Avoid Risk: Separate Security and Feature Releases

In software development, it is crucial to maintain a clear distinction between security releases and feature releases. Combining these two types of updates can lead to increased complexity, making it harder to isolate issues. New features may introduce bugs or regressions, complicating the verification of security fixes. Security patches should always be prioritized and released promptly, but merging them with feature updates can cause delays.

Here are my main reasons for doing this:

  • Increased Complexity: Merging new features with security patches increases the complexity of the release, making it harder to isolate issues.
  • Higher Risk of Bugs: New features might introduce new bugs or regressions, complicating the verification of security fixes.
  • Security Over Features: Security patches should be prioritized and released as soon as possible. Combining them with feature releases might delay critical security updates.
  • Focused Testing: Security patches require rigorous testing to ensure they effectively address vulnerabilities without introducing new ones. Adding new features can dilute the focus of testing efforts.
  • Regression Testing: New features might necessitate extensive regression testing, potentially delaying the release of crucial security fixes.
  • Simplified Rollback: If a security patch is released separately, it can be rolled back quickly if an issue arises. Combining it with new features complicates this process.
  • Clear Deployment Path: Separate releases ensure a clear and straightforward deployment process, minimizing the risk of deployment errors.
  • Clear Communication: Separate releases allow for clear communication to users about the nature of the updates (security vs. features). Users can better understand the importance of security updates.
  • Reduced User Disruption: Security updates often need to be applied quickly, whereas new features might require user training or adjustments. Separate releases minimize user disruption.
  • Mitigating Risks: By isolating security patches from feature updates, organizations can better manage and mitigate risks associated with each type of change.
  • Focused Issue Resolution: If issues arise, it's easier to determine whether they are related to the security patch or the new features, facilitating faster resolution.
  • Security Mindset: Treating security patches as distinct and critical reinforces a security-first mindset within the development team.
  • Avoiding Oversights: The urgency of security patches demands a focused approach to avoid oversight and ensure thorough implementation.
  • Building Trust: Regular, separate security updates build user trust in the commitment to maintaining a secure platform.
  • User Confidence: Users can have more confidence in the stability of feature releases when they are not coupled with urgent security patches.

Prevention

Feature flags are not allowed on Security Merge Requests

Implement a bot that automatically rejects any changes to the security repository if they contain feature flags.

Reasoning

Feature flags are commonly used in regular development to mitigate risks and enable controlled testing. While engineering teams might consider using them in security merge requests, this approach has significant drawbacks:

  1. Your application will remain vulnerable if the fix does not perform as intended.
    1. If this occurs in your application, it will likely require a hot patch, increasing the workload for both the infrastructure and development teams.
  2. There likely isn't a process for managing feature flags in back-ported code. If a feature flag is back-ported, it is less likely to be removed once it is no longer needed.
  3. Feature flags should be short-lived: they should be removed from the codebase after testing. Security releases are time-sensitive, and security merge requests need to be deployed quickly, leaving insufficient time to introduce, test, and remove a feature flag.