Criteria to Choose DevSecOps Platform
Introduction
DevSecOps has become de facto for organizations as the threat landscape is expanding fast. Organizations also have to adhere to different compliances and security norms that make the DevSecOps adoption a perfect choice. But when the organization decides to make the shift, there is a lot of confusion around the implementation like what transformations are needed in terms of processes, tools, and cultural shift? One also has to opt for the correct platform for DevSecOps adoption. These questions and choices may sound a little overwhelming. In this blog, we will explore some of the criteria one must consider while opting for a DevSecOps platform whether it is an end-to-end DevSecOps platform or a customized one.
Evolution of the software development process
If we think of the way projects were built in the past, we can see considerable changes in the processes as well as tools. As businesses are going online, 24*7 availability has become a business necessity. Also, rapidly changing business needs expect them to be agile and flexible. As a result, Automation has emerged as de facto. With Agile methodology, deliveries became faster but rapid changes made the use of third-party and open-source components unavoidable. This led to the introduction of vulnerability in the code. Also, the applications started moving to the cloud and in turn containers. This expanded the treat landscape even more. If the security checks are carried out at the end just before the project is about to jump into the production environment, fixing the vulnerabilities becomes 3X costlier.
That’s why DevSecOps could make its debut. In DevSecOps security is taken care of right from the development phase. This is called shift-left. The developers are enabled to identify and fix the vulnerabilities in the code as they write the code. The vulnerabilities are also identified in the third-party components, open-source components, and container images. Automation is implemented at every phase to speed up the process.
This change introduced new challenges in terms of tool choices, team enablement, big technology stack developing the mindset of the team, and of course the investment. But, the benefits are visible, so more and more organizations are ready to ride the DevSecOps wave.
Now the question is “Which DevSecOps platform?” one must opt for? Let’s ponder on some of the criteria one must think of while making a choice among different available DevSecOps platforms.
Get Set Go…
Creating a Roadmap
DevSecOps is not the destination but it’s a journey that imbibes security at every life cycle phase of the project. It is essential to create a roadmap and identify the milestones so that one can assess the achievement of the DevSecOps adoption. The major adoption in DevSecOps is Security. One can either plan a complete DevSecOps adoption in one go or the incremental one where CICD and some of the app security features like SAST and SCA can be implemented first and other security measures like IaC and Container Image security scanning can be adopted later (Depending on the priority). Implementation of the new tool needs training and adoption by the team members. One has to build a team’s mindset to adopt these changes smoothly.
Criteria to choose DevSecOps platform
There are various end-to-end DevSecOps platforms available in the market. One can even opt for the chain of varied tools from different vendors to make customized DevSecOps platforms.
Before jumping to the discussion of the tools and platforms, let’s have a quick glance at a list of genres of tools in DevSecOps.
One can choose one or more tools in a single genre to have a customized DevSecOps Platform.
Criterion 1: End-to-end platform or Customized platform
When companies make the first move to embrace DevSecOps, it is advisable that the adoption has to be incremental. If the projects are small in number and size, one can opt for different tools in the different life cycle phases of DevSecOps project development.
e.g. You can have a set of tools like Jenkins for CI-CD, Snyk for SAST, and use Open telemetry for observability.
If the projects are complex and more in number, one should opt for a single complete DevSecOps platform where you get complete visibility across the platform and different life cycle phases are able to communicate with each other.
End-to-end DevSecOps Platforms
Looking at the big list of tools DevSecOps may sound complex but there are a few end-to-end DevSecOps platforms that span all the above genres and offer better connectivity among different life cycle phases. Let’s have a look at two such end-to-end DevSecOps Platforms.
GitLab: GitLab is well known for its Source Code Management, but the platform has much more to offer when it comes to DevSecOps.
It is an end-to-end DevSecOps platform that shows multiple capabilities like Source code management, CI-CD, Application Security, Observability, and Value Stream Management. Moreover, GitLab is Open Source. It is also available as Community Edition. It also has powerful AI ML capabilities.
GitHub: This is an end-to-end DevSecOps Platform. One has to install different components to make GitHub a complete DevSecOps platform [ GitHub Actions for CI-CD or CodeQL for Security Checks]. It also has excellent AI ML capabilities like Copilot(AI pair Programmer)
Criterion 2: Saas Version or self-managed
In the Saas Version of DevSecOps, you need not bother about the setup. While in the self-hosted (Installed On-Prem) one has to manage the DevSecOps platform on its own, right from the installation, and security to maintenance. Also, backup, privacy, security, and updates should be managed in-house.
Most organizations opt for the On-Prem/ Self Hosted version for security reasons. It gives them the freedom to implement their own security practices. Again, being on-prem makes the system less vulnerable as one can choose the security guardrails as per the requirement.
Saas’s version of platforms may offer different sets of features to different user groups. E.g On a GitLab self-managed instance, a GitLab subscription provides the same set of features for all users. On GitLab SaaS, you can apply a subscription to a group namespace. You cannot apply a subscription to a personal namespace.
Community edition Vs paid platforms
This decision totally depends on the types of projects, the complexity of projects, the volume of the projects, and the kind of support one requires. One can always start with the community edition for small projects and go for the paid versions as and when one decides to expand their DevSecOps capability.
Level Of Security and Compliances
SAST, DAST, SCA, Dependency Scanning, and Container Image Scanning are some of the security scanning one has to implement while adopting DevSecOps. One must check whether all these security scans are supported by the platform and the level of automation it supports while remediating it. One can also opt for Application Security tools like Snyk, Fortify, Checkmarx, etc.
You must also investigate whether the platform aligns itself to achieve the required compliances.
Documentation
Once the application is onboarded the documentation support plays a critical role. Well well-documented platform makes tool adoption easier and avoids long trails of support communication for small queries.
Integrations
It is necessary to check if the new platform is capable of integrating with existing and new tools. One may continue with the existing tools to avoid migrations and other
Service and Support
After-sales support includes training on the use of the product, updates for software, implementation support, etc. One must check the availability of after-sales support to have hassle-free adoption of the platform.
You also need to check the promptness, type of support, and the available support channels.
Resource Intensiveness :
Is the platform heavy or lightweight? If the platform itself has a bigger footprint and consumes more resources, we need to make provision for the required resources in order to use it optimally.
Conclusion
While embracing DevSecOps, one has to plan a roadmap and choose the tools or end-to-end DevSecOps platform accordingly. Incremental adoption is advisable where one can start with a few DevSecOps capabilities like CI CD, SAST, DAST, and observability and later can add more capabilities as and when the model achieves some maturity. Similarly choosing an on-prem or SaaS version is a decision that has to be taken considering company policies. Saas versions have their own benefits. It’s advisable to start with the community edition tools and promote to the paid versions once you achieve some maturity in the DevSecOps capability. Level of Security, Compliance, Documentation, and Support are some more criteria that one must check out before landing on a final decision.
By Sonal Kakar.