DevSecOps is the integration of security best practices into DevOps. The goal is to incorporate security testing earlier in the software life cycle, referred to as “shifting left”—moving software and systems testing left on a software project’s timeline. This is the first half of the maxim "test early and often" coined by Larry Smith in 2001. It has also been described as a cultural shift involving a holistic approach to producing secure software.
Before exploring cross-platform DevSecOps, we must first understand cross-platform development. Cross-platform development is the practice of writing code intended to perform on more than one operating system. An early and well-known example is the Sun Microsystems Java programming language, which enabled programmers to develop software for any device by first compiling human-readable source code into standard byte code that could be run on any hardware (device) that supported the Java Virtual Machine. This led to the slogan write once, run anywhere (or sometimes write once, run everywhere) back in 1995—and subsequently to the insider quip write once, debug everywhere.
Of course, cross-platform development comes with its fair share of challenges (subtle bugs stemming from varying hardware, security flaws, and code complexity among others), but it also offers considerable advantages, such as significantly lower development costs owing to reusable code, faster prototyping, easier maintenance, and general uniformity across devices, which benefit developers, organizations, and end users alike.
With the rapid growth of software (estimates project the industry to reach $650 billion in 2023), DevOps has become an integral methodology in the software development life cycle, as it enables faster development while facilitating easier maintenance and deployments. The term DevOps refers to the development (Dev) and operations (Ops) teams that work together to unify and automate processes.
DevOps is based on continuous integration (CI) of source code commits from developers, leading to continuous delivery and continuous deployment (CD)—assembling the software into a testing or production environment and releasing software updates to the end user. Developers are now required to build and deploy tools and services on a variety of platforms; the days of using a single environment and a single platform are long gone. And this means that DevOps teams work on integration, delivery, and deployment of codebases across multiple platforms and environments.
DevSecOps teams generally work with an assortment of hardware that is provisioned for them. Traditionally, they have had to create a separate set of build scripts for each platform used for continuous integration, delivery, and security testing. This approach is inefficient as the initial effort and cost of developing a set has to be essentially duplicated for each current or future platform that the DevSecOps teams use. Developing platform-specific build scripts and DevSecOps processes also has its own challenges, which include
The write once, run anywhere ethos can provide DevSecOps teams with the same benefits that programmers get when writing cross-platform code. Cross-platform software development entails the need to perform security testing on multiple platforms as an essential part of DevSecOps.
In a typical DevSecOps workflow, the script downloads the source code, runs the appropriate compilation operations to ensure that the code produces a valid build, and runs tests against the source code (unit, integration, functional, etc.). Then a series of security tests is performed, which can include static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), image and container security vulnerability scanning, manual secure source code reviews, and penetration testing. Assuming everything passes these tests, the last step is the deployment of the software either into a testing domain for quality assurance testing or user-acceptance verification, or into a central repository for future deployments.
This workflow will be the same regardless of the platform that it is run on, so a cross-platform security solution is truly the ideal approach here. It enables the DevSecOps team to focus on the content of the workflow and deliver value faster because they can focus on the development, security, and operations process(es), rather than spending time in (re)writing the same logic for different platforms.
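The "assuming everything passes" step above is a policy gate: scanner output goes in, a pass/fail decision comes out, and the same decision logic should run on every agent regardless of platform. The following Go program is an added example (not code from the original article or from Black Duck) of such a gate. The findings schema, the `sampleReport` JSON and the `CVE-PLACEHOLDER` rule id are constructed for this example; real SAST, SCA and image scanners each emit their own format, so a practitioner would adapt the `Finding` struct to the tool in use. The only real dependency is Go's standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is one result emitted by a security scanner (SAST, SCA, image scan).
// The schema is constructed for this example; real tools each have their own.
type Finding struct {
	Tool     string `json:"tool"`
	Severity string `json:"severity"` // critical, high, medium, low
	RuleID   string `json:"rule_id"`
	Location string `json:"location"`
}

// severityRank orders severities so a threshold can be compared numerically.
var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// GateResult summarizes a policy decision over one scanner report.
type GateResult struct {
	Pass     bool
	Blocking []Finding      // findings at or above the threshold
	Counts   map[string]int // findings per (lower-cased) severity
}

// EvaluateGate parses a JSON array of findings and fails the gate when any
// finding has severity >= threshold. Unknown severities are treated as
// blocking so a scanner adding a new level cannot silently pass the gate.
func EvaluateGate(report []byte, threshold string) (GateResult, error) {
	thr, ok := severityRank[strings.ToLower(threshold)]
	if !ok {
		return GateResult{}, fmt.Errorf("unknown threshold %q", threshold)
	}
	var findings []Finding
	if err := json.Unmarshal(report, &findings); err != nil {
		return GateResult{}, fmt.Errorf("parse report: %w", err)
	}
	res := GateResult{Pass: true, Counts: map[string]int{}}
	for _, f := range findings {
		sev := strings.ToLower(f.Severity)
		res.Counts[sev]++
		rank, known := severityRank[sev]
		if !known || rank >= thr {
			res.Blocking = append(res.Blocking, f)
			res.Pass = false
		}
	}
	return res, nil
}

// sampleReport is a constructed scanner report so the example runs offline.
// The rule ids and paths are placeholders, not findings from any real project.
const sampleReport = `[
  {"tool":"sast","severity":"high","rule_id":"SQLI-001","location":"db/query.go:42"},
  {"tool":"sca","severity":"medium","rule_id":"CVE-PLACEHOLDER","location":"go.sum"},
  {"tool":"image","severity":"low","rule_id":"OS-PKG-OUTDATED","location":"Dockerfile"}
]`

func main() {
	// Same gate on every platform: the policy travels with the pipeline, not the agent.
	res, err := EvaluateGate([]byte(sampleReport), "high")
	if err != nil {
		fmt.Fprintln(os.Stderr, "gate error:", err)
		os.Exit(2)
	}
	fmt.Printf("counts=%v pass=%v\n", res.Counts, res.Pass)
	for _, f := range res.Blocking {
		fmt.Printf("BLOCKING %s %s %s (%s)\n", f.Severity, f.Tool, f.RuleID, f.Location)
	}
	if !res.Pass {
		os.Exit(1) // a non-zero exit stops the CI/CD stage before deployment
	}
}
```

Because the decision is a small, pure function over the report, the same binary can be cross-compiled for Windows, Linux and macOS agents and the threshold can be set per pipeline rather than per platform. Treating unrecognised severities as blocking is deliberate: a gate that defaults to "pass" on unexpected input is the failure mode that lets a scanner upgrade quietly disable the control.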
There are several programming languages and frameworks for cross-platform development. While these are not typically a good fit for general DevSecOps work, there are some great scripting languages that don’t usually compile to an executable binary, but rather depend on interpreters. Scripting languages are preferred by DevOps and DevSecOps teams because of the speed with which they can create workflows and automations without having to rely on compilation, build frameworks, specific environments, and platform-specific requirements. There are several options available. These three are among the most widely used and loved.
Black Duck Bridge is a cross-platform module distributed as a binary executable, a key functionality within the Black Duck Polaris™ Platform. It has built-in knowledge of how to run all major Black Duck security testing solutions, plus common workflows for platforms like GitHub.
The most common way to set up Black Duck Bridge is to configure your DevOps CI/CD script to download the CLI utility that is automatically run at the right stage of your pipeline. The latest version of Black Duck Bridge will be downloaded by default as a ready-to-run binary/executable, and no separate installation is required. You can simply plug in the binary on any agent/node that it is required on, as the distribution makes the executable available for the three major platforms (Windows, Linux, and macOS). It can then be run the exact same way across all the applicable platforms.
Bridge acts as an intermediary that accepts information (repository details, source code management details, issue/bug tracker details, etc.) and then orchestrates all configured security activities. Under the hood, it is built with the Go programming language, an open source programming language originally developed by Google (with many contributions from the open source community over the years). Go comes ready with cross-compilation support, so native binaries can be built for your platform of choice.
Using this Go feature, the Bridge developers can maintain a single source codebase and ship native executables for all the major platforms. This flexibility allows DevOps and DevSecOps teams to use Bridge without having to worry about compatibility with any of the platforms that their CI/CD tools and services are running on. DevSecOps teams often need to run multiple application security testing tools, each of which is often optimized for a particular platform. With a cross-platform approach, DevSecOps teams can focus on security rather than spending time on platform integrations. Other benefits include maintainable and scalable heterogeneous build and security testing environments, and overall reduced development effort on the security and operations end. This also makes migrations across vendors and operating systems trivial, while allowing DevSecOps teams to keep their established processes and workflows consistent across multiple platforms.
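The two mechanics described above, a pipeline fetching the right per-platform binary at run time and a Go tool cross-compiled from one codebase, both turn on the same small piece of logic: pick the artifact for the current OS/architecture, then prove it is the artifact you expected before executing it. The program below is an added example (not code from the original article or from Black Duck) of that logic. The `<tool>-<os>-<arch>[.exe]` naming scheme and the in-memory `fetchAsset` stand-in are assumptions made for this example, not Bridge's actual distribution layout or download mechanism, and the checksum is computed from the fake bytes only so the example runs offline; a real pipeline pins the vendor's published digest in its configuration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"os"
	"runtime"
)

// AssetName maps a platform pair to the release artifact a pipeline should fetch.
// The naming scheme "<tool>-<os>-<arch>[.exe]" is an assumption for this example,
// not any vendor's real distribution layout.
func AssetName(tool, goos, goarch string) (string, error) {
	switch goos {
	case "linux", "darwin", "windows":
	default:
		return "", fmt.Errorf("unsupported platform %s/%s", goos, goarch)
	}
	switch goarch {
	case "amd64", "arm64":
	default:
		return "", fmt.Errorf("unsupported platform %s/%s", goos, goarch)
	}
	name := fmt.Sprintf("%s-%s-%s", tool, goos, goarch)
	if goos == "windows" {
		name += ".exe"
	}
	return name, nil
}

// VerifyDigest returns true only if the SHA-256 of the fetched bytes equals the
// expected hex digest published alongside the release. Malformed or wrong-length
// digests fail closed; the constant-time compare avoids a timing side channel.
func VerifyDigest(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return false
	}
	sum := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

// fetchAsset stands in for the HTTP download step. Constructed so the example
// runs offline; a real pipeline would GET the release URL over TLS.
func fetchAsset(name string) []byte {
	return []byte("constructed-binary-bytes-for-" + name)
}

func main() {
	// runtime.GOOS/GOARCH are baked in at cross-compile time, so one codebase
	// resolves the correct artifact on each agent without platform-specific scripts.
	name, err := AssetName("bridge", runtime.GOOS, runtime.GOARCH)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	data := fetchAsset(name)

	// Normally `pinned` is the digest from the vendor's checksum file, stored in
	// the pipeline config. Here it is derived from the fake bytes to stay offline.
	sum := sha256.Sum256(data)
	pinned := hex.EncodeToString(sum[:])

	if !VerifyDigest(data, pinned) {
		fmt.Fprintln(os.Stderr, "digest mismatch: refusing to execute", name)
		os.Exit(1)
	}
	fmt.Printf("%s verified (sha256 %s...); would now be written with mode 0755 and run\n",
		name, pinned[:12])

	// A tampered download must be rejected before it reaches the agent's disk.
	tampered := append([]byte{}, data...)
	tampered[0] ^= 0xff
	fmt.Printf("tampered copy verifies: %v\n", VerifyDigest(tampered, pinned))
}
```

To produce the artifacts this program fetches, the same source is built once per target with Go's standard cross-compilation environment variables, for example `GOOS=windows GOARCH=amd64 go build` and `GOOS=darwin GOARCH=arm64 go build`; no toolchain changes are needed between targets. The detection point a defender cares about is the digest check: a pipeline that downloads a CLI at every run but never compares it against a pinned digest will execute whatever the download endpoint serves.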