CloudBees sponsored this post.
CloudBees has expanded its CI/CD platform with a wider range of security features that, the company says, give DevSecOps teams more visibility and control throughout the software production and deployment lifecycle. The announcement also reflects one of CloudBees’ themes, echoed during this week’s DevOps World 2020: many organizations need to better integrate all the stakeholders that constitute DevOps — including security teams — and the right tools are required to support that.
As one of the “core tenets of security,” the idea is “to be secure in every single part of the toolchain: secure in development, secure in delivery and secure in production,” CloudBees’ Buffi Gresh, vice president, product business teams, said during her DevOps World keynote this week.
CloudBees’ Buffi Gresh during her keynote, asked rhetorically: “Would you consider canary testing or feature flags security strategies? Think about a world where every single feature release is behind a flag…” @DevOpsWorld @CloudBees @thenewstack @BuffiGresh pic.twitter.com/v6r2cfQn0D
— BC Gain (@bcamerongain) September 22, 2020
Gresh described how the right tools could — and should — offer canary testing or feature flags for DevSecOps. “Think about a world where every single feature release is behind a flag: the ability to pull back anything and everything in a millisecond,” Gresh said. “This is an important addition to your production security story, and one that I would argue is the most powerful: instantly mitigate defective code in production, without having to redeploy. The power of a feature kill switch.”
CloudBees communicated the following new SecOps-related features for its CI/CD platform:
- “Audit-ready” pipelines: to help ensure only immutable and approved components and environments are adopted during the application development and deployment lifecycle, with traceability and audit reports.
- Feature flagging integration: An automated capability that allows specific application components or features to be rolled back at any time through the development process and once the application is deployed if security issues occur, with traceability capabilities.
- Hardening CloudBees CI: for strict government specifications, such as DoD standards.
- Role-based access controls: Teams or designated users have security permissions that extend to the file level to help ensure only authorized users access project components on an as-needed basis.
- Integrations: Integration options with security automation applications from Anchore, Alcide.io, FOSSA, CyberArk, Checkmarx, Contrast Security, Shiftleft.io, Snyk, RunSafe Security, Sonatype, WhiteSource Software, Synopsys and Zimperium.
The audit-ready feature is another example of how automation is increasingly critical for SecOps, as well as for optimizing CI/CD and DevOps in general, said Avantika Mathur, senior product manager at CloudBees. When pipelines are audit-ready — and automated — they also “become the audit trail,” she said. With CloudBees’ DevSecOps audit-ready capability, for example, “there is automation across the entire process with one release pipeline that builds the audit data right into it,” Mathur said. Organizations without automated audit trails often must parse enormous amounts of data by hand in the event of an audit.
CloudBees’ Avan Mathur said audit-ready pipelines are critical for today’s DevSecOps. Forget manual and painful data searches — the pipeline itself “becomes the audit trail,” thanks to automation. #DevOpsWorld https://t.co/ePE2tjGGtx @thenewstack @CloudBees pic.twitter.com/3F23A2ggVn
— BC Gain (@bcamerongain) September 23, 2020
Audit-ready pipelines help to maintain tighter security controls for application code by having a “progressive delivery style to your features so that once you put a feature out into the market you also have the ability to shut it down,” CloudBees’ Shawn Ahmed, senior vice president and general manager, Software Delivery Automation Group (SDA), said during a live stream broadcast at DevOps World hosted by Alex Williams, founder and publisher of The New Stack, and co-hosted by this writer. Ahmed also described how if, “God forbid, something bad happens,” audit-ready pipelines allow DevOps and DevSecOps “to look at everything that happened.”
CloudBees’ Shawn Ahmed: “God forbid something bad happens. Do I have audit-ready pipelines… so each stage of software was tested and secure”? @AlexWilliams @bcamerongain @Shawn_Ahmed @DevOpsWorld @CloudBees @Broadridge @thenewstack https://t.co/zBpzByWehT #CICD #spon pic.twitter.com/HnHdj4yxFK
— BC Gain (@bcamerongain) September 22, 2020
In this way, the traceability features throughout the pipeline play a key role, Ahmed said. “You can look at everything that happened in between to ensure that each stage of software was tested and secure as it went along the way — that disposition is, to me, DevSecOps,” Ahmed said.
As mentioned above, CloudBees’ new DevSecOps capabilities are part of the CI/CD platform provider’s push to give every DevOps stakeholder better access to, and participation in, DevOps processes. The new security layers CloudBees provides remove manual checks that can bog down DevSecOps teams’ productivity, and they also give security teams more direct control over, and visibility into, application code throughout the entire production and deployment lifecycle. “DevSecOps is pervasive in that Sec is part of everything,” Ahmed said. “You can think about it in how every state, every tool and every app is for the delivery process — it’s not just about a task that you’re looking after security once software has been delivered.”
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Checkmarx.