The Continuous Delivery Foundation (CDF) is an open source software foundation that seeks to improve the world’s capacity to deliver software with security and speed. The team has this summer said…
Recently, AWS announced the general availability (GA) of its fully-managed application delivery service, AWS Proton, allowing customers to easily provision, deploy, and monitor the microservices that form the basis of modern container and serverless applications.
At WWDC21 Apple announced Xcode Cloud, a continuous integration and delivery (CI/CD) system to help developers build, test, and distribute apps. Still in beta, Xcode Cloud supports both releasing to TestFlight and on the App Store.
It’s impossible to make an organization 100% impenetrable. You may have all the right security policies and tools. But, no matter how quickly you shore up your defenses, cyber criminals just keep getting faster. To avoid becoming the next victim of a cyber attack, you just need to outrun the guy next to you. That’s what Forrester quipped in a recent blog post when commenting on the recent spate of ransomware attacks.

Your security posture isn’t only about you, but also your posture relative to other organizations. Because hackers look for the most vulnerable targets, you need to be more secure than others, making you a less appealing target.

To be the best on the block, you need to look across your organization to see where the security gaps are. You must check security consistency across functions, business units, geographies, and applications. If some teams are following corporate security policies but others aren’t, you’ve left a window for a cyber criminal to enter.

A dream target area for cyber criminals, one that cannot be overlooked in an enterprise security strategy, is DevOps. Running the risk of not bringing DevOps into the security fold means that application development will be protected by only a loose patchwork of untrackable, unenforceable security practices. Cyber criminals thrive in loose patchworks.

In this blog post, you’ll learn common DevOps processes that invite cyber attack, and best practices to reduce DevOps security risk with Privileged Access Management (PAM).

What makes DevOps a cyber security target?

DevOps (short for development operations) is defined as a set of practices that automates processes between software development and IT teams so they can build, test, and release software faster and more reliably.

Industries including Retail and eCommerce, Software, Manufacturing, Financial Services, Healthcare, Telecommunications, and Transportation all leverage DevOps. According to Forrester Research, more than 50% of organizations, like Uber, Starbucks, Verizon, Amazon, BMW, Netflix, and CapitalOne, rely on DevOps techniques.

The speed and scale of DevOps requires security to keep pace

DevOps has a particularly risky attack surface that includes code, scripts, and tools. DevOps relies on automation, continuous improvement, and utilizing a microservice-based architecture to increase the speed of development. As a result, it involves a lot of non-human assets, application-to-application communication, and interactions with databases. The speed and scale of DevOps requires security to keep pace: secrets must be created instantly, tracked incessantly, and retained securely, while also remaining available to the humans and machines that need them. These requirements don’t always play well with corporate security policies.

DevOps often involves bad cyber habits

DevOps has unique needs, which often strain security goals. To increase the speed of development, DevOps organizations have adopted many bad habits. DevOps teams have learned how to sidestep security policies, specifically password and privilege management. Centrify’s Tony Goulding has an insightful take on this evolution:

“The Sec (Security) in DevSecOps is typically forced into the mix due to corporate policy or industry regulations. Most DevOps teams, however, consider PAM a blot on the landscape because it gets in the way. PAM aims, in part, to simplify and centralize credential management (often referred to as Application-to-Application Password Management or AAPM). DevOps perceives that (PAM) doesn’t fit the DevOps model that strives for speed and agility through automation.”

50% of developers don’t have enough time to spend on security

Recent surveys have confirmed what insiders already know: 50% of developers don’t have enough time to spend on security, and 53% of them believe that infosec policies and teams slow their work down. Rather than take the time to implement a security-forward approach to password management, they rely on manual methods which are impossible to scale. DevOps groups may take shortcuts, such as:

Hardcoded credentials. Without a tool to automatically generate credentials on demand, DevOps teams may manually generate them, then hardcode them into an app. While this solves the immediate need of granting access, it leaves behind a gaping security hole.

Insecure storage of credentials. No centralized password management or central password vault leads to credentials being stored in third-party repositories and spreadsheets (stored in the cloud or locally, and usually not password protected). Recent security breaches, such as Uber accidentally exposing AWS credentials on GitHub, have taught us the danger of relying on unprotected repositories.

Pairing autoscaling servers and services with secrets management that can’t keep pace. The beauty of hosted applications is that as more capacity is needed, the applications can be set to scale up automatically. But, if autoscaling is paired with secrets management that can’t scale up at the same rate, then either password management becomes the bottleneck, or the integrity of the system fails.

Lack of encryption. Encryption can often slow down development as it requires advanced cryptographic engineering knowledge not all developers have. It’s also difficult for enterprises to test and confirm that encryption is implemented properly.

Secrets management tailored to DevOps, but not tied into a centralized IT system. Secrets management works best when it’s universally applied, but some DevOps teams prefer to have their own system in place, one which is finely tuned to their needs, but often incompatible with what IT is using in the rest of the organization, if IT is even aware the other system exists.

Ignoring security in the early stages of the dev lifecycle. Security needs to be considered throughout the software development lifecycle, from early requirements, through initial prototypes and beta releases. Bolting it on after the fact often leads to unintended gaps which sophisticated hackers are only too ready to exploit.

Bottom line: PAM is often shunned because it’s complicated to deploy and manage, non-intuitive for modern workflows, and requires lots of manual care and feeding.

Use PAM for DevOps to turn a no-no into a yes-yes

Modern application security requires taking full ownership of all aspects of code, whether you wrote it or not. IT must balance giving employees and contractors the autonomy to be productive while also implementing and enforcing consistent security policies. IT must retain overall oversight while still accommodating DevOps’ need to access disparate resources and develop new applications in a way that fosters collaboration, encourages speed and continuous delivery, yet doesn’t sacrifice security.

Integrating automated security solutions into DevOps can have an immediate impact. According to CyberEdge Group’s 2021 Cyberthreat Defense Report, which surveyed over 1,200 DevSecOps practitioners:

8% deploy applications more quickly
2% deploy updates more quickly
5% reduce costs
3% reduce app security vulnerabilities

DevOps security solutions centralize and automate access controls to developer toolchains and underlying infrastructure, enhance application security, and enable logging and auditing of privileged activity. When thoughtfully implemented, PAM for DevOps helps:

Establish identity assurance. You can consolidate identities to minimize the attack surface, apply multi-factor authentication everywhere and control access through risk-based factors.

Limit lateral movement. Security teams can establish access zones, grant access based on use of trusted endpoints, apply conditional access controls, and minimize VPN access.

Grant least, just-in-time privilege. In the same way as controlling broad access, you can automate the request for privilege elevation, grant just enough privilege, and move towards just-in-time privilege.

Assure automation and agility. It’s critical to avoid manually establishing service accounts for each application. Automated secrets management reduces friction in the DevOps workflow, automatically interacting with platforms and tools such as Jenkins, Kubernetes, Azure DevOps, Puppet, Terraform, CHEF, Ansible, AWS, Azure, and Google Cloud Platform.

Pair high-velocity vault with autoscaling services. A high-velocity secrets management vault can support just-in-time access to resources, including toolchain support, integration with code, artifacts, applications, and other essential components. As detailed in the Kuppinger Cole Leadership Compass Report, you can use a DevOps vault to replace hard-coded credentials in apps to access other apps, databases, services, DevOps tools, and robotic process automation. It also supports the critical tasks of just-in-time provisioning and decommissioning.

High availability (HA). The system you put in place is only effective if it’s up and running. Ensure it can be configured for high availability and be able to support server and service scalability.

Audit everything. Monitor privileged sessions and analyze the risk of access requests in real-time. Receive alerts and notifications on abnormal user access behavior. Use ongoing audits and reporting to ensure compliance with service account governance.

Over 50% of organizations using DevOps will adopt PAM-based ‘secrets management’ products by 2021, rising rapidly from less than 10% in 2018, according to Gartner Research.

The benefits of one system for enterprise-wide PAM

When privilege security solutions designed specifically for DevOps are integrated with centralized PAM solutions, IT security can have visibility over the whole enterprise. DevOps Secrets Vault handles credential management, interfacing with other tools in your DevOps ecosystem via an API call. It alleviates the risk of hard-coded credentials by having a centralized place to control and audit all of the secrets and which applications have access. For added security, it can also generate ephemeral secrets which are policy restricted and time-limited; with this type of secret, even if hackers are able to obtain a credential, it will be of very limited value to them since its access is limited and it is only valid for a short time. The risks to the organization are vastly reduced.

DevOps Secrets Vault works best when integrated with an enterprise-wide security solution like Secret Server. Through Secret Server’s cloud discovery, you can uncover what privileged accounts exist in AWS or Azure. Also, centralized management tools provide automated logging, along with consistent, enterprise-wide reports to demonstrate compliance.

See for yourself: You can try DevOps Secrets Vault for free.
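The ephemeral, policy-restricted, time-limited secret described above, shown as an added example that is not DevOps Secrets Vault's or Secret Server's code: a minimal issuer and verifier for HMAC-signed credentials that carry one scope and a hard expiry, written for this page. The signing key, the scope names and the 300-second TTL are constructed for illustration; a real vault would additionally revoke by token id and keep the signing key in a hardware-backed store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: the vault's HMAC signing key. A real vault keeps
# this outside the application process (ideally in an HSM); it is never shipped.
VAULT_SIGNING_KEY = secrets.token_bytes(32)


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key, scope, ttl_seconds, now=None):
    """Mint a credential bound to one scope and valid for ttl_seconds only."""
    now = time.time() if now is None else now
    claims = {
        "scope": scope,                 # what the holder may do, e.g. "db:orders:read"
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # hard expiry; no renewal in this example
        "jti": secrets.token_hex(8),    # unique id so every issuance is auditable
    }
    body = _b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = _b64encode(hmac.new(signing_key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(signing_key, token, required_scope, now=None):
    """Return (accepted, reason). Authenticate first; trust no claim before that."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        sig_bytes = _b64decode(sig)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return False, "bad signature"          # tampered body or foreign key
    claims = json.loads(_b64decode(body))      # safe: signature already checked
    if now >= claims["exp"]:
        return False, "expired"                # a leaked token dies with its TTL
    if claims["scope"] != required_scope:
        return False, "scope mismatch"         # least privilege: one scope per token
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token(VAULT_SIGNING_KEY, "db:orders:read", ttl_seconds=300)
    print(verify_token(VAULT_SIGNING_KEY, tok, "db:orders:read"))
    print(verify_token(VAULT_SIGNING_KEY, tok, "db:orders:write"))
    print(verify_token(VAULT_SIGNING_KEY, tok, "db:orders:read", now=time.time() + 600))
```

The verifier checks the signature before it parses any claim, so an attacker who edits the scope or expiry in a captured token only produces a "bad signature" result; the point of the short TTL is that even an unmodified stolen token stops working on its own.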
AWS Auto Scaling has a single user console interface that allows you to configure auto scaling for entire applications or individual resources across different AWS resources and services. In this article, Gilad Mayaan David explains what AWS Auto Scaling is, which types of resources can be scaled, and shares best practices.
Continuous Delivery Market - Growth, Trends, COVID-19 Impact, and Forecasts (2021 - 2026) The Contin…
CircleCI, the leading continuous integration and continuous delivery (CI/CD) platform, announced it has closed $100 million in Series F financing.
DevOps for Machine Learning, or MLOps, is new on the scene. The differences between MLOps and mainstream DevOps practices are not yet widely understood. We can understand MLOps practices better by looking at the needs that drive them. Let’s consider what we see in advanced MLOps projects and what needs drive that complexity.
Armory is an open source continuous delivery software company. The company has this year introduced Armory Minnaker (rhymes with Spinnaker, for obvious reasons - see more below), a virtual machine…
A recent Software Delivery Leadership Forum panel discussion shared approaches and tactics for creating a successful DevOps culture. The panel stressed the importance of an aligned culture around the DevOps adoption. This includes setting strategic organizational goals, cultivating psychological safety, and treating your culture as a product.
Armory Minnaker uses K3s to make it simpler to deploy its distribution of the open source Spinnaker continuous delivery (CD) platform.
In a recent keynote for The DEVOPS Conference, Cheryl Hung, VP Ecosystem for the Cloud Native Computing Foundation (CNCF) shared her top 10 predictions for cloud native in the upcoming year. This includes improvements in cross cloud support, growth in GitOps and chaos engineering practices, and an increase in the adoption of FinOps.
Continuous test strategies can have a major impact on speeding up lead time for continuous delivery of quality software.
Today’s blog post is about the awesome IBM Garage Cloud Native Toolkit to support continuous integration and continuous delivery (CICD) in today's agile world.
Developers have no shortage of questions about pipelines as code. Continuous delivery or continuous deployment? Should we use Jenkins or a different CI tool? How frequently should we release? The list goes on. Mohamed Labouardy, author of 'Pipeline as Code,' answers these questions and more.
Today, more than ever before, development organizations are focusing their efforts on reducing the amount of time it takes to develop and deliver software applications. While this increase in velocity provides significant benefits for the end users and the business, it does complicate the process for testing and verifying the function and security of a release. The days of long-running, waterfall-style development cycles, wherein security was manually evaluated and bolted on at the end, are gone for good. With the move towards an agile development methodology, security testing and remediation is inherently shifting to the left. And to support this, developers must adopt tools to automate security testing for easy vulnerability identification at the earliest point possible in the development lifecycle. Below, we discuss the why and how of implementing an effective strategy for automated security testing within the development lifecycle.

Shifting security testing to the left

Through the use of automation, security testing can be executed earlier (or left) in the development pipeline. This is advantageous for a variety of reasons. For one, the earlier vulnerabilities are discovered, the less expensive they are to fix. If a security issue was introduced into the code early in the release cycle, it’s more likely that it’ll be resolved in minutes or hours, whereas a vulnerability discovered at the end of the release cycle could face complexity that increases the time required to remediate. Moreover, earlier execution of security tests ensures that vulnerabilities pose less of a threat to the delivery schedule. When security tests are automated as part of the build and integration processes, there is less uncertainty as the release approaches the later stages of the development lifecycle. This reflects well on both development personnel and the organization as a whole.

Shifting security left can also help reduce security debt, which piles up over time and can only add to serious risk if left unchecked. Instead of leaving the prioritization and remediation of bugs and vulnerabilities until the very end, shifting security left encourages collaboration between security and development to tackle this issue and determine which security debt is acceptable, and which should be remediated ASAP, reducing lingering risk.

Automated security testing for developers

So with the intent being to automate and shift security testing to the earliest possible point in the development lifecycle, let’s analyze how this is done in practice. What are we looking for when we test? What does automated security testing involve?

Automated security testing for applications is accomplished by scanning code for vulnerabilities. Static code analysis, for instance, scans a codebase while the application is not running. The code is evaluated against a set of policies to ensure that developer implementation is in compliance with the security standards set forth by the organization. Non-compliance with any standard would indicate a vulnerability. These vulnerabilities can include anything from failure to properly protect database calls from SQL injection, to non-compliance with PCI standards for processing, storing, and transmitting credit card information. Furthermore, automated security testing can be leveraged to validate the security of third-party libraries being used by the system.

Organizations that wish to shorten their development cycles and enable continuous delivery should utilize security analysis tools early and often, throughout their development lifecycle. This means leveraging IDE integrations that allow developers to scan their code at their convenience, and including security scanning as part of the build and integration processes, just as is done for other forms of automated application testing.
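A static check of the kind this section describes, covering both the SQL-injection policy mentioned here and the hardcoded-credential shortcut from the PAM post earlier on this page, as an added example rather than any vendor's scanner: it parses Python source with the standard `ast` module and flags string literals assigned to credential-looking names, literals shaped like AWS access key ids (the documented 20-character `AKIA`/`ASIA` format), and `cursor.execute` calls whose query is assembled at runtime. The sample source, the key id value in it and the rule names are constructed for this example.

```python
import ast
import re
from dataclasses import dataclass

# Variable names that should never be assigned a string literal in source.
CREDENTIAL_NAME = re.compile(r"(password|passwd|secret|token|api_key|access_key)", re.IGNORECASE)
# Shape of an AWS access key id: 4-character prefix followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


class SecurityVisitor(ast.NodeVisitor):
    """Walks one module's AST and records policy violations."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                    self.findings.append(Finding(node.lineno, "hardcoded-credential", target.id))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # A key id has a recognisable shape wherever it appears, not only in an assignment.
        if isinstance(node.value, str) and AWS_ACCESS_KEY_ID.search(node.value):
            self.findings.append(Finding(node.lineno, "aws-access-key-id", "literal matches access key id format"))

    def visit_Call(self, node):
        # cursor.execute(<query built at runtime>): concatenation, f-string or .format()
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            query = node.args[0]
            built_by_format = (isinstance(query, ast.Call) and isinstance(query.func, ast.Attribute)
                               and query.func.attr == "format")
            if isinstance(query, (ast.BinOp, ast.JoinedStr)) or built_by_format:
                self.findings.append(Finding(node.lineno, "sql-string-building",
                                             "query assembled from runtime values; use parameters"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source text and return its findings ordered by line."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (f.line, f.rule))


# Constructed sample module. Line 1 is blank; lines 8 and 9 are the compliant forms.
SAMPLE_SOURCE = '''
import os
DB_PASSWORD = "hunter2"
aws_access_key = "AKIAEXAMPLEEXAMPLE00"
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
api_token = os.environ["API_TOKEN"]
'''


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.rule} ({finding.detail})")
```

The parameterised `execute` call and the credential read from the environment produce no finding, which is the behaviour a policy check needs: the scan has to distinguish the compliant pattern from the non-compliant one, not merely spot the word `execute` or `token`.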
Making sense of your automated security testing options

There are some specific aspects to consider when evaluating options for automated security testing.

Infrastructure considerations

When talking about automated security scanning options, one question is the infrastructure required to support it. Should your strategy involve the use of on-premises tools or those that are cloud-based? From an infrastructure perspective, cloud-based automated security testing platforms provide several important advantages. For one, on-premises tools require the organization to assume some overhead. Installation, configuration, and upgrading will come at a cost to the DevOps team in terms of time and resources. With cloud-based options, the complexity of managing a security scanning toolset is simplified. Instead of managing the hardware and software associated with an on-premises tool, development teams can instead leverage a service that is highly scalable and consistently updated, ensuring immediate access to the latest features and the highest level of flaw detection accuracy.

Cloud-based security scanning tools, like Veracode, provide APIs for use in evaluating the security of an application’s codebase. These APIs equip organizations with easy access to security scan functionality, enabling development teams to test for vulnerabilities early and often throughout the development process. According to the State of Software Security v11, a report based on scan data from 130,000 applications, scanning via API reduces the time to fix 50 percent of flaws by 17.5 days. This is likely the result of an increase in development teams’ ability to identify security problems at the early points in the development lifecycle, when they are less expensive to fix.

Pipeline integrations

By the time a DevOps team is considering integrating automated security testing into their development process, they are undoubtedly leveraging CI/CD to streamline integration and deployment. With that said, an organization’s continuous integration platform should have an impact on the choice of security scan tooling. Executing security scans on application code as part of CI/CD pipelines is a surefire way in which development teams can improve the level of security within their application releases. Therefore, an organization’s security scanning tool should be able to easily integrate with their CI/CD system.

Pipeline scans are immensely valuable from the perspective of secure development. As code is committed and pipelines are kicked off, security scans can be executed as part of the build process. Some vulnerabilities of a lower level of importance can be reported upon, but without impacting the application’s progression through the pipeline. In contrast, vulnerabilities deemed to be of higher severity and unacceptable to the business should be configured to fail the build. This forces development personnel to fix critical security defects immediately, ensuring they aren’t present as the development process comes to a close and the application is released.

Testing early and often within your IDE

Those tasked with evaluating options for automated security testing should also consider the availability of IDE integrations. These integrations allow developers to scan their code and get fast feedback prior to committing to a shared repository. When used properly, this will prevent many vulnerabilities from being introduced in the first place. Furthermore, providing developers with the ability to scan as they code facilitates developer engagement with secure coding practices. Over time, this helps to instill a culture of developing with security in mind.
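The build-gating policy described under "Pipeline integrations", fail on high severity, report the rest, as an added example that is not Veracode's or any CI system's code: a small gate over normalised scanner findings that also honours time-limited risk acceptances, the "acceptable security debt" the post discusses earlier, so an accepted finding stays visible in the report but stops blocking only until its acceptance lapses. The findings, ids, severity names and exception dates are constructed, and the `id`/`severity`/`title` field names are an assumption of this example about how scanner output has been normalised.

```python
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity vocabulary assumed for this example; map your scanner's levels onto it.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # ids that fail the build
    accepted: list = field(default_factory=list)   # ids shielded by an unexpired acceptance
    reported: list = field(default_factory=list)   # ids below the threshold: shown, not blocking


def evaluate_gate(findings, fail_at="high", exceptions=None, today=None):
    """Decide whether a scan result may proceed through the pipeline.

    findings:   list of {"id", "severity", "title"} dicts (normalised scanner output)
    fail_at:    lowest severity that blocks the build
    exceptions: {finding_id: "YYYY-MM-DD"} accepted debt, each with an expiry date
    today:      "YYYY-MM-DD" string, defaults to the current date
    """
    exceptions = exceptions or {}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    result = GateResult(passed=True)
    for finding in findings:
        fid = finding["id"]
        # An unknown severity label is treated as the worst case, never silently ignored.
        rank = SEVERITY_RANK.get(str(finding["severity"]).lower(), SEVERITY_RANK["critical"])
        if rank < threshold:
            result.reported.append(fid)
            continue
        until = exceptions.get(fid)
        if until is not None and date.fromisoformat(until) >= today:
            result.accepted.append(fid)   # acknowledged debt: visible, not blocking (yet)
            continue
        result.blocking.append(fid)       # no valid acceptance: stop the pipeline here
    result.passed = not result.blocking
    return result


# Constructed sample scan output and risk register for this example.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "title": "SQL injection in search endpoint"},
    {"id": "F-2", "severity": "medium", "title": "Verbose error page"},
    {"id": "F-3", "severity": "high", "title": "Outdated third-party TLS library"},
    {"id": "F-4", "severity": "low", "title": "Missing Cache-Control header"},
]
SAMPLE_EXCEPTIONS = {
    "F-3": "2030-01-01",   # accepted while the library upgrade is scheduled
    "F-1": "2020-01-01",   # acceptance has lapsed and no longer shields the build
}


if __name__ == "__main__":
    gate = evaluate_gate(SAMPLE_FINDINGS, fail_at="high", exceptions=SAMPLE_EXCEPTIONS)
    print(json.dumps(gate.__dict__, indent=2))
    sys.exit(0 if gate.passed else 1)   # a non-zero exit is what fails the CI job
```

Wiring this into a pipeline is a matter of running it as a step after the scanner and letting the non-zero exit status fail the job; the expiry date on each acceptance is what keeps deferred debt from quietly becoming permanent.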
Automated security testing with Veracode

With solutions for static code analysis, dynamic analysis (DAST), software composition analysis (SCA), and more, Veracode provides DevOps teams with the functionality to gain actionable insights for addressing security vulnerabilities in a more time- and cost-efficient manner. Veracode static analysis scanning can be integrated with many of the major CI/CD systems in use today (including GitLab and Jenkins), allowing development teams to continuously evaluate the security of their application throughout the entire SDLC. Furthermore, integrations exist for IDEs such as Eclipse, IntelliJ, and VSCode, helping developers to identify and remediate security shortfalls while they code. This enables the development of secure applications without sacrificing velocity or stifling innovation.

Wrapping up

Automated security analysis, feedback in real-time, and low organizational overhead are the name of the game in modern-day AppSec. The earlier security defects are identified, the less impactful they are to the development process. Cloud-based platforms can help with this, providing fast feedback as part of the development and build processes. This, as a result, equips developers to construct secure applications from the outset. To learn more, read our guide: Five Principles For Securing DevOps. …
This blog covers the fundamental Jenkins architecture and its related components. If you are a beginner at Jenkins, it will help you gain some idea of how Jenkins components work together and the key configurations involved. What is Jenkins? Jenkins is an easy-to-use open-source CI/CD tool. It has been around for some time, and several organizations are using it for their CI/CD needs. Important Note: It is essential to have an understanding of Continuous integration, continuous delivery, and continuous deployment to understand Jenkins better. It has huge community support and an ocean of plugins that integrate with open-source and enterprise…
Continuous delivery gains momentum as IT seeks to deliver new features and fix defects faster and more consistently.