DevSecOps: Turning Disillusionment into Enlightenment

The purpose and intent of DevSecOps is to create the mindset within the enterprise that “everyone is responsible for security.”

In order to succeed, all stakeholders in the software development process — from Dev to QA to Ops — must adopt security as a key component that’s fully integrated throughout the software development process. This means making security part of an application’s DNA, starting from its initial conception all the way through to the release.

But for most enterprises, DevSecOps still remains aspirational. Much of the blame can be attributed to the difficulties of implementing such a culture change, but it’s also partly due to a lack of DevSecOps tools that are easy to adopt and won’t get in everyone’s way. That’s where the ActiveState Platform can help.


Transparency is Key to DevSecOps Enlightenment

The ActiveState Platform provides a plugin for interpreted languages (such as Python), which can be installed directly into the runtime environment interpreter. The plugin then monitors the application at runtime for vulnerabilities and open source licensing violations all the way from a developer’s desktop, throughout the CI/CD chain and into production.

The plugin runs only when a new package/module/library is loaded. On load, information about that component (name, version, and license) is sent to the ActiveState Platform’s Security & Compliance (S&C) dashboard. The Platform then checks that component to determine whether any Common Vulnerabilities and Exposures (CVEs) have been reported against it, and categorizes the component’s open source license type for easy reference (Apache, MIT, GPL, etc.).
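The load-time monitoring described above, as an added example that is not ActiveState's plugin: a Python `sys.meta_path` hook that records each top-level module's version and license the first time it is imported and flags it when that version appears in an advisory table. The `lookup` function, the advisory table and the module list used in the demo are constructed; `installed_metadata` shows the real lookup against installed distributions.

```python
import importlib
import sys
from importlib.abc import MetaPathFinder
from importlib.metadata import PackageNotFoundError, metadata

class BomRecorder(MetaPathFinder):
    """Observe-only import hook: on a module's first import, record its version and
    license and flag it if that version appears in the (constructed) advisory table.
    find_spec returns None, so the regular finders still do the actual loading."""

    def __init__(self, lookup, advisories):
        self.lookup = lookup            # name -> (version, license) or None
        self.advisories = advisories    # name -> set of vulnerable versions
        self.bom = {}                   # name -> {"version", "license", "vulnerable"}

    def find_spec(self, fullname, path=None, target=None):
        top = fullname.partition(".")[0]          # record per top-level package
        if top not in self.bom:
            info = self.lookup(top)
            if info is not None:                  # unknown distributions are skipped
                version, license_ = info
                self.bom[top] = {"version": version, "license": license_,
                                 "vulnerable": version in self.advisories.get(top, ())}
        return None                               # defer to the normal import machinery

def installed_metadata(name):
    """Real lookup against installed distributions. Assumes the distribution name
    equals the import name, which holds for many but not all packages."""
    try:
        md = metadata(name)
    except PackageNotFoundError:
        return None
    return md["Version"], md.get("License") or "unknown"

def record_imports(module_names, lookup, advisories):
    """Install the hook, import the listed modules, remove the hook, return the BoM.
    Modules loaded before the hook existed are recorded directly from sys.modules."""
    rec = BomRecorder(lookup, advisories)
    sys.meta_path.insert(0, rec)
    try:
        for name in module_names:
            if name in sys.modules:
                rec.find_spec(name)
            else:
                importlib.import_module(name)
    finally:
        sys.meta_path.remove(rec)
    return rec.bom
```

In a real deployment the hook would stay installed for the life of the process and ship each new BoM entry to a central dashboard instead of returning a dict.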

As a result, every stakeholder in the organization can check the S&C dashboard to quickly understand the risk associated with an application at any point in the dev, test and release process. In this way, everyone in the enterprise can truly become responsible for security without derailing their existing function.


DevSecOps without the Pain

DevSecOps has traditionally meant a culture change, along with the adoption of new tools and processes that impose a “tax” on all participants: training on, implementing and maintaining new tools, education about new processes, and so on. This tax slows down time to market and works against adoption. The ActiveState plugin takes a different approach:

  • Fire and Forget – by incorporating the plugin into the original runtime environment for the project, it will be propagated to all dev, test and production environments. As a result, there’s no need to install and maintain the plugin in each deployment environment, decreasing overhead.
  • Speed Time to Market – many DevSecOps tools require a new instance to be set up so that new tests can be run and validated within your CI/CD chain, delaying time to market. By contrast, the ActiveState plugin runs whenever and wherever the code is run, removing the need for a separate test instance. In fact, since the plugin creates a “Bill of Materials” (BoM) of all components in your application, and the Platform continuously checks that BoM for vulnerabilities, the result is far fewer false positives than you typically obtain when running a single point-in-time security profile during your CI/CD process. As a result, you may be able to modify or even remove certain CI/CD tests, further speeding time to market.


DevSecOps Transformation

I wish I could say that just by implementing the ActiveState Platform, your organization will instantly make the leap to DevSecOps. Unfortunately, such a transformation will take time. But by empowering everyone in the organization with vulnerability and compliance information in a single, central dashboard you’ll have gone a long way to reducing security threats in your organization.

  • Know which applications are running with vulnerable or outdated components
  • Understand how long an application has been at risk of being compromised
  • Verify that best practices are being followed with respect to resolving security and compliance issues before they’re deployed in production
  • Avoid the bottleneck that shifts everything left, onto the developer: empower all stakeholders to identify and resolve issues wherever it makes sense

The next step is yours.


For More Information:

To see just how the ActiveState Platform’s Security & Compliance functionality can help you be successful with your DevSecOps initiative, view our series of product demos:

Dana Crane

Experienced Product Marketer and Product Manager with a demonstrated history of success in the computer software industry. Strong skills in Product Lifecycle Management, Pragmatic Marketing methods, Enterprise Software, Software as a Service (SaaS), Agile Methodologies, Customer Relationship Management (CRM), and Go-to-market Strategy.