Oliver Milke (@OliverMilke) of Cloudogu (@Cloudogu) thinks it is time to think differently about how a DevSecOps toolchain is provisioned and operated. He outlined his ideas, and showed step by step how they can be put into practice, at the Nexus User Conference.
He noted that development teams often feel they have to choose between two options, for example cloud software or on-premise software. Oliver asks, "Shouldn't it be possible to have the best of both worlds?"
A system you make AND buy;
A system on the cloud AND on-prem;
A system that supports a single vendor AND multi-vendor software;
A system that supports centralizing open source software AND distributing it (depending on requirements).
Which of these DevSecOps toolchain characteristics does your team need? Consider carefully and get input from every discipline. The teams involved must agree on a shared, managed model of the toolchain's state, one that supports both current and future needs.
Oliver makes some suggestions based on his work with Cloudogu. The Cloudogu EcoSystem is a platform that provides standardized architecture and automated cloud services for integrated toolchains. Sonatype IQ and Sonatype Nexus Repository are two tools baked into Cloudogu's customizable dashboard.
Interestingly, the German government is one of Cloudogu's biggest customers; the platform lets government departments build digital-first, self-service portals for contractors and citizens.
Oliver recommends decoupling vendor toolsets. Don't be afraid to connect competing products to experiment. Doing so has the potential for greater flexibility, scalability, and interconnectivity.
Another important consideration is your ability to back up and restore work. "This is an often overlooked step," reports Oliver. People forget that you must regularly test your data backups to ensure they can actually be restored.
When was the last time you tested your backup system to see if it works? Those who have been hit by ransomware know the answer for certain. Avoid this predicament: backing up, and testing the restore, are basic security hygiene.
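A restore drill is only meaningful if it checks the restored data, not just that the archive unpacked. The script below is an added example, not code from the talk or from Cloudogu: it backs up a directory tree, restores it into a fresh location, and compares sha256 manifests of both trees. It assumes a Linux box with GNU coreutils and findutils (sha256sum, find -print0, sort -z, xargs -0) and tar; the sample data directory it creates is constructed for the demo.

```shell
#!/bin/sh
# Added example (hypothetical, not Cloudogu's or the talk's code):
# a minimal backup-and-restore drill with content verification.
set -eu

# manifest DIR: sha256 of every regular file under DIR, paths relative to DIR,
# sorted so the two manifests can be compared byte for byte.
manifest() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum)
}

# backup_tree SRC ARCHIVE: archive the contents of SRC (not SRC itself).
backup_tree() {
    tar -C "$1" -czf "$2" .
}

# restore_tree ARCHIVE DEST: unpack ARCHIVE into a fresh DEST.
restore_tree() {
    mkdir -p "$2" && tar -C "$2" -xzf "$1"
}

# verify_restore SRC DEST: exit 0 only if every file in SRC is present in DEST
# with identical content (and DEST has no extra files).
verify_restore() {
    orig=$(manifest "$1")
    rest=$(manifest "$2")
    [ "$orig" = "$rest" ]
}

# make_sample_data DIR: constructed stand-in for a repository's data directory.
make_sample_data() {
    mkdir -p "$1/blobs" "$1/db"
    printf 'artifact-bytes' > "$1/blobs/a.bin"
    printf 'db-state'       > "$1/db/store.db"
}

# demo_ok: full drill on intact data; returns 0 when the restore matches.
demo_ok() {
    tmp=$(mktemp -d)
    make_sample_data "$tmp/data"
    backup_tree "$tmp/data" "$tmp/backup.tar.gz"
    restore_tree "$tmp/backup.tar.gz" "$tmp/restore"
    if verify_restore "$tmp/data" "$tmp/restore"; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# demo_tamper_detected: same drill, but the restored tree is silently
# corrupted (a truncated blob) before verification. Returns 0 only if the
# drill correctly reports a mismatch; a drill that "passes" here is useless.
demo_tamper_detected() {
    tmp=$(mktemp -d)
    make_sample_data "$tmp/data"
    backup_tree "$tmp/data" "$tmp/backup.tar.gz"
    restore_tree "$tmp/backup.tar.gz" "$tmp/restore"
    printf 'art' > "$tmp/restore/blobs/a.bin"   # simulate corruption
    if verify_restore "$tmp/data" "$tmp/restore"; then
        rm -rf "$tmp"; return 1                  # mismatch went unnoticed
    fi
    rm -rf "$tmp"; return 0
}

demo_ok && echo "restore drill: restored tree matches source"
demo_tamper_detected && echo "restore drill: corrupted restore was detected"
```

In practice, point backup_tree at the real data directory (for a repository manager, its data and blob store), run the drill from a scheduled job on a host other than the one being backed up, and alert when verify_restore fails; a drill that is never run is the "overlooked step" Oliver describes.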
Oliver and Cloudogu, like many in the open source community, have contributed plugins and tools. Find them at exchange.sonatype.com and on GitHub:
Nexus-carp - a reverse proxy that handles authentication for Sonatype Nexus Repository 3 and offers single sign-on (SSO);
Nexus-scripting - a CLI for remotely invoking Groovy scripts on Sonatype Nexus Repository;
Nexus-claim - a plugin that defines Sonatype Nexus Repository structure as code.
We look forward to future contributions to the open source community, and invite others to join.