Build with CircleCI, configure securely with Alcide

DevOps is no longer a new concept. Many companies have integrated DevOps into their software development processes to improve and accelerate software development and to help drive their digital transformation. There are now entire tool ecosystems, methodologies, and transformation models, as well as endless resources, available to guide companies along the DevOps journey.

But DevOps success is sometimes tricky to measure as it isn’t a formal framework; it’s more of a culture and a set of practices. There is limited guidance available to you to ensure that you’re doing it properly or that you are accurately measuring your successes and failures. DevOps also looks different in every organization resulting in no two DevOps pipelines being the same.

One of the most prominent goals of DevOps is to ensure a frictionless, and as automated as possible, CI/CD pipeline. Let’s see what this means from a security perspective.

Continuous Kubernetes deployments

The easiest way to ensure security compliance is to shift-left and resolve security issues in the development stage. Too often, security is applied at the production stage which means it’s not part of the environment’s end-to-end process. Securing applications and networks at the development level will give you more confidence that your applications will interoperate properly at the production level.

After shifting left, make sure that you continuously deploy and monitor your clusters, nodes, and pods in a secure manner. Ideally, you would have a tool that provides a real-time summary of your cluster’s configuration and security status by monitoring at workload security and governance checks, cluster worker node checks, cluster Ingress controllers, and more. The most important feature of this tool is that it fails pipelines on resources that fail to pass policy checks.

The bottom line

DevSecOps either succeeds in increasing your team’s speed, agility, and security, or your organization will suffer. Create your pipelines correctly, and make sure not to let misconfiguration drifts translate into security risks. Your entire application pipeline must be secured by integrating security at each stage.

This post is a part of a series we produced covering DevSecOps. To read more posts from this series, click one of the links below.

• CI/CD, meet CAS: Continuous Application Security
• Pull in your stored sensitive data with the CryptoMove orb
• Three rules for turning DevOps into DevSecOps
• Security with Snyk in the CircleCI workflow
• WhiteSource launches free open source vulnerability checker orb for all CircleCI users