DevSecOps teams generally work with an assortment of hardware that is provisioned for them. Traditionally, they have had to create a separate set of build scripts for each platform used for continuous integration, delivery, and security testing. This approach is inefficient, as the initial effort and cost of developing one set essentially has to be duplicated for each current or future platform that the DevSecOps teams use. Developing platform-specific build scripts and DevSecOps processes also has its own challenges, which include:
- Any change made to one—readability updates, bug or security fixes, and build/security enhancements—must be replicated carefully on the others. When done conscientiously, this should not pose a problem, but it does add to the maintenance overhead.
- Whenever a new platform is made available to the DevSecOps teams, they must rewrite the build and security operations all over again. For proprietary platforms, this can also bring the risk of vendor lock-in.
- Platform-specific code and build scripts tend to create platform-specific subject matter experts (SMEs). If the SME for a particular platform leaves the organization, it could create a burden on other platform SMEs to continue the DevSecOps upkeep for that platform in addition to the ones they are already responsible for.
The write once, run anywhere ethos can provide DevSecOps teams with the same benefits that programmers get when writing cross-platform code. Cross-platform software development in turn requires security testing on every supported platform, which is an essential part of DevSecOps.
In a typical DevSecOps workflow, the script downloads the source code, runs the appropriate compilation operations to ensure that the code produces a valid build, and runs tests against the source code (unit, integration, functional, etc.). Then a series of security tests is performed, which can include static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), image and container security vulnerability scanning, manual secure source code reviews, and penetration testing. Assuming everything passes these tests, the last step is the deployment of the software, either into a testing domain for quality assurance testing or user-acceptance verification, or into a central repository for future deployments.
This workflow is the same regardless of the platform it is run on, so a cross-platform security solution is truly the ideal approach here. It enables the DevSecOps team to focus on the content of the workflow and deliver value faster, because they can concentrate on the development, security, and operations process(es) rather than spending time (re)writing the same logic for different platforms.
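As an added example (not code from the original article), the workflow above expressed once as a platform-neutral stage list with a fail-closed gate: the same definition runs on any agent, tool binaries are resolved per host with `shutil.which`, and deployment happens only when every build, test and security stage has passed. The stage callables, the dependency manifest and the denylist are constructed placeholders, not real tools or advisories.

```python
import platform
import shutil
from dataclasses import dataclass, field

@dataclass
class StageResult:
    name: str
    passed: bool
    findings: list = field(default_factory=list)

# Stage order from the workflow described above. The list itself contains no
# platform-specific paths or commands, so it is written once and reused everywhere.
STAGE_ORDER = ["fetch", "build", "tests", "sast", "sca", "dast", "container_scan"]

def resolve_tool(name):
    """Locate a tool on the current host's PATH (handles .exe/PATHEXT on Windows)."""
    return shutil.which(name)

def run_pipeline(stages, deploy_target="qa"):
    """Run stages in order; stop at the first failure and deploy only if all pass."""
    results = []
    for name in STAGE_ORDER:
        result = stages[name]()
        results.append(result)
        if not result.passed:  # fail closed: no deployment after a failed gate
            return {"host": platform.system(), "results": results, "deployed_to": None}
    return {"host": platform.system(), "results": results, "deployed_to": deploy_target}

def sca_stage(manifest, denylist):
    """Constructed SCA stage: flag pinned dependencies that appear in a denylist."""
    hits = [f"{pkg}=={ver}" for pkg, ver in manifest.items() if (pkg, ver) in denylist]
    return StageResult("sca", passed=not hits, findings=hits)

def passing_stage(name):
    """Placeholder for a stage that succeeds (constructed, stands in for a real tool)."""
    return lambda: StageResult(name, passed=True)

MANIFEST = {"examplelib": "1.0.0", "otherlib": "2.3.1"}  # constructed sample manifest
DENYLIST = {("examplelib", "1.0.0")}                      # constructed, not a real advisory

def example_run(manifest=MANIFEST):
    """Wire the constructed stages together and run the gate once."""
    stages = {name: passing_stage(name) for name in STAGE_ORDER}
    stages["sca"] = lambda: sca_stage(manifest, DENYLIST)
    return run_pipeline(stages)

if __name__ == "__main__":
    report = example_run()
    print(report["host"], "->", report["deployed_to"], [r.findings for r in report["results"]])
```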