DEVOPS WATCH

Weaveworks acquires Magalix to secure Kubernetes

BY JAKUB LEWKOWICZ

Weaveworks acquired the policy-as-code startup Magalix to secure Kubernetes applications by integrating the solution into Weave GitOps.

“Enterprise customers have made it clear that trusted application delivery is critical to the success of their increasingly complex cloud native platforms,” said Alexis Richardson, the CEO of Weaveworks. “With the acquisition of Magalix, Weaveworks introduces customizable policies, compliance capabilities and comprehensive risk visibility into GitOps workflows, ensuring only authorized applications are deployed and there are no nefarious activities.”

The addition of Magalix’s policy engine will enable DevOps teams to apply consistent policies and best practices across multiple Kubernetes environments. These new developer guardrails will enable Weaveworks customers to bridge the gap between developers, DevOps and security teams.

Also, Magalix’s KubeGuard agent detects and remediates runtime drifts.

Magalix simplifies DevSecOps and enables cloud-native environments to be more secure by integrating directly into source, build, and deployment stages of the software lifecycle, according to Weaveworks.

Customers will be able to use the same declarative approach as Kubernetes to scale their applications while maintaining regulatory requirements and security best practices with Magalix’s security capabilities.

“We are seeing an increase in customers who run a zero-trust security model turning to GitOps to bring DevOps to cloud-native application development and IT operations,” said Mohamed Ahmed, the founder and CEO of Magalix. “Similar to how DevOps disrupted infrastructure management, we believe that integrating security into GitOps pipelines brings considerable agility and speed, preventing errors and protecting against attacks that could shut down the entire platform. Imagine securing your platforms 100 times faster with very high confidence while evolving them. Weaveworks and Magalix share that joint mission to make it easy to innovate fast without jeopardizing security and stability.”

Checkmarx KICS now integrated into GitLab 14.5

Checkmarx’s open-source KICS (Keeping Infrastructure as Code Secure) solution has been integrated into version 14.5 of the GitLab DevOps Platform as an infrastructure-as-code scanning tool.

KICS automatically parses infrastructure-as-code files of any type to detect insecure configurations that could expose applications, data and services to attack.

Users of Ansible, AWS CloudFormation, K8S or Terraform can now scan their IaC and manage IaC vulnerabilities alongside other comprehensive security scan results with GitLab’s vulnerability management capabilities.
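Both items above describe the same idea: a declarative set of rules evaluated against infrastructure definitions before they reach a cluster, whether that is the Magalix policy engine gating GitOps deployments or KICS scanning IaC files in a pipeline. As an added illustration (example code written for this page, not code from Weaveworks, Magalix or Checkmarx), the following Python script evaluates a Kubernetes workload manifest against a small set of admission rules. The rule names, the two sample manifests and the `registry.example` image names are constructed for the example; manifests are given as JSON-style dicts so no YAML library is required (kubectl accepts JSON manifests as well).

```python
"""Minimal policy-as-code checker for Kubernetes workload manifests (added example)."""
from typing import Callable, Dict, List


def _pod_spec(manifest: Dict) -> Dict:
    """Return the pod spec for a bare Pod or for a templated workload (Deployment, Job, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def _containers(spec: Dict) -> List[Dict]:
    return spec.get("containers", []) + spec.get("initContainers", [])


# Each rule returns a list of violation messages; an empty list means compliant.
def no_privileged(spec: Dict) -> List[str]:
    return [f"container '{c['name']}' runs privileged"
            for c in _containers(spec)
            if c.get("securityContext", {}).get("privileged") is True]


def no_host_namespaces(spec: Dict) -> List[str]:
    return [f"pod shares host namespace via {ns}"
            for ns in ("hostNetwork", "hostPID", "hostIPC") if spec.get(ns) is True]


def pinned_images(spec: Dict) -> List[str]:
    """Images must carry an explicit tag other than 'latest', or a digest."""
    out = []
    for c in _containers(spec):
        image = c.get("image", "")
        if "@sha256:" in image:
            continue                      # digest-pinned: always acceptable
        last = image.rsplit("/", 1)[-1]   # avoid mistaking a registry port for a tag
        tag = last.rsplit(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            out.append(f"container '{c['name']}' uses unpinned image '{image}'")
    return out


def run_as_non_root(spec: Dict) -> List[str]:
    pod_level = spec.get("securityContext", {}).get("runAsNonRoot") is True
    return [f"container '{c['name']}' may run as root"
            for c in _containers(spec)
            if not (pod_level or c.get("securityContext", {}).get("runAsNonRoot") is True)]


# Constructed policy set; names are illustrative, not any product's rule ids.
POLICIES: Dict[str, Callable[[Dict], List[str]]] = {
    "no-privileged": no_privileged,
    "no-host-namespaces": no_host_namespaces,
    "pinned-images": pinned_images,
    "run-as-non-root": run_as_non_root,
}


def evaluate(manifest: Dict) -> Dict[str, List[str]]:
    """Map policy name -> violations for one manifest; only failing policies appear."""
    spec = _pod_spec(manifest)
    result: Dict[str, List[str]] = {}
    for name, rule in POLICIES.items():
        violations = rule(spec)
        if violations:
            result[name] = violations
    return result


# Constructed sample manifests (not taken from the article or any real project).
WEAK = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "registry.example/web:latest",
                        "securityContext": {"privileged": True}}]}}},
}
HARDENED = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "registry.example/web:1.4.2",
                        "securityContext": {"privileged": False}}]}}},
}

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, evaluate(manifest) or "compliant")
```

In a GitOps setting the same `evaluate` call would run as an admission check on the reconciled manifest; in a CI pipeline it runs over the rendered IaC files, which is the KICS placement. Adding a rule is one function plus one dictionary entry, which is what keeps the policy set reviewable in source control alongside the manifests it governs.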

“The fact that we now see infrastructure-as-code (IaC) integrated as part of any DevOps pipeline shows that application security must now extend far beyond application source code,” added Razi Sharir, CPO at Checkmarx. “The world runs on code, and we secure it, from source code to open source to infrastructure-as-code.”

ZenHub announces Productivity Insights

ZenHub, the productivity management solution built into GitHub, today announced Productivity Insights, a new solution in its portfolio of productivity management tools. These Productivity Insights offer teams actionable insights of sprint progress and total productivity in real time.

Productivity Insights automates the process of measuring and analyzing a software development team’s performance and immediately shares that data throughout the entire development organization.

In addition, Productivity Insights and the analysis it provides are available at a glance from the standard ZenHub UI view that developers regularly use, giving all team members a clear view of the progress that is being made, what still has to be accomplished, and how to work through existing obstacles.

DevOps Institute: Events, new certifications

The new certifications include DevOps Practitioner and DevOps Engineering Foundation. Also, SKILup Days, SKILup Hours, and SKILup Festival 2022: A Live DevOps Educational Experience will provide insights and education needed by DevOps professionals in a wide variety of disciplines.

“As we ramp up our education and certification programs, we aim to empower the global member community with the skills and knowledge they need to further their careers and advance the DevOps initiatives at their organizations,” said Jayne Groll, CEO of DevOps Institute.

The DevOps Institute also announced the availability of its new Continuing Education Program. The program works to provide certified members with the skills, knowledge, and learning needed in order to remain relevant, optimize rising trends, and meet professional goals.

This program benefits individuals and organizations in different ways. For individuals, the program provides greater value to certifications through continuing education credits, supports continuous upskilling, increases work productivity and efficiency, and more. On the organizational side, the Continuing Education Program enhances employee recruitment and retention, assists with cross-training and coverage, and increases team productivity and efficiency.

RPA:

Handling mundane tasks, freeing up developers

BY KATIE DEE

Robotic Process Automation (RPA) has been a useful tool for many organizations. Despite the initial fear that it would grow to take over the jobs of developers, many have come to see that RPA and automation only function well when they work in tandem with developers.

According to Yishai Beeri, growth technologies lead at LinearB, the best way for organizations to utilize RPA is to implement it with the purpose of eliminating the mundane tasks that would usually fall to developers.

He also explained how this technology works to ensure consistency across a development team. “Developers have their own skills, they can automate basically whatever they like if they put their time into it, but sometimes, you want a more organized or central solution for automating these things instead of every developer just scripting away,” Beeri said. “Maybe it's not important enough for a single developer but if you look at 100 developers… the small time wasters are things that you can automate away with a more centralized solution.”

Carlos Melendez, COO and cofounder of Wovenware, echoed Beeri’s sentiments by explaining that organizations would much rather have their developers working on tasks that bring value to the company rather than spending the majority of their time on duties that could easily be automated with something like RPA.

Melendez also explained that when implementing RPA, this is the message that can fight off the employee resistance that may come from the fear of losing their jobs to automation technology. “A lot of the time it’s not about replacing employees, it’s about augmenting their capabilities. So, if half of your time is spent kind of preparing a file or preparing an integration or moving data from one point to another or doing data entry, then you want that person to spend more time on their analysis and verifying what is happening instead of the actual data entry part,” he said.

RPA still new, and evolving

Jon Knisley, principal consultant, automation, and process excellence at FortressIQ, said that RPA and other automation technologies are still relatively new and, therefore, rapidly evolving. He said, “Among companies that have deployed RPA, a majority have less than 10 bots in production and just 10% have launched more than 100 bots, according to a recent report from Automation Anywhere.” With this, he added that he believes that the full breadth of what RPA and automation in general can do is still undiscovered.

“Only 11% of business executives surveyed by McKinsey believe their current business models will be economically viable through 2023. Given the potential disruption, organizations continue to invest in complex change programs despite dismal success rates of less than 30%. Automation is the new transformation,” Knisley said. He also noted that RPA has been the fastest growing segment for the enterprise software market for three consecutive years beginning in 2019. “Grand View Research estimates the global market for RPA will surpass $2 billion in 2022 and continue to grow annually at 40%,” he said.

Arthur Villa, an analyst at Gartner, said that his company’s research has yielded the same results, saying that he has seen no evidence that RPA has been slowing down, even in the midst of newer technology. “[As far as] the state of RPA implementation, I would say that it is still in the relatively early days. If we look at it as a four quarter game we’re probably only in the second quarter... I think that there's still a lot of adaptations that have been made in the last couple of years,” he said.

With this, Villa pointed out that RPA has only been growing in popularity as larger and more well-known organizations introduce this technology. “A lot of these new vendors are coming into the RPA market and shaking things up. There’s a lot happening within the market especially from the customer and buyer perspective… Many companies start small with RPA and then they rapidly expand those programs so I think we’re still early on in new customers buying RPA and beginning to experiment with the technology,” he said.

Villa believes that the reason RPA has been so widely accepted and implemented is because it offers organizations simplicity and overall convenience. According to Villa, when compared to other artificial intelligences, RPA is lower in cost, easy to understand, and companies will usually see a quick return on investment.

Humans and robots...working together

On an SD Times-led discussion of RPA on the Discord Dev Interrupted channel, participants had a lot to say. One of the respondents, Dr. Don Wilcox, talked about a robot used at his organization, which they named Marvin. “We have automation that completes a Task (the most-specific sort of ticket) when a PR associated with that Task is completed,” Wilcox explained. “Then Marvin takes over and changes the state of the parent story based on whether the dev tasks, qa tasks, demo tasks, etc, are complete. Marvin has his own row on the board, and you can get him to perform certain automation tasks (such as adding the standard stories and tasks to a new sprint) just by giving him an appropriately named task in that sprint.”

This is a good example of the way that automation and human employees have to work together. There's no doubt that the addition of the robot makes things run more smoothly but the robot cannot function without the direction of the human, which was the overall consensus from the discussion. The idea that RPA or another form of automation will be the end of human labor is far from the truth.

In further support of this, Wilcox said, “Once you build a robot, someone needs to maintain, enhance, QA, replace. That robot assumes its own product lifecycle, which will likely require humans. For the foreseeable future, it is going to be humans building the robots, even if the robots help.” —Katie Dee

Data, change management challenges

In spite of this, though, it is not uncommon for organizations to face some challenges when introducing RPA into their business processes. According to Melendez, these challenges often fall into two categories: data-driven and change management. Melendez explained that the data aspect of these challenges has to do with the quality of the data itself as well as overcoming the different types of roadblocks that arise when you try to automate using bad data. The change management-centric challenges have more to do with employees being worried about what RPA is going to do and how it will change their own jobs.

When working to remediate these challenges, Melendez said, “Technology is moving so fast that you really need a good set of technology partners that you can trust, that you can go to when you need certain technology solutions. You have your AI partner, your RPA partner, and other partners that will help you navigate the complexities and the changes in those technologies.”

Even with RPA’s rapid growth, it is noteworthy that it has fallen out of the spotlight somewhat in recent years. According to Brett Greenstein, data and analytics partner at PwC, this is the result of newer technologies being introduced. He said, “First, there is the screen scraping and click automation that allows RPA to execute the same steps a person would execute in any application. Second, there is the scripting for bots that identifies a sequence of actions with basic logic to decide what action to execute next. As APIs and microservices become more and more available, especially as applications modernize on the cloud, the need for screen scraping and click automation goes away.”

Along the same lines, Beeri said that he feels RPA is not as widely talked about because, at its inception, it was overhyped and now it is failing to live up to all of the original promises. “I think when you start to look at how to deploy [RPA], and what tasks need to be removed, you’re finding that you can change the actual task, you don’t stop at just putting a robot in to automate data entry… The solution for the problem at that point might not be RPA, it might just be automating something using no-code or low-code methods,” he said.

However, Melendez credits this lack of discussion to something different. He said that rather than RPA being at the center of the discussion, people have shifted to speaking more generally about automation. “RPA as well as AI is becoming so prevalent that the conversation is no longer about deploying RPA, it’s about the solution that we are going to deploy [using RPA],” he said. Melendez explained that because these tools and technologies are so advanced, not only is it assumed that they will be in place, but that it is also assumed that, in most cases, they are going to be able to easily automate whatever is necessary.

RPA as communication tool

Beeri thinks there is a new role that RPA can fill in the face of a more distributed workforce. He said that RPA can be used as a communication tool that can remind developers of when it is time to take the next step.

“A lot of the work that software developers do as a team is a lot of back and forth and communication between people… so coordinating that in an environment where it is mostly asynchronous and we’re not in the same room anymore… automation and smart bots can really help in coordinating this ‘dance’ between people so that people are not interrupted,” he said.

Beeri said that even though this is not a task that has been done in the past or a role that used to be filled by a separate employee, it has become important with the trend we’re seeing towards working remotely. He said, “It really helps to minimize interruptions and maximize speed when working together on things.”

According to Villa, only a few organizations are currently experiencing the full benefits of RPA that Beeri is referring to. He believes that the majority of companies utilizing this technology are the ones that are generating high volumes of revenue, meaning that small and mid-market organizations have yet to adopt automation technology. He said, “There's still a lot of education that has to happen within mid-market companies that need to understand ‘what is RPA? How can it be used? And how can I get the most bang for my buck?’”

Knisley also pointed out that education around RPA and automation is essential when trying to implement it in the most effective way possible. However, he also placed an emphasis on the importance of fully understanding and optimizing the company itself before introducing automation. He said, “To achieve the magical future state promised by technology, companies first need to understand their current state. Unfortunately, most companies do not understand how they truly operate especially at a gradual user activity level. To be successful and avoid false starts, companies need to discover, re-engineer and automate — in that order.”

From RPA to IPA (not the pale ale)

The conversation around RPA has shifted slightly in recent years in order to cast a wider net; the newer terminology is Intelligent Process Automation (IPA). The low-code automation company Nintex has been championing it, and according to Terry Simpson, senior solutions engineer at Nintex, “IPA is like the grownup and more mature sibling of RPA. When we say sibling, think about IPA being about 20 years older than its younger sibling RPA, on the maturity scale.”

Simpson continued, “IPA is actually the combination of several technologies coming together to create a very mature and flexible automation capability. Intelligent workflows, natural language processing, machine learning, and even RPA are all integral parts of an IPA solution.” He explained that a key difference between RPA and IPA is that while RPA usually runs on a local machine, IPA is a cloud-based virtual environment. “In simple terms, think about IPA sitting right in the middle of all your applications and performing process automation focused on an entire solution, not just tasks. Tasks may make up a piece of the solution, but IPA brings the entire solution or process together,” he said.

Brett Greenstein, data and analytics partner at PwC, said, “RPA is getting less discussion… because automation has expanded well beyond screen scraping and bots, through the use of APIs, Microservices, and AI/ML. Many companies have adapted to this by expanding the term to IPA to include those newer capabilities as well as process mining.”

Greenstein explained that in the current environment the need for automation is only growing. In the midst of the great resignation and a shortage of skilled developers, automating tasks using a smarter solution is quickly becoming a necessity rather than a luxury. This increased demand for automation has led to the expanding of RPA into IPA in order to introduce fresher technologies into an already reliable method of automation. —Katie Dee

What perimeter?

Defending your connected devices in traditional ways ‘makes no sense’

BY JENNA SARGENT

For a long time, security teams have been able to mostly rely on the safety of a security perimeter, but with things like IoT, embedded development, and now remote and hybrid work, this notion of a defensible perimeter is totally gone.

Having all of these connected devices that don’t live under one network expands the attack surface that security teams need to worry about. This is especially true when you’re talking about remote or hybrid work, explained Ev Kontsevoy, CEO of Teleport, a company that provides tooling that enables users to remotely access computing resources.

Kontsevoy explained that the perimeters, in terms of internet and application security, are breaking apart completely in two major ways. One is the type of perimeter that exists around your data center, where your equipment like servers or computers actually lives, and the second type of perimeter is the office itself, which is where all the employees who work there sit and need access to data and applications. This is where technology like firewalls comes in, Kontsevoy explained.

“That’s the traditional approach that now makes no sense whatsoever,” said Kontsevoy. “And the reason why it doesn’t make sense is because computers themselves are not in the same data center anymore. So we’re now doing computing globally.”

Kontsevoy used the example of Tesla. What is Tesla’s perimeter? Tesla deploys code to each of its charging stations, data centers, and cars. “Tesla deploys into planet Earth … Most organizations, they’re moving in the same direction. So computing itself is now becoming more and more global. So the notion of a perimeter makes no sense in a data center,” said Kontsevoy.

Conversely, no one is sitting in an office anymore. “Now, we have engineers, contractors, auditors, and interns, all sitting in different parts of the world, using computers that might not necessarily be company computers,” said Kontsevoy. “They can borrow an iPad from their partner to do a production deployment, for example. For that reason, traditional security and access solutions are just no longer applicable.”

According to Jeff Williams, chief technology officer at application security company Contrast Security, this idea of a perimeter had been dismantled long before COVID. In fact, he says people had a misguided sense of security in a perimeter that didn’t actually exist.

“Once any one computer inside the perimeter gets compromised then there’s what’s called the soft, chewy center where there’s nothing inside to prevent an attacker from moving around and doing whatever they want,” said Williams. “So the best strategy for a long time — since way before COVID — has been to really sort of consider your internal infrastructure as the same as your external infrastructure and lock it down.”

According to Williams, development machines are traditionally not very locked down and developers generally have the privileges to download any tools they need.

“They’re running, honestly, thousands of pieces of software that come from anywhere on their machines, all the libraries that they use run locally, all the tools that they use run locally, typically with privilege, and any of that code could potentially compromise the security of that company’s applications. So it’s something that DevSecOps programs really need to focus on,” said Williams.

Williams also believes the current speed at which DevOps teams want to move isn’t really compatible with the old way of doing security. For example, scanning tools, which have been around for over a decade, aren’t very accurate, don’t run very quickly, and don’t really work well with modern applications because they don’t work on things like APIs or serverless.

In order to move fast, companies will need to abandon these older tools and move on to the new ones, if they haven’t already. Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP) are two newer technologies that work fast and are part of developers’ normal pipelines.

“As the developers write their code, they can get instant accurate feedback on what they’re writing,” said Williams. “And that allows them to make those fixes very quickly and inexpensively, so that the software that comes at the end of the pipeline is secure, even if they’re moving at very high speed.”

Lack of automation and integration becomes even more problematic

The act of actually working remotely doesn’t seem to make it harder for DevSecOps teams to work together. According to software supply chain security company Sonatype’s CTO Brian Fox, certainly, companies need to get tools that will make collaboration easier in a distributed setting, but he believes the core of DevSecOps remains the same.

However, when a company goes remote, one of the first things that happens is that the touch points that could cover up a lack of automation no longer exist, Sandy Carielli, principal analyst at Forrester, explained.

“You don’t have those situations where you can walk to the next cube over and get a sign off from someone on the security or legal team … So as you started to have more people forced to go remote, the importance of having better integration of security tools into the CI/CD pipeline had better automation and better handoffs so that everything was integrated, and you could have sign offs in tool stage gates, all of that becomes a lot more important,” she said.

According to Carielli, implementing tools that enable automation and integration between different security tools is a high priority.

Asynchronous DevSecOps

A new thing that has sprung up for remote teams is the notion of asynchronous communication, where individuals are not necessarily communicating in real time with their coworkers. They might send someone a message and then have to wait a little bit for a response.

DevSecOps is also becoming a bit asynchronous, according to Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud, which provides security automation.

“I think three years ago, we may have not even had the tooling, but now we can just ping each other on Slack,” said Eisenkot. “You know, ask the developer, ‘Hey, did you intentionally commit this password? Or this access key into your code repository? Was that intentional?’ And the response can come in in a conversational manner and come in at any hour of the day. So I think the position for security has changed pretty drastically with how well connected we are and how we’re much better at async communication.”

Now there’s a much stronger emphasis on when you should be available and when you’re expected to be responsive.

Remote-first mindset tooling helps developers think about security

The tooling that companies have had to invest in to stay successful when remote has also had benefits for security, according to Eisenkot.

Employers and managers have been much more deliberate about the type of tooling they put on developers’ machines, allowing for more control of the linting and securing tooling they have locally, Eisenkot explained.

“Not only are we kind of protecting them with remote endpoint detection, but we can also now force them to use or enforce the usage of security tooling directly on the employees’ endpoint, which is something that I think was expedited by the fact that we’re no longer in the office and everybody had to now apply to the same type of corporate policy on their work computers,” said Eisenkot.

Embedding security into development tooling is now easier than ever

In addition to the fact that remote tooling is making it easier to enforce security, there’s also something to be said about the fact that it’s getting easier and easier to embed controls into the development pipeline.

As an example, Eisenkot explained that both source control management and shipping pipelines are more accessible than they used to be and can be controlled remotely using publicly accessible APIs.

He believes development organizations should now find it much easier to incorporate things like secret scanning, open source package scanning, image scanning, and code scanning directly into the developer’s initial commit review process.

“Some of these in the past were just not accessible. So the fact that this tooling was much cheaper, most of it is actually open source, but much more accessible through those public APIs. I think that’s where I would start by scanning either directly on developers’ individual workstations, that would be through extensions and IDEs, and then implement stronger and stricter controls on source control management,” said Eisenkot.
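The secret scanning Eisenkot describes, placed at the commit review step, is the kind of check that answers his “did you intentionally commit this password?” question before the change leaves the workstation. The following Python script is an added example (written for this page, not Bridgecrew’s, Prisma Cloud’s or any vendor’s code) of such a check: it walks a unified diff, examines only the added lines, applies a few credential patterns plus an entropy heuristic for generic assignments, and reports file and line number. The rule names, the entropy threshold and the sample diff are constructed; the key-like strings in the sample are made up and are not real credentials.

```python
"""Pre-commit secret scan over a unified diff (added example)."""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int   # line number in the new version of the file
    rule: str


# Constructed pattern rules for illustration; a production scanner carries many more.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Deliberately no leading \b: variable names like DB_PASSWORD should still match.
    ("generic-assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
ENTROPY_THRESHOLD = 3.5   # bits per character; an assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def scan_line(text: str) -> List[str]:
    """Return the names of the rules that fire on one added line."""
    hits = []
    for name, rx in PATTERNS:
        m = rx.search(text)
        if not m:
            continue
        # Only flag generic assignments whose value looks random enough to be a
        # real credential; placeholders such as "changeme" stay quiet.
        if name == "generic-assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
            continue
        hits.append(name)
    return hits


HUNK_RX = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff, tracking the new-file line number of every '+' line."""
    findings: List[Finding] = []
    path, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RX.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            for rule in scan_line(raw[1:]):
                findings.append(Finding(path, new_line, rule))
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1        # context lines advance the new-file counter too
    return findings


# Constructed diff. The values are made-up strings, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
+DB_PASSWORD = "changeme"
+API_TOKEN = "q7Vx2mL9pZt4Kd8wR1sY"
 ALLOWED_HOSTS = ["example.test"]
-OLD_SETTING = 1
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.rule}")
```

Wired into a pre-commit hook the script would read `git diff --cached` on stdin and exit non-zero on any finding; the same function run server-side over the pushed diff is the “stronger and stricter controls on source control management” step. Reporting the new-file line number matters because it is what lets the developer answer the intent question without re-reading the whole change.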

The fact that it’s easier than ever to place security controls on developers’ machines is extra important these days, since supply chain attacks are becoming more and more common. According to Sonatype’s Fox, attackers no longer want to get their malware into a shipped product, they want to get it into part of the development infrastructure.

“And once you understand that, you can’t look at perimeter defense in terms of application security the same way anymore because it moves all the way left into development,” said Fox.

Security as coaches to developers rather than ultimate authority

Another interesting thing that’s been happening in DevSecOps is that the role of security is changing. In the past security was more like a bottleneck, something that stood in the way of developers writing and pushing out code fast, but now they’re more like coaches that are empowering the developers to build code and do security themselves, said Contrast Security’s Williams.

It used to be that the Sec part of DevSecOps was like the central authority, or the judge. If they determined code wasn’t secure, it got sent back to the development team to fix.

“DevSecOps, when you do it right, is bringing development and security together so that they can have a common goal. They can work and they can sort of agree on what the definition of done is. And then they can work together on achieving that goal together,” said Williams.

When DevSecOps is done wrong, it’s more like trying to fit a square peg into a round hole, Williams said. Companies try to take their existing tools, like scanners that take a long time to run, and put them into their already existing DevOps pipelines, and it just doesn’t work.

“Usually, it doesn’t produce very good results. It’s trying to take your existing scanners that take a long time to run and don’t have very good results, and just kind of wedge them in or maybe automate them a little bit. But it’s not really DevSecOps; it’s really just trying to shove traditional security into a deficit DevOps pipeline,” said Williams.

According to Williams, there are three key processes that companies need to have in place in order to have a successful DevSecOps organization. First, they need a process around code hygiene to make sure that the code the developers are writing is actually secure. Second, they need a process around the software supply chain in order to make sure that the libraries and frameworks that are being used are secure. Third, they need a process to detect and respond to attacks in production.

“If development and security can come together on those three processes and say ‘hey, let’s figure out how we can work together on those things. Let’s get some tools that are a little more compatible with the way that we build software,’ that will help get them moving quickly in development,” said Williams. “And then in the production environment get some monitoring, that’s a little more up to date than just something like a WAF, which is a kind of firewall that you have to keep tailoring and tuning all the time.”

Traditional challenges to DevSecOps remain

comes to DevSecOps is understanding the components in their software. Log4j is a great example of this, since if you look at the download statistics from Maven Central, around 40% of the downloads are still of the vulnerable version.

“And that can’t be explained,” said Fox.

“A lot of times, you can explain why people are not upgrading or doing things because well, the vulnerability doesn’t apply to them. Maybe they have mitigation controls in place, maybe they didn’t know about it otherwise, and so they didn’t know they needed to upgrade. For the most part, none of those things apply to the Log4j situation. And yet, we still see companies continuing to consume the vulnerable versions. The only explanation for that is they don’t even know they’re using it.”

This proves that many companies are still struggling with the basics of understanding what components are in their software.

According to Fox, automation is important in providing this understanding.

“You need a set of tools, a platform that can help you precisely understand what’s inside your software and can pro-

(continued from page 23)

Executive Order on improving Cybersecurity in the U.S.

Last spring, President Biden signed an executive order related to improving cybersecurity. As part of this order, the government will solicit input from the private sector, academia, and others to “develop new standards, tools, best practices, and other guidelines to enhance software supply chain security, ” according to the National Institute of Standards and Technology (NIST).

These guidelines will include criteria for evaluating software security, criteria for evaluating security practices of developers and software suppliers, and tools and methods for demonstrating that products are following secure practices.

“They’ve demanded that organizations be more transparent,” said Contrast Security’s Williams. “They put out minimum testing guidelines, and NIST is implementing these standards. They’re even investigating the idea of having software labels, so that when you go to your bank, or you buy software from somewhere, you’ll see a label that says, hey, here’s the details about security that you need to know. Kind of like everything else in this world has labels, like Energy Star and your car and your drugs and your Cheerios box has a label and your movies and your records. Everything has labels because they work. They fix economic problems in the market. And that’s going to happen to software over the next few years, which I think is exciting. It’ll make it much better for consumers to know that the software they’re using is trustworthy.”

How does your solution help organizations to do DevSecOps?

Guy Eisenkot, VP of product and co-founder of Bridgecrew by Prisma Cloud

As hybrid work environments and cloud infrastructure environments become the norm, organizations’ attack surfaces are only getting larger and more complex. With less cohesive visibility into the multitude of tools and frameworks used across software supply chains, it’s hard for organizations to keep up with security risks and best practices. To mitigate those risks brought about by cloud complexity and remote work, many organizations are embracing DevSecOps.

For engineering, Bridgecrew makes it easier to prevent infrastructure misconfigurations and vulnerabilities from progressing into build pipelines and production environments by surfacing feedback in developer tools. Via command lines and integrated development environments (IDE), Bridgecrew provides fixes as code so developers can adhere to secure coding practices.

For DevOps, Bridgecrew enables speed and agility by automating security guardrails throughout the development lifecycle. Bridgecrew also comes equipped with the tools DevOps need to keep their software supply chain secure — from the individual components to the version control systems (VCS) and continuous integration (CI) pipelines that deliver them.

Lastly, for security and compliance, Bridgecrew provides unified visibility into the security posture of all cloud resources and real-time notifications and ticketing to enable cross-functional collaboration.

Jeff Williams, chief technology officer at Contrast Security

Contrast is a platform of products that tries to enable teams to do their own security. So in a remote kind of environment, it’s really important to empower the developers to have the ability to test their software locally, as part of every time they change the code, they’ll get instant results. And our philosophy is sort of, they shouldn’t have to change anything about the way that they build, or test or deploy their code, they should just do their normal process. And the security tooling should be the thing that does the work, and then alerts them if there’s ever a problem. But we don’t want the developers to have to take extra steps. Because what ends up happening is they get frustrated with those extra steps. If there’s false positives, they have to go do extra work for no reason to investigate those things. So we want to just empower them to just deal with the things that actually matter, make those changes themselves and check and clean code. And we want to do that really early in the development process. So that’s the role that Contrast plays — we’re just in the background doing our job. And if anything goes outside the guardrails a little bit, we help steer the developers back on track. Now, the security team can participate. They serve as managing the policy, they watch the metrics, they can go help projects that aren’t doing very well. But by monitoring all of their applications continuously, it gives you a very different viewpoint than if you’re just running tools, running scanners, kind of serially, one by one through your entire application portfolio.

Ev Kontsevoy, CEO of Teleport

Hybrid is the new normal. Hybrid work arrangements have put pressure on the corporate network, and employees at different levels of seniority need to be able to connect to corporate infrastructure from anywhere. Additionally, that infrastructure is increasingly complex. A typical customer environment is itself hybrid with Linux and Windows servers, Kubernetes clusters, databases, and internal applications like CI/CD systems and version control systems like GitLab. In this environment, protecting modern applications requires the consolidation of all aspects of infrastructure access into a platform built for a hybrid world. That platform is the Teleport Access Plane, the easiest, most secure way to access all an organization’s infrastructure.

The open-source Teleport Access Plane consolidates the four essential infrastructure access capabilities every security-conscious organization needs: connectivity, authentication, authorization, and audit. By consolidating all aspects of infrastructure access into a single platform, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance, and improves productivity. The Teleport Access Plane replaces VPNs, shared credentials, and legacy privileged access management technologies, improving security and engineering productivity.

With Teleport, organizations can easily shift to remote work and increase their use of hybrid cloud environments without impacting security or productivity. Teleport enables teams to securely connect to your global infrastructure regardless of network boundaries and provides identity-based access for humans, machines, and services, including fine-grained access controls.

A guide to DevSecOps tools

FEATURED PROVIDERS

• Bridgecrew by Prisma Cloud automates security from code to cloud. By embedding earlier in the DevOps lifecycle, Bridgecrew enables developers to write secure code without slowing them down. In addition to its DevSecOps tools and integrations, Bridgecrew’s platform gives security teams instant visibility into their security posture across their entire software supply chain. Join Brex, Databricks, and Robinhood in bridging the gap between security and engineering by trying Bridgecrew's all-in-one DevSecOps platform for free.

• Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. The Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides how-to-fix guidance for easy and fast vulnerability remediation. Security and development teams can then collaborate and innovate faster while accelerating digital transformation initiatives.

• Sonatype: Sonatype’s software supply chain platform allows engineering teams to manage software quality and governance using a single control plane. It solves the problem of how to balance speed, quality, intelligence, and security at scale, equipping engineering teams with the tools they need to continually code smarter, fix faster, and be secure. By using Sonatype, developers can discover and fix security vulnerabilities and code quality issues at the most convenient time during software creation.

• Teleport is the easiest, most secure way to access all your infrastructure. The open-source Teleport Access Plane consolidates connectivity, authentication, authorization, and audit into a single platform. By consolidating all aspects of infrastructure access, Teleport reduces attack surface area, cuts operational overhead, easily enforces compliance and improves engineering productivity. Get started at goteleport.com.

• Aqua Security secures the entire software development lifecycle, including image scanning for known vulnerabilities during the build process, image assurance to enforce policies for production code as it is deployed, and run-time controls for visibility into application activity, allowing organizations to mitigate threats and block attacks in real time.

• Checkmarx provides application security at the speed of DevOps, enabling organizations to deliver secure software faster. It easily integrates with developers’ existing work environments, allowing them to stay in their comfort zone while still addressing secure coding practices.

• Chef Automate is a continuous delivery platform that allows developers, operations, and security engineers to collaborate effortlessly on delivering application and infrastructure changes at the speed of business. Chef Automate provides actionable insights into the state of your compliance and configurations, with an auditable history of every change that’s been applied to your environments.

• CloudPassage has been a leading innovator in cloud security automation and compliance monitoring for high-performance application development and deployment environments. Its on-demand security solution, Halo, is a workload security automation platform that provides visibility and protection in any combination of data centers, private/public clouds, and containers.

• CodeAI is a smart automated secure coding application for DevOps that fixes security vulnerabilities in computer source code to prevent hacking. Its unique user-centric interface provides developers with a list of solutions to review instead of a list of problems to resolve. Teams that use CodeAI will experience a 30-50% increase in overall development velocity.

• CyberArk Conjur is a secrets management solution that secures and manages secrets used by machine identities (including applications, microservices, CI/CD tools and APIs) and users throughout the DevOps pipeline to mitigate risk without impacting velocity. Conjur is the only platform-independent secrets management solution specifically architected for containerized environments.

• IBM provides a set of industry-leading solutions that work with your existing environment. Change is delivered from dev to production with the IBM UrbanCode continuous delivery suite. Changes are tested with Rational Test Workbench, and security tested with IBM AppScan or Application Security on Cloud. IBM helps you build your production safety net with application management, Netcool Operations Insight and IBM QRadar for security intelligence and events.

• Imperva WAF protects against the most critical web application security risks: SQL injection, cross-site scripting, illegal resource access, remote file inclusion, and other OWASP Top 10 and Automated Top 20 threats. Imperva security researchers continually monitor the threat landscape and update Imperva WAF with the latest threat data.

• JFrog Xray is a continuous security and universal artifact analysis tool, providing multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance. Deep recursive scanning provides insight into your component graph and shows the impact that any issue has on all your software artifacts.

• Liquibase is a database company that allows organizations to deliver error-free application experiences faster. The company’s solutions make database code deployment as simple as application release automation, while still eliminating risks that cause application downtime and data security vulnerabilities.

• NoSprawl is security for DevOps. As DevOps matures and finds broader adoption in enterprises, the scope of DevOps

(continued from page 25)

vide policy controls over that, because what is good in one piece of software might be terrible in another piece of software,” said Fox. “If you think about license implications, something that’s distributed can trigger copyright clauses and certain types of licenses. Similar things happen with security vulnerabilities. Something run in a bunker doesn’t have the same connectivity as a consumer app, so policy controls to then have an opinion about whether the components that have been discovered are okay in their given context is important. Being able to provide visibility and feedback to the developer so they can make the right choices up front is even more important.”
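Fox's two points, knowing every component that is actually inside the software (including the transitive ones teams "don't even know they're using") and then judging each one in the context where it runs, as an added example that is not code from the article or from any vendor named in it. It parses a constructed `mvn dependency:tree` listing for a service that inherits log4j-core through an in-house library, then applies a deployment-context policy to the result; the 2.17.1 floor and the `internet_facing` flag are assumptions made for this example, and the real fixed version should come from the vendor advisory.

```python
import re

# One line of the default `mvn dependency:tree` text output:
# "[INFO] |  \- group:artifact:packaging:version[:scope]" (tree glyphs first).
_LINE = re.compile(
    r"^\[INFO\]\s(?P<prefix>[|+\\ -]*)"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>\w+):(?P<version>[\w.\-]+)"
    r"(?::(?P<scope>\w+))?\s*$"
)

# Assumed floor for this example only; take the real fixed version from the vendor advisory.
MIN_FIXED_VERSION = {"org.apache.logging.log4j:log4j-core": "2.17.1"}

# Constructed sample: a service that never declares log4j-core itself but
# inherits it through an in-house library (the "don't know they're using it" case).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ shop-api ---
[INFO] com.example:shop-api:jar:1.4.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.2:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.31:compile
[INFO] +- com.example:internal-audit:jar:3.1.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] BUILD SUCCESS
"""

def parse_dependency_tree(text):
    """Inventory every component in the tree, direct and transitive."""
    components = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, etc.
        components.append({
            "coord": f"{m['group']}:{m['artifact']}",
            "version": m["version"],
            "scope": m["scope"] or "root",
            "depth": len(m["prefix"]) // 3,  # each tree level is 3 glyphs wide
        })
    return components

def _vtuple(version):
    """'2.17.1' -> (2, 17, 1); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))

def evaluate(components, context):
    """Context-aware policy: the same outdated component blocks the build of an
    internet-facing service but only warns for an air-gapped or test-only use."""
    findings = []
    for c in components:
        floor = MIN_FIXED_VERSION.get(c["coord"])
        if floor is None or _vtuple(c["version"]) >= _vtuple(floor):
            continue
        exposed = context["internet_facing"] and c["scope"] != "test"
        findings.append({"coord": c["coord"], "version": c["version"],
                         "transitive": c["depth"] > 1,
                         "action": "block" if exposed else "warn"})
    return findings

def audit(tree_text, context):
    """Inventory, then judge each component in its deployment context."""
    return evaluate(parse_dependency_tree(tree_text), context)
```

Running `audit(SAMPLE_TREE, {"internet_facing": True})` reports the transitive log4j-core 2.14.1 as a blocking finding, while the same tree audited with `internet_facing` set to False only warns.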

According to Bridgecrew by Prisma Cloud’s Eisenkot, if you look back on the big supply chain-related security incidents over the last six to eight months, it’s apparent that companies have not properly configured the correct code ownership or code review process in their source control management.

He explained that those two things would make any source code much more secure, even in small development organizations.

Developer education is key

Eisenkot emphasized that developer education and outreach is still one of the most crucial points of DevSecOps at the end of the day.

Yes, it’s important to implement controls and checkpoints in the tooling, but he also believes the tooling should be thought-provoking, so that it empowers developers to go out and educate themselves on security best practices.

“Eventually, lots of tooling can point to a vulnerable package or a potentially exploitable query parameter,” said Eisenkot. “But not every tool will be able to provide actionable advice, whether that’s a documentation page or an automatically generated piece of code that will save the developer the time needed to now learn the basic fundamentals of SQL injection as an example.”


(continued from page 29)

must be expanded to include all the teams and stakeholders that contribute to application delivery, including security. NoSprawl integrates with software development platforms to check for security vulnerabilities throughout the entire software development lifecycle to deliver verified secure software before it gets into production.

• Parasoft: Harden your software with a comprehensive security testing solution, with support for important standards like CERT-C, CWE, and MISRA. To help you understand and prioritize risk, Parasoft’s static analysis violation metadata includes likelihood of exploit, difficulty to exploit/remediate, and inherent risk, so you can focus on what’s most important in your C and C++ code.

• Qualys is a leading provider of information security and compliance cloud solutions, with over 10,300 customers globally. It provides enterprises with greater agility, better business outcomes, and substantial cost savings for digital transformation efforts. The Qualys Cloud Platform and the apps integrated with it help businesses simplify security operations and automate the auditing, compliance, and protection of IT systems and web applications.

• Redgate SQL Provision supports database DevSecOps, keeping compliance central to the process. It enables multiple clones of masked databases to be created in seconds, allowing them to be used safely within the development and test process. Each clone takes up just a few MB of storage, and sensitive data can be pseudonymized or replaced with realistic data, ensuring protection and compliance.

• Perforce helps thousands of global enterprise customers tackle the hardest and most complex issues in building, connecting, and securing applications. Our Klocwork static code analysis tool helps DevSecOps professionals, from developers to test automation engineers to compliance leaders, create more secure code with on-the-fly security analysis at the desktop and integrated into large-scale continuous integration workflows.

• Signal Sciences secures the most important applications, APIs, and microservices of the world’s leading companies. Our next-gen WAF and RASP help you increase security and maintain site reliability without sacrificing velocity, all at the lowest total cost of ownership. Signal Sciences gets developers and operations involved by providing relevant data, helping them triage issues faster with less effort.

• Sumo Logic is the leading secure, cloud-native, multi-tenant machine data analytics platform that delivers real-time, continuous intelligence across the entire application lifecycle and stack. Sumo Logic simplifies DevSecOps implementation at the code level, enabling customers to build infrastructure to scale securely and quickly. This approach is required to maintain speed, agility and innovation while simultaneously meeting security regulations and staying alert for malicious cyber threats.

• Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior.

• Veracode creates software that fuels modern transformation for companies across the globe. DevSecOps enables the build, test, security and rollout of software quickly and efficiently, providing software that’s more resistant to hacker attacks. Veracode offers a unified platform that enables organizations to implement DevSecOps and address application security from inception through production.

• WhiteHat Security: The WhiteHat Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business. Its software security solutions work across departments to provide fast turnaround times for Agile environments, near-zero false positives and precise remediation plans while reducing wasted time verifying vulnerabilities, threats and costs for faster deployment.
