August 2019 Summaries
6 posts from CircleCI
Filter
Month:
Year:
Post Summaries
Back to Blog
Continuous Application Security (CAS) is a methodology designed to integrate security into the rapid development environments of Agile and DevOps by transforming traditional security practices into "security as code." It addresses the challenges of delivering secure applications without slowing down development processes, using instrumentation-based security enforcement to enable development, security, and operations teams to collaborate effectively. CAS emphasizes continuous, automated, and real-time security measures to tackle the persistent vulnerability issues in applications, which remain a leading cause of data breaches. Key components of CAS include Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP), which provide real-time feedback and defense against attacks while allowing organizations to deploy new defenses without needing to rewrite code. By embedding smart sensors directly into applications, CAS facilitates seamless vulnerability analysis during the software development lifecycle, ensuring security is both proactive and integrated.
Aug 22, 2019
937 words in the original blog post.
DevSecOps integrates security into the traditional DevOps framework, emphasizing the importance of maintaining robust security practices alongside rapid software development. While DevOps has streamlined the software development lifecycle through practices like continuous integration and continuous deployment (CI/CD), security is often neglected, leading to vulnerabilities such as improper handling of application secrets. To address this, third-party solutions like CircleCI and CryptoMove offer secure CI/CD pipelines that mitigate risks by managing build-and-deploy servers and employing moving target defense for sensitive data protection. These tools can be deployed on-premises to enhance security and ensure that sensitive information is not compromised during ephemeral build processes. The adoption of a DevSecOps approach demonstrates that integrating security measures does not impede development speed but rather complements it, safeguarding both software and data.
Aug 21, 2019
629 words in the original blog post.
As the integration of development and operations through DevOps has accelerated the release of functional applications, security concerns have often been sidelined, prompting the emergence of DevSecOps to address this gap. The DevSecOps approach emphasizes incorporating security early in the Software Development Life Cycle (SDLC) to mitigate vulnerabilities without significantly hindering development speed. Dynamic Application Security Testing (DAST) tools, such as Probely, play a crucial role by automating security checks and providing actionable insights, thus facilitating a smoother transition to DevSecOps by making security an integral and less disruptive part of the development process. The adoption of DevSecOps requires a cultural shift in organizations, prioritizing education and awareness of security risks among both technical and non-technical staff, while allowing flexibility in adapting security practices to suit specific organizational needs.
Aug 20, 2019
1,728 words in the original blog post.
DevOps has become an integral part of many companies' software development processes, driving digital transformation through improved and accelerated development. Despite its widespread adoption, measuring DevOps success is challenging due to its nature as a culture and set of practices rather than a formal framework, with each organization implementing it differently. A key DevOps goal is to create an automated, frictionless CI/CD pipeline, and integrating security early in the development stage—known as shifting left—is crucial for compliance and confidence in production interoperability. This approach, known as DevSecOps, enhances team speed, agility, and security, requiring continuous deployment, monitoring, and the use of tools that ensure policy compliance by failing pipelines with non-compliant resources. The text is part of a series that explores various aspects of DevSecOps and provides additional resources for further reading.
Aug 18, 2019
470 words in the original blog post.
Open source vulnerabilities pose significant threats to software security, as hackers can exploit them when they remain unpatched, exemplified by the 2017 Equifax breach. Identifying and tracking these vulnerabilities is challenging due to the vast amount of open source software in use, and the complexities of dependencies that might harbor hidden risks. To address this, WhiteSource has partnered with CircleCI to provide a free tool for users that automatically scans for the top 50 open source vulnerabilities, offering real-time alerts and remediation suggestions. This tool aims to integrate effortlessly into development workflows, allowing organizations to improve security from the earliest stages of the software development lifecycle (SDLC). The partnership emphasizes a shift towards automated security solutions to keep pace with rapid software development, suggesting that developers take proactive ownership of security management without needing to sign up for the service.
Aug 14, 2019
854 words in the original blog post.
Modern applications leveraging cloud-native technologies require a shift in application security, emphasizing the need for developers to take the lead in security practices. The Snyk orb facilitates the integration of security testing into CircleCI workflows, allowing DevSecOps teams to prevent vulnerabilities by running automated tests during the build process. The tutorial guides users through setting up Snyk tests to ensure the security of open-source components, container images, and Terraform configurations, demonstrating how to address vulnerabilities without disrupting the pipeline. The integration of Snyk into development environments, like IDEs and source control, enhances developer productivity by making security insights easily accessible and actionable. This approach fosters collaboration between security, operations, and development teams, promoting a culture focused on proactive security management.
Aug 14, 2019
1,514 words in the original blog post.