DevSecOps enables small projects to move fast, sometimes too fast. In the early stages of implementing a DevSecOps project, engineers get used to moving fast and getting the job done. The truth is that DevSecOps is challenging because it requires an engineer to think at all levels of an application and often implement each layer; this is what we call a full-stack engineer. Engineers often borrow code from each other, modify it to fit their needs, and move on to the next problem. After all, why reinvent the wheel when someone else already has? The issue with this approach is that one may not take the time to fully understand what the code does.
Copied code often has unused or insecure functionality because the new scope under which this code is now being used differs from its original intent. In addition, any errors that were originally implemented within the code are carried onto the new task. This unused/insecure code can stick around from project to project like a vestigial tail. This pattern of duplicating code with the intent of moving fast and just getting the job done is the anti-pattern we call all-you-can-eat copy-pasta.
What to do if your project has fallen victim to the dangers of all-you-can-eat copy-pasta? Well, admitting that you have a problem is the first step. The second step is to allow your project to slow down, not too much, just enough to do some long overdue cleanup. Start reviewing your code and remove any vestigial tails: unused code, or code that will expose your software to security flaws or denial-of-service conditions. Reviewing your code will allow you to identify where code has been duplicated. Implement libraries for tasks requiring common functionality where it makes sense. This way, common functionality becomes maintainable and localized. Implementing a fix then requires a change in one place instead of in every project that slightly modified the copied code. Lastly, instill within project engineers that copying code without understanding has many pitfalls, and that they should be on the lookout for areas within your project that can benefit from having a centralized library or code base.
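The review step above starts with finding where code has been copied between projects. The following script is an added example, not part of the original article, of a minimal copy-paste detector: it normalizes each source line (comments stripped, whitespace collapsed) so that cosmetic edits do not hide a copy, fingerprints every window of four consecutive lines with SHA-256, and reports fingerprints that occur in more than one place. The two sample files (`project_a/util.py` and `project_b/helpers.py`) and their `sanitize_name` helper are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

WINDOW = 4  # consecutive non-blank lines per fingerprinted chunk

# Constructed sample: project_b copied a helper from project_a and only changed
# the comment. The logic is byte-for-byte identical, which is the copy-pasta
# pattern a review should surface.
SAMPLE_FILES = {
    "project_a/util.py": '''
def sanitize_name(name):
    # keep only alphanumerics and underscores
    cleaned = "".join(c for c in name if c.isalnum() or c == "_")
    if not cleaned:
        raise ValueError("empty name")
    return cleaned[:64]
''',
    "project_b/helpers.py": '''
import os

def sanitize_name(name):
    # copied from project_a, same logic
    cleaned = "".join(c for c in name if c.isalnum() or c == "_")
    if not cleaned:
        raise ValueError("empty name")
    return cleaned[:64]
''',
}


def normalize(line: str) -> str:
    """Drop '#' comments and collapse whitespace so reformatting does not defeat matching.

    Assumption for this example: '#' never appears inside a string literal.
    """
    line = re.sub(r"#.*$", "", line)
    return " ".join(line.split())


def fingerprints(source: str, window: int = WINDOW):
    """Yield (starting line number, sha256 hex digest) for every window of
    `window` consecutive non-blank normalized lines."""
    numbered = [(i + 1, normalize(text)) for i, text in enumerate(source.splitlines())]
    numbered = [(n, text) for n, text in numbered if text]  # skip blank/comment-only lines
    for i in range(len(numbered) - window + 1):
        chunk = "\n".join(text for _, text in numbered[i:i + window])
        yield numbered[i][0], hashlib.sha256(chunk.encode("utf-8")).hexdigest()


def find_duplicates(files: dict, window: int = WINDOW) -> dict:
    """Return {digest: [(filename, line_no), ...]} for chunks seen in more than one place."""
    index = defaultdict(list)
    for name, src in files.items():
        for line_no, digest in fingerprints(src, window):
            index[digest].append((name, line_no))
    return {d: locs for d, locs in index.items() if len(locs) > 1}


def duplicate_locations(files: dict, window: int = WINDOW) -> list:
    """Flatten the duplicate index to a sorted list of (filename, line_no) that
    begin a chunk which also appears somewhere else."""
    seen = set()
    for locs in find_duplicates(files, window).values():
        seen.update(locs)
    return sorted(seen)


if __name__ == "__main__":
    for digest, locs in find_duplicates(SAMPLE_FILES).items():
        where = ", ".join(f"{name}:{line}" for name, line in locs)
        print(f"chunk {digest[:12]} duplicated at {where}")
```

Overlapping windows mean a copied function shows up as a run of consecutive duplicate starting lines in both files; merging those runs into line ranges, and ignoring windows that consist only of boilerplate such as imports, are the obvious next refinements. Once the report lists the same helper in several projects, that helper is a candidate for the shared library the article recommends.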