DevSecOps: Collaborate Confidently with Open Source Tools

Leveraging open source collaboration software as part of your DevSecOps strategy keeps developer teams working together securely and privately.

There is a Cambrian explosion currently underway in the collaboration tools space. The exponential rise in remote working, driven by naturally evolving workplaces and accelerated by the recent pandemic, has created an opportunity for many different collaboration tools to take center stage.

As our collaboration tools improve, work that would have been nearly impossible to do remotely is becoming more and more common. Whether we’re communicating via audio and video, sharing large files in the blink of an eye, poring over designs together, or collaborating on a single document in real-time, collaboration tools are shaping the way we work every day.

Though these tools provide a lot of upsides, they come with their own share of challenges — having to remember all of the passwords required to access each tool, for example. And as we integrate our tools together, different usability and compatibility challenges begin to emerge.

A more fundamental challenge today is the fact that organizations need collaboration tools to be highly secure. After all, businesses need to protect the privacy of various work environments and provide complete integrity so that workers can collaborate with confidence.

Choosing the Right Collaboration Tool for Your Team

These requirements have raised many points of contention, both old and new. In turn, organizations need to ask themselves a series of questions to ensure they make the right technology choices:

  • Should we build our own tools or buy a solution?
  • Should we use open source or proprietary solutions?
  • Should we use cloud-based solutions or host our own technology on-prem?

With all of these discussions back on the table with new parameters and new points of contention, decision-makers are bound to struggle to strike the right balance between having tools that permit sufficient mobility and continuing to maintain security and integrity.

With all this in mind, let’s assess the advantages and disadvantages that come with each category. 

Open Source vs. Proprietary

Open source software gives developer teams visibility into the code and offers limitless potential for customization. But there’s a learning curve to using it, and many open source solutions won’t be compatible with every other tool you use right out of the box. Proprietary software usually offers more reliable support, but allows less transparency into the code itself, requiring users to trust the software builders more.

[Figure: Open Source vs. Proprietary Software for DevSecOps]

SaaS vs. On-prem

While SaaS software has some clear advantages around usability and scalability, it isn't without its downsides, including concerns around data privacy and security. By contrast, on-premises software offers better security controls, at the cost of greater maintenance demands.

[Figure: SaaS vs. On-prem Software for DevSecOps]

Build vs. Buy

While building your own software can seem like a great way for development teams to create exactly the solution they need, it almost always requires a large time and resource investment. Buying a solution offers much faster returns, but can be costly.

[Figure: Building vs. Buying Software for DevSecOps]

What’s important to note in all of this is that the capabilities for providing security and privacy differ greatly depending on which options you choose. 

Designing Software Decisions for DevSecOps: What Makes Software Secure?

Up next, we’ll begin identifying the best path towards creating safe and sustainable software that is also capable of meeting the goals of an organization. We’ll explore this by identifying the underlying paradigms that create the most secure collaboration software.

Being Open Source

Source code that is open, available for modification, and extensible is perhaps the cornerstone of secure collaboration software.

Giving developers access to the core of the collaborative application allows for transparency into the inner workings of the software solution. This allows teams to design their communications and security protocols appropriately and dovetail them into the applications.

In addition to all the above, being open source allows you to design DevOps pipelines in which every security requirement is checked automatically during the build itself. This practice of embedding security checks into the pipeline is what is known as DevSecOps.

Being Self-Hosted

When using SaaS solutions or public cloud infrastructure, you lose control, governance, and transparency — to the point that gaining a single window of transparency into collaboration operations is a major challenge.

Self-hosted collaboration software provides a sufficient amount of auditability and allows security postures that completely align with desired outcomes. Hosting collaboration software on-premises enables a strong, highly customizable security perimeter with minimal external dependencies.

What’s more, being self-hosted also allows excellent situational awareness at all times — whether during normal operations or when troubleshooting incidents.

Being Neither Built from Scratch nor Right Out of the Box

Many software engineering teams tend to get stuck in the build-versus-buy dichotomy. Being open source and hosting software on owned infrastructure represents a solid middle path that can help you bypass the build-or-buy decision. 

This allows teams to build the security features that they want and integrate additional security mechanisms that they might want to use as plugins or extensions.

Being Community-Maintained

Linus’s law states that “given enough eyeballs, all bugs are shallow.” Using software that has a large, vibrant, and active community around it means that a lot of people are coming together to improve the project.

In particular, a community-driven approach allows the identification and possible mitigation of all kinds of bugs, threats, and vulnerabilities. This is simply not possible when using closed-source or proprietary software.

The Right Software Lets You Unlock the DevSecOps Advantage

Fast-moving development teams can’t afford to let security be an afterthought. Ensuring that security practices and protocols are embedded in your workflow from the first step onward is essential. With the DevSecOps approach, the security needs of all companies, ranging from the smallest of organizations to large enterprises, can be covered, from security testing and vulnerability scanning to compliance requirements, auditing, and traceability. 

Ultimately, opting for open source, self-hosted software that is supported by a strong community gives you more control over features, deployment, and security. This means a DevSecOps paradigm can be superimposed over the way collaboration software is deployed by an organization.

At Mattermost, our goal is to deliver a feature-complete, secure open source collaboration solution designed for the way developer teams actually work. If you’re interested in learning more about how teams use Mattermost to enable their DevSecOps workflows, connecting with Mattermost contributors, or asking questions about the platform, we’d love for you to join our community.


Ram Iyengar is an engineer by practice and an educator at heart. He enjoys helping engineering teams around the world discover new and creative ways to work.