
Fudge Sunday - Needle in a Fullstack

Start the week more informed 🤔💡🤯🤓
This week we take a closer look at DevSec, SCA, xAST, RASP, DevSecOps, FinOps, and code search.

The Velvelettes "Needle in a Haystack" (1965)
Getting Informed
First, let’s expand some DevSec acronyms and give some examples. As a starter, you’ll want to recall the concept of a “software bill of materials” (SBOM) from Fudge Sunday #55.
Software Composition Analysis (SCA) is a method for examining all the code that you (or your team) didn’t write but inherited from somewhere external along the development journey, code that now represents a dependency. Or, to understand why SCA is important, consider Dependency, aka xkcd 2347.
There's always a xkcd for everything
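As an added illustration of what SCA surfaces (example code written for this edit, not from the newsletter or from any vendor named here): a walk over a constructed, CycloneDX-style dependency graph that lists the components the application never chose directly and finds the one transitive dependency most of the stack leans on, the xkcd 2347 block. All component names and versions are made up.

```python
from collections import defaultdict, deque

# Constructed, minimal CycloneDX-style "dependencies" section: component -> dependsOn.
# Names and versions are made up for this example; nothing here is a real SBOM.
SBOM_DEPENDENCIES = {
    "app@1.0.0": ["web-framework@4.2.0", "http-client@2.1.0", "jwt-lib@3.0.1"],
    "web-framework@4.2.0": ["template-engine@1.9.0", "json-parser@5.0.0"],
    "http-client@2.1.0": ["json-parser@5.0.0", "tls-shim@0.3.2"],
    "jwt-lib@3.0.1": ["json-parser@5.0.0", "base64-util@0.1.7"],
    "template-engine@1.9.0": ["html-escape@1.0.0"],
    "json-parser@5.0.0": ["unicode-tables@12.0.0"],
    "tls-shim@0.3.2": [],
    "base64-util@0.1.7": [],
    "html-escape@1.0.0": [],
    "unicode-tables@12.0.0": [],
}

def transitive_dependencies(graph, root):
    """Return {component: depth} for everything reachable from root (shortest hops)."""
    seen = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:  # first visit in a BFS is the shortest path
                seen[dep] = depth + 1
                queue.append((dep, depth + 1))
    return seen

def inherited_dependencies(graph, root):
    """Reachable components nobody chose directly (not in root's dependsOn):
    the inherited code SCA exists to inventory."""
    direct = set(graph.get(root, []))
    return sorted(d for d in transitive_dependencies(graph, root) if d not in direct)

def dependents_count(graph, root):
    """For each reachable component, how many components in the stack (root
    included) transitively rely on it: its blast radius if it breaks or is compromised."""
    counts = defaultdict(int)
    for node in [root, *transitive_dependencies(graph, root)]:
        for dep in transitive_dependencies(graph, node):
            counts[dep] += 1
    return dict(counts)

def load_bearing(graph, root):
    """The xkcd 2347 block: the (component, dependents) pair with the widest blast radius."""
    return max(dependents_count(graph, root).items(), key=lambda kv: (kv[1], kv[0]))

print(load_bearing(SBOM_DEPENDENCIES, "app@1.0.0"))  # ('unicode-tables@12.0.0', 5)
```

Note that the load-bearing component is a leaf three hops down that no team member ever selected, which is exactly the code an SBOM plus SCA makes visible.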
🎶 I'm tellin' you the natural facts 🎶
Application Security Testing (xAST) is the generalized term for the static (SAST), dynamic (DAST), and interactive (IAST) scanning methods used when testing for vulnerabilities. Now, if this sounds like a shift-left, disruption-ready market, keep reading.
Run-time Application Security Protection (RASP) can be a wrapper approach that assumes a known context for the internal design of the software it protects. The RASP approach also enabled the creation of the Web Application and API Protection (WAAP) market, because everything that could become an API will become an API on a long enough timeline.
Examples of companies from A to Z in this space include (with deep links to an educational blog post) AppDome, Checkmarx, Contrast, Data Theorem, Imperva, Invicti, Micro Focus, Onapsis, Qualys, Rapid7, Snyk, Synopsys, Veracode, WhiteHat Security, and Zimperium. And that’s just to name a few.
Interestingly, DevSec related features are increasingly appearing as partner integrations (and likely as an eventual native competitive parity offer) within collaborative code services such as GitHub and GitLab.
These approaches can be helpful in trying to find a needle… in a fullstack. Right?
So, what about when the build breaks? Or you just inherited responsibility for a new (to you) codebase that was assembled over a time period longer than your entire career? Or your DevOps and DevSecOps teams are shifting their entire approach to everything in order to embrace an Infrastructure as Code (IaC) ethos?
🎶 You'd better look before you leap 🎶
🎶 Still water sometimes runs very deep 🎶
If software is eating the world, then the world is fast becoming an ever larger and ever more varied collection of code. So identifying the cost of time-to-productive-contribution for a new hire on a sprawling, high-risk, high-probability, high-drama, committee-consensus, likely-to-break-the-build global monolithic repository vs. a discrete, de-risked, specific, modular codebase that empowers smaller, more autonomous, distributed teams isn’t just a metrics-driven mindset – it’s sound fiscal policy.
For example:
Beyang Liu
Nothing like using @sourcegraph to build @sourcegraph—we're migrating from global CSS to CSS Modules and our frontend platform team is using Code Insights to track migration progress:
HN Comment on Onboarding
Now, imagine combining FinOps with DevSecOps in a deeper practice. For your consideration, the newsletter is once again including a read and a repo to explore the eventuality of shift-left oriented FinOps and DevSecOps combinations.
Recommended Read and Repo
Software Supply Chain Security (SSCS)
Sourcegraph: Universal code search
Work Plug!
As a reminder, I work at Faction. What’s Faction you ask?🤔🤔🤔🤔
Faction provides clientele with cloud data services across hyperscale providers to maximize innovation and multicloud outcomes.🤓☁️📊🚀
We’re hiring at Faction!🎉🤓☁️🚀
To see our current openings click here.⬅️🤓☁️🚀
Or, bookmark 🦄🤓☁️🚀
I am linking to my disclosure.
Jay Cuthrell @JayCuthrell

Sometimes a song, always a topic (or two), a read, and a repo -- every Sunday!

Created with Revue by Twitter.