Securing fast-and-frequent releases requires careful automation of quality and security gating practices. The increased threats from inside and outside the enterprise require a constant vigil and ongoing continuous improvement. Advanced automation of the delivery pipeline must include a secure software supply chain and an ever-present sentry for monitoring workloads in production.
Scanning and vulnerability monitoring allows high-performing organizations to automatically detect and respond to malware and other defects. Build-and-deploy solutions enable ongoing remediation to ensure effective best practices for cybersecurity. With increased threats, and increased liability from data breaches, traceability and documentation in the pipeline is critical.

DEVSECOPS INTEGRATED CONTINUOUS DELIVERY




DevSecOps tooling such as Sonatype’s Nexus Lifecycle Manager allows Agile development teams to respond to and remediate vulnerabilities as part of a Continuous Integration practice. Nexus’s Common Vulnerability Scoring System (CVSS) alerts developers via an IQ Server. Remediation recommendations are made at build-time based on policies defined for each application profile.

SECURITY AND GOVERNANCE

Security best practices require that enterprise policies for each application workload are defined in advance of deployment. These policies are then applied using automated build tools that scan and monitor the use of third-party component libraries when compiling applications. When known
vulnerabilities are found, severity levels are evaluated against policy definitions to determine appropriate remediation. Machine learning analytics uses vulnerability identifiers to suggest hardening steps that may be taken immediately.

ATLASSIAN FOR DEVSECOPS

Atlassian tools help to define of workflows to automate review processes in the Continuous Deployment pipeline. Multiple opportunities exist to integrate Jira, Confluence, Bitbucket and Bamboo with other deployment tooling to provide dashboards for orchestrating release automation and ensuring expedited approvals and governed delivery. Innovative Atlassian technologies such as Jira, Confluence, Stride, Hipchat, Bamboo
and Bitbucket form a suite of tooling to automate a DevSecOps practice and integrate disparate constituents.

USING A SECURE SOFTWARE SUPPLY CHAIN

Third-party libraries and binary components must be carefully onboarded to prevent intrusion by outside actors. Worms, trojans and viruses must not be allowed into secured on-premise repositories. The National Vulnerability Database is enriched by Sonatype’s vulnerability data to provide an IQ Server of known vulnerabilities. An Application Composition Report may then be used by developers to drill down and interrogate potential defects. Typically, alternative sources and versions may then be substituted for the defective component.

PRODUCTION MONITORING ANDORCHESTRATION

As increasing workloads are deployed into hybrid and multi-cloud environments, the entropy of virtualization must be addressed through automated scanning and orchestration. Long after development teams have moved on from prior releases, hygiene requires the management of any
application components used in production. Security orchestration provides an ongoing scanning of containerized and conventional workloads. When threats are detected, an automated remediation process is triggered.

OUR PARTNERS: