
Tattle - submitted by Style Pass, 2024-04-04 06:00:05

We have recently made numerous improvements to Feluda, following a security-first approach to allow long-term maintenance and active contributions. These approaches are not specific to Feluda, but can be applied to any software project. These articles are written for a technical audience, and we hope they help other projects learn how to implement these practices for a safer digital experience.

When building software, every developer should take ownership of ensuring that the code they write is secure before it is accepted into the codebase. Though the idea is daunting, the learning curve has been substantially reduced by current security tooling, which also serves as a teaching aid. This approach ensures that the responsibility for security does not fall solely on a separate cybersecurity team that fixes bugs after the code is already in the repository. Bug fixes therefore occur earlier in the development pipeline, or further to the left when the development cycle is visualized as running from left to right, which is why this approach to secure development is also known as a shift-left approach. The process is part of what a "DevSecOps" team aims to accomplish. As the name suggests, this brings together development, security and operations, teams whose objectives are generally misaligned: developers want faster development, operations folks want stability, and cybersecurity people want secure code. DevSecOps is guided by the CALMS framework - Culture, Automation, Lean, Measurement, and Sharing. The approach advocates a culture shift towards collaboration, automating components for reproducible and stable systems, implementing the process in a lean manner for agility, measuring the improvements from the processes implemented, and sharing knowledge to break down siloed teams for increased trust, agility and reliability.

We will now discuss how we implemented automation within Feluda's development cycle for increased security, reduced technical debt, and improved code robustness and stability.
