Best practices for continued system solutions delivery

Berhan Karagoez
Berhan Karagoez used Ask the Experts™
What would you say are some of the best practices when it comes to securing your system(s) against dependencies (any you can think of) to enable continuous access and delivery to/of data.

Do we need to replicate things that much between servers/countries, what would be alternative approaches?

I am thinking in concepts of things like: security, cloud, blockchains, messaging and whatever you have in mind.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Adam BrownSenior Systems Admin
Top Expert 2010

That's a really big topic that doesn't really fit the format of Expert's Exchange, but I'll try to answer a little bit, particularly regarding messaging.

Continuous access and delivery, in general, *requires* some level of replication to work right. Whether that replication is between servers in the same data center, servers in different data centers, or a combination of the two, you cannot feasibly provide continuous access without multiple servers with the same data configured in a way that allows one to take over if the other fails. That's the close technical aspect, replicated servers/storage with load balancing or some other method for automated failover.

Beyond that, there is very little in the way of best practices because it always varies based on business need.
btanExec Consultant
Distinguished Expert 2018

I am thinking towards building the Continuous Integration / Continuous Deployment (CI/CD) chain which as a common platform, that can be centrally managed and enforce on strict checks including dependencies. You decide the tool pipeline and having open source in a way helps, but build a variety to scope the test and code review into it. More commonly termed CI/CD driven with security objective under the context of DevSecOps. Ultimately, we are advocating "shift left" mindset to have security requirement and development done early and has fast turnaround to release checked and more secure services - in continuous fashion.

One notable thing to mention in this issue is the fact that this kind of vulnerability is listed in OWASP Top 10 2017. E.g. A9 - Using components with known vulnerabilities. These tools are continuously updated, based on security data obtained from CVE (Common Vulnerabilities and Exposures) data and developer reports, and can be used in CI/CD servers as well.

Some tools for info

Tools like Ansible, InSpec, or OpenSCAP can be leveraged to alert of any security problems that our servers may have integrated to CI/CD pipelines.

OWASP’s dependency checking tool, which is mainly thought for Java projects but has been expanded to other platforms, like .NET, with experimental support for Ruby, Node.js, Python, and C/C++.

Bundler Audit is made with the popular language Ruby in mind. Its vulnerability database is GitHub repository-based, and it is regularly updated. This allows Ruby developers to keep their gems up-to-date in security terms.

Pipenv is a packaging tool for Python that is gaining momentum every day and brings together many aspects of Python development: management of virtual environments (virtualenv), package definition (pip), and others. One of its included features is a package security audit, right out of the box.

Node Package Manager (since version 6) includes an audit feature that allows developers to check for vulnerabilities in their projects’ dependencies.

Worthy to note also on Semantic Versioning standard.

Many packaging systems are automatic when syncing versions and dependencies of your dependencies are upgraded easily. But this may cause functionality breakage. This is the main reason the community created the Semantic Versioning standard.

Usually, security vulnerability mitigation are put in the patch versions, but sometimes, you will need to upgrade to a minor or major version, and if that happens, you must do feature testing, because these kinds of upgrades could cause problems with functionality.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial