Bringing DevSecOps Best Practices to Liberty-based Cloud Native Development using GitLab for IBM
Author: Randy Langehennig
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. The IBM WebSphere Liberty runtime is very well suited to these environments and performs extremely well against alternative solutions.
Cloud native applications are a fundamentally new and exciting approach to designing and building software. However, this approach also raises a completely new set of security challenges. For example, when you move to a microservice model, end-to-end visibility, monitoring, and detection of security issues become more complex and difficult to execute.
In this blog post, we will learn why DevSecOps is essential for every development project. We will observe how to incorporate best practices to secure your applications early and throughout your development process. Using GitLab for IBM, you can leverage the out-of-the-box capabilities to ensure your Liberty cloud-native application is secure with each code commit in an environment that encourages collaboration, ease of use, and efficiency.
If your team isn’t implementing security from the start of a project, it is time to get on board with DevSecOps. Let’s take a look at how to get started.
A Day in the Life of a Cloud-Native Liberty Developer
In this blog, I am going to provide an example of a day in the life of a Liberty cloud native developer. Our team chose Liberty for our development as it is very developer friendly and cloud ready as shown below:
Our team is working to modernize the way we develop our Liberty containers to adopt more agile methodologies and to bring best practices to this new world of “cloud native” development. The following diagram helps to illustrate the environment being used:
As you can see above, we are using GitLab to drive our development: Git for source code management, the built-in GitLab Container Registry, and the CI/CD pipeline capability. Our pipeline includes best practices to scan for security issues at the time of code commit. This is often referred to as “shift-left testing” and includes container scanning, SAST, DAST, license compliance, secret detection, and much more. We are also leveraging some great IBM DevOps tooling to help us deliver quality software at a much quicker pace than we have in the past.
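To make the shift-left pipeline concrete, here is an added example of a minimal `.gitlab-ci.yml` that builds a Liberty application image, pushes it to the project's GitLab Container Registry, and wires in the scanners named above through GitLab's vendored security templates. It is not the post's own pipeline; the Maven build, the Dockerfile, the build images, and the `DAST_WEBSITE` review URL are assumptions for illustration.

```yaml
# Added example: GitLab pipeline for a Liberty container app with
# shift-left scanning. Build image, Dockerfile and URLs are assumed.
stages:
  - build
  - package   # image must exist in the registry before it is scanned
  - test      # SAST, secret detection, license and container scanning
  - dast      # dynamic scan against a deployed review instance

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Image tag pushed to the project's GitLab Container Registry
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  # Container scanning picks the image to scan up from CS_IMAGE
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  # DAST target: assumed review environment URL, not a real host
  DAST_WEBSITE: https://review.example.internal/myapp

build:
  stage: build
  image: maven:3-eclipse-temurin-17   # assumed build image
  script:
    - mvn -B package
  artifacts:
    paths:
      - target/*.war                   # consumed by the Dockerfile below

package:
  stage: package
  image: docker:24
  services:
    - docker:24-dind
  script:
    # use the job token via stdin so the credential never appears in logs
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # assumed Dockerfile: FROM a WebSphere Liberty base image, copies the WAR
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
```

Each template contributes its own job and report artifact, so findings surface in the merge request widget on every commit; override a template's variables (for example to fail the pipeline on high-severity results) rather than editing the template jobs directly.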
Exploring our GitLab Project
In GitLab, you will create a new project that will hold your source code in Git. Here is a screenshot of the project we are using for this example: