DevOps is no longer a new concept. Many companies have integrated DevOps into their software develpoment processes to improve and accelerate software development and to help drive their digital transformation. There are now entire tool ecosystems, methodologies, and transformation models, as well as endless resources, available to guide companies along the DevOps journey.
But DevOps success is sometimes tricky to measure as it isn’t a formal framework; it’s more of a culture and a set of practices. There is limited guidance available to you to ensure that you’re doing it properly or that you are accurately measuring your successes and failures. DevOps also looks different in every organization resulting in no two DevOps pipelines being the same.
One of the most prominent goals of DevOps is to ensure a frictionless, and as automated as possible, CI/CD pipeline. Let’s see what this means from a security perspective.
Continuous Kubernetes deployments: The Alcide way
The easiest way to ensure security compliance is to shift-left and resolve security issues in the development stage. Too often, security is applied at the production stage which means it’s not part of the environment’s end-to-end process. Securing applications and networks at the development level will give you more confidence that your applications will interoperate properly at the production level.
After shifting left, make sure that you continuously deploy and monitor your clusters, nodes, and pods in a secure manner. Ideally, you would have a tool that provides a real-time summary of your cluster’s configuration and security status by looking at workload security and governance checks, cluster worker node checks, cluster Ingress controllers, and much more, but the most important feature of this tool is that it fails pipelines on resources that fail to pass policy checks.
In a recent analysis we conducted here at Alcide that looked at over 5,000 tracked scans, we found that DevOps teams face significant challenges and gaps when following best practices for Kubernetes such as secrets handling and network policies. Specifically, we found that 89% of the deployments scanned showed that companies are not using Kubernetes’ secrets resources, with secrets written in the open. We also found that over 75% of the scanned deployments use workloads which mount high vulnerability host file systems such as
/proc, while none of the surveyed environments showed segmentation implementation using Kubernetes’ network policies.
Alcide’s Kubernetes Advisor does all that and more. Designed to ramp up K8s clusters quickly and securely, teams developing with a DevSecOps strategy can enjoy an automated, hands-free Kubernetes experience, and leave it to Alcide to do all the heavy lifting.
The bottom line
DevSecOps either succeeds in increasing your team’s speed, agility, and security, or your organization will suffer. Create your pipelines correctly, and make sure not to let misconfiguration drifts translate into security risks. Your entire application pipeline must be secured by integrating security at each stage. With CircleCI and Alcide natively integrated, this makes the whole process a lot easier. You can now use Alcide with CircleCI with just a few lines of config by adding Alcide Advisor orb. Orbs are reusable, shareable, open source packages of CircleCI config that enable the immediate integration of services. For a complete list of CircleCI orbs see the Orbs Registry.
This post is a part of a series we produced covering DevSecOps. To read more posts from this series, click one of the links below.