Skip to main content
The five DevSecOps anti-patterns you must avoid
03 Oct 2024

You might be wondering why we need to talk about anti-patterns when we could discuss the patterns. Think of it this way: Anti-patterns are like the "-5" of the process. If non-DevSecOps practices are a "0," we're not even at neutral yet. Anti-patterns are like taking a wrong turn on a hiking trail. While you may eventually find your way back, you'll waste more time and energy than if you had avoided that detour. We first must stop the bad habits (anti-patterns) before adding real value.

This blog is all about what NOT to do in DevSecOps. Once that's established, we can push forward into good practices (but that's for another blog). Let's start by addressing some of the most prevalent anti-patterns and discuss how to overcome them. Remember, preventing bad habits is just as important as adopting good ones.

Anti-pattern - 5: PUSH RIGHT! Passing the PaaS

This is what happens when teams start playing hot potato with responsibility.

  • Dev: "Security? Nah, that's infra's problem."
  • Infra: "Well, I don't handle all the code. QA should catch this!"
  • QA: "Hey, the functionality works, what else do you want from me?"

Does this sound familiar to you? Everyone is pushing the security issue onto someone else's plate, causing a snowballing effect on the problem. What should happen instead?

  • QA must say: "Hey, functionality is solid, but our pen tests showed vulnerabilities!"
  • Infra must say: "Let me tighten those security gaps, and here's a tool to monitor the rest."
  • Dev must say: "Sure, with this secure infrastructure, I can write code that's as safe as it is functional!"

That's called shifting left. Let's stop pushing responsibility down the line and start taking ownership earlier in the process. Security should be baked in from the start, not slapped on like an afterthought.

Anti-pattern - 4: The blame game

Uh-oh, a vulnerability gets exploited. What happens?

  • Dev: "Hey, I can't fix insecure infrastructure!"
  • Infra: "You want full security? That's going to cost us big time."
  • QA: "Was that even in the sprint? Not my problem."

This finger-pointing game is a disaster. When security issues arise, the right move is collaboration instead of playing defense. What should we see?

  • Dev saying: "Let's identify where code could be tightened up."
  • Infra saying: "I'll figure out how to better secure our resources without skyrocketing costs."
  • QA saying: "Let's ensure security tests are baked into every sprint. We'll catch vulnerabilities next time before they even hit production."

Anti-pattern - 3: Security theatre

This is where teams think they're being secure, but it's all just for show. You've seen it:

  • Running security scans but not reading the reports.
  • Holding security meetings that could have been emails (or just ignored).
  • Using tools that generate tons of data but do nothing with it.

It's all smoke and mirrors. The illusion of security, but nothing real behind the curtain. The fix? Get rid of the theatre and start doing security for real:

  • Be sure to read these scan reports.
  • Ensure security findings are tracked and resolved, not just filed away.
  • Use automation, but don't rely on it 100%. Human oversight is essential.

Anti-pattern - 2: One-and-done mindset

"Oh, we did a security audit last year, we're good."

Wrong. Security isn't a checkbox you tick off once and forget about. It's a continuous process. Attackers evolve, so your security measures need to evolve, too.

Instead of "one and done," adopt the mindset of constant iteration:

Anti-pattern - 1: Tool fatigue

We all love our tools, but here's the trap: You start relying on too many, or worse, you use tools without understanding them. Now you've got tool fatigue—where security teams are overwhelmed by noise and alerts, and no one knows what's important. The solution?

  • Simplify your toolchain. Stick to what you need and understand what each tool does.
  • Set up proper alerting so you only get notified when it matters.
  • Don't overwhelm your team with flashy dashboards. Actionable insights > tons of data.

Break free from anti-patterns

DevSecOps isn't just about adopting new tools and processes; it's about changing the mindset. To get from minus (-5) to zero, we need to eliminate these anti-patterns, stop passing the blame, and take responsibility for security at every stage of the development lifecycle.

From there, we can start moving forward into real DevSecOps maturity (stay tuned for the "plus" side in the next blog). But for now, let's stop digging ourselves deeper into the hole.

So, what anti-patterns are you fixing today?

Subscribe to our feed

select webform