While IaaS and PaaS environments provide customers with choice and flexibility, they also potentially increase the organization’s surface area for security risks. With the new features in Skyhigh Security Cloud for Microsoft Azure, security groups can integrate policy natively into DevOps processes and toolsets to discover security issues before systems are deployed.
What is DevOps?
DevOps is the practice of operations and development engineers working together in an agile relationship to deliver applications and services at high velocity.
DevSecOps is the philosophy of integrating security practices within the DevOps process.
Let's look at how Skyhigh Security Cloud simplifies the development process by introducing the Shift-Left concept.
Traditional Software Development vs. Shift Left
In the traditional software development model, planning and design requirements sit on the left side of the project timeline, while development and testing sit on the right. Issues arise when these practices cannot keep pace with changing expectations and requirements as new resources are deployed through DevOps templates.
As a DevSecOps admin, it is almost impossible to keep up with the resulting number of non-compliant findings.
The problem with the traditional testing process is that security is validated only after the deployment goes live on systems.
Generally speaking, Shift Left is a practice that intends to find and prevent defects early in the software delivery process. The idea is to improve quality by moving tasks to the left, that is, as early in the lifecycle as possible.
Shift Left testing means testing earlier in the software development process.
Shift Left moves the scanning of templates and container artifacts to an earlier point in the software development process.
Shift Left implies:
- You can perform a DevOps scan in the UI (also referred to as Shift Left monitoring).
- You have the ability to integrate with code build tools such as Jenkins, Bitbucket Pipelines, AWS CodeBuild, etc.
Offline and Inline Modes
Skyhigh Security Cloud provides a security solution for customers to evaluate DevOps templates in both offline and inline modes.
Using the Offline mode, Skyhigh Security Cloud can enforce configuration policy checks for 'Infrastructure as Code' earlier in the DevOps cycle.
Using inline mode, you can ensure that only secure code is checked in and fully tested. This detects risk before it reaches a live environment. Security teams can define policies centrally and delegate enforcement to DevOps seamlessly.
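As an added illustration of the offline 'Infrastructure as Code' policy check described above (example code, not Skyhigh Security Cloud's own engine or plugin), the following script evaluates a constructed Azure ARM template against two sample policies and exits non-zero so a build step fails before anything is deployed. The template contents, resource names and policy thresholds are assumptions made for the example.

```python
import json
import sys

# Constructed sample ARM template (not from the page): one storage account and one NSG.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stexample",
         "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True}},
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-example",
         "properties": {"securityRules": [
             {"name": "allow-ssh", "properties": {"access": "Allow", "direction": "Inbound",
              "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}}]}},
    ],
})

def check_storage(res):
    """Sample policy: storage accounts must enforce HTTPS and must not allow public blobs."""
    props = res.get("properties", {})
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append((res["name"], "storage account does not require HTTPS-only traffic"))
    if props.get("allowBlobPublicAccess") is True:
        findings.append((res["name"], "storage account allows public blob access"))
    return findings

def check_nsg(res):
    """Sample policy: no inbound Allow rule may expose management ports to any source."""
    findings = []
    for rule in res.get("properties", {}).get("securityRules", []):
        p = rule.get("properties", {})
        if (p.get("access") == "Allow" and p.get("direction") == "Inbound"
                and p.get("sourceAddressPrefix") in ("*", "Internet", "0.0.0.0/0")
                and p.get("destinationPortRange") in ("22", "3389", "*")):
            findings.append((f'{res["name"]}/{rule["name"]}', "inbound management port open to any source"))
    return findings

# Policies are keyed by ARM resource type; unknown types are skipped.
CHECKS = {"Microsoft.Storage/storageAccounts": check_storage,
          "Microsoft.Network/networkSecurityGroups": check_nsg}

def scan_template(template_json):
    """Return a list of (resource, message) findings for the given ARM template JSON."""
    template = json.loads(template_json)
    findings = []
    for res in template.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings

if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for resource, message in results:
        print(f"FAIL {resource}: {message}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run against the sample template, the script reports three findings and exits with status 1; a template with no matching resources returns no findings and exits 0.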
Applying Shift-Left to Jenkins Code
Jenkins is an open-source automation tool written in Java, with plugins built for Continuous Integration purposes. Jenkins is used to build and test your software projects continuously, making it easier for developers to integrate changes into the project and easier for users to obtain a fresh build.
The Skyhigh Security Cloud plugin for Jenkins helps intercept security misconfigurations during the code build. The following is an architectural representation of a scenario where a developer uses Shift Left.