Oliver Milke (@OliverMilke) of Cloudogu (@Cloudogu) thinks it is time to think differently about the way to provision and operate a DevSecOps toolchain. He outlined his ideas and showed how they could be done step-by-step at the Nexus User Conference.
He noted that development teams often feel they have to choose between two options. For example, choosing between cloud software or on-premise software. Oliver asks, "Shouldn't it be possible to have the best of both worlds?"
Best of Many Worlds
Oliver defines this cake-and-eat-it-too toolchain as:
- A system you make AND buy;
- A system on the cloud AND on-prem;
- A system that supports a single vendor AND multi-vendor software;
- A system that supports open source software centralization AND distribution software (depending on requirements).
Of these DevSecOps toolchain characteristics, what does your team need? Consider carefully and get input across disciplines. Teams must work collaboratively to create a managed state model that supports current and future needs.
Oliver makes some suggestions based on his work with Cloudogu. The Cloudogu EcoSystem is a platform that provides standardized architecture and automated cloud services for integrated toolchains. Sonatype IQ and Sonatype Nexus Repository are two tools baked into Cloudogu's customizable dashboard.
Interestingly, the German government is one of Cloudogu's biggest customers. This enables government departments to build digital-first, self-service portals for contractors and citizens.
Strengthen Your DevSecOps Toolchain
Toolchain Decoupling
Oliver recommends decoupling vendor toolsets. Don't be afraid to connect competing products to experiment. Doing so has the potential for greater flexibility, scalability, and interconnectivity.
Ransomware Protection
Another important consideration is your ability to back up and restore work. "This is an often overlooked step," reports Oliver. People forget that you must regularly test your data backups to ensure they can actually be restored.
When was the last time you tested your backup system to see if it works? Those affected by ransomware know for sure, and without any doubt. Avoid this predicament. Backing up and testing restores are essential tasks in security hygiene.
Community Contributions Yield Solid Returns
Oliver and Cloudogu, like many in the open source community, have contributed plugin tools. Find them at exchange.sonatype.com and GitHub:
- Nexus-carp - a reverse proxy authentication for Sonatype Nexus Repository 3 that offers single sign-on (SSO) capabilities;
- Nexus-scripting - a CLI for remotely invoking Groovy scripts on Sonatype Nexus Repository;
- Nexus-claim - a plugin that defines Sonatype Nexus Repository structure as code.
We look forward to future contributions to the open source community, and invite others to join.
Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.