Risks associated with DevOps

The DevOps story begins with the Agile approach to application delivery, which emphasizes people and communication over processes and tools. Participants focus on a specific phase of the project, carrying out a small amount of work in a specified period of time.

 DevOps and application delivery

The DevOps approach brings development and operations together with the goal of streamlining the application building and deployment process.

Under the DevOps model, You have specific tasks that must be carried out, but that requires all participants to work together.

?      Continuous integration provides a mechanism for adding, updating, building, testing, and validating the code on a regular schedule.

?      Continuous delivery works with continuous integration to provide a structure for developing, testing, and deploying code as part of an automated process.

?      Continuous testing automats operations while supporting such tasks as unit and functional testing.

?      Continuous deployment provides a structure for automatically releasing code that has been committed to the repository and has passed the testing phase.

?      Continuous monitoring tracks and reports issues occurred in application delivery process.

A DevOps environment also incorporate technologies as containerization, microservices, or infrastructure as code.

Many companies are using DevOps for efficient application deployment. DevOps ensures a shorter time to market, a better product quality and higher levels of customer satisfaction. but, it also involves new security risks.

The tools that DevOps Toolchain uses, like Jenkins, do not have a common standard, making it challenging for companies to establish specific security measures for each and every tool.

The DevOps recommends some ways to start:

1.    Add static analysis tools to the deployment pipeline. Static analysis can catch coding style errors and also identify security vulnerabilities.

2.    Add vulnerability scanning to the deployment pipeline. Vulnerability scanning inspects application dependencies and system packages for known security vulnerabilities

3.    Integrate InfoSec and another production telemetry for counters on password resets, logins, or second-factor challenges. 

4.    The knowledge base on how the system works is small, and it is probably tacit knowledge. Losing one key person may damage the entire process.

5.    Make sure your maintenance resources feel valued and are committed to staying the journey. If they are involved in other systems, find someone to who will be on this project 100%.

6.    While budget has been allocated for toolsets, the expertise to make the right choice is missing.

7.    You could save a lot of time and stress by calling in some subject matter experts, who are experienced enough to recommend a shortlist of what will work for your environment.

8.    While you have the right skills to manage the project, you do not have anybody who understands what has to be implemented, how long it will take, and how to phase it.

9.    The people who maintain it know exactly what needs fixing, but never have the time or budget.

10. Dev and Ops have worked closely together because of the crashes.

Continuous delivery pipelines move application code from its source and deliver it to the end users as an application. Yet building and managing a continuous delivery pipeline cannot be successful without fully understanding how to manage the risk involved.

Risks Involved:

Test Automation : Since writing new tests from scratch could delay launching your automated build process, you tend to use existing automated tests. The problem is that these tests are functional unit tests that developers use to make sure that what they build works. These tests needs to be run before releasing a product into production.

Resolution: The best way to resolve test automation risks is by creating a broad range of automated tests. You must also create integration tests to ensure that the new code can be integrated into the system. Tests should include non-functional tests as well that check performance, external APIs, dependencies, and security. 

Tooling:  If user’s feel the new tools make the process burdensome, start looking for their own alternatives. choosing the wrong CI/CD tool set is a risk you should avoid at all costs. if some tools are not properly configured, or integrated into the system, they will cause blockages. A system that creates delays will be a problem not just within a company but outside the company as well.

Resolution: Finding the right tools requires extensive research, and any team or organization unwilling to allocate enough time to this selection process is already taking pointless risks. Always check the number of options available. 

Security Risks: Building a delivery pipeline is a crucial DevOps practice. One of the most important issues when building an automatic delivery pipeline is the risk of prioritizing convenience and efficiency over security. Proper enforcement of software security involves listening to the news, being conscious of the newest exploits, and deploying patches. This process is often exhausting, especially if it’s not your core area of experience or responsibility.

Resolution: Many security risks are caused by a lack of knowledge, which can be resolved by training. Being able to identify potential risks and understand how to resolve them is easier to perform when you are relaxed than at the time you are dealing with their negative impacts.

Organizational Uncertainty :  If no one knows what methodology they are following, what it necessitates, why it matters, and the expected goals and outcomes, the project is lost. Often this leads to everybody arguing over definitions and the way to use them. Your delivery pipeline will fail if you are not creating a supportive environment and organizational culture.

Resolution: The risks associated with organizational confusion and chaos can be reduced by enforcing policies and practices. This involves regulating the agile and DevOps terminology and practices across your organization. It is equally important to make sure that all stakeholders and team members have the right agile and DevOps training.

Poor Quality Code :  Static code analysis is a collection of algorithms and techniques used to analyze source code to automatically find errors or poor coding practices.

Static code analysis, looks at applications in non-runtime environments. It is used to cover the entire code base and identify all the vulnerable patterns. Static code analysis is a great way to automate code review process.

The tasks solved by static code analysis software can be divided into 3 main categories:

?     Detecting errors in programs

?      Recommendations on code formatting. 

?      Metrics computation. Software metrics are a measure that lets you get a numerical value of some property of software specifications what are software characteristics? Well it could be:

1. Whether the coding has been done following a specific convention
2. Whether good practices have been followed and bad practices avoided
3. Are there any potential bugs or security vulnerabilities
4. Is there any duplicate code
5. Is the code logic very complex
6. Whether the code has unit tests
7. Whether the code follows good design and architecture principles

Risk: In project people do use Static source code analyzer, they run scanner on their code but do not try to resolves those issues, bugs, duplication etc.

Resolution : If you are using any Static source code analyze than you should set a threshold and based on it your pipeline should proceed. If there is enough bugs than it is recommend to fail your pipeline, work on the issues and then proceed.

Security vulnerabilities : Usually people tend to ignore security risks associated with the application when they are deploying applications using Devops Pipeline. This becomes a major threat once the application hits production.

Resolution: Static application security testing (SAST), is used to analyze source code to find security vulnerabilities that make your applications vulnerable to attack. SAST tools automatically identify critical vulnerabilities such as SQL injection, cross-site scripting and others. Thus, integrating static security analysis into the SDLC results in the overall quality of the code developed.