No, this is not an article about criteria for picking the Most Valuable Player in your company, this is about the DevSecOps culture in the year of the release of your Minimum Viable Product (MVP). You got a product released, it caught the eyes of some sharks, dragons or angels and they decided to back you up… awesome. So you got your Series A banked, you celebrated, you rewarded your employees with bonuses and office pool tables and tap beer in the canteen… Congratulations, you finished the intro level. You are now in the game.

What’s the next step?! You invest heavily in marketing, you start hiring ruthlessly, maybe you bring in a squadron of contractors, the brand is forming… Can you handle it?! It depends on your processes. Process is a term I do not use lightly. No company can handle rapid growth in headcount and/or customers without a well-defined governing process for how things are done. Enter the DevSecOps culture. I intentionally used the term “culture” and not “team” or “engineer(s)” or something similar, because my belief is that DevSecOps should be more than just a job position. DevSecOps means above all else “awareness”: awareness of your Development, Security, and Operations processes. The DevSecOps engineers are those responsible for putting those processes in place, and they have the not-so-gratifying role of “process police”. The moment right after securing your investment is the opportune moment to take a step back and reflect on several aspects of your software.

Assess

First things first. Get the band together, sit down in a circle, and take a bird’s-eye view of everything. Better yet, take an eagle-eye view: zoom in closely on everything. The most common corners cut during the development of an MVP are in the areas of:

  • Security
  • Integrations
  • Change tracking
  • Performance
  • Documentation

Every company building an MVP is willing to sweep a bit of technical debt under the rug here and there in one or more of these areas, and that is understandable to some extent. But now that the MVP is out and investment is secured and expansion is more likely to happen, you have no excuse not to double back and address this.

Security

When you started building the app you created all the users in your cloud provider account with administrator permissions. That’s fine, they all needed to get things done quickly, and having a single admin could potentially be a bottleneck.

Furthermore, your team is distributed, so you allow access to your resources (e.g. database) from everywhere because the developers can work faster if they can just hook up their local machine directly to the staging or even production database, but that’s also fine because you put a super-secure password on the database user.

Enter DevSecOps awareness. The corners that were cut to get things moving faster are now a potential risk for a major issue in the future. With business “booming” there’s bound to be someone who will look to exploit any vulnerability that new software is likely to have. Whether that is for a bounty, intentional damage, or just for the sake of it is irrelevant.

In summary, here’s a security checklist:

  • Revoke everyone’s admin permissions and apply the Least Privilege Principle.
  • Rotate all access keys. It’s always nice to have a fresh start and to see all the green checkmarks next to your IAM users.
  • Close off access to your internal resources. Set up VPNs, Session Managers, etc.
  • Manage your secrets properly. AWS Secrets Manager, HashiCorp Vault, s3vaultlib, etc.
  • Isolate your environments.
  • Set up a Disaster Recovery procedure.
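The first three items of the checklist (least privilege, key rotation, closing off internal resources) are the kind of thing you want to check continuously rather than once. The following is an added example, not code from the original post: a small Python audit that runs over a snapshot of account data and flags users with wildcard admin policies, access keys older than a rotation window, and security group rules that expose a database port to the whole internet. The snapshot is constructed inline and only loosely mirrors the shape of an AWS IAM/EC2 inventory; the field names, the 90-day window, and the helper names are assumptions for illustration.

```python
"""Least-privilege audit over a constructed snapshot of cloud account data.

Added example, not code from the original post. The snapshot below is
constructed and only loosely shaped like an AWS IAM/EC2 inventory; field
names, thresholds and helper names are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed snapshot: two IAM users with their policies and access keys,
# plus two security groups guarding databases.
SNAPSHOT = {
    "users": [
        {
            "name": "alice",
            "policies": [{"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"},
            ]}],
            "access_keys": [{"id": "EXAMPLEKEY1", "created": NOW - timedelta(days=400)}],
        },
        {
            "name": "ci-deployer",
            "policies": [{"Statement": [
                {"Effect": "Allow",
                 "Action": ["s3:PutObject", "s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-artifacts/*"},
            ]}],
            "access_keys": [{"id": "EXAMPLEKEY2", "created": NOW - timedelta(days=30)}],
        },
    ],
    "security_groups": [
        {"name": "staging-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "prod-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
}

# Rotation window: keys older than this are reported (assumed policy value).
MAX_KEY_AGE = timedelta(days=90)
ANYWHERE = ("0.0.0.0/0", "::/0")


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_admin_statement(stmt):
    """True when an Allow statement grants every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def find_admin_users(snapshot):
    """Names of users holding at least one full-admin statement."""
    return sorted(
        u["name"] for u in snapshot["users"]
        if any(is_admin_statement(s) for p in u["policies"] for s in p["Statement"])
    )


def find_stale_keys(snapshot, now=NOW, max_age=MAX_KEY_AGE):
    """(user, key id) pairs whose access key is older than the rotation window."""
    return sorted(
        (u["name"], k["id"])
        for u in snapshot["users"] for k in u["access_keys"]
        if now - k["created"] > max_age
    )


def find_open_ingress(snapshot):
    """(security group, port) pairs reachable from any address."""
    return sorted(
        (sg["name"], rule["port"])
        for sg in snapshot["security_groups"] for rule in sg["ingress"]
        if rule["cidr"] in ANYWHERE
    )


def build_findings(snapshot, now=NOW):
    """Collect all findings so a CI job can fail when any list is non-empty."""
    return {
        "admin_users": find_admin_users(snapshot),
        "stale_keys": find_stale_keys(snapshot, now),
        "open_ingress": find_open_ingress(snapshot),
    }


if __name__ == "__main__":
    for kind, items in build_findings(SNAPSHOT).items():
        print(f"{kind}: {items or 'none'}")
```

Run as a scheduled job, a non-empty finding list is the signal that a corner cut during the MVP phase has crept back in; feeding it real data means replacing the constructed snapshot with the output of your provider's inventory API, which is the only part that changes.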

Continuous Integration/Delivery

OK, in today’s world it is somewhat of a must to run CI at least, right from the start. If you do, great, this should make things easier. Nevertheless, with a sudden expansion of your team of engineers, a properly set up CI (or even better, CD) process can mean the difference between success and failure. How do you justify to your team a release process that takes several hours of hands-on work just to fix a certain bug or roll out a new feature?! You don’t. You automate it. You automate everything possible. In order to be able to cope with the sudden increase in traffic and team velocity, a proper CI/CD pipeline is a must.

  • Continuous builds and tests
  • Promote artifacts, don’t promote code
  • Maintain backward compatibility as much as possible
  • Release small, release often
  • Feature switches are your best friend
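“Promote artifacts, don’t promote code” is the item on this list that most often stays a slogan. The following is an added example, not code from the original post: a minimal promotion ledger in Python that records the SHA-256 digest of each build and lets an environment accept an artifact only if those exact bytes were already approved in the preceding stage. Anything rebuilt from source (even from the same commit) has a different digest and is refused at production until it has gone through staging. The stage names, the ledger class and its method names are assumptions for illustration.

```python
"""Promote artifacts, don't promote code: a minimal promotion ledger.

Added example, not code from the original post. Stage names and the
PromotionLedger API are assumptions for illustration.
"""
import hashlib

# Ordered pipeline stages (assumed); an artifact may only enter a stage
# after the identical bytes were approved in the previous one.
STAGES = ["build", "staging", "production"]


def digest(artifact: bytes) -> str:
    """Content identity of an artifact: the hex SHA-256 of its bytes."""
    return hashlib.sha256(artifact).hexdigest()


class PromotionLedger:
    def __init__(self):
        # stage name -> set of digests approved at that stage
        self.approved = {stage: set() for stage in STAGES}

    def register_build(self, artifact: bytes) -> str:
        """Record a CI build output and return its digest."""
        d = digest(artifact)
        self.approved["build"].add(d)
        return d

    def promote(self, artifact: bytes, to_stage: str) -> bool:
        """Accept `artifact` into `to_stage` only if the same bytes passed the stage before it.

        Returns False (and records nothing) when the digest was never
        approved upstream, which is exactly what happens to a rebuilt
        binary that skipped staging.
        """
        idx = STAGES.index(to_stage)
        if idx == 0:
            raise ValueError("use register_build() for the build stage")
        d = digest(artifact)
        if d not in self.approved[STAGES[idx - 1]]:
            return False
        self.approved[to_stage].add(d)
        return True

    def is_live(self, artifact: bytes, stage: str) -> bool:
        """True when these exact bytes were approved for `stage`."""
        return digest(artifact) in self.approved[stage]


def demo():
    """Walk one artifact through the pipeline and refuse a laptop rebuild (constructed bytes)."""
    ledger = PromotionLedger()
    built = b"app v1.0.0 binary produced by CI (constructed)"
    rebuilt = b"app v1.0.0 binary rebuilt on a laptop (constructed)"
    ledger.register_build(built)
    steps = {
        "ci_build_to_staging": ledger.promote(built, "staging"),
        "staging_to_production": ledger.promote(built, "production"),
        "rebuild_straight_to_production": ledger.promote(rebuilt, "production"),
        "rebuild_to_staging_unregistered": ledger.promote(rebuilt, "staging"),
    }
    return steps


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step}: {'accepted' if accepted else 'refused'}")
```

The point of keying everything on the digest rather than on a version tag is that tags are mutable and digests are not: the bytes that were tested in staging are provably the bytes that reach production, and a hotfix that bypasses the pipeline simply cannot be deployed.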

#funding #startup #software #devops #devsecops

DevSecOps: Anno MVP