On the sixth day of SecDevOps, let’s consider how meaningful checks can be integrated at every SDLC Workflow (or pipeline) stage.
As a recap, Software Development Lifecycle (SDLC) workflows are used to store, build and integrate software source code. A special form of integration is the deployment of code to the production environment (deploy). When we think of checks in a pipeline context, think automation, usually in the form of tools and/or agents.
What makes a check meaningful?
- Specific to the Stage: The check should be appropriate for the specific stage of the SDLC. For example, static code analysis (SAST) is most relevant during the development stage, while dynamic testing (DAST) is more pertinent during the testing phase.
- Context-Aware: The check should consider the context of the application, including its architecture, the technologies used, and potential threat vectors. Testing a portion of code without the context of the whole may misrepresent the result. This is particularly likely when no single overarching party is responsible for production. Think of a User Experience (UX) team, a separate Application team and a Data Science team: all interdependent teams behind the delivered software product.
- Identifies Real Concerns: Each check should be capable of identifying actual weaknesses, not theoretical issues. It should have a low rate of false positives to avoid wasting development resources.
- Thorough Code Coverage: In total, checks should cover all critical aspects relevant to the application, including code quality, third-party dependencies, configurations, and runtime behavior. Maintaining code coverage greater than 80% is unlikely, owing to complexity, diminishing returns and edge cases.
- Clear Guidance: The output of the check should provide clear and actionable guidance on how to remediate identified issues. This includes detailed explanations and, where possible, examples of how to respond. It is common for automated results to be reviewed by a triage process that further separates the "wheat from the chaff" (the relevant, actionable results from the noise).
- Prioritized Findings: Results should be prioritized based on the severity and potential impact, helping teams focus on the most critical issues first.
- Integrated into Workflow: The check should seamlessly integrate into the existing workflows, ensuring minimal disruption.
- Automated Execution: Automation of the check is crucial to ensure it runs consistently and regularly without requiring manual intervention. Here the training of Artificial Intelligence (AI) agents really shines. Because of the pattern-based nature of workflow checks, the investment in setting up and training agents has a high likelihood of return.
- Handles Large Codebases: The check should be capable of analyzing large codebases and complex applications efficiently. This is particularly true of distributed applications resulting from the use of microservices.
- Adaptable: It should be adaptable to changes in the codebase, architecture, and technology stack, ensuring continued relevance, at a sustainable cost and impact, as the project evolves.
- Feedback Loop: There should be a mechanism for providing feedback and learning from past issues with the checks to improve future checks and practices.
- Regular Updates: The check should be regularly updated to reflect the latest threats, best practices, and technologies.
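To make several of these criteria concrete, here is an added example of a small pipeline gate (example code written for this post, not from the original article or any particular tool): it takes constructed scanner findings from two stages, suppresses fingerprints that an earlier triage accepted as false positives (the feedback loop), orders what remains by severity, attaches remediation guidance, and fails the stage when a high or critical finding is left. The finding fields, guidance table and baseline format are assumptions standing in for real tool output.

```python
"""Pipeline gate over scanner findings: suppress triaged false positives,
rank by severity, attach remediation guidance and decide whether the stage
fails. Sample findings, guidance text and baseline format are constructed."""
from dataclasses import dataclass
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    tool: str       # which check produced it (e.g. "sast", "deps")
    stage: str      # pipeline stage the check is specific to
    rule: str       # scanner rule id
    location: str   # file:line or package@version
    severity: str

    def fingerprint(self) -> str:
        # stable key so a result triaged once stays suppressed across runs
        return f"{self.tool}:{self.rule}:{self.location}"

# Constructed remediation text per rule (a real gate would load this from the tool or a team wiki)
GUIDANCE = {
    "sql-injection": "Use parameterised queries instead of string formatting.",
    "vulnerable-dependency": "Upgrade to a fixed version or replace the package.",
    "hardcoded-secret": "Move the value to the secret store and rotate it.",
}

def triage(findings, baseline, fail_at="high"):
    """Return (blocking, report). `baseline` holds fingerprints already reviewed
    and accepted as false positives: the feedback loop from earlier runs."""
    live = [f for f in findings if f.fingerprint() not in baseline]
    live.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    report = [f"[{f.severity.upper()}] {f.stage}/{f.tool} {f.rule} at {f.location}: "
              f"{GUIDANCE.get(f.rule, 'No guidance recorded; triage manually.')}"
              for f in live]
    threshold = SEVERITY_RANK[fail_at]
    blocking = any(SEVERITY_RANK.get(f.severity, 99) <= threshold for f in live)
    return blocking, report

# Constructed sample findings, shaped like scanner output from two stages
SAMPLE = [
    Finding("sast", "build", "sql-injection", "app/db.py:42", "high"),
    Finding("sast", "build", "hardcoded-secret", "tests/fixtures.py:7", "medium"),
    Finding("deps", "build", "vulnerable-dependency", "examplelib@1.2.3", "critical"),
    Finding("dast", "test", "missing-header", "https://staging.example/login", "low"),
]
BASELINE = {"sast:hardcoded-secret:tests/fixtures.py:7"}  # accepted after review

if __name__ == "__main__":
    blocking, report = triage(SAMPLE, BASELINE)
    print("\n".join(report))
    raise SystemExit(1 if blocking else 0)
```

Running it as a stage step prints the prioritized report and exits non-zero while a blocking finding remains, so the pipeline stops with the guidance in front of the developer.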
The theme for this sixth day is to treat your pipeline as a key business enabler, configured with meaningful feedback to ensure its continued value contribution.