Security in the DevOps Cycle


A New Age for Software

The transition from products to services (SaaS) is impacting software delivery (build and deployment), but security must not be forgotten.

DevOps, meanwhile, is becoming very important to young, modern enterprises. Old-school security practitioners must now ask themselves what they can learn from this culture shift.

Keys to Understanding the DevOps Paradigm

The goal of DevOps is to improve IT service delivery agility. DevOps essentially extends the continuous development goals of the Agile movement to continuous integration and release.

Companies that embrace DevOps deploy more frequently, which allows them to introduce new features more often in a more stable environment. Rather than the traditional waterfall method of software development, testing and deployment, DevOps encourages a more rapid release cycle with continuous introduction of new features, continuous testing and continuous deployment. Development and Operations are bound together so that configuration of the infrastructure is part of the code itself. DevOps teams naturally use the power of the cloud and containers to deploy their applications.

Organizations are adopting this new model to streamline the development process by combining multiple steps into a single, automated process.

DevOps teams have to integrate security as part of the chain, with the goal of increasing the security of the code before it reaches production. In a perfect DevOps world, the process from code to ship and run does not exceed a few hours, so security must be embedded in this process.

 

Steps to integrate security in the DevOps cycle

  1. Embedding security into the DevOps framework. The DevOps framework drives the operational process of integrating and delivering code using API-driven tools.
  2. Putting in place a new approach. We do not patch software; we rebuild the solution with the software fix and deploy a new instance to replace the faulty one.

 

Elastic Workload Protector is DevOps Ready

You will no longer publish your application with security flaws to the cloud or into an unsecured environment. We can easily become part of your build chain and strengthen your process so that you deliver secure applications as fast as possible:

Through the use of:

  1. Our API-driven solution

Integrating our solution into your DevOps framework or build chain is easy.

Our solution can be driven by external tools: each step of a security analysis done by Elastic Workload Protector can be automated through an HTTP RESTful API.

From high-level to low-level functionality, you can manage users, scanning processes, policy creation, report and risk export, and tags.

For example, in your build chain, you can set up our solution to be in charge of delivering a security seal to packages or images that meet a risk-level compliance requirement:

⇒ Do not validate/publish image with risk DATA INTEGRITY higher than 2.0
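A build-chain gate enforcing the rule above, as an added example that is not Elastic Workload Protector's code or API. The JSON report layout, the field names and the image name are constructed assumptions; the gate fails closed when a score is missing or malformed.

```python
import json

# Constructed sample report: layout and field names are assumptions made for
# this example, not Elastic Workload Protector's actual export format.
SAMPLE_REPORT = """
{"image": "registry.example/app:1.4.2",
 "risks": {"DATA INTEGRITY": 3.1, "CONFIDENTIALITY": 1.2, "AVAILABILITY": "n/a"}}
"""

# Maximum accepted score per risk category (the rule above: DATA INTEGRITY <= 2.0).
POLICY = {"DATA INTEGRITY": 2.0}


def evaluate(report_text, policy):
    """Return (ok, reasons). Fails closed: bad input never earns a seal."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return False, [f"unreadable report: {exc.msg}"]
    risks = report.get("risks") if isinstance(report, dict) else None
    if not isinstance(risks, dict):
        return False, ["report has no 'risks' object"]
    reasons = []
    for category, limit in policy.items():
        score = risks.get(category)
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            reasons.append(f"{category}: no numeric score in report")
        elif not score <= limit:  # written as "not <=" so NaN also blocks
            reasons.append(f"{category}: {score} exceeds limit {limit}")
    return not reasons, reasons


def gate(report_text, policy=POLICY):
    """Exit status for the build step: 0 = publish, 1 = block."""
    ok, reasons = evaluate(report_text, policy)
    for reason in reasons:
        print("BLOCK", reason)
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run as a pipeline step, a non-zero exit status stops the publish stage before the image leaves the build environment.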

As easy as it is to add a ‘vulnerability assessment process’ to your build chain, our experts can help you with the integration: Docker, AWS or another image build.

  2. Our Security Analysers

They ensure that your images are built with best practices in place, from compliance (CIS, OWASP, PCI-DSS) to specific applications (Hadoop) or use cases (Big Data), and are free of vulnerability flaws (CVE).

For each analysis, a report with remediation steps lets you fix issues easily and quickly, so that the build process runs as fast as possible.

 

With these simple steps, it is possible to streamline security in the DevOps Cycle.

Do you want more information on our DevOps approach?

Don’t wait for the next WannaCry cyber attack to react… Contact us now and meet our security team at AWS Summit Paris, 27th June 2017.

CVE – Common Vulnerabilities and Exposures
CIS – Center for Internet Security
OWASP – Open Web Application Security Project
PCI-DSS – Payment Card Industry Data Security Standard
