DevSecOps: Anno MVP

No, this is not an article about criteria for picking the Most Valuable Player in your company. This is about the DevSecOps culture in the year you release your Minimum Viable Product (MVP). You got a product released, it caught the eye of some sharks, dragons or angels, and they decided to back you… awesome. So you got your Series A banked, you celebrated, you rewarded your employees with bonuses and office pool tables and tap beer in the canteen… Congratulations, you finished the intro level. You are now in the game.

What’s the next step?! You invest heavily in marketing, you start hiring ruthlessly, maybe you bring in a squadron of contractors, the brand is forming… Can you handle it?! It depends on your processes. Process is a term I do not use lightly. No company can handle rapid growth in employees and/or customers without a well-defined governing process for how things are done. Enter the DevSecOps culture. I intentionally used the term “culture” and not “team” or “engineer(s)” or something similar, because my belief is that DevSecOps should be more than just a job position. DevSecOps means, above all else, awareness: awareness of your Development, Security, and Operations processes. The DevSecOps engineers are the ones responsible for putting those processes in place, and they have the not-so-gratifying role of “process police”. The moment right after securing your investment is the opportune moment to take a step back and reflect on several aspects of your software.

Assess

First things first. Get the band together, sit down in a circle, and take a bird’s-eye view of everything. Then take an eagle-eye view as well: zoom in closely on everything. The most common corners cut during the development of an MVP are in the areas of:

  • Security
  • Integrations
  • Change tracking
  • Performance
  • Documentation

Every company building an MVP is willing to sweep a bit of technical debt under the rug in one or more of these areas, and that is understandable to some extent. But now that the MVP is out, the investment is secured, and expansion is likely, you have no excuse not to double back and address it.

Security

When you started building the app you created all the users in your cloud provider account with administrator permissions. That’s fine, they all needed to get things done quickly, and having a single admin could have become a bottleneck.

Furthermore, your team is distributed, so you allow access to your resources (e.g. the database) from everywhere, because developers work faster if they can hook their local machine directly up to the staging or even production database. That’s also fine, because you put a super-secure password on the database user.
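The “access from everywhere” rule described above is visible in the account as a security group ingress rule from 0.0.0.0/0 or ::/0 on a database port. The following is an added example, not code from the original article: it walks a constructed sample in the shape of `aws ec2 describe-security-groups` JSON (group IDs and the 203.0.113.10 office address are made up), flags every datastore port reachable from the whole internet, and prints the rule that should replace it (same port, but sourced from a VPN, bastion or application-tier security group rather than a CIDR).

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output.
# Group IDs and the 203.0.113.10 "office" address are made up for this example.
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60001",
            "GroupName": "staging-postgres",
            "IpPermissions": [
                # the "developers need access" rule: Postgres open to the whole IPv4 internet
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "devs"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # SSH from a single office address: narrow, not flagged
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f60002",
            "GroupName": "prod-mysql",
            "IpPermissions": [
                # all protocols and ports from anywhere over IPv6: covers every datastore port
                {"IpProtocol": "-1", "IpRanges": [],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
                # MySQL only from the application tier's security group: the shape we want
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60003"}]},
            ],
        },
    ]
})

# TCP ports of the datastores an MVP typically exposes by accident.
DATASTORE_PORTS = {5432: "postgres", 3306: "mysql", 27017: "mongodb", 6379: "redis"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0 (any prefix of length 0), i.e. the 'from everywhere' rules."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(perm, port):
    """IpProtocol '-1' means all traffic; otherwise only TCP rules whose range includes the port."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_datastores(describe_output_json):
    """Return sorted (group_id, port, service, cidr) tuples for datastore ports open to the internet."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                for port, service in DATASTORE_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.append((sg["GroupId"], port, service, cidr))
    return sorted(findings)


def restricted_rule(port, source_sg):
    """The replacement: same port, reachable only from a VPN/bastion or app-tier security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


if __name__ == "__main__":
    for gid, port, service, cidr in find_exposed_datastores(SAMPLE_DESCRIBE_SECURITY_GROUPS):
        print(f"{gid}: {service} ({port}/tcp) reachable from {cidr}")
        print("  replace with:", json.dumps(restricted_rule(port, "sg-VPN-OR-APP-TIER")))
```

Two things are deliberate here: an “all traffic” rule (`IpProtocol` of `-1`) is expanded to every datastore port rather than skipped, and the fix references another security group instead of a narrower CIDR, so the rule keeps working when the VPN or application hosts change address.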

Enter DevSecOps awareness. The corners cut to get things moving faster are now a potential source of a major incident. With business “booming”, there is bound to be someone looking to exploit whatever vulnerabilities new software is likely to have. Whether that is for a bounty, for intentional damage, or just for the sake of it is irrelevant. Note also that the super-secure password above does not help once the credential leaks from a laptop or a repository, or when the database software itself has an unpatched bug: the exposure is the network path, not the password strength.

In summary, here’s a security checklist:

  • Revoke everyone’s admin permissions and apply the principle of least privilege: people get roles scoped to what they actually do, and service accounts get only the actions they need.
  • Rotate all access keys. It’s always nice to have a fresh start and to see all the green checkmarks next to your IAM users. Prefer short-lived credentials (assumed roles) over long-lived access keys wherever the workload allows it.
  • Close off access to your internal resources. Set up a VPN, a session manager (e.g. AWS Systems Manager Session Manager) or a bastion, and restrict database security groups to the application and VPN tiers instead of 0.0.0.0/0.
  • Manage your secrets properly: AWS Secrets Manager, HashiCorp Vault, s3vaultlib, etc. Get them out of repositories, .env files and CI logs.
  • Isolate your environments: separate accounts, or at least separate networks and credentials, for staging and production.
  • Set up a Disaster Recovery procedure, and test the restore, not just the backup.
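The rotation and “green checkmarks” items in the checklist can be checked mechanically from the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 --decode`). The following is an added example, not code from the original article: it audits a constructed report (account ID, user names and dates are made up) for active root access keys, console users without MFA, keys older than 90 days, and keys unused for 45 days. Admin policy attachments are not in this report; those come from `aws iam list-attached-user-policies` and are outside this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of a decoded IAM credential report.
# Account ID, user names and dates are made up for this example.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-05T10:00:00+00:00,not_supported,2023-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2022-01-05T10:00:00+00:00,2023-04-20T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-01-06T10:00:00+00:00,true,2023-05-30T08:00:00+00:00,2023-03-01T00:00:00+00:00,N/A,true,true,2023-04-01T00:00:00+00:00,2023-05-30T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-01-06T10:00:00+00:00,true,2023-05-29T08:00:00+00:00,2022-01-06T10:00:00+00:00,N/A,false,true,2022-01-06T10:00:00+00:00,2022-11-01T09:00:00+00:00,eu-west-1,rds,true,2022-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-02-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-05-15T00:00:00+00:00,2023-05-31T07:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)   # pinned so the example is deterministic
MAX_KEY_AGE = timedelta(days=90)                   # rotate anything older than this
MAX_UNUSED = timedelta(days=45)                    # revoke anything not used for this long


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return sorted (user, code, detail) findings for the key-rotation and MFA checklist items."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console access (root always has it) without MFA.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "no-mfa", "console login possible without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key",
                                 f"root has active access key {slot}: delete it, use IAM roles"))
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, "key-too-old",
                                 f"access key {slot} is {(now - rotated).days} days old: rotate"))
            # A key that was never used counts from its creation date.
            reference = last_used or rotated
            if reference and now - reference > MAX_UNUSED:
                findings.append((user, "key-unused",
                                 f"access key {slot} unused for {(now - reference).days} days: revoke"))
    return sorted(findings)


if __name__ == "__main__":
    for user, code, detail in audit_credential_report(SAMPLE_CREDENTIAL_REPORT):
        print(f"{user:15} {code:16} {detail}")
```

On the sample, alice (recent key, MFA on) and the ci-deployer user (no console password, key rotated two weeks ago) come out clean; the root account and bob carry all eight findings. Running this in CI against the real report, with a non-zero exit on any finding, is what turns the checklist item into a standing control instead of a one-off cleanup.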

Continuous Integration/Delivery

Ok, in today’s world it is pretty much a must to run CI at least, right from the start. If you do, great, this should make things easier. Nevertheless, with a sudden expansion of your engineering team, a properly set up CI (or, even better, CD) process can mean the difference between success and failure. How do you justify to your team a release process that takes several hours of hands-on work just to fix a bug or roll out a new feature?! You don’t. You automate it. You automate everything possible. In order to cope with the sudden increase in both traffic and team velocity, a proper CI/CD pipeline is a must.

  • Continuous builds and tests
  • Promote artifacts, don’t promote code: build once, test that build, and deploy the same immutable artifact (same digest) to every environment. Rebuilding per environment means production runs something that was never tested.
  • Maintain backward compatibility as much as possible
  • Release small, release often
  • Feature switches are your best friend: ship dark, enable per environment or per cohort, and turn a bad feature off without a rollback.
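The “promote artifacts, don’t promote code” rule is easiest to see as a small model of the pipeline. The following is an added example, not code from the original article: an in-memory pipeline (the class, method and environment names are assumptions for illustration) in which bytes become an artifact exactly once, the artifact is identified by its SHA-256 digest, promotion only moves a tested digest one environment forward, and the deploy step recomputes the digest of what is about to run. A rebuild of the same commit yields a different digest and cannot be pushed to production.

```python
import hashlib


class PromotionError(Exception):
    """Raised when a step tries to skip the build-once, promote-forward discipline."""


# Environments in promotion order; an artifact may only move one step forward.
ENV_ORDER = ["ci", "staging", "production"]


def digest_of(bundle):
    """Content address of the built artifact (what a container registry calls the image digest)."""
    return "sha256:" + hashlib.sha256(bundle).hexdigest()


class ArtifactPipeline:
    """Build once, test that build, then move the same digest through every environment."""

    def __init__(self):
        self.artifacts = {}                                # digest -> metadata
        self.deployed = {env: None for env in ENV_ORDER}   # env -> digest currently running

    def build(self, version, commit, bundle):
        """The only place bytes turn into an artifact; returns the immutable reference."""
        digest = digest_of(bundle)
        self.artifacts[digest] = {"version": version, "commit": commit, "tested": False}
        self.deployed["ci"] = digest
        return digest

    def record_tests_passed(self, digest):
        self.artifacts[digest]["tested"] = True

    def promote(self, digest, to_env):
        """Move a digest one environment forward; refuse unknown, untested or leapfrogging artifacts."""
        if digest not in self.artifacts:
            raise PromotionError(f"{digest} was never built by this pipeline")
        if not self.artifacts[digest]["tested"]:
            raise PromotionError(f"{digest} has not passed tests")
        if to_env == ENV_ORDER[0]:
            raise PromotionError(f"{to_env} is populated by build(), not by promotion")
        previous = ENV_ORDER[ENV_ORDER.index(to_env) - 1]
        if self.deployed[previous] != digest:
            raise PromotionError(f"{digest} is not running in {previous}; cannot skip to {to_env}")
        self.deployed[to_env] = digest
        return digest

    def verify_before_start(self, env, bundle):
        """On the host, recompute the digest of the bytes about to run and compare with the record."""
        return digest_of(bundle) == self.deployed[env]


def demo():
    """Walk one release through the pipeline and return the checks a CI job would assert."""
    p = ArtifactPipeline()
    # Constructed stand-in for a built container image or zipped bundle.
    bundle = b"app v1.4.0 built from commit 3f2a9c1\n"
    digest = p.build("1.4.0", "3f2a9c1", bundle)
    p.record_tests_passed(digest)
    p.promote(digest, "staging")
    p.promote(digest, "production")

    # "Promoting code" instead: rebuilding the same commit elsewhere gives different bytes,
    # hence a different digest, and that artifact was never tested.
    rebuilt = p.build("1.4.0", "3f2a9c1", b"app v1.4.0 built from commit 3f2a9c1 (other toolchain)\n")
    try:
        p.promote(rebuilt, "production")
        skipped_ahead = True
    except PromotionError:
        skipped_ahead = False

    return {
        "production_digest": p.deployed["production"],
        "prod_matches_tested": p.deployed["production"] == digest,
        "tampered_bundle_rejected": not p.verify_before_start("production", bundle + b"#"),
        "rebuild_blocked": not skipped_ahead,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In a real pipeline the digest is the registry’s image digest or the checksum of the release archive, the “deployed” table is whatever the orchestrator reports as running, and the pre-start verification is the step that makes a swapped or tampered artifact fail closed rather than silently run.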
