The five DevSecOps anti-patterns you must avoid

Opcito Technologies
3 min read · Nov 19, 2024


You might be wondering why we need to talk about anti-patterns when we could discuss the patterns. Think of it this way: if a team with no DevSecOps practices at all sits at “0,” an anti-pattern puts it at “-5.” It is below neutral, because the habit actively works against security while looking like progress. Anti-patterns are like taking a wrong turn on a hiking trail. You may eventually find your way back, but you will spend more time and energy than if you had avoided the detour in the first place. We first have to stop the bad habits before we can add real value.

This blog is all about what NOT to do in DevSecOps. Once that’s established, we can push forward into good practices (but that’s for another blog). Let’s start by addressing some of the most prevalent anti-patterns and discuss how to overcome them. Remember, preventing bad habits is just as important as adopting good ones.

Anti-pattern — 5: PUSH RIGHT! Passing the PaaS

This is what happens when teams start playing hot potato with responsibility.

  • Dev: “Security? Nah, that’s infra’s problem.”
  • Infra: “Well, I don’t handle all the code. QA should catch this!”
  • QA: “Hey, the functionality works, what else do you want from me?”

Does this sound familiar to you? Everyone is pushing the security issue onto someone else’s plate, and the problem snowballs as it moves down the line: the later it is picked up, the more code, infrastructure and releases it touches. What should happen instead?

  • QA must say: “Hey, functionality is solid, but our pen tests showed vulnerabilities!”
  • Infra must say: “Let me tighten those security gaps, and here’s a tool to monitor the rest.”
  • Dev must say: “Sure, with this secure infrastructure, I can write code that’s as safe as it is functional!”

That’s called shifting left. Let’s stop pushing responsibility down the line and start taking ownership earlier in the process. Security should be baked in from the start, not slapped on like an afterthought.

Anti-pattern — 4: The blame game

Uh-oh, a vulnerability gets exploited. What happens?

  • Dev: “Hey, I can’t fix insecure infrastructure!”
  • Infra: “You want full security? That’s going to cost us big time.”
  • QA: “Was that even in the sprint? Not my problem.”

This finger-pointing game is a disaster. When security issues arise, the right move is collaboration instead of playing defense. What should we see?

  • Dev saying: “Let’s identify where code could be tightened up.”
  • Infra saying: “I’ll figure out how to better secure our resources without skyrocketing costs.”
  • QA saying: “Let’s ensure security tests are baked into every sprint. We’ll catch vulnerabilities next time before they even hit production.”

Anti-pattern — 3: Security theatre

This is where teams think they’re being secure, but it’s all just for show. You’ve seen it:

  • Running security scans but not reading the reports.
  • Holding security meetings that could have been emails (or just ignored).
  • Using tools that generate tons of data (read more..)
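The cure for the first bullet, and the way to keep QA’s promise from the previous section that security tests run in every sprint, is to make the pipeline read the report instead of a human who never gets round to it. The script below is an added example, not code from the original post or from Opcito. It assumes a scanner that writes a JSON report containing a `findings` list whose entries carry `id`, `severity` and `package` fields (a constructed, tool-neutral shape; real scanner formats differ), fails the build on any finding at or above a severity threshold, and honours an exception only if it has an owner, a reason and an expiry date that has not passed. Unknown severity strings are treated as critical, so a scanner upgrade that renames a level cannot silently switch the gate off.

```python
"""Turn a security scan from theatre into a pipeline gate (added example)."""
import json
import sys
from datetime import date

# Ranking used to compare a finding against the gate threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in the assumed shape a scanner might write to scan.json.
# The ids are placeholders, not real vulnerability identifiers.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "FINDING-1", "severity": "CRITICAL", "package": "libexample"},
        {"id": "FINDING-2", "severity": "HIGH", "package": "webframework"},
        {"id": "FINDING-3", "severity": "LOW", "package": "util"},
    ]
})

# Constructed exception list. Every entry needs an owner, a reason and an expiry;
# an open-ended suppression is just the blame game moved into a config file.
SAMPLE_ALLOWLIST = [
    {"id": "FINDING-2", "owner": "platform-team",
     "reason": "no upstream fix yet; request pattern blocked at the edge",
     "expires": "2024-12-31"},
]


def load_findings(report_text):
    """Parse the assumed report shape into normalised findings.

    A severity the gate does not recognise is escalated to CRITICAL rather than
    ignored, so a change in scanner output fails loudly instead of passing quietly.
    """
    findings = []
    for f in json.loads(report_text)["findings"]:
        sev = str(f.get("severity", "")).upper()
        findings.append({
            "id": f["id"],
            "package": f.get("package", "?"),
            "severity": sev if sev in SEVERITY_RANK else "CRITICAL",
        })
    return findings


def split_exceptions(allowlist, today):
    """Return (active_ids, expired_ids) for the exception list.

    An entry without an expiry date is treated as expired: exceptions are
    time-boxed or they are not exceptions.
    """
    active, expired = set(), set()
    for entry in allowlist:
        exp = entry.get("expires")
        if exp and entry.get("owner") and entry.get("reason") \
                and date.fromisoformat(exp) >= today:
            active.add(entry["id"])
        else:
            expired.add(entry["id"])
    return active, expired


def gate(report_text, allowlist, threshold="HIGH", today=None):
    """Decide whether the build may proceed.

    `today` may be a date, an ISO date string, or None for the current date.
    Returns a dict with the verdict and the ids behind it so the pipeline log
    shows *why* it failed, not just that it did.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    active, expired = split_exceptions(allowlist, today)
    blocking, suppressed = [], []
    for f in load_findings(report_text):
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue  # below the gate; still reported by the scanner, just not blocking
        if f["id"] in active:
            suppressed.append(f["id"])
        else:
            blocking.append(f["id"])
    return {
        "passed": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "expired_exceptions": sorted(expired),
    }


if __name__ == "__main__":
    # In CI this would read the scanner's output file; here it uses the sample.
    result = gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, today="2024-11-19")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run with the sample data, the gate fails on FINDING-1, suppresses FINDING-2 under its documented exception, and ignores the LOW finding; run the same check after 2024-12-31 and FINDING-2 blocks again because its exception has lapsed. That expiry is the point: a scan that can only ever be silenced permanently is theatre with extra steps.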



Written by Opcito Technologies

Product engineering experts specializing in DevOps, Containers, Cloud, Automation, Blockchain, Test Engineering, & Open Source Tech
