. I hope they will forgive me someday. Returning to this fascinating topic, let’s now focus on how the IT world is moving towards protecting itself from such security threats in the future. We already know the pipeline workflow that we can automate and, most importantly, carry out regular security tests.
Pipeline and basing the entire application development process on it has become an everyday reality in current projects. The IT world has understood that this improvement supports development and reduces all sorts of problems. It is also important that the largest services such as GitHub focus on DevOps. A great example here is GitLab too, which emphasizes CI/CD, i.e., a set of tools implemented and ready to be used in our pipeline for continuous integration, continuous delivery, and continuous deployment.
Some people call the approach and set of tools behind CI/CD the golden grail in automation of the application development process, and this is not an exaggeration at all. A well-configured one will allow you to automatically create a build, test it, perform security tests, and even if you want to do an automatic deployment, after even the slightest change in the code. Adding to this the fact that GitLab allows you to carry out CI/CD for external repositories, we get a compelling set of tools for automating the production of our projects.
This is not the end, because thanks to CI/CD, in addition to, for example, tests, we can also include manual or automatic backups of our code changes and entire applications after deployment. We can achieve this by adding new steps to our pipeline. Let’s not forget that it may often turn out that we will have to use the GitLab Runner during the tests and deployment process so that the entire process can be carried out correctly. We can automate connection to a remote Docker instance and build and test our application thanks to them. Of course, we can also perform a backup, and here GitProtect will undoubtedly come to the rescue, ensuring that our code is backed-up even with minor changes.
DevSecOps is a set of good practices combining the worlds of development, security, and IT operating. We can say that this is another evolution in the way and approach to application development. It’s worth noting that nowadays, it’s not only the domain of programming and development of all software but the use of DevSecOps as an ideology and approach with good practices can be seen in entire organizations and various projects, sometimes not even related to IT.
Portals such as GitLab are perfect for DevSecOps, as they help teams automate and develop a given project continuously, not forgetting about security. CI/CD is an ideal solution here, as it allows you to perform automatic tests and automated tasks such as deployment, if well planned. However, the most important thing is to have a good and trusted backup solution for our projects. GitProtect is a comprehensive approach to the backup of our projects. Possibilities like scheduling and doing full, differential, and incremental backups are just the beginning of the list. With GitProtect, we get a ready-made product that will allow us to secure and, when necessary, encrypt our backups to further increase our data’s security.