Equinox IT Blog

Forget DevSecOps and DevTestOps - your DevOps should have these baked-in

I hate DevSecOps. I hate DevTestOps. I'm not too fond of any term between the Dev and the Ops.

I'm not saying you shouldn't do security, testing or any value-add elements of the Software Development Life Cycle (SDLC), because you should. In fact, you must.

Dev-Anything-Ops

You should shift all the things left as much as you can.

It irks me when you take something so fundamental and try to call it DevSomethingOps, as if it were some new way to slice a loaf of bread, because it is not.

Let's go back to the basics. Why DevOps? One of my favourite definitions is "to deliver more value, faster, and safer". We want to ensure that what we deliver is repeatable, tested for function and quality (including security), immutable, and moves us forward.

And this applies whether we are deploying to a production environment or some janky test rig. We must include security testing in all layers (or at least as much as practicable) of our delivery pipeline for every run, not just those that go to Production.

We all know that the cost of fixing a defect or vulnerability rises steeply the further right it is found along the deployment chain. Why would you skip something as fundamental as security testing just because the build isn't going to be pushed out blinking into the sunlight just yet?

The sooner we find our mistakes, the quicker and cheaper they are to fix, and the less chance anyone else sees them first.

Remember to bake in your security testing, both internal and external facing. Wiring layers of security testing into the pipeline costs no more than bolting them on at the end, and because the findings arrive earlier, when they are cheapest to act on, it usually costs less overall.

For example, on public repos GitHub lets you enable code scanning, secret scanning and dependency review at no cost. Adding GitHub Advanced Security to your organisation enables the same features on your private repos and adds the security overview, which rolls up findings across all of them.
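Here is what "baked in for every run" looks like as a GitHub Actions workflow. This is an added example, not code from the original post or from GitHub's own documentation: it runs CodeQL code scanning on every push and pull request to any branch, and a dependency review on every pull request. The language list, the severity threshold and the file name are assumptions; adjust them to your repo. Secret scanning (and its push protection) is switched on in the repository or organisation security settings rather than in a workflow, so it is not shown here.

```yaml
# .github/workflows/security.yml  (added example, not from the original post)
name: security-checks

# Trigger on every push and every pull request, on any branch, so the same
# checks run for a feature branch or a janky test rig as for the release branch.
on:
  push:
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload CodeQL results to code scanning
  pull-requests: write     # lets dependency-review post its summary on the PR

jobs:
  codeql:
    name: CodeQL code scanning
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumption: a JavaScript/TypeScript project. Add or replace entries
        # (e.g. python, java-kotlin, go, csharp) to match the repository.
        language: [javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    name: Dependency review
    # The action diffs the dependency manifests between the PR base and head,
    # so it only makes sense on pull_request events.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Assumption: block merges that introduce high or critical advisories.
          fail-on-severity: high
          comment-summary-in-pr: always
```

Both jobs report back on the pull request, so a vulnerable dependency or a CodeQL finding blocks the merge long before anything is tagged for production. On a private repo, both the CodeQL upload and the dependency review require GitHub Advanced Security to be enabled for the organisation.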

Adding security testing can be as simple as checking the marketplace for your CI/CD tool of choice, and I'm sure you will find many options. And if not, get in touch, and I can help you get up and running with GitHub!

Just, please, don't call it DevSomethingOps.

To learn more about accelerating your business with DevOps, register now for our events: Wellington on 7 September and Auckland on 9 September.

