Salesforce DevSecOps: Integrating security into your DevOps workflow


Holly Bracewell on


More and more Salesforce teams are adopting DevOps and reaping the rewards. But what about DevSecOps — a term that’s been doing the rounds for a little while?

In this article we’ll look at how DevOps and DevSecOps differ, challenges and best practices for DevSecOps implementation, and the functionality you need in your tech stack to succeed. We’ll also see how Gearset streamlines everything you need into a single platform.

What is DevSecOps?

DevSecOps practices are about breaking down silos between development, security and operations — with security consciously placed at the center. As teams who have already implemented DevOps will know, security should be a key consideration for any DevOps team. So DevSecOps is simply DevOps done well — where security is integrated into every stage of the DevOps lifecycle, not left as an afterthought.

Salesforce DevSecOps

If you’re applying DevOps principles to your workflow, you’ll already be aware that security is a whole-team responsibility. Salesforce’s shared responsibility model means that while Salesforce maintains the platform infrastructure, it’s your responsibility to keep your org’s data and metadata secure day to day.

Along with benefiting the business-as-usual operation of your organization, adopting DevSecOps can also play a pivotal role in preparing for an IPO or demonstrating compliance with frameworks such as SOX, where you need an auditable record of who changed what in production and when.

Implementing DevSecOps for Salesforce: Challenges and best practices

If you’re thinking about implementing DevSecOps or enhancing the security focus of your development process, there are various factors that can influence your success. Let’s take a look at some of the common hurdles Salesforce teams face when implementing DevSecOps and best practice tips to help you overcome them.

Building a security-focused culture

  • Challenge: To truly embrace a DevSecOps approach, security needs to be embedded throughout both your workflow and team. Even one person straying from the agreed security measures can bring the process crashing down.
  • Fix: Employee enablement and training are key to getting everyone bought into the value of embracing DevSecOps, while ensuring they know what’s expected of them and the processes they need to follow.

Managing a DevSecOps tech stack

  • Challenge: While it’s easier and more consistent to adopt the security tech stack used by the wider business, it can sometimes make workflow management harder because security processes are split across platforms.
  • Fix: Find a Salesforce DevOps platform that integrates with your existing tooling, so you can control and have oversight of your security processes all from a single platform. This saves the headache of logging in and out of different apps and streamlines maintenance.

Integrating security in the development pipeline

  • Challenge: It can be tempting to leave testing and quality control until closer to release. But the later testing happens, the more time is being wasted on development that is later found to be faulty.
  • Fix: Shifting left involves testing as early as possible in your DevOps workflow. By scanning code and configuration for bugs or vulnerabilities while it’s still being developed, you’re shortening the feedback loop and avoiding wasted time.

Maintaining delivery speed

  • Challenge: Teams can often over-complicate security and get weighed down with cumbersome manual testing and security checks. This can slow down delivery timelines and seriously impact the wider business.
  • Fix: Backups and automated testing are essential to balancing speed and security. With both in place, you can confidently deliver quickly, knowing your changes have been tested before release and can be reverted if issues arise.

Enabling adoption across mixed teams

  • Challenge: Typical DevOps processes can be code-heavy and require extensive technical experience. This can cause teams to split their DevOps process according to role, with devs and admins using different tools and processes. This slows teams down, undermines collaboration, and leaves gaps in your DevSecOps processes that can introduce vulnerabilities.
  • Fix: Identify and implement declarative DevOps tooling that can be used by everyone across your Salesforce team, regardless of their technical experience.

Key DevSecOps tools to include in your workflow

Now you know some common issues and how to make sure you’re avoiding them, let’s look at the key tools you’ll need in your DevSecOps tech stack.

  • Version control: Adopting version control is an essential part of any DevOps process, and it also brings significant security benefits. Instead of production being a single point of failure, your main branch becomes the single source of truth for your team. With teammates reviewing each other’s pull requests, errors and vulnerabilities are more likely to be caught during development.
  • CI/CD: By continuously integrating development work into the main branch and automatically deploying to environments such as staging, QA, or UAT, your team can be sure their work is deployable and get to work on testing.
  • Test automation: Automated testing comes in different forms, but the goal for each is the same — automatically catch issues as early as possible and reduce the chance of bugs slipping through due to human error.
  • Data masking: The more realistic the test data is in your sandbox, the more reliable your testing will be. But deploying data from production to a sandbox environment isn’t great for security — data masking enables you to insert obfuscated data that matches the format in your production org while also maintaining complex data relationships.
  • Data backup: Having backups as part of your DevOps process is the best way to secure your org’s data and metadata. If mistakes are made during development, or if data is lost in any other way, a backup and an incident response plan provide a fallback so you can restore your org.
  • Change monitoring: It’s great that the Salesforce platform is so easily configurable, but this does mean someone can change or add customizations directly in your company’s production environment without you noticing. Many Salesforce teams are in the dark about these changes, which can introduce vulnerabilities. Having a tool not only for incident monitoring but also sense checking day-to-day changes helps minimize the vulnerabilities introduced in your Salesforce environments.
  • Archiving: Competing business needs can leave companies choosing between the data retention requirements of their compliance frameworks and streamlining their bloated Salesforce orgs. Archiving unused data means you’re minimizing storage costs and improving the performance of your orgs, all while ensuring compliance with retention windows and avoiding accidental exposure of customer data to people who shouldn’t have access to it.

DevSecOps made easy with Gearset

Here at Gearset, security underpins everything we do — just take a look at our trust page — and we’re helping our users put security at the heart of their DevOps lifecycle too. Using Gearset, teams are keeping their orgs secure with an all-in-one DevOps solution for Salesforce. Here are some of the DevSecOps best practices Gearset can help you achieve.

Get your whole team using version control

Gearset makes committing to branches and opening PRs entirely declarative, so you can enable all team members to adopt version control and embrace DevSecOps best practices regardless of their experience. In fact, it’s the same workflow as an org-to-org deployment in Gearset, so there’s nothing new to learn.

Gearset screenshot: configuring a comparison to create a new feature branch within the UI

Rapidly progress changes with easy CI/CD

Standard CI/CD tools can come with a lengthy and technical initial setup and costly ongoing maintenance requirements. Gearset Pipelines was built specifically for the unique setup of the Salesforce platform, while also making sure setup is quick and declarative with pain-free maintenance. You get one-click back-propagation of changes, automatic testing, and branch isolation for long-term projects.

Gearset screenshot: a CI/CD pipeline

Shift left with accelerated code reviews

Automated code reviews scan for and flag bugs or vulnerabilities during development, not at release. With gating for non-compliant code, you can ensure only secure, good-quality code is shipped, so you can spend your time building what your end users need rather than troubleshooting faulty releases.
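To make the "scan during development, gate at merge" idea concrete, here is an added example of the kind of shift-left check a pipeline can run over Apex source. It is not Gearset's scanner; the two rules (dynamic SOQL built by string concatenation, and classes declared `without sharing`) and the sample classes are constructed for this illustration.

```python
import re

# Added illustration of shift-left checks over Apex source; not Gearset's scanner.
# Rule names and the sample classes below are constructed for this example.

# A Database.query(...) call; its argument is examined for string building.
DYNAMIC_SOQL = re.compile(r"Database\.query\s*\((?P<arg>.*?)\)\s*;", re.DOTALL)
# A string literal concatenated with an identifier, unless the identifier is
# String.escapeSingleQuotes(...). Bind variables (:name) never match this.
UNESCAPED_CONCAT = re.compile(r"'[^']*'\s*\+\s*(?!String\.escapeSingleQuotes\b)\w")
# Classes that opt out of record-level security.
WITHOUT_SHARING = re.compile(r"\bwithout\s+sharing\s+class\s+(\w+)")

def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1

def scan_apex(source: str) -> list[tuple[int, str, str]]:
    """Return (line, rule, detail) findings for one Apex source file.

    Limitation: only the literal argument of Database.query is inspected, so a
    query assembled into a variable elsewhere is not followed (no taint tracking).
    """
    findings = []
    for m in DYNAMIC_SOQL.finditer(source):
        arg = m.group("arg")
        if UNESCAPED_CONCAT.search(arg):
            findings.append((_line_of(source, m.start()), "SOQL_INJECTION", arg.strip()))
    for m in WITHOUT_SHARING.finditer(source):
        findings.append((_line_of(source, m.start()), "WITHOUT_SHARING", m.group(1)))
    return sorted(findings)

def passes_gate(source: str) -> bool:
    """Merge gate: True only when the scan raises no finding."""
    return not scan_apex(source)

# Constructed sample: user input concatenated straight into a query, in a class
# that also bypasses sharing rules.
UNSAFE_APEX = """\
public without sharing class AccountSearch {
    public static List<Account> find(String name) {
        // Unsafe: user input concatenated straight into the query
        return Database.query('SELECT Id FROM Account WHERE Name = \\'' + name + '\\'');
    }
}
"""

# Constructed sample: bind variable in one method, escaped input in the other.
SAFE_APEX = """\
public with sharing class SafeAccountSearch {
    public static List<Account> find(String name) {
        return Database.query('SELECT Id FROM Account WHERE Name = :name');
    }
    public static List<Account> findLike(String name) {
        return Database.query('SELECT Id FROM Account WHERE Name LIKE \\'%' + String.escapeSingleQuotes(name) + '%\\'');
    }
}
"""

if __name__ == "__main__":
    for label, src in (("unsafe", UNSAFE_APEX), ("safe", SAFE_APEX)):
        print(f"{label}: gate {'passed' if passes_gate(src) else 'FAILED'}")
        for line, rule, detail in scan_apex(src):
            print(f"  line {line}: {rule}: {detail}")
```

A real scanner (PMD's Apex rules, for instance) does proper parsing and taint tracking; the point here is that the check runs on every commit and the gate answers a yes/no question the pipeline can act on.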

Catch dropping code coverage early

Automated daily unit testing lets you track the code coverage in your org and ensure it never drops below the 75% that Salesforce requires for deployments to production. You’ll be notified if coverage falls below your specified threshold, with an overview of which tests are failing and a stack trace for each, so issues are easy to pinpoint.
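The way the 75% figure is computed trips teams up: Salesforce measures org-wide coverage over all Apex lines, not as an average of per-class percentages, and a deployment also fails if any trigger has no coverage at all. The following is an added example of a coverage gate that applies those rules plus an optional per-class floor of your own; it is not Gearset's check, and the record shape (class or trigger name, covered lines, uncovered lines, mirroring the Tooling API's ApexCodeCoverageAggregate fields) and the numbers are constructed.

```python
from dataclasses import dataclass

# Added illustration of a coverage gate; not Gearset's own check. The record
# shape mirrors Salesforce Tooling API ApexCodeCoverageAggregate fields
# (ApexClassOrTrigger, NumLinesCovered, NumLinesUncovered); numbers are constructed.

@dataclass(frozen=True)
class CoverageRecord:
    name: str
    covered: int
    uncovered: int
    is_trigger: bool = False

    @property
    def percent(self) -> float:
        total = self.covered + self.uncovered
        return 100.0 * self.covered / total if total else 100.0

SAMPLE = [
    CoverageRecord("OrderService", covered=900, uncovered=100),
    CoverageRecord("InvoiceBatch", covered=50, uncovered=150),
    CoverageRecord("AccountTrigger", covered=0, uncovered=20, is_trigger=True),
]

def org_wide_coverage(records) -> float:
    """Org-wide coverage is covered lines over all lines, which is not the
    mean of the per-class percentages (here 77.9% versus a 38.3% mean)."""
    covered = sum(r.covered for r in records)
    total = sum(r.covered + r.uncovered for r in records)
    return 100.0 * covered / total if total else 0.0

def coverage_gate(records, org_threshold=75.0, class_floor=None):
    """Return (ok, reasons).

    Fails when org-wide coverage is under org_threshold (75% is the minimum
    Salesforce enforces for production deployments), when any trigger has zero
    covered lines (also a Salesforce deployment requirement), or when a class
    falls under the optional per-class floor your team sets.
    """
    reasons = []
    org = org_wide_coverage(records)
    if org < org_threshold:
        reasons.append(f"org-wide coverage {org:.1f}% is below {org_threshold:.0f}%")
    for r in records:
        if r.is_trigger and r.covered == 0:
            reasons.append(f"trigger {r.name} has no test coverage")
        elif class_floor is not None and r.percent < class_floor:
            reasons.append(f"{r.name} at {r.percent:.1f}% is below the per-class floor of {class_floor:.0f}%")
    return (not reasons, reasons)

if __name__ == "__main__":
    ok, reasons = coverage_gate(SAMPLE, class_floor=50)
    print(f"org-wide {org_wide_coverage(SAMPLE):.1f}% | gate {'passed' if ok else 'failed'}")
    for reason in reasons:
        print(" -", reason)
```

With the sample numbers the org-wide figure clears 75%, so a check that only looks at the headline percentage would pass, yet the deployment would still be rejected because of the uncovered trigger; that is why the gate reports reasons rather than a single number.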

Gearset screenshot: overview of tests run and their outcome

Ensure realistic test data without compromising security

Gearset’s data masking lets you use complex and realistic production data safely. During data deployments in Gearset, you can choose to substitute your sensitive records for fictitious records with the same format. This keeps the complexity of the data for testing, but prevents sensitive information getting out of production and into developer orgs.

Already have sensitive data in your testing environment and want to anonymize it? Masking in-place with Gearset means you can obfuscate sensitive data that’s already in your org too.
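The two properties the data masking bullet above and this section describe, realistic formats and intact relationships, come from masking deterministically. As an added example (not Gearset's masking engine), the following keys every substitution off an HMAC of the original value, so the same email on a Contact and a Lead masks to the same fake address, a phone number keeps its spacing and punctuation, and Id and lookup fields are left alone so Contact.AccountId still resolves. The records, field names and key are constructed for the illustration.

```python
import copy
import hashlib
import hmac

# Added illustration of deterministic, format-preserving masking for exported
# Salesforce-style records; not Gearset's masking engine. Records, field names
# and the key below are constructed for this example.

MASK_KEY = b"rotate-me-per-environment"  # assumption: one secret per masking run

def _digest(key: bytes, domain: str, value: str) -> bytes:
    # The domain tag keeps the Email and Company masks of one input independent.
    return hmac.new(key, f"{domain}\x00{value}".encode(), hashlib.sha256).digest()

def mask_email(key: bytes, value: str) -> str:
    return f"user{_digest(key, 'email', value).hex()[:12]}@example.invalid"

def mask_company(key: bytes, value: str) -> str:
    return f"Company {_digest(key, 'company', value).hex()[:8].upper()}"

def mask_phone(key: bytes, value: str) -> str:
    # Keep spacing and punctuation; replace each digit from the keyed digest.
    digits = iter(str(b % 10) for b in _digest(key, "phone", value))
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)

def layout(value: str) -> str:
    """Shape of a value with every digit replaced by '#', used to check format."""
    return "".join("#" if ch.isdigit() else ch for ch in value)

# object -> field -> masker. Id and lookup fields (AccountId) are deliberately
# untouched so relationships between objects survive the masking pass.
POLICY = {
    "Account": {"Name": mask_company, "Phone": mask_phone},
    "Contact": {"Email": mask_email, "Phone": mask_phone},
    "Lead": {"Email": mask_email, "Company": mask_company},
}

def mask_records(key: bytes, policy: dict, records: dict) -> dict:
    """Return a masked deep copy; the production export is never mutated."""
    masked = copy.deepcopy(records)
    for obj, rows in masked.items():
        for row in rows:
            for field, masker in policy.get(obj, {}).items():
                if row.get(field) is not None:
                    row[field] = masker(key, row[field])
    return masked

def relationships_intact(records: dict) -> bool:
    """Every Contact.AccountId must still resolve to an Account.Id."""
    account_ids = {a["Id"] for a in records["Account"]}
    return all(c["AccountId"] in account_ids for c in records["Contact"])

# Constructed export: one account, two contacts, and a lead for the same person.
SAMPLE = {
    "Account": [{"Id": "001000000000001AAA", "Name": "Acme Corp", "Phone": "+44 20 7946 0000"}],
    "Contact": [
        {"Id": "003000000000001AAA", "AccountId": "001000000000001AAA",
         "Email": "jane@acme.example", "Phone": "+44 20 7946 0001"},
        {"Id": "003000000000002AAA", "AccountId": "001000000000001AAA",
         "Email": "bob@acme.example", "Phone": "(020) 7946-0002"},
    ],
    "Lead": [{"Id": "00Q000000000001AAA", "Email": "jane@acme.example", "Company": "Acme Corp"}],
}

if __name__ == "__main__":
    for obj, rows in mask_records(MASK_KEY, POLICY, SAMPLE).items():
        for row in rows:
            print(obj, row)
```

Because the key is the only thing standing between the masked value and the original, treat it like any other secret: keep it out of the sandbox it protects and rotate it per environment, otherwise someone with sandbox access and the key can brute-force low-entropy fields such as phone numbers.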

Gearset screenshot: data masking configuration for standard field

Protect your orgs from data and metadata loss

Gearset’s Salesforce backup solution automatically runs daily backups of both data and metadata, with customisable notifications for unexpected changes to your org’s data and metadata. Backup data is stored securely, with enterprise-grade encryption in transit and at rest. With a variety of restoration flows, you can confidently restore your data whatever type of data loss incident you experience.

High-frequency backups can also be set up for your most critical objects with high data turnover, so you’re backing up your key objects multiple times a day.

Gearset screenshot: data backup history dashboard showing changes in org data

Gearset’s change monitoring notifies you of changes made to your org’s metadata, so you can be sure nothing happens without you knowing about it and can quickly roll back if needed. You can also explore your org’s permissions from the monitoring history page in Gearset. This makes it much easier to keep track of who has access to what data, based on the Profiles and Permission Sets your company uses.
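Permission drift is the change most worth catching in production, because a single toggled user permission can hand an entire profile "Modify All Data". As an added example (not Gearset's monitoring feature), the snippet below diffs two snapshots of a profile's permissions and rates each change, so that widening high-risk access is alerted on while tightening is only logged. The field names follow Salesforce Profile and PermissionSet metadata (userPermissions, objectPermissions with allowRead, allowEdit, allowDelete, viewAllRecords and modifyAllRecords); the snapshots themselves are constructed.

```python
from dataclasses import dataclass

# Added illustration of change monitoring over permission metadata; not Gearset's
# monitoring feature. Snapshots are constructed; field names follow Salesforce
# Profile/PermissionSet metadata.

HIGH_RISK_USER_PERMS = {"ModifyAllData", "ViewAllData", "AuthorApex", "ManageUsers", "CustomizeApplication"}
HIGH_RISK_OBJECT_FLAGS = {"allowDelete", "viewAllRecords", "modifyAllRecords"}

@dataclass(frozen=True)
class Change:
    scope: str      # "userPermission" or "objectPermission"
    name: str       # e.g. "ModifyAllData" or "Account.allowDelete"
    detail: str
    severity: str   # "high" when access is widened on a high-risk permission, else "info"

def diff_permissions(before: dict, after: dict) -> list[Change]:
    """Compare two snapshots of one profile; widening is rated, tightening is logged."""
    changes = []
    b_user, a_user = before.get("userPermissions", {}), after.get("userPermissions", {})
    for perm in sorted(set(b_user) | set(a_user)):
        was, now = bool(b_user.get(perm)), bool(a_user.get(perm))
        if was != now:
            sev = "high" if now and perm in HIGH_RISK_USER_PERMS else "info"
            changes.append(Change("userPermission", perm, f"{was} -> {now}", sev))
    b_obj, a_obj = before.get("objectPermissions", {}), after.get("objectPermissions", {})
    for obj in sorted(set(b_obj) | set(a_obj)):
        if obj not in a_obj:
            changes.append(Change("objectPermission", obj, "object access removed", "info"))
            continue
        if obj not in b_obj:
            granted = {flag for flag, on in a_obj[obj].items() if on}
            sev = "high" if granted & HIGH_RISK_OBJECT_FLAGS else "info"
            changes.append(Change("objectPermission", obj, f"object access added: {sorted(granted)}", sev))
            continue
        for flag in sorted(set(b_obj[obj]) | set(a_obj[obj])):
            was, now = bool(b_obj[obj].get(flag)), bool(a_obj[obj].get(flag))
            if was != now:
                sev = "high" if now and flag in HIGH_RISK_OBJECT_FLAGS else "info"
                changes.append(Change("objectPermission", f"{obj}.{flag}", f"{was} -> {now}", sev))
    return changes

def high_risk(changes: list[Change]) -> list[Change]:
    return [c for c in changes if c.severity == "high"]

# Constructed snapshots of a "Sales_User" profile taken on two consecutive days.
BEFORE = {
    "userPermissions": {"ApiEnabled": True, "ModifyAllData": False, "ViewAllData": False},
    "objectPermissions": {
        "Account": {"allowRead": True, "allowEdit": True, "allowDelete": False, "modifyAllRecords": False},
        "Lead": {"allowRead": True},
    },
}
AFTER = {
    "userPermissions": {"ApiEnabled": True, "ModifyAllData": True, "ViewAllData": False},
    "objectPermissions": {
        "Account": {"allowRead": True, "allowEdit": True, "allowDelete": True, "modifyAllRecords": False},
        "Contact": {"allowRead": True},
    },
}

if __name__ == "__main__":
    for c in diff_permissions(BEFORE, AFTER):
        print(f"[{c.severity}] {c.scope} {c.name}: {c.detail}")
```

Run against snapshots the monitoring job already takes, a diff like this turns "something changed in production" into "ModifyAllData was switched on for Sales_User at 02:14", which is the alert an incident responder actually needs.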

Gearset screenshot: metadata monitoring job history highlighting permissions viewing options

Revitalise org performance and free up space

Customize your archiving rules and retention policies to remove irrelevant data from your orgs while still keeping it securely archived for future reference or compliance purposes. Quickly restore the data in bulk or individually with just a few clicks.

Gearset screenshot: custom archiving rule configuration

Streamline permission management

Role-based access control (RBAC) is a key way to enforce the principle of least privilege and avoid security issues, by limiting each user’s access to only what they need to do their job.

Create and assign roles within the Gearset app, to easily apply the principle of least privilege and define access levels to different areas of app functionality as well as specific orgs, pipelines, and CI jobs. Automatically generate permissions reports for a quick security audit of your permissions structure.

Gearset screenshot: custom role assignments

Embrace DevSecOps in your workflow

Gearset offers the most complete DevOps lifecycle specifically for Salesforce teams, helping you adopt DevOps in a security-focused way. To begin implementing a more secure release process today, book a consultation with one of our experts to see how Gearset can help secure your orgs.

If you want to understand more about DevSecOps, including the tools, people, and processes you need, download our ebook Deciphering DevSecOps for Salesforce Teams or catch up on our DevSecOps webinar.
