The following is a summary of the information covered in the webinar: Building DevSecOps Into Your CI/CD Pipelines, which can be accessed here.
The Shifting IT Landscape
As you are probably aware, the IT landscape is rapidly shifting from traditional waterfall to agile processes, from a silo culture to a collaborative culture, from infrequent delivery to continuous delivery, and from limited automation to pervasive automation.
One solution to increasing demands from IT is DevOps, which incorporates processes such as build automation, deployment automation, and release orchestration.
Security is an integral aspect of this shift in the IT landscape. As a result, DevSecOps has arisen as a way to build security into end-to-end processes and to shift it left wherever possible. In this webinar, we’ll review four ways FlexDeploy helps users implement DevSecOps in their teams.
Four Ways FlexDeploy Supports DevSecOps
- Role based segregation of responsibilities
- Secrets and credential management tool integration
- Vulnerability scanning tool integration
- Single Sign On (SSO) and Multi/Two Factor Authentication (MFA/2FA)
Role Based Segregation of Responsibilities
There are many roles contributing to the technology of an organization, including administrators, release managers, executives, and end-users. Members of each role should have the ability to do the tasks they are responsible for and be restricted from doing the tasks they should not do. This is often called segregation of duties.
After all, as is the DevOps way, all roles are coming together to achieve a goal as quickly as possible and with the highest degree of quality and security.
FlexDeploy, a DevOps platform, allows you to configure access to various components, including projects, releases, and pipelines. You can define permission through features such as roles and security groups. For example, the administrator group has access to nearly all information in FlexDeploy.
For the developer group, a best practice would be to allow deployment to the Dev environment but restrict deployment to the Prod environment.
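The Dev-versus-Prod rule above is a deny-by-default permission check: a role either explicitly grants an action in an environment or the action is refused. The following is an added illustration of that logic in Python, not FlexDeploy's own permission model (which is configured through its roles and security groups). The role names, actions and environments are constructed for the example, and the policy deliberately splits "deploy to Prod" from "approve Prod" so a second function can detect a user who holds both.

```python
"""Deny-by-default role permission check for pipeline actions.

Added example, not FlexDeploy code. Roles, actions and environments below are
constructed to mirror the Dev/Prod developer rule described in the text.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    action: str       # e.g. "build", "deploy", "approve"; "*" means any action
    environment: str  # e.g. "Dev", "Test", "Prod"; "*" means any environment


@dataclass
class Role:
    name: str
    grants: set[Permission] = field(default_factory=set)


# Constructed policy. Developers build anywhere but deploy only to non-Prod;
# operations deploys to Prod; release managers approve Prod but do not deploy
# there, so no single everyday role can both push and approve a Prod release.
POLICY = {
    "developer": Role("developer", {
        Permission("build", "*"),
        Permission("deploy", "Dev"),
        Permission("deploy", "Test"),
    }),
    "operations": Role("operations", {
        Permission("deploy", "Prod"),
    }),
    "release_manager": Role("release_manager", {
        Permission("deploy", "Test"),
        Permission("approve", "Prod"),
    }),
    "administrator": Role("administrator", {Permission("*", "*")}),
}


def is_allowed(user_roles: list[str], action: str, environment: str) -> bool:
    """Return True only if a role held by the user explicitly grants the action.

    Unknown roles, unknown actions and unknown environments all fall through
    to the final ``return False``: nothing is permitted unless a grant says so.
    """
    for role_name in user_roles:
        role = POLICY.get(role_name)
        if role is None:
            continue  # an unrecognised role grants nothing
        for grant in role.grants:
            if grant.action in (action, "*") and grant.environment in (environment, "*"):
                return True
    return False


def segregation_of_duties_ok(user_roles: list[str]) -> bool:
    """Return False if this combination of roles can both deploy to and approve Prod.

    Holding both rights lets one person push a release to production without a
    second pair of eyes, which is exactly what the role split is meant to stop.
    Administrator accounts trip this check by design; they should be few and
    reviewed separately.
    """
    return not (is_allowed(user_roles, "deploy", "Prod")
                and is_allowed(user_roles, "approve", "Prod"))
```

Evaluating a request means asking `is_allowed(roles, action, environment)` before running the step; a periodic pass of `segregation_of_duties_ok` over every user's role list catches accumulated grants that quietly recombine the duties the policy separated.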
Secrets and Credential Management Tool Integration
Throughout the process of execution, such as build and deploy, credentials are necessary. It’s important to have both an internal system in your DevOps platform to ensure credentials are secure, as well as the ability to integrate with external secrets or credential management tools.
FlexDeploy comes with a local credential store where you can create a credential and name it. This could include a password for an application server, database, or another product. That password is then secured in FlexDeploy’s local credential store.
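The value of a named credential store is that a build or deploy step refers to a credential by name and only the execution engine ever sees the value. The following is an added illustration of that pattern in Python; it is not FlexDeploy's implementation. The `${cred:NAME}` reference syntax, the `CredentialStore` class and the sample secret values are all constructed for the example. The store is an in-memory dictionary standing in for an encrypted store, and it adds the one safeguard practitioners most often forget: masking secret values before anything is written to the execution log.

```python
"""Named credential references resolved at execution time, with log masking.

Added example, not FlexDeploy code. The ${cred:NAME} syntax and the sample
credentials are constructed; an in-memory dict stands in for an encrypted store.
"""
import re
from typing import Mapping


class CredentialStore:
    def __init__(self, secrets: Mapping[str, str]):
        self._secrets = dict(secrets)

    def resolve(self, name: str) -> str:
        """Return the secret for a name, failing closed if it is not defined.

        A mistyped credential name must abort the step rather than let it run
        with an empty password and produce a confusing downstream failure.
        """
        try:
            return self._secrets[name]
        except KeyError:
            raise KeyError(f"credential {name!r} is not defined in the store") from None

    def redact(self, text: str) -> str:
        """Replace every stored secret value that appears in text with a marker.

        Longest values are replaced first so that a secret which is a substring
        of another secret cannot leave part of the longer one unmasked.
        """
        for value in sorted(self._secrets.values(), key=len, reverse=True):
            if value:
                text = text.replace(value, "********")
        return text


# Matches ${cred:NAME}; NAME is limited to a conservative identifier alphabet.
CRED_REF = re.compile(r"\$\{cred:([A-Za-z0-9_.-]+)\}")


def render_step(command_template: str, store: CredentialStore) -> str:
    """Expand ${cred:NAME} references into their values just before execution.

    The template as stored in the pipeline definition never contains a secret;
    only the rendered command, which is never logged unmasked, does.
    """
    return CRED_REF.sub(lambda m: store.resolve(m.group(1)), command_template)


def log_line_for(command_template: str, store: CredentialStore) -> str:
    """Produce the line a pipeline log would record for this step, already masked."""
    return store.redact(f"executing: {render_step(command_template, store)}")


# Constructed sample store; values are made up for the example.
SAMPLE_STORE = CredentialStore({
    "db_admin": "S3cr3t!pw",
    "appserver_admin": "S3cr3t!pw-longer",
})
```

Two behaviours are worth noting: `resolve` raises on an unknown name instead of returning an empty string, and `redact` is applied to the log line rather than to the command, so the step itself receives the real value. Masking by plain substring match is a backstop, not a guarantee; a secret that is base64-encoded or URL-escaped by a tool before being echoed will slip past it, which is one more reason to keep secrets out of command lines where the tool supports a file or environment-based alternative.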
Vulnerability Scanning Tool Integration
One step of the execution process is Quality Assurance, which includes tests such as vulnerability scanning. The environment, such as a website, is scanned by a tool, and if major problems are found, the scan will ‘fail’ and the process will not continue to the next step of the lifecycle (e.g., production). After a failure, the responsible individuals are notified and can make the code or configuration changes needed to remediate that vulnerability.
FlexDeploy has a plugin for Acunetix, a popular vulnerability scanning tool. The plugin allows you to schedule Acunetix scans and to retrieve results of past scans. Other similar tools can be integrated with FlexDeploy as well.
There is also a plugin for SonarQube, which is a static code analysis tool. This allows you to execute SonarQube scans on source code which generates reports for bugs, code smells, vulnerabilities, and more.
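The scan-then-gate step described above comes down to a policy decision over a list of findings: anything at or above a chosen severity blocks promotion, everything else is reported. The following is an added illustration of such a gate in Python; it is not FlexDeploy's Acunetix or SonarQube plugin code, and the report shape it consumes is a generic one constructed for the example (real scanner reports have their own schemas and would be mapped into this form first). It also shows the two failure modes a gate must handle: an unreadable report, and a finding with a severity the gate does not recognise, both of which fail closed.

```python
"""Severity-threshold quality gate over vulnerability scan findings.

Added example, not FlexDeploy or scanner-plugin code. The report format and
findings are constructed; real scanner output would be normalised to it first.
"""
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan report; the host is a placeholder and the findings are made up.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": "F-1", "severity": "high",   "title": "User input echoed without output encoding", "location": "/search"},
        {"id": "F-2", "severity": "low",    "title": "Missing X-Content-Type-Options header",      "location": "/"},
        {"id": "F-3", "severity": "medium", "title": "Session cookie without Secure flag",           "location": "/login"},
    ],
})

# Constructed report with no findings list at all, e.g. a scan that never ran.
MALFORMED_REPORT = json.dumps({"target": "https://staging.example.test"})


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # findings that stop promotion
    summary: str = ""                              # text for the notification


def evaluate_gate(report_json: str, fail_at: str = "high", accepted_ids=()) -> GateResult:
    """Decide whether the pipeline may continue past the vulnerability scan.

    fail_at      lowest severity that blocks promotion (inclusive).
    accepted_ids finding ids with a documented risk acceptance; they are
                 reported but do not block.
    A report that cannot be parsed, or has no findings list, fails closed: the
    absence of results is not evidence of a clean scan.
    """
    try:
        report = json.loads(report_json)
    except ValueError:
        return GateResult(False, [], "scan report unreadable; treating as failed")
    findings = report.get("findings") if isinstance(report, dict) else None
    if not isinstance(findings, list):
        return GateResult(False, [], "scan report has no findings list; treating as failed")

    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None:
            rank = threshold  # unknown severity is treated as blocking, not ignored
        if rank >= threshold and finding.get("id") not in accepted_ids:
            blocking.append(finding)

    target = report.get("target", "<unknown target>")
    if blocking:
        lines = [f"{len(blocking)} finding(s) at or above {fail_at} on {target}; promotion blocked:"]
        lines += [f"  [{f.get('severity')}] {f.get('id')} {f.get('title')} at {f.get('location')}" for f in blocking]
        return GateResult(False, blocking, "\n".join(lines))
    return GateResult(True, [], f"{len(findings)} finding(s) on {target}, none at or above {fail_at}; promotion allowed")
```

The threshold is a parameter rather than a constant so that the same gate can be stricter for production (`fail_at="medium"`) than for a development environment, and `accepted_ids` makes risk acceptance explicit and reviewable instead of being done by loosening the threshold for everyone.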
Single Sign On (SSO) and Multi/Two Factor Authentication (MFA/2FA)
Single Sign On means once you use one password to log into the first application of the day, you do not have to log in to subsequent applications. Ultimately, this allows for a better user experience. It is also secure in the sense that you’re less likely to write down your password because you have only one password, instead of 10 or more!
Multi/Two Factor Authentication allows for a more secure experience. In addition to a password, some organizations or applications require a one-time code, biometrics, or soft tokens.
When combined, SSO and MFA/2FA bring comfort and security to a new level!
FlexDeploy has integrations with both SSO and MFA/2FA tools, including Okta and Microsoft Azure AD. In general, integration works with OpenID Connect, SAML, and OAuth protocols, so any tools supporting them can be integrated with FlexDeploy!
Want to see DevSecOps in action?
Watch the full webinar for more in-depth information and demonstrations of these 4 topics!
Want to keep learning? Check out our other on-demand and upcoming webinars.
Please comment or contact [email protected] with any questions.