top of page

Unlocking Security Excellence in Activate's DevSecOps Practices

Andre Aliaman, Cloud Engineer

March 25, 2024

Unlocking Security Excellence in Activate's DevSecOps Practices

Key Takeaways

    1. Following Industry Best Practices in SDLC

    2. Putting Security First with DevSecOps

    3. Embracing Efficient CI/CD Development

Known for our excellence and reliability as one of Singapore's top technology consultancies, Activate is deeply committed to constructing secure applications from our foundations. This commitment is evident in our adoption of DevSecOps, a pivotal practice emphasising 'shift-left,' integrating security throughout the development lifecycle. Serving as the cornerstone of our approach, it ensures that security considerations are seamlessly woven into every stage of our software development process.  

 

Our methodologies have evolved through extensive collaboration, experiences with various standardisations, and successful implementations, establishing them as proven pillars for achieving excellence in every project we undertake.  

 

This article, authored by Andre Aliman, will explore some of these practices that consistently yield positive outcomes in our clients’ projects.

 

 

The Importance of Source Code Management 

 

Source Code Management (SCM), or Version Control Systems (VCS), is fundamental to our DevSecOps approach. It helps us track changes made to code, documentation, and other project assets, allowing us to: 

  • Collaborate seamlessly: Teams can work on the same codebase simultaneously without conflicts. 

  • Go back in time: We can quickly revert to previous versions if needed. 

  • Identify changes: We can pinpoint who made what changes and when aiding in troubleshooting and audit trails. 

Essential Components of Version Control 

 

We leverage Git-based tool, a powerful and distributed VCS, to track various project elements, including:

  • Source code: Track every line of code, ensuring all changes are documented and traceable. 

  • Configuration files: Securely manage application settings and environment variables. 

  • Documentation: Maintain version history of project documentation for clear audit trails. 

Extending Utilisation Version Control in Activate for a Streamlined Development Process 

 

To ensure a smooth and organised development process, every significant commit is tagged with a version number and accompanied by comprehensive logs. This allows developers to track target changes in their code and ensure they're well documented, especially for knowledge transfer and debugging purposes. 

 

Activate extends version control beyond code, covering: 

  • Automated Test Scripts or Test Cases: Meticulous tracking of test script changes indirectly ensures consistency and reliability for software releases. 

  • Golden Scripts: We manage our golden script, which is crucial for us to maintain development lifecycle stages, including installation, build, deployment, rollback, migration, and the CI/CD pipeline. 

  • Infrastructure as Code (IaC):   This is a scripting technique that helps simplify the management and creation of infrastructure in a programmatically driven manner, ensuring accurate setup and management of components such as networks, servers, databases, etc 

 

 

Code Merge Practices at Activate  

 

We ensure agility by committing functional code to short-lived branches daily. These branches are swiftly merged into the main repository through pull requests, maintaining a small batch size for quick issue detection. Pull requests are reviewed by peers before merging, ensuring correctness and alignment with respective stories or tickets. 

Our Code Review Practices: 

  • Maintaining small batch sizes for efficient reviews. 

  • Reviews must include changes to test cases when applicable. 

  • Ensuring automated tests pass before approving pull requests. 


Our Practices for Building and Packaging 

 

At Activate, we leverage CI/CD to enhance our SDLC and application quality. We facilitate seamless tracking within the application delivery pipeline by associating code changes with respective tickets. This ensures all features are thoroughly tested before merging into the main trunk. 


“Our methodologies have evolved through extensive collaboration, experiences with various standardisations, and successful implementations, establishing them as proven pillars for achieving excellence in every project we undertake.”

Strengthening Efficiency through Automated CI Pipelines 

 

Our CI pipeline aligns with industry-leading security standards such as IM8 Policy and NIST strategies, thereby bolstering the security posture of all our deployed software. This commitment sets our CI process apart, embedding security considerations at every stage of development. 

 


Automating Essential Triggers for Swift Actions 

 

Within our CI pipeline, we employ automated triggers to initiate crucial tasks like automated tests, Static Application Security Testing (SAST) scans, and code linting/formatting immediately after committing. To enhance efficiency, we strategically schedule slower tests at specific times or trigger them by events. Builds are automatically initiated following the merging of pull requests, ensuring a smooth integration process.



Automatic vs. Manual Triggers 

 

In our approach, we prioritise automatic triggers for efficiency, utilising manual triggers sparingly and selectively when necessary. 

 


Maintaining a Comprehensive Build History 

 

Our CI pipelines are meticulously designed to maintain detailed records of execution and logs, ensuring comprehensive visibility and traceability. Moreover, we are considering using external storage for long-term audit and tracking needs, which would enhance accountability and transparency in our development process. 


 This commitment to DevSecOps allows us to deliver secure, high-quality applications at exceptional speed, giving you peace of mind and a safe experience for your users. 

bottom of page