Automating DevSecOps Processes with Security
Welcome to the Makpar Insights Into Federal Agile Transformation content series designed to provide federal IT leaders with all of the strategic tools and insights they need to best leverage Agile development today – and into the future.
In this installment, we speak with Grant Moore, a DevOps Engineer at Makpar, who provides insights into automating the DevSecOps process with security.
The following conversation has been edited for length.
Q: Why is automating the DevSecOps process with security important?
There are plenty of reasons. If you stand up a server on AWS and look at the logs, and if you host any sort of public application, it will get pinged by many bots looking for exploits. Essentially, hackers will code out bots that scan for open ports to hack your applications. It sounds like science fiction, but this is a very common practice.
There are actually entire data centers around the world dedicated to exploiting your AWS accounts. If you are hosting sensitive data, it’s also very likely that malicious actors are trying to access this information.
As such, you need something that will ensure that your application is secure. This can be done manually, but is not feasible for enterprise-level applications. You need automated ways to ensure that your application is up to snuff, and not exposing any unforeseen vulnerabilities. It's all about protection.
Q: How do you automate the DevSecOps process with security?
In terms of our pipeline, we have several things in place. First, it’s good to remember that pipelines are quality gates that prevent your application from deploying if there are security issues.
Our first quality gate is a security scanner for our dependencies, and it essentially scans our libraries for exploits, and recommends upgrades to the code. Our second quality gate is penetration scanning, where we crawl through our website to try to actually implement these exploits.
Q: What makes Makpar’s DevSecOps process special?
Cybersecurity is something that we have been doing in the federal arena for a long time. And we continually evolve our practices for our government customers. For example, we are currently looking at a solution that looks through your logs and applies a Machine Learning regression model that detects logs that are outside of the usual parameters.
By automating this process, we are also eliminating the delays in terms of putting applications into production.
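The dependency-scanning quality gate described above, as an added illustration that is not Makpar's code or any particular scanner's output: it reads a constructed scan report in a hypothetical JSON format, recommends upgrades for findings that have a fix, and fails the pipeline stage on any HIGH or CRITICAL finding that has no unexpired risk acceptance.

```python
import json
from datetime import date

# Severity ranking used by the gate; anything at or above FAIL_AT blocks the deploy.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
FAIL_AT = "HIGH"

# Constructed sample report in a hypothetical scanner format (not any real tool's output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "VULN-0001", "package": "libfoo", "installed": "1.2.0",
         "fixed_in": "1.2.5", "severity": "CRITICAL"},
        {"id": "VULN-0002", "package": "libbar", "installed": "0.9.1",
         "fixed_in": "0.9.3", "severity": "HIGH"},
        {"id": "VULN-0003", "package": "libbaz", "installed": "2.0.0",
         "fixed_in": None, "severity": "LOW"},
    ]
})

# Constructed risk acceptances: a finding may be waived only until its expiry date.
SAMPLE_WAIVERS = {"VULN-0002": {"expires": "2099-01-01", "reason": "not reachable"}}


def evaluate_gate(report_json, waivers, today=None):
    """Return (passed, blocking, upgrades).

    blocking: ids of findings at/above FAIL_AT with no unexpired waiver.
    upgrades: recommended package upgrades for every finding that has a fix.
    """
    today = today or date.today()
    findings = json.loads(report_json)["findings"]
    blocking, upgrades = [], []
    for f in findings:
        if f["fixed_in"]:
            upgrades.append(f"{f['package']}: {f['installed']} -> {f['fixed_in']}")
        if SEVERITY_RANK.get(f["severity"], 0) < SEVERITY_RANK[FAIL_AT]:
            continue  # below the blocking threshold, report only
        waiver = waivers.get(f["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            continue  # accepted risk, still within its expiry window
        blocking.append(f["id"])
    return (not blocking, blocking, upgrades)


if __name__ == "__main__":
    passed, blocking, upgrades = evaluate_gate(SAMPLE_REPORT, SAMPLE_WAIVERS)
    for line in upgrades:
        print("upgrade:", line)
    print("gate:", "PASS" if passed else "FAIL", blocking)
    raise SystemExit(0 if passed else 1)  # non-zero exit stops the pipeline stage
```

The script's exit status is what makes it a gate: a CI stage that runs it will stop the deployment whenever a blocking finding remains.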
Stay tuned for our next episode in this series where the team will provide insights into breaking down Agile epics.
Makpar is pioneering pragmatic Agile development for government through methods such as Scrum, Kanban, and Lean development. Our Agile practice minimizes communication gaps between Development and Operations teams by expanding DevOps-based automation to the entire development lifecycle.