News and Notes from the Makers of Nexus | Sonatype Blog

DevSecOps Without Compromise

Written by Katie McCaskey | June 26, 2019

Oliver Milke (@OliverMilke) of Cloudogu (@Cloudogu) thinks it is time to think differently about the way to provision and operate a DevSecOps toolchain. He outlined his ideas and showed how they could be done, step-by-step, at the Nexus User Conference.

He noted that development teams often feel they have to choose between two options. For example, choosing between cloud software or on-premise software. Oliver asks, “Shouldn’t it be possible to have the best of both worlds?”

Best of Many Worlds

Oliver defines this cake-and-eat-it-too toolchain as:
  • A system you make AND buy;
  • A system on the cloud AND on-prem;
  • A system that supports a single vendor AND multi-vendor software;
  • A system that supports open source software centralization AND distribution software (depending on requirements)

Of these DevSecOps toolchain characteristics, what does your team need? Consider carefully and get input across disciplines. Teams must work collaboratively to create a managed state model that supports current and future needs.

Oliver makes some suggestions based on his work with Cloudogu. The Cloudogu EcoSystem is a platform that provides standardized architecture and automated cloud services for integrated toolchains. Sonatype’s Nexus IQ and Nexus Repository Manager are two tools baked into Cloudogu’s customizable dashboard.

Interestingly, the German government is one of Cloudogu’s biggest customers. This enables government departments to build digital-first, self-service portals for contractors and citizens.

Strengthen Your DevSecOps Toolchain

Toolchain Decoupling

Oliver recommends decoupling vendor toolsets. Don’t be afraid to connect competing products to experiment. Doing so has the potential for greater flexibility, scalability, and interconnectivity.

Ransomware Protection

Another important consideration is your ability to backup and restore work. “This is an often overlooked step,” reports Oliver. People forget that you must regularly test your data backups to ensure they can be restored.

When was the last time you tested your backup system to see if it works? Those affected by ransomware know for sure, and without any doubt. Avoid this predicament. Backing up, and testing, are important tasks in security hygiene.

Oliver walks through how easy it is to build a toolchain with Cloudogu, here:

Community Contributions Yield Solid Returns

Oliver and Cloudogu, like many in the open source community, have contributed plugin tools. Find them at exchange.sonatype.com and GitHub:

  • Nexus-carp - a reverse proxy authentication for Nexus Repository 3 that offers single sign on (SSO) capabilities;

  • Nexus-scripting - CLI for remotely invoking groovy scripts on Nexus Repository Manager;

  • Nexus-claim - a plugin that defines Nexus Repository Manager structure as code.

We look forward to future contributions to the open source community, and invite others to join.

 
View full post