DevSecOps Articles
Kubernetes CI/CD Best Practices
With all of the benefits that Kubernetes brings, good CI/CD practices remain key. Kubernetes did not magically erase the discipline your CI/CD journey built before Kubernetes. Leverage Kubernetes's strengths to advance that journey further.
TOP 10 CI/CD SECURITY RISKS
This open-source guidance helps defenders identify focus areas for securing their CI/CD ecosystem. It is the result of extensive research into attack vectors associated with CI/CD and the analysis of high-profile breaches and security flaws.
WHAT DOES DEVSECOPS IN AZURE MEAN?
Published: 8/15/2021
DevSecOps involves the following:
Utilizing security best practices from the beginning of development.
Shifting the focus on security away from auditing at the end and towards development.
Using a shift-left strategy (as far as the scenario allows).
From a data-flow and security perspective, the chain starts with Azure AD, then GitHub security scanning, container image scanning, and continuous monitoring with Azure Sentinel.
As the final part of a DevSecOps flow, Azure Security Center can perform active threat monitoring on Azure Kubernetes Service, at both the node level and the cluster internals.
WHAT IS YOUR DEVSECOPS TOOLCHAIN?
Published: 8/15/2021
Gartner addresses strategic planning as a DevSecOps best practice in its Integrating Security Into the DevSecOps Toolchain report. Such planning is crucial because it enables enterprises to face the key challenges that DevOps poses to their in-house development, operations, and security teams.
Security and risk management must adapt security tools, processes, and policies to the DevOps toolchain without slowing the development and release process.
DevOps adoption continues to grow as an alternative to the traditional waterfall and agile development methodologies, yet security and compliance typically remain afterthoughts.
DevOps practices encourage automation to achieve scale, whereas security has traditionally been manual, process-heavy, and gate-driven: the antithesis of automation, transparency, and speed.
Most developers do not know secure coding, including those versed in agile and DevOps.
Traditional application security testing approaches were not designed for speed and transparency.
For some applications in specific industries, new versions need to be government-recertified after every production update, making rapid change an issue.