Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

Why You Need DevSecOps and Artifact Repositories

March 26, 2019 By Derek Weeks

*Note: Join us for the 2019 Nexus User Conference on June 12. If you have a great Nexus story, submit a talk here.

Helen Beal was once speaking at a conference about what being a DevSecOps engineer is all about. To her surprise, many of the participants in the DevSecOps track were not on board with bringing Security into DevOps. After probing the audience about this, she summed up the concerns into three categories: it could create another silo; that people in organizations have a hard time understanding DevOps, so it might create even more confusion; and, maybe there isn’t room for another area.

Of course, Helen disagrees, and she knows a thing-or-two about DevOps and DevSecOps after spending nearly 20 years in the technology industry with a focus on the Software Development Lifecycle. She is a self-titled DevOpsologist at Ranger4, where she helps organizations implement DevOps. She shares her knowledge speaking around the world, and she was able to join us for our 2018 Nexus User Conference, speaking on artifact repositories and their role in the DevSecOps toolchain.

From a high-level, Helen presented some key recommendations for DevSecOps:

  • Ensure security is everyone’s job

  • Recognize there is a constraint with security personnel. On average, the personnel ratio is 100 developers: 10 operations: 1 security

  • Shift responsibility left and test/verify as early as possible. The lack of sufficient security personnel makes it a constraint. Shift left and automate tasks to reduce the bottleneck and resolve problems earlier

  • Mitigate risk by being proactive

  • Nurture a safety culture

Helen took some time to dive into nurturing a safety culture, laying out key principles/actions organizations can take into behavioral and systemic safety.

Behavioral safety is empowering individuals and teams to act in a way that is safe while moving forward. To nurture behavioral safety, she recommends:

  • Training that failure is a learning opportunity

  • Ensuring shared accountabilities and goals across and between teams

  • Accounting for time to experiment

  • Using collaboration platforms to share learning and best practices

  • Writing actions from retrospectives as experiments and making time to ensure follow-up

She mentioned a couple real-world examples, such as awards for failure at Etsy, LEGO, and P&G and “fail walls” used by Spotify to make failures visible and addressable.

Systemic safety is building safety into your infrastructure. Her recommendations to nurture systemic safety include using:

  • Continuous Integration to break builds

  • Deployment automation to drives consistency/ auditability and allows instant redeploy of last known good state

  • ChatOps to swarm problems and incidents

  • Application performance management to deliver early warnings

  • Limited blast radius approaches such as feature toggles, canary, blue/green, and microservices

  • Integration between the service desk and the product backlog

  • Chaos engineering to teach failure as a habit

After making her case for DevSecOps and laying out how to instill a safety culture, she rolled into artifact repositories. After all, it is a Nexus conference and artifact repositories is a Nexus specialty.

She began with a quote from Manfred Moser, “Manufacturing without a warehouse = development without an artifact repository.” You wouldn’t dream of running a factory without some inventory, and you should do the same thing in software development. The artifact repository holds your inventory of building blocks you pull from and makes sure you have the one you are supposed to be using.

An artifact repository sits at the integration stage of a DevOps toolchain, although it can be referenced in ideation to ensure that the tools you want to use are available.

hb1

And, you can’t have an artifact repository without an open source policy. Well, you shouldn’t. The repository automatically enforces your open source policy, so you won’t be like the 35% of organizations who have an open source policy but ignore it.  

hb2
Helen utilizes Nexus Lifecycle as it tells developers the best artifact to use, mitigates risk, and assists Operations and Security to ensure the right software is being used.

hb3

The big takeaway is that if you aren’t doing DevSecOps, you should. It is inevitable and it is beyond its infancy. It is a mature concept requiring mature tools to assist you. It takes time to get there, but you will be glad you did.

Nexus Lifecycle is one tool you can use. If you are interested in learning more about it and all of the Nexus products, check out the platform here. If you want to hear Helen’s whole talk, you can watch her entire session, for free, here.

And keep an eye out for more session recaps from the 2018 Nexus User Conference - we'll be sharing them every week leading up to this year's conference on June 12.

Tags: artifact repository, devsecops, Nexus User Conference, featured, Post security/devsecops

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.