
Unlocking Security Excellence in Activate's DevSecOps Practices

Andre Aliaman, Cloud Engineer


Key Takeaways

    1. Following Industry Best Practices in SDLC

    2. Putting Security First with DevSecOps

    3. Embracing Efficient CI/CD Development

Known for our excellence and reliability as one of Singapore's top technology consultancies, Activate is deeply committed to constructing secure applications from our foundations. This commitment is evident in our adoption of DevSecOps, a pivotal practice emphasising 'shift-left,' integrating security throughout the development lifecycle. Serving as the cornerstone of our approach, it ensures that security considerations are seamlessly woven into every stage of our software development process.  

 

Our methodologies have evolved through extensive collaboration, experiences with various standardisations, and successful implementations, establishing them as proven pillars for achieving excellence in every project we undertake.  

 

This article, authored by Andre Aliman, will explore some of these practices that consistently yield positive outcomes in our clients’ projects.

 

 

The Importance of Source Code Management 

 

Source Code Management (SCM), or Version Control Systems (VCS), is fundamental to our DevSecOps approach. It helps us track changes made to code, documentation, and other project assets, allowing us to: 

  • Collaborate seamlessly: Teams can work on the same codebase simultaneously without conflicts. 

  • Go back in time: We can quickly revert to previous versions if needed. 

  • Identify changes: We can pinpoint who made what changes and when, aiding in troubleshooting and audit trails. 

Essential Components of Version Control 

 

We leverage Git-based tools, a powerful and distributed VCS, to track various project elements, including:

  • Source code: Track every line of code, ensuring all changes are documented and traceable. 

  • Configuration files: Securely manage application settings and environment variables. 

  • Documentation: Maintain version history of project documentation for clear audit trails. 

Extending the Use of Version Control at Activate for a Streamlined Development Process 

 

To ensure a smooth and organised development process, every significant commit is tagged with a version number and accompanied by comprehensive logs. This allows developers to trace specific changes in their code and ensure they're well documented, especially for knowledge transfer and debugging purposes. 

 

Activate extends version control beyond code, covering: 

  • Automated Test Scripts or Test Cases: Meticulous tracking of test script changes indirectly ensures consistency and reliability for software releases. 

  • Golden Scripts: We manage our golden script, which is crucial for us to maintain development lifecycle stages, including installation, build, deployment, rollback, migration, and the CI/CD pipeline. 

  • Infrastructure as Code (IaC): This is a scripting technique that simplifies the creation and management of infrastructure in a programmatic, repeatable manner, ensuring accurate setup and management of components such as networks, servers, databases, etc. 

 

 

Code Merge Practices at Activate  

 

We ensure agility by committing functional code to short-lived branches daily. These branches are swiftly merged into the main repository through pull requests, maintaining a small batch size for quick issue detection. Pull requests are reviewed by peers before merging, ensuring correctness and alignment with respective stories or tickets. 

Our Code Review Practices: 

  • Maintaining small batch sizes for efficient reviews. 

  • Reviews must include changes to test cases when applicable. 

  • Ensuring automated tests pass before approving pull requests. 


Our Practices for Building and Packaging 

 

At Activate, we leverage CI/CD to enhance our SDLC and application quality. We facilitate seamless tracking within the application delivery pipeline by associating code changes with respective tickets. This ensures all features are thoroughly tested before merging into the main trunk. 


Strengthening Efficiency through Automated CI Pipelines 

 

Our CI pipeline aligns with industry-leading security standards such as IM8 Policy and NIST strategies, thereby bolstering the security posture of all our deployed software. This commitment sets our CI process apart, embedding security considerations at every stage of development. 

 


Automating Essential Triggers for Swift Actions 

 

Within our CI pipeline, we employ automated triggers to initiate crucial tasks like automated tests, Static Application Security Testing (SAST) scans, and code linting/formatting immediately after committing. To enhance efficiency, we strategically schedule slower tests at specific times or trigger them by events. Builds are automatically initiated following the merging of pull requests, ensuring a smooth integration process.
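The following workflow is an added illustration of the trigger scheme described in this section and in the code review practices above; it is not Activate's own pipeline. It assumes a GitHub Actions runner, a Python code base, ruff for linting/formatting, pytest for tests, CodeQL as the SAST scanner, and a Dockerfile at the repository root; all job names, paths and the nightly cron time are assumptions.

```yaml
# Added example (not the project's own workflow). Fast checks gate every
# pull request, the build runs only after a merge to main, slow tests run
# on a nightly schedule, and a manual trigger is kept for exceptional cases.
name: ci

on:
  pull_request:
    branches: [main]       # fast checks on every PR: lint, unit tests, SAST
  push:
    branches: [main]       # build and package after the PR is merged
  schedule:
    - cron: "0 2 * * *"    # slower tests run nightly, not on every commit
  workflow_dispatch:       # manual trigger, used sparingly

permissions:
  contents: read
  security-events: write   # lets the SAST job upload its findings

jobs:
  lint:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install ruff
      - run: ruff check . && ruff format --check .

  unit-tests:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt pytest
      - run: pytest tests/unit -q          # assumed test layout

  sast:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3

  slow-tests:
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt pytest
      - run: pytest tests/integration -q   # assumed slow-test layout

  build:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Tag the image with the commit SHA so every build traces back to
      # the exact change that produced it.
      - run: docker build -t app:${{ github.sha }} .
      - run: docker save app:${{ github.sha }} -o app-${{ github.sha }}.tar
      # Keep the packaged artifact alongside the run logs for the build history.
      - uses: actions/upload-artifact@v4
        with:
          name: app-${{ github.sha }}
          path: app-${{ github.sha }}.tar
          retention-days: 90
```

The "automated tests pass before approving" rule is not enforced by the workflow alone: the `lint`, `unit-tests` and `sast` jobs have to be marked as required status checks in the repository's branch protection for `main`, so that a pull request cannot be merged while any of them is failing.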



Automatic vs. Manual Triggers 

 

In our approach, we prioritise automatic triggers for efficiency, utilising manual triggers sparingly and selectively when necessary. 

 


Maintaining a Comprehensive Build History 

 

Our CI pipelines are meticulously designed to maintain detailed records of execution and logs, ensuring comprehensive visibility and traceability. Moreover, we are considering using external storage for long-term audit and tracking needs, which would enhance accountability and transparency in our development process. 


This commitment to DevSecOps allows us to deliver secure, high-quality applications at exceptional speed, giving you peace of mind and a safe experience for your users. 
