21 Elements We Evaluate When Performing a GA4 Audit

Google Analytics 4 (GA4) is an incredibly powerful analytics platform: it builds on Google’s already-sound foundation (Universal Analytics) while it also reimagines what’s possible in analytics, thanks to an entirely new event architecture.

GA4 has far more in terms of capabilities and configurability, but of course this comes with a cost: greater complexity. Many organizations are already using GA4, but aren’t operating efficiently enough or achieving the results they could be getting.

A GA4 audit is an ideal way to shore up an organization’s GA4 implementation. These are 21 of the most important elements that we evaluate when performing this kind of audit for our clients.

GA4 Tag Implementation

The first area we evaluate during an audit is how an organization has implemented the GA4 tag. The way you work with GA4 will vary depending on whether you’re using Google Tag Manager, a CMS integration, a plugin, or a direct source code implementation. In most cases, the best approach is to stick to one implementation architecture wherever possible, which will keep your GA4 efforts neat and efficient.

If we identify issues with implementation architecture, we’ll start by cleaning those up so that your conversion tracking and event configuration can run cleanly.

Event Configuration in GA4

Events are the building blocks that organizations use within GA4. Every user interaction is an individual event, and these aren’t grouped together by session like they were in Universal Analytics (UA). The old session-based data model in UA was simpler to use and understand, but it was more limited. In contrast, GA4’s event-based data model is far more powerful — but all that power comes with a configuration cost.

Configured properly, GA4 events can tell you nearly everything an individual user did — across multiple devices on the user’s end and multiple assets (websites, applications) on your organization’s end. 

GA4 will automatically collect certain events, including page views, scrolling data, and session starts. Other enhanced measurement events can be set up quickly and without changing site code. GA4 can also recommend other events for you to track, such as eCommerce related events like adding items to cart or completing a purchase. 

Last, if none of the events we just described will accomplish exactly what you need, you can set up highly detailed custom events to monitor specific elements or features within your property.

Needless to say, the tradeoff for all this power and configurability is the potential to configure things inefficiently or even to create an event configuration that doesn’t work in the ways you need it to. That’s why a big part of our audit process is analyzing and optimizing event configuration.

Key Conversion Events

Conversions are one of the most important types of events, so organizations should take special care to mark the right events as conversions. Doing so helps businesses understand how well their site or app is leading to the most important customer behaviors — be it a product purchase, form submission or signup, or any other measurable change in behavior. 

Once you’ve identified the types of events that your organization considers to be key conversion events, set them up appropriately using these steps:

  1. Go to Admin, then Events.
  2. Find the events that qualify as conversions, then toggle them accordingly.

By tracking key conversion events, you’ll get a better sense of which digital efforts and assets are leading to those desired outcomes.

Audience Setup

GA4 allows organizations to define groups of users that have one or more elements in common, such as taking specific actions or hitting certain triggers. These groups are called Audiences, and they are a powerful way to segment your users. 

For example, an eCommerce brand might create an Audience of VIPs or high-value customers by grouping together users that spend over a certain threshold. Or a SaaS startup might create an Audience including only those who submitted a particular form. (This is different from list building, which could be the direct purpose of the form: here the organization is interested in what users who submitted that form do on the site, how they interact with elements, and so on.)

Audiences are set up under Admin, then Audiences. Start by choosing “New Audience”, then select the conditions that define the audience you want to track.

As part of our audit, we evaluate whether and how an organization is using Audiences for segmentation and analytics.

GA4 Property Settings

Each property within GA4 carries a wide range of property settings, and here again proper configuration is key. Our GA4 audits cover all property settings, including these major areas.

Reporting Time Zone

The internet is global, which means your properties can receive traffic from just about anywhere (and any time). But for reporting to make any sense, it has to be bound within days and hours. 

Most businesses have a primary operating time zone and/or a time zone from which the majority of their users are operating. Set your reporting time zone to match so that all your reporting information is framed properly. 

Google Signals activation

GA4’s ability to track users across their devices relies on Google Signals, so you’ll want to make sure your GA4 account has this activated. With it, you’ll get better demographic data, more accurate tracking, and the ability to remarket across devices.

To activate Google Signals, navigate to Data Collection under Admin, then toggle the button until the blue checkmark appears. According to Google, “When Google signals is turned on, Google Analytics will collect visitation information and associate it with Google’s information from accounts of signed-in users who have consented to this association for the purpose of ads personalization. Google’s information may include end-user location, search history, YouTube history, and data from sites that partner with Google.”

Quick note: before you do, make sure you review the data sharing settings to ensure compliance with applicable regulations. These vary depending on where your business is located, where you do business, and the industry you’re in, so don’t assume the default settings are right for your specific situation.

Data retention period

GA4 has a default data retention period of two months. After this period, aggregated reports are still available, but detailed exploration reports will be deleted.

Many organizations want access to richer data for longer. We recommend setting this to the maximum, which is 14 months (presuming doing so is compliant within your industry).

Options for data retention are found under Data Settings: Data Retention.

Note that it is no longer possible to retain data indefinitely within GA4. If you need detailed reports for longer than 14 months, you’ll need to export to BigQuery or similar services.

Reporting attribution model

Before GA4, tracking happened per session, so conversions were always attributed to the last-clicked ad or element. A user may have clicked multiple ads across different channels, but that information didn’t make it into the attribution model.

Now it can, to a degree. 

GA4 offers several reporting attribution models to choose from. One of the available options will fit the contours of your properties (and your customer journeys) better than others. 

As we audit customers’ GA4 implementations, we consider whether their selected reporting attribution model is the most accurate, most informative choice. If not, we advise on appropriate changes in this area.

Enhanced measurements enabled

GA4’s enhanced measurements can be incredibly powerful, delivering major insights without any code changes — but they are toggled off by default. Unless your business is just getting started in analytics, you’ll very likely want this on. 

During our audits, we ensure these are toggled on for clients (and that our clients are set up properly to benefit from them).

Account management and roles

GA4 allows organizations to set up numerous roles with differing permissions and restrictions. These include:

  • Administrator (manages users, data, settings)
  • Editor (manages data and settings)
  • Analyst (creates and edits assets but cannot edit data)
  • Viewer 
  • None 

It’s important to evaluate who has which level of access, providing what’s necessary to operate efficiently without exposing the organization to unnecessary risk. 

Our audit process includes this evaluation.
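One way to run that access evaluation as a repeatable check is sketched below. This is an added example, not Pumex's or Google's code: the CSV layout, the `required` column (the minimum role each person's job needs, taken from your own access review), the `example.com` domain and the administrator limit are all assumptions.

```python
import csv
import io

# Roles from the list above, in ascending order of privilege.
ROLE_RANK = {"None": 0, "Viewer": 1, "Analyst": 2, "Editor": 3, "Administrator": 4}

# Constructed sample: a hypothetical export of property access, joined with the
# role each person's job actually requires. Not real data or a real GA4 format.
SAMPLE_ACCESS_CSV = """\
email,granted,required
alice@example.com,Administrator,Administrator
bob@example.com,Administrator,Analyst
carol@example.com,Editor,Editor
dave@agency.test,Editor,Viewer
erin@example.com,Viewer,Viewer
frank@example.com,Administrator,Administrator
grace@example.com,Owner,Viewer
"""


def audit_access(csv_text, org_domain="example.com", max_admins=2):
    """Return a list of (subject, finding) tuples for an access review."""
    findings = []
    admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        granted = row["granted"].strip()
        required = row["required"].strip()

        if granted not in ROLE_RANK or required not in ROLE_RANK:
            # Never guess at an unexpected role name: route it to a human.
            findings.append((email, "unknown-role"))
            continue

        # Least privilege: the granted role should not outrank the needed one.
        if ROLE_RANK[granted] > ROLE_RANK[required]:
            findings.append((email, f"excess-privilege:{granted}>{required}"))

        # Editor and above can change data and settings, so accounts outside
        # the organization's own domain holding those roles get a second look.
        external = not email.endswith("@" + org_domain)
        if external and ROLE_RANK[granted] >= ROLE_RANK["Editor"]:
            findings.append((email, "external-account-can-change-settings"))

        if granted == "Administrator":
            admins.append(email)

    # Administrators also manage users, so their number is capped separately.
    if len(admins) > max_admins:
        findings.append(("property", f"too-many-administrators:{len(admins)}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_access(SAMPLE_ACCESS_CSV):
        print(f"{subject}: {finding}")
```
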

Correctly Organizing Data Flow in GA4

With events configured, conversions and audiences defined, and properties set, an organization is well on its way to achieving real value from GA4. 

But even with these elements set up correctly, there’s still the question of data flow. So that’s where we turn next in our audit process.

Filters in use

Your business runs on data — but there is such a thing as bad data, or at least unhelpful data. 

In other words, not all the data you collect is good for analytics. Specifically, you may want to filter out traffic that’s coming from inside the organization or that’s coming from developer devices. Your own employees (and especially your developers) will certainly interact with your properties in ways that your typical customer will not, and especially early in the life of a property, internal traffic will make up a disproportionate amount of overall traffic. 

If you don’t want this data affecting decision-making, then filter it out.

GA4 includes prebuilt filters for developer traffic and internal traffic. You can find these under Data Settings: Data Filters.

Unwanted referrals identified and excluded

For similar reasons, you may want to exclude certain referral sources that don’t help you understand where traffic is coming from.

For example, an eCommerce website isn’t really receiving new traffic from its third-party payment processor. All those “referrals” are just an artifact of transactions occurring. They don’t help the store analyze where customers are coming from.

Doing this is a little more complex than turning on filters. You’ll find this under Data Streams, then More Tagging Settings. From there, look for Tag Configuration, then List Unwanted Referrals. Here you’ll want to manually enter criteria for unwanted referrals that GA4 should ignore. (For example, you might select “Referral domain contains” and then the name of your payment processor.)

Custom dimensions and metrics configured properly (if needed)

GA4 makes it possible to set up custom dimensions and metrics for those situations where your analytics needs aren’t being met. Of course, anything custom requires extra care and has a higher likelihood of developing problems. We’ll evaluate your use of custom dimensions and metrics or, if needed, advise on where these elements could improve your outcomes. 

Default reporting identity set

GA4 allows organizations to identify users by anonymized user ID and device (Blended), or by device only (Observed). We generally recommend the former as it yields richer, more accurate data. That said, this is one of the many significant changes between Universal Analytics and GA4, so you’ll need to make sure your systems are configured in a way that allows you first to track users in this way and then to organize your data accordingly.

Event (conversion) parameters established and confirmed

Knowing what qualifies as a conversion is one key. But ensuring your analytics agree and can properly track those conversions is even more important. We help make sure your conversion parameters make sense for tracking the types of conversions you’re looking for.

For eCommerce businesses: eCommerce tracking implemented

If you sell products or services in an eCommerce store, tracking transactions consistently and accurately is key to understanding revenue and sales. All the major eCommerce platforms can integrate with GA4, but it can still take work and technical expertise to get to a state of seamless data flow.

Channel grouping / content grouping implemented

Channel grouping is sorting incoming traffic according to channel (organic search, social media, paid advertising, etc.). Content grouping is sorting specific content types (landing pages, product pages, blog posts) into logical buckets. With both implemented properly, you’ll greatly increase the usefulness of the data you’re collecting.

Product Links in GA4

Numerous SaaS products link well with GA4. As a part of the audit process, we’ll evaluate the product links and integrations you’re using and possibly identify others that could further extend your capabilities.

These are just a few examples.

  • BigQuery: beneficial for keeping data beyond GA4’s 14-month limit
  • Google Ads: supercharges your Google Ads account with the data and insights you’ve gleaned in GA4
  • Search Console: provides deeper insights into organic search traffic

Debug View Setup

Last, as a part of our audits we will ensure an organization has enabled and is properly using Debug View in GA4. This powerful tool provides real-time verification of whether your GA4 implementation is behaving how you expect: that events are being triggered properly and that users are interacting with your site or app in the way you intend.

Debug View is found under Admin, then DebugView. Enable it there, and then you’re ready to start troubleshooting and viewing events in real time.

DebugView works either within Google Tag Manager’s preview mode or directly in your Chrome browser (there you’ll need to install the GA Debugger extension).

Don’t Go It Alone: Rely on Pumex for World-Class GA4 Audits

GA4 is a powerful platform capable of delivering some results almost instantly. But maximizing the value of your GA4 efforts and making data analytics more efficient will take significant configuration and fine-tuning. 

Pumex offers world-class GA4 audits among its many other services. We’ll identify the strategic changes that your organization can make to truly transform your GA4 results.

User Explorer in GA4: Exploring the Basics

Web analytics are incredibly powerful: they can reveal stunning amounts of information about your audience, its behavior, how effective your digital properties are, and ultimately how well your digital marketing strategies are achieving their intended goals.

But getting the most out of your website and application analytics isn’t easy. And if you’re new to the world of analytics, the learning curve can be steep. It’s easy to feel like you’re drowning in data but still coming up short on insights.

Google Analytics is a large part of most organizations’ analytics strategies. Google recently killed off its previous generation of analytics tools, called Universal Analytics (UA), pushing all users to the new standard, Google Analytics 4 (GA4).

Now that GA4 is the only game in town, all businesses who rely on analytics to understand website traffic, performance, and user behavior need to know the differences and learn how to adapt to the way GA4 operates.

Let’s get started with some basic definitions.

What is the GA4 User Explorer tool?

One big piece of analytics is understanding user behavior in the aggregate: what are the ways that most people interact with a website?

Another equally valuable analytics element is understanding specific user behavior: how are particular users interacting with the website?

(Of course, privacy laws restrict businesses from, say, recording an entire user session and tying it to a specific person, but there are compliant ways to glean information on specific users without identifying who those users are.)

GA4 User Explorer helps you navigate both of these elements and is especially effective at the individual user level. The tool and its reports fully anonymize user data without aggregating that data first, so you retain the full picture of what each user did on your website. That data is tied to a client ID that is not itself tied to a specific, identifiable person. Those client IDs are also aggregated, allowing you to analyze information across an entire group of users that match certain characteristics.

What can the GA4 User Explorer report do for a business?

GA4 User Explorer reports can clarify the user journey, both with specific (anonymized) users and in the aggregate (analyzing user behavior as a group or multiple groups). And it does so at a level of specificity that blows away previous models.

What might that look like in execution? Here are a few ways businesses are turning User Explorer reports into insights and action.

UI/UX troubleshooting

You can test, retest, and test some more, but when your new website or page or app or online store goes live, users will find new and exciting ways to break what you built (or at least find the weakest points and get stuck on them).

With GA4’s User Explorer reports, you can examine user actions to identify how they get stuck, where they encounter errors, what they do afterward, and more. If the issue you’re troubleshooting often results in the same action, you may also be able to look at this data in the aggregate by pooling all users who have taken that action.

Conversion optimization

Conversion optimization is an entire discipline or specialty requiring tools and knowledge outside of Google Analytics. Still, the ability to analyze specific user behavior (say, during an A/B test) can help you narrow down your options and optimize your properties faster according to which elements performed better.

Retention and retargeting

Identifying specific patterns of actions can help you with both customer retention and audience retargeting. Of course, you can’t tie GA4 user reports to specific users. But you can figure out when and why customers purchase, then adjust your marketing efforts accordingly. You may also identify audience attributes for the types of users that abandon their carts or otherwise fall off, then retarget those general audiences.

What are the biggest changes, advantages, and limitations?

GA4 delivers a ton of power and capability, but there are downsides as well. If you already have some experience using UA’s User Explorer, then the easiest approach is to compare the two. Here are the biggest differences you’ll find in GA4’s User Explorer, both positive and negative.

Advantages

One big advantage is tied to the change in structure between the two systems. GA4 looks at users across devices: it has the ability to identify that visits from User X’s smartphone browser, mobile app, and desktop browser are all in fact from User X.

This is a huge benefit: what might look like a lost user could actually be that same user moving to their desktop to complete a transaction. What looks like a single desktop visit with no repeat traffic could in fact be a user who left your website to download your app and now uses your service consistently.

In UA, you didn’t have an effective way to know. But in GA4, you do.

Limitations

The biggest limitation is ease of use.

If you read our article on GA4 pros and cons, you probably picked up on a theme: GA4 is more powerful, but it’s also more complicated — even to the degree that it makes things that were simple in UA harder to do. That’s the case here as well, as many users discover they can’t (immediately) identify some elements that feel like basic ones, like which page was opened or which link was clicked.

Of course, you can still do click tracking but not until you manually enable enhanced measurement and take several other actions.

So GA4 comes with a learning curve, and many elements won’t “just work” if they’re still set up the way that made sense in UA. There may also be a heavier resource requirement to operating with GA4 because of all that added capability and complexity.

There’s also a pretty big limitation to user reports: you’re limited to two dimensions. Given the sheer number of options and possible data points in GA4, you might find it frustrating that you can only surface two in any specific user explorer report.

How to access User Explorer in GA4

User Explorer is a powerful feature area, but it isn’t exactly obvious where to find it.

Start by navigating to the Explorations tab on the left (Explore / an arrow in a magnifying glass). Then all the way over on the right-hand side, click Template Gallery.

This template gallery contains numerous exploration reports, called Techniques. One of these is the User Explorer. (The others are worth exploring, too, but we won’t review them for this article.)

Front and center you’ll find users’ Effective user IDs, which are the identifiers GA4 uses to link together various sessions and devices all connected to a single user. You can change the Effective user ID in your settings as well. You may see other default metrics like event count and sessions. In this view you can start applying filters and segmenting your audience, though you might want to wait until the next section to do this.

If it’s your first time in User Explorer, the default view may be a bit underwhelming until you customize it. So let’s do that next!

Customizing your User Explorer reports

User Explorer gives you plenty of options for customizing your reports. These work differently for aggregate vs. individual reports.

All users

When running User Explorer reports on aggregate audiences, it’s possible to segment your audience using both the Settings and Variables columns in the tool. There are more than 150 metrics available, giving you tons of flexibility here.

Where you don’t get flexibility is in the maximum number of dimensions applied. This is locked at two, unfortunately: Effective user ID and Stream name.

When you toggle on variables in the Variables column, you can then find those under the Settings column, allowing you to add those segments to your report. Here you can also specify the start row and how many total rows you want to see.

User Explorer reports can be viewed several different ways:

  • Bar chart
  • Plain text
  • Heat map

You’ll also find more levels of filtering in the settings bar, allowing you to narrow down results to certain device types, for example.

Note that your results and metrics will not match those from UA. Parameters and ways of calculating and categorizing have all changed, sometimes in significant ways. So comparing old UA metrics to your current GA4 metrics is like comparing apples and oranges. You shouldn’t assume a one-to-one correlation.

Individual users

GA4 also allows you to explore individual users by clicking on their effective user ID (which you’ll see in the all users report). Clicking this will bring up information about their first visit to your property, where they’re located, and their data stream.

Many vital metrics are automatically displayed, including:

  • Top events (views, engagements, sessions, errors, etc.)
  • Event count
  • Purchase revenue
  • Number of transactions
  • Time spent (engagement)

Down below you can expand or collapse individual sessions to see which actions occurred in which sessions. Within these, you’ll see specific event names and which audiences the user qualifies for based on their actions.

You can also use filters to narrow down to specific events you want to see, and from there you can create segments (the button should be in the top right) based on selected events.

You also have the ability to delete individual user entries. This could be helpful if you want to remove testing data or edge cases you’ve already solved, for example.

Dive Deeper into Advanced Analytics with Pumex

GA4 unlocks new levels of analytics compared to Google’s own previous set of tools. But as your business grows, you may encounter the need to go even deeper than what GA4 allows.

That’s where we can help.

Pumex is the experienced voice and partner you need for solving software development and technology integration problems at any scale. We’ll help you maximize your analytics and business intelligence results so you can grow conversions, improve decision making, and maximize revenue. 

What is Dev Sec Ops?

As the world of Cybersecurity becomes more complex and dynamic than ever before, there is now paramount pressure placed upon the IT Security teams across Corporate America to increase their vigilance. It is not just a matter of thwarting the bad guys that are trying to break in; it is also a matter of trying to predict what future variants could look like down the road, so that lines of defense can be beefed up accordingly.

But now, everybody has a stake in this proposition – all the way from the C-Suite to the administrative assistant. There was one group that has stayed relatively immune from falling under the microscopic eyes of Cybersecurity, but this is now no longer the case.

This group is the software development teams. Since folks started developing software their job has been to develop and compile the source code for the Web application that they have been tasked to create, and ship it off to the customer, under budget and on time.

Because of this, implementing security testing solutions has long been an issue which has remained largely ignored. As a result, Cyber-attackers are finding ways to covertly sneak in through the backdoors that are left behind, and stay in for extended periods of time, very often going unnoticed.

Then once they feel comfortable in the environment they have infiltrated, they move in a lateral fashion, deploying malicious payloads along the way which even the traditional antivirus and antimalware packages cannot capture.

Or they could start a data exfiltration process, in which small bits of the PII (Personally Identifiable Information) datasets are slowly extracted, once again going unnoticed. Because of recent attacks (most notably the SolarWinds hack), software developers are now feeling the heat to make sure that the source code they compile is secure in every aspect possible.

Thus, this is where the acronym “DevSecOps” is starting to come into play. It stands for “Development, Security, & Operations.” The primary goal of this is to introduce and deploy automated security mechanisms into the entire lifecycle of the software development process.

If security was ever a concern in the past, it was done at the very end, in a very haphazard fashion. One of the primary goals of DevSecOps is to introduce it at every level of development, so that each software module is thoroughly tested before moving onto the next one. Thus, the cascading effect of un-remediated vulnerabilities and gaps is greatly mitigated.

Another key strength of DevSecOps is that it integrates not only the software development teams, but also the IT Security and Operations teams into one cohesive unit. This brings an extra set of eyes to help make sure that nothing in the security process gets overlooked.

In other words, the siloed approach is now fully eradicated, and it has now become a shared responsibility, which lends credence to the DevSecOps motto: “Software, Sooner, Safer.”

This allows for robust and secure code to be delivered without slowing down the software development cycle. Put another way: “DevSecOps helps enterprises to innovate securely at speed and scale.”

How To Implement Security into DevSecOps

It is important to note that implementing a Cybersecurity mindset into your software development process is not something that can be deployed anywhere at any time. It must start early on, preferably before the application project has even started.

But most importantly, this kind of thinking must be adopted by all the departments in your business. It is not just the IT Security team that has to believe in this framework, every employee must, because everybody has a key stake in keeping your business safe and secure.

But as it relates to DevSecOps, this proactive mindset must be formally acknowledged and embraced in the planning stages of the software development cycle. From there, it carries through each subsequent stage until the coding is all done and the project is ready to hand off to the client. For purposes of this article, a hypothetical software development process can be represented as follows:

  1. Planning
  2. Defining the Requirements
  3. Designing & Prototyping
  4. Development
  5. Testing
  6. Deployment

The above can formally be called the “Secure Software Development Lifecycle,” or “S-SDLC” for short. Each step is reviewed as follows:

Planning

In this step, you have been assigned a project, and are in the process of assembling your software development team. This phase of the S-SDLC can be viewed as a macro one, as you are taking a holistic view of the kind of application that will be required and defining the overall objectives of what needs to get done.

But most importantly, you are acknowledging the fact that security is going to be a top issue here, and you are laying down the foundations as to how the system of checks and controls will evolve. You are also figuring out the roles that the Operations and IT Security teams will play in the S-SDLC.

Defining the Requirements

In this phase, you are formally defining the needs and wants of the client in the project and mapping out the various software modules that will be needed to meet this objective. But also remember that this is the key stage in which you will formally address the types of security issues that you think could arise as the development process evolves. It is particularly important that you take your time in this crucial phase, and this is one of the biggest areas in which you will need to involve the IT Security and Ops teams for their input.

This can also be referred to as the security forecasting stage. There will of course be issues that come up which your teams did not anticipate here. The goal is to map out every what-if scenario that you can, so that any items of concern can be addressed quickly and efficiently. To help you in this process, there are various methodologies available, and the one that is most widely used is the Open Web Application Security Project, also known as “OWASP.” As its name implies, this is an open-source platform in which the public can get access to the latest Cyber threat variants that are out there, and which are also ranked according to their degree of severity.

The bottom line is that before you can move forward, all the teams must come to a common consensus on the potential vulnerabilities and threats that they need to be on the lookout for as the source code is being developed and compiled.

Design & Prototype

It is at this phase that you will start to implement the security controls into the various software modules, paying attention to these top three design philosophies:

 

1) The Principle of Least Privilege:

This is where the minimum rights, privileges, and permissions are established. In other words, end users will gain access to whatever they need to perform their daily job tasks, and nothing more than that. It is important that the source code be flexible and dynamic in this regard, as roles and titles do change among employees.

2) The Principle of Separation of Duties:

With this concept, you are never giving away total, 100% control to just any one employee. Rather, it takes a few individuals to complete one large task, in a sequential fashion, based upon the rights, permissions, and privileges that they have been granted. The source code that is being developed needs to have this kind of functionality implemented.

3) The Principle of Minimizing the Attack Surface Area:

This simply means that the source code which is being designed is clean and robust, and most importantly, that it is not bloated. For example, software developers like to use APIs (Application Programming Interfaces) to keep up with the timelines that have been established in the Planning phase. But there can be an over-dependence on them, with more APIs being used than are necessary, which makes the overall application larger than it needs to be. What this translates into is that the Cyber-attacker now has a much larger attack surface to penetrate to spread their malicious payloads. But by keeping the source code as “lean and mean” as possible, the attack surface is reduced in proportion.
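The first two principles can be seen working together in a small release workflow. This is an added example, not code from the original article: the role names, permission strings, user names and the three-step submit/approve/deploy task are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical roles and permissions for a release workflow. Anything not
# listed is denied, so each role grants only what its own job step needs.
ROLE_PERMISSIONS = {
    "developer": {"change:submit"},
    "reviewer": {"change:approve"},
    "release_manager": {"change:deploy"},
}
STEPS = ("submit", "approve", "deploy")  # one large task, done in sequence


class PolicyError(Exception):
    """Raised when an action violates the access policy."""


@dataclass
class Directory:
    """Maps each user to exactly one current role."""
    roles: dict = field(default_factory=dict)

    def set_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise PolicyError(f"unknown role: {role}")
        # Replacing (not adding) the role drops the old permissions when
        # someone's job title changes.
        self.roles[user] = role

    def can(self, user, permission):
        return permission in ROLE_PERMISSIONS.get(self.roles.get(user), set())


@dataclass
class ChangeRequest:
    ident: str
    history: list = field(default_factory=list)  # [(step, user), ...]


def perform(directory, change, step, user):
    """Record `step` on `change` only if every policy check passes."""
    # Least privilege: the user's current role must grant this exact step.
    if not directory.can(user, f"change:{step}"):
        raise PolicyError(f"{user} lacks permission for {step}")
    # Sequential completion: steps cannot be skipped or repeated.
    done = len(change.history)
    if done >= len(STEPS) or STEPS[done] != step:
        raise PolicyError(f"{step} is out of sequence")
    # Separation of duties: nobody performs two steps of the same task,
    # even if a role change has since given them the permission.
    if any(actor == user for _, actor in change.history):
        raise PolicyError(f"{user} already acted on {change.ident}")
    change.history.append((step, user))


def attempt(directory, change, step, user):
    """Return 'ok' or the denial reason instead of raising."""
    try:
        perform(directory, change, step, user)
        return "ok"
    except PolicyError as exc:
        return str(exc)


def demo():
    d = Directory()
    d.set_role("ana", "developer")
    d.set_role("raj", "reviewer")
    d.set_role("li", "release_manager")
    cr = ChangeRequest("CR-1")  # constructed identifier
    results = [
        attempt(d, cr, "submit", "ana"),
        attempt(d, cr, "approve", "ana"),  # developers cannot approve
    ]
    d.set_role("ana", "reviewer")  # ana changes jobs mid-task
    results.append(attempt(d, cr, "approve", "ana"))  # still her own change
    results.append(attempt(d, cr, "deploy", "li"))    # approval is missing
    results.append(attempt(d, cr, "approve", "raj"))
    results.append(attempt(d, cr, "deploy", "li"))
    results.append(d.can("ana", "change:submit"))     # old right is gone
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The role change is the case worth noting: the permission check alone would let the new reviewer approve her own earlier submission, and only the separate history check stops it.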

 

Development

 

As its name implies, this is the part of the S-SDLC in which the actual source code is compiled. The actual development process does not occur in just one huge chunk, but rather, it is done at the modular level, which was pre-established back in the Planning phase. As technology is advancing at a rapid pace, so are the tools which are used to create the source code. In this regard, automation has become important, not only to keep the project moving along, but also to reduce the number of errors that could occur.

Automation can replace many of the mundane and repetitive tasks that are involved, even when it comes to the security perspective. Some examples of this include the following:

 

  • Continuous Integration: This is where the software developers submit each iteration of the source code that they have worked on to a central server, where it is combined into one unit. It is not just a one-time deal; it can occur several times a day, depending upon the scope and magnitude of the development project. From here, automated builds and testing can then take place, to quickly track down any errors and vulnerabilities that exist.
 
  • Automated Security Testing: This is where Penetration Testing comes into play. With this, the primary objective is to find and locate any hard-to-find gaps and remediate them quickly. There are many tools out there that can do this, such as Kali Linux or GitLab.
 
  • Secure Code Repositories: This is especially useful for the storing of API Libraries, as reviewed earlier. Here, automated testing tools can double check that any APIs to be used in the S-SDLC are free from any bugs and are updated with the latest patches and upgrades.
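One way the Continuous Integration and Secure Code Repositories items combine in practice is a build gate that checks every declared dependency on each submission. The following is an added example, not from the original article: the package names, manifest, and advisory data are constructed, and the manifest format is assumed to be a simple `name==version` list.

```python
# Added illustration: package names, manifest and advisory data are constructed.
import re

MANIFEST = """\
acme-json==2.31.0
acme-http==1.26.4
internal-api-client>=1.0
acme-yaml==6.0.1
"""

# Constructed advisory feed: package -> first patched version.
FIRST_PATCHED = {"acme-http": "1.26.18", "acme-yaml": "5.4"}

PIN = re.compile(r"^([A-Za-z0-9._-]+)==(\d+(?:\.\d+)*)$")


def version_key(v: str) -> tuple:
    """'1.26.4' -> (1, 26, 4) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def audit(manifest: str, first_patched: dict) -> list:
    """Return (package, reason) findings; an empty list means the gate passes."""
    findings = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            # An unpinned dependency can change between builds without review.
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
            findings.append((name, "not pinned to an exact version"))
            continue
        name, version = m.group(1).lower(), m.group(2)
        fixed = first_patched.get(name)
        if fixed and version_key(version) < version_key(fixed):
            findings.append((name, f"{version} is older than patched {fixed}"))
    return findings


def gate(manifest: str, first_patched: dict) -> int:
    """Exit status for the CI job: non-zero fails the build."""
    return 1 if audit(manifest, first_patched) else 0
```

The numeric comparison matters: compared as plain strings, "1.26.4" sorts after "1.26.18" and the outdated package would pass the gate.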

 

Testing

 

To ensure the greatest level of security in a software development project, each software module should be thoroughly tested, both from the standpoint of Penetration Testing and Threat Hunting. However, this does not mean each module should be tested one at a time. This would simply take too much time to accomplish. Rather, the automated tools described in the last subsection can be used to test these modules simultaneously, or in parallel. In the world of DevSecOps, this is technically known as “shifting left,” because you are starting the testing process at the very beginning stages, rather than waiting until the end.

This is illustrated in the diagram below:

(Source: https://www.testim.io/blog/shift-left-testing/)

 

Deployment

 

This is the phase where the hand-off of the project to the client actually occurs. In an ideal setting, the client should also test their new Web application for any weaknesses or backdoors that could have still been overlooked in the S-SDLC phases. But many times, they will not, because they simply assume all is good and fine. Therefore, a critical aspect of DevSecOps is to conduct one last Penetration Test before the application is released into the production environment. There really is no need to involve any Blue or Purple teams at this stage; the Red Team alone will suffice. Of course, anything out of the ordinary should be fixed on the spot.

 

Conclusions

 

Overall, this article has examined what DevSecOps is from a holistic point of view. But keep in mind, as it was reviewed before, there are three distinct groups involved, which to summarize are as follows:

The goal here is to bring in all the assets of these three groups so they work in one harmonious fashion to further enhance the overall Cyber posture of your organization. This in turn will lay the groundwork for creating the mindset that security is everybody’s concern, all the way from the C-Suite down to the overnight cleaning crew.

There are many other aspects of DevSecOps, one of which is compliance control implementation. This will be examined in a future article.

Pumex Receives Award

Pumex Receives Award for One of Most Recognized Software Development Companies in Washington DC

 

At Pumex Computing, LLC, we provide our clients with the development solutions they need to build customized, process-driven, and end-to-end software solutions. We value our customers’ needs and prioritize the delivery of cost-effective and scalable solutions for their maximum benefit. Today, we’re happy to announce that we were recently recognized among the most reviewed developers on The Manifest!

 

 For context, let’s revisit the beginning moments of Pumex Computing, LLC:
 

In 2015 


Our founders saw an opportunity to share their expertise and bring core values that the software development space was lacking. Antony Marceles, our CEO, and Christopher Scirpoli, our President, work together to fuse the mastery of their respective fields to bring better, more affordable, and scalable software solutions to our clients. Since then, we’ve always put an emphasis on strong communication and collaboration to craft high-quality products for our partners.
 

In 2020 

A nonprofit organization engaged with us for a custom software development project. The purpose of our collaboration was to build a new networking portal that the client labeled as a “community connector” to improve networking efficiency during the pandemic. We developed the product using Salesforce and delivered the final build in June 2021. Upon launch, the client saw a 30% increase in user logins to utilize the new feature sets of the portal.
 

“Their involvement by leadership, consistent, thorough communications and the quality of development set Pumex apart.”
 

— Senior Director, Nonprofit Organization 

 

In 2022

The Manifest releases its newest lists of top companies, and we’re proud to be named among the most reviewed software developers in Washington DC! We would like to thank all of our partners, especially those who left their honest feedback about our work!
 

Build distinctive yet functional digital products today. Get in touch and schedule a free consultation with us today!