When creating its platform, Seattle-based Refactr focused on how to incorporate a wider swath of people into the DevSecOps process and how to add security automation to DevOps in a visual way.
“Most automation organizations around DevOps is tightly controlled by a very small team. And if you talk to that team, almost every single one of them will tell you, like, ‘Yeah, we’re the bottleneck.’ We need ways to be able to take what we build and be able to make it accessible to more people, technical folks, and the organization,” said Michael Fraser, co-founder and CEO.
At the same time, cybersecurity folks want to provide value in existing DevOps workflows, but remain very siloed in most enterprises. So the question becomes how can they be a part of that process when they might or might not understand it all?
“They have to have a way to be able to be a part of where everybody is trying to go with digital transformation, which is really around increasing the agility of the organization. [That] requires that everybody on both the business and technical side have a way to be a part of an agile type of process that’s not just about software delivery anymore. It’s about increasing the overall agility of any outcome that the company is trying to achieve, that leveraging the technology they need to be able to realize the business outcomes,” he said.
He points to the ongoing shortage of cybersecurity talent and the need within organizations to build skills with within their teams among the reasons for making security tools visual in the vein of software-building tools that developers use.
Building Security Visually
Automation has long been considered key to addressing cybersecurity gaps, as well as bringing security into the software-development process earlier.
“If security is your most important job, you should look at automating those tasks and stories first, before anything else.”
And more organizations are bringing security into the DevOps process, according to a GitLab report on the DevSecOps landscape. Sixty-five percent of security pros in its survey reported their organization is bringing security into the process earlier, and nearly 28% said they were part of a cross-functional team focused on security. Yet only 20% rated their organization’s security efforts as “strong.”
“So we really found that there was a need in the space to create something that is a combination between something like SOAR (Security Orchestration, Automation and Response), where somebody can come in and build visually, just like open source does for playbooks. But to be more proactive instead of reactive in a process much more like CI/CD (continuous integration, continuous delivery),” Fraser said.
The issue essentially brought the ability for cybersecurity teams to be able to create automation content that the DevOps folks would also want to be able to use.
The company originally built a platform for building cloud security solutions in the public cloud. It found from customer feedback that users really wanted to use tools they already used, and while many were deploying to public clouds, that wasn’t the sole environment in which they wanted to operate.
The company launched the current Refactr Platform in November 2019. It runs as a layer on top of supported third-party tools such as Ansible, Terraform, Git, Kubernetes API, Shell, PowerShell, Python, Node.js scripts and more.
Everything is software-defined, whether that’s infrastructure-as-code in the cloud, configuration-as-code, or security-as-code around policy. It’s all mapped similar to that of the CI/CD world. Bringing the capabilities of the different tools together provides a way to centralize and standardize pipelines in one place.
“So that it’s not just about a small little DevOps team, being able to create this type of content, but being able to enroll the cybersecurity and the ops folks in as well so that everybody can have, whatever skill level they’re at, be able to at least run the content but also start upskilling themselves so that they can also start modernizing the skills they need to be able to move into this modern approach where everything becomes code,” Fraser said.
“We’re using Refactr to build testing pipelines for our security automation product, Lockdown Enterprise,” said Justin Nemmers, director at cybersecurity solutions firm MindPoint Group. “While we had automated test processes before Refactr, they were quite brittle and required a lot of effort to maintain. We were able to easily integrate Refactr into our existing tooling and, now that it’s implemented, we have significantly reduced the time required to develop new test pipelines. Because we’re spending more time developing our product and less time juggling testing tooling and processes, we can deliver more features to customers in shorter amounts of time.”
Refactr uses a low-/no-code graphical, drag-and-drop builder for creating pipelines, which determine the execution order of the tools. Its built-in expression engine facilitates the passing of data from one step to another
The underlying content can be uploaded directly to the application or pulled from version control. Pipelines also can be modified directly from the API or from the built-in YAML editor. Multiple tools can be chained together, passing the output of one tool into the input of subsequent tools. Pipeline steps can be executed in parallel.
Individual containers on the back end offer isolation for each run and the ability to run any
Linux-based tools such as automated security scanning and compliance benchmarking tools.
In April, the company was awarded a Phase I Small Business Innovation Research (SBIR) contract from the Air Force. The joint program with the Navy and Army enables innovative small businesses to demonstrate their technology potential within the Department of Defense. It has submitted its bid for Phase II, which promises $750,000, as well as an additional fund match for venture capital raised, for building requested new features applicable for both government and commercial use.
Customers include New York-based IT service provider RFA, MindPoint Group, Netskope and the Center for Internet Security.
The latest release adds several open source security and compliance tools and capabilities. They include the Center for Internet Security’s CIS-CAT compliance assessment tool that can be introduced directly into pipelines for remote scanning and reporting functionality; support for OpenSCAP, an open source compliance assessment tool; and Kubectl to control Kubernetes clusters.
It also includes runners to automate pipelines running on custom infrastructure or inside private networks.
With that release in July, the company announced it integrates with 13 tools: AWS Cloud Formation, Azure Resource Manager, Git, Google Deployment Manager, Hashicorp Terraform, Kubernetes API, Node, Powershell, Python and Shell Scripts, Red Hat Ansible, OpenSCAP, and CIS-CAT. Another 35 tools are on the roadmap, including HashiCorp Vault, OWASP Zed Attack Proxy, SonarQube and others.
It’s also working with CI/CD platforms like Github and Gitlab; cloud management platforms like Morpheus Data and cybersecurity vendors CIS, Fortinet, Checkmarx, Aqua Security, Netskope, Tufin and others.
Amazon Web Services and GitLab are sponsors of The New Stack.
Feature image via Pixabay.