This article is for engineering leaders who are just getting started on their AppSec and DevSecOps journey, or who intend to extend DevOps to DevSecOps.
The approach described below helps beginners catch up with the pace of the business, and it also helps early starters raise their game and maturity level with advanced capabilities for meeting regulatory compliance requirements and audit readiness.
How To Get Started With SecOps
The most common questions I get asked by them, even before they get started, are:
- How do we protect Personally Identifiable Information (PII)?
- How do we ensure that all code that goes to production is security-tested?
- How do I automate this practice and not rely on engineers for manual checks?
- How do I automatically categorize the security issues as low, high, and critical?
- How can I put a process in place that helps me fast-track compliance certifications?
- Which tools do I use without tool sprawl or overlap?
All of this basically translates into addressing one thing: how to determine the security posture of your entire software delivery process as part of an automated workflow that aligns with your process (of course, we suggest best practices and recommend optimizing the process where needed).
Have a look at this 8-minute video clip from Bob Boule, VP Products, to understand how you can achieve automated application security posture management, along with the tools needed: What Drives Guardrails!
OpsMx brings in the tool together with a set of practices that align with your process and your existing tools, if any. It doesn't matter if you do not have the requisite tools in place; OpsMx ships those components and capabilities along with the product. The tool then goes through each stage of the process (code, build, artifact, deployment), determines the security posture, and provides detailed insights into that posture for an application or a microservice. This helps you understand the current security state.
While vulnerability scanning is important, take a quick look at our approach to getting started, as explained in this 2-minute video: Beyond vulnerability scanning and getting started with SecOps taking small steps.
Application Security Posture
The other set of questions that follows on the security side is:
- We know the vulnerability; how do my engineers know what needs to be fixed, and how?
- How do we know which services are affected?
- How do I isolate a vulnerability?
- How do I manage a zero-day vulnerability similar to Log4j?
A lot of the time, current tools provide alerts or generate reports on the vulnerabilities found and leave it to an expert to determine what needs to be fixed to get rid of that vulnerability. OpsMx converts that information into actionable intelligence and recommends how to remediate a specific issue. You do not need to rely on experts; instead, you can shift security left and empower your engineers with sufficient insight into what action needs to be taken, in an automated way.
Let's look at how we categorize issues as low, medium, and high risk, visually represent them on a dashboard, and then start triaging them for an individual application: Low, Medium, High Risk and Triaging Them For Individual Applications or Services. These issues could be related to code or vulnerabilities, or they could be deployment issues.
OpsMx presents not just the vulnerability details but also suggestions on how to fix each one.
Simplifying SecOps Workflow with OpsMx
The video below walks you through the SecOps workflow: how actionable intelligence is provided to the engineer after scan, alert, and trigger activities. It also covers managing zero-day vulnerabilities, how to fix them, and additional information.
Automating Compliance By Enforcing Rules
I covered this topic in multiple blogs, but at a high level you may want to refer to this blog, where I have shared insights into integrating compliance management with your CI/CD pipelines.
As a Beginner, What Do You Get From OpsMx?
You get a package that includes:
- Security scanning capabilities
- Compliance automation capabilities
- Automated Multi-cloud / K8s deployment and rollback capabilities
- Core Orchestration with code-to-cloud automation and custom stages
- Out-of-the-box audit reports
- Dashboards for real-time insights
- Pipeline as code
- Policy as code
- Infrastructure as code
- Pre-built integrations with the DevOps / DevSecOps toolchain
- GitOps
Now, you don't need all of this to get started. It's a modular offering: you can begin with small steps and expand as needed.
The idea is to integrate application security into your DevOps process, and that's where the SecureCD offering from OpsMx comes into play.
This 2-minute video provides a walkthrough of the OpsMx Secure Software Delivery approach and architecture: OpsMx Secure Software Delivery Architecture
Again, this was just for starters. If you already have a platform or tools in place, OpsMx Deploy Shield can coexist with any tool and take your SecOps to the next level.
To learn more, you may want to speak to one of our top Secure Software Delivery experts.