
DevSecOps

Automated DevOps Security for Hybrid Environments


The Challenges

  • Software development teams (DevOps) want to move quickly to write and ship code, while security teams (SecOps) are seen as slowing the process down in order to prevent breaches.
  • Inefficient infrastructure planning results in over-provisioning, which runs counter to the demands of agility and cost optimization.
  • Because the groups operate in silos, security reviews occur late in the DevOps pipeline, creating friction, rework, and opportunities for error.
  • The CI/CD pipeline is deployed first and security is bolted on as an afterthought.

The Requirements

  • Application developers (DevOps engineers) must follow secure coding practices and have a visible, automated way of assuring this: static analysis of the source code so that code-level vulnerabilities are identified early in the development process. InfoSec professionals, in turn, must make it easy for developers to build on “security hardened” and “fully patched” platforms that carry mandatory security baselines.
  • Developers must accept that application security concerns are “shifted left” and become a non-negotiable acceptance criterion before an application is promoted through the stages of the SDLC pipeline: Design, Development, QA, Staging, and Production.
  • The challenge is to make it possible to go through the DevOps security process without hindering the speed of application development that developers expect, particularly now that infrastructure automation and DevOps platforms are at their disposal.


The Solution

  • Developers provision and manage data center resources through software, effectively an extension of coding that integrates version control and satisfies security concerns.
  • IT administrators have better visibility into software engineering (e.g. Docker DevOps or DevOps on AWS) providing increased flexibility.
  • Security is integrated into this DevOps process through programmable security controls that automate the definition, assessment, and enforcement of security before and after applications go live and throughout their operational lifecycle. This is DevSecOps.
  • The Cavirin Jenkins pipeline plugin can be used as a security gate for an image build. The plugin connects to the Cavirin Platform and orchestrates security assessments for Docker images; the user provides the Docker image name and the policy pack used to assess the image.
  • An API-enabled architecture for DevOps security orchestration connects security tools for centralized protection.


The Benefits

  • Visibility at every stage of the Continuous Integration/Continuous Delivery (CI/CD) pipeline.
  • Security as a fundamental, and non-negotiable acceptance criterion early in the development process.
  • Ability to inspect everything, including code, configurations, artifacts, and infrastructure, and establish security assessment as a requirement for progress through the pipeline.
  • Using the Jenkins plugin, the user receives an overall assessment score and a list of failed policies. Based on this information, Jenkins can automatically pass or fail the security gate.
  • Security automation, automation, automation.
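The image-build security gate described under The Solution and The Benefits (a policy pack assesses a Docker image, yielding an overall score and a list of failed policies, and the pipeline passes or fails on that result) can be sketched as follows. This is an added illustration, not the Cavirin plugin or platform code: the policy pack, its identifiers and weights, the scoring formula, and the image configuration are all constructed here for the example.

```python
"""Added example (not Cavirin's code): a minimal image-assessment gate.
A constructed policy pack is evaluated against a constructed image config
(shape loosely follows `docker inspect` output); the gate returns an
overall score, the failed policies and a pass/fail verdict."""
from dataclasses import dataclass
from typing import Callable


def _env_has_secret(config: dict) -> bool:
    """True if any ENV variable name looks like a credential (constructed heuristic)."""
    names = (kv.split("=", 1)[0].upper() for kv in config.get("Env", []))
    return any(n.endswith(("_KEY", "_SECRET", "PASSWORD")) for n in names)


@dataclass(frozen=True)
class Policy:
    id: str                          # hypothetical policy identifier
    weight: int                      # hypothetical severity weight (3 = high)
    check: Callable[[dict], bool]    # returns True when the image complies


# Constructed policy pack: four checks a hardening baseline might contain.
POLICY_PACK = [
    Policy("IMG-001 run as non-root", 3,
           lambda c: c.get("User", "") not in ("", "root", "0")),
    Policy("IMG-002 no secrets in ENV", 3, lambda c: not _env_has_secret(c)),
    Policy("IMG-003 no SSH port exposed", 2,
           lambda c: "22/tcp" not in c.get("ExposedPorts", {})),
    Policy("IMG-004 HEALTHCHECK defined", 1, lambda c: bool(c.get("Healthcheck"))),
]


def assess(config: dict, pack=POLICY_PACK):
    """Return (score 0-100 as weighted share of passed checks, failed policy ids)."""
    total = sum(p.weight for p in pack)
    failed = [p for p in pack if not p.check(config)]
    score = round(100 * (total - sum(p.weight for p in failed)) / total)
    return score, [p.id for p in failed]


def gate(config: dict, threshold: int = 80, blocking_weight: int = 3, pack=POLICY_PACK):
    """Pass only if the score meets the threshold and no high-weight policy failed."""
    score, failed = assess(config, pack)
    blocked = [p.id for p in pack if p.id in failed and p.weight >= blocking_weight]
    return {"score": score, "failed": failed, "passed": score >= threshold and not blocked}


# Constructed image config, as a pipeline would obtain from `docker inspect`.
SAMPLE_IMAGE = {
    "User": "",
    "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"],
    "ExposedPorts": {"8080/tcp": {}},
    "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8080/"]},
}

if __name__ == "__main__":
    print(gate(SAMPLE_IMAGE))   # the sample image runs as root and leaks a secret: gate fails
```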


Resources

  • 3 Key Ingredients to DevSecOps (Read Blog)
  • Full Stack Container Security - A Unified Approach (Read Blog)
  • The Container Ecosystem (Download eGuide)
  • 15 Ways To Build Security Into Your Development Process, Forbes 2018 (Read Article)
  • Continuously secure Docker/Kubernetes Ecosystem (Learn More)
  • With DevSecOps, Security Is No Longer An Afterthought, Forbes 2018 (Read Article)
  • Automating DevOps – The Technology Missing Link, JaxEnter 2018 (Read Article)

eGuide

Container security extends into every building block of the container ecosystem, not just well-known registries such as Docker or those offered by the cloud service providers. Securing a container deployment may include best practices for the developer workspace, continuous integration, build automation, testing frameworks, release automation, and operations tools. Container security is more critical than ever as more containers are deployed in production environments.

At Cavirin, borrowing a term from software development, we call our approach ‘full-stack’ container security. This implies that you need to look at all layers of the container environment (cloud, virtualization, operating system, container runtime, and orchestration), taking both a vertical and horizontal security approach. However, containers can’t be secured in isolation. The overall security posture of the hybrid cloud is critical, and this includes both the workloads as well as the cloud account and services. Get all the details in this newest eGuide on why Full Stack Container Security makes sense.


© 2018 Cavirin Systems, Inc. All rights reserved.