Implementing automated security measures has become a necessity for companies with large-scale cloud software deployments. Understanding how these companies approach it helps in making better security decisions at every level.
Large cloud companies can perform thousands of deployments per day and hundreds of thousands of code changes, and with hundreds of developers involved, tracking that activity is difficult. Having the security team check and test every change before it is deployed is impossible at this pace and volume. Hence the DevSecOps era: with this approach, security teams enable developers to build on secure foundations and in securely configured cloud environments.
The DevSecOps approach requires somewhat more work, especially given that only about 20% of a typical cloud application's code is the application itself; the rest is Linux operating system files, open source libraries, their dependencies, and other, often older, components. Developers need help identifying vulnerabilities in their applications, in the broader code base, and in their configurations. Sophisticated security tools must therefore be backed by automation.
Diverse feedback on security automation
How automation is implemented depends on the company adopting it. The first step is to make sure that the application and its components are automatically scanned for vulnerabilities at regular intervals. "Automation is key to security at scale because it eliminates human error. As we adopt automation, we discover more vulnerabilities," says Vlad Perlmutter, principal security engineer at Twilio. Without it, teams must check and re-check for security holes by hand, which leaves room for oversight and creates additional work that automation would remove.
At the cloud communications platform Twilio, automation goes further. The company built a GitHub app that monitors changes and pull requests to the main branch of the code. When a pull request targets the master branch, the project is automatically scanned and developers are notified of any potential vulnerabilities. The app also reacts when projects are created, deleted, or renamed, and runs the appropriate security measures.
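The kind of GitHub app described above, as an added example in Python; this is not Twilio's code. It verifies GitHub's X-Hub-Signature-256 header before parsing anything, then maps pull-request and repository events to scan actions. The webhook secret, the action names (scan_pr, apply_baseline, update_inventory, retire_inventory), the example_delivery helper and all payloads are assumptions made for this illustration; the scanner and inventory hooks they would call are not shown.

```python
"""Webhook handler for a GitHub App that triggers scans on pull requests to
the default branch and reacts to repository lifecycle events.
Added illustration, not Twilio's code; the secret, the event payloads and
the action names are assumptions made for this example."""
import hashlib
import hmac
import json

# Assumption: in production this comes from a secret store, never from source.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub puts in X-Hub-Signature-256 for a raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Reject unsigned or mis-signed deliveries; compare in constant time so an
    attacker cannot learn the secret byte by byte from response timing."""
    if not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body).encode(), header.encode())


def plan_actions(event: str, payload: dict) -> list:
    """Map one webhook delivery to the security actions to run (the action
    names are this example's own; the real scanner hooks are not shown)."""
    repo = payload.get("repository", {})
    name = repo.get("full_name", "?")
    actions = []
    if event == "pull_request":
        pr = payload["pull_request"]
        # Only PRs that merge into the default branch get the full scan;
        # "synchronize" fires on every new push to an open PR.
        if (payload["action"] in ("opened", "reopened", "synchronize")
                and pr["base"]["ref"] == repo["default_branch"]):
            actions.append(("scan_pr", name, pr["head"]["sha"]))
    elif event == "repository":
        if payload["action"] == "created":
            actions.append(("apply_baseline", name))   # e.g. branch protection
        elif payload["action"] == "renamed":
            actions.append(("update_inventory", name))
        elif payload["action"] == "deleted":
            actions.append(("retire_inventory", name))
    return actions


def handle_webhook(headers: dict, body: bytes) -> dict:
    """Entry point: verify first, parse second. Header names are as GitHub
    sends them (case-sensitive here; a real HTTP framework normalises them)."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256", "")):
        return {"status": 401, "actions": []}
    payload = json.loads(body)
    return {"status": 200, "actions": plan_actions(headers.get("X-GitHub-Event", ""), payload)}


def example_delivery(event: str, payload: dict) -> dict:
    """Constructed, correctly signed delivery (what a local run or test would send)."""
    body = json.dumps(payload).encode()
    headers = {"X-GitHub-Event": event, "X-Hub-Signature-256": sign(WEBHOOK_SECRET, body)}
    return handle_webhook(headers, body)


if __name__ == "__main__":
    pr = {"action": "opened",
          "pull_request": {"base": {"ref": "main"}, "head": {"sha": "abc123"}},
          "repository": {"full_name": "acme/app", "default_branch": "main"}}
    print(example_delivery("pull_request", pr))
    print(example_delivery("repository", {"action": "created", "repository": {"full_name": "acme/new"}}))
```

The order matters: the signature is checked over the raw bytes before `json.loads` runs, so an unauthenticated sender never reaches the parser or the scan dispatch, and a pull request against a feature branch produces no action at all.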
At Skyscanner, unpatched vulnerabilities have been a major concern. The company was growing fast and at large scale, and therefore needed to build automated support. "Manually reviewing code and configurations at this scale would be a nightmare for us," said Olivier Crawford, software engineer at Skyscanner. By building its own dashboard app, the flight comparison company now gives its developers the insight they need to understand the security needs of all their projects.
Another case is Red Ventures, a media company whose need to support its pipelines led it to create an in-house application, Flare. Flare discovers new container images through CloudTrail and then analyzes them to identify vulnerabilities. Once it has results, it automatically generates Jira issues for the responsible teams and developers. Alfonso Cabrera, director of platform engineering at Red Ventures, explains that his company works with thousands of container images and as many as 7,000 code projects. By automating the workflow, risks are systematically identified and addressed.
When companies turn to automation, they should focus on two main points. The first is how well the tools they wish to automate lend themselves to it, which in turn drives the choice of security tools: a robust, well-documented API is what makes enterprise-grade security automation possible. For small teams, the vendor's native Software Development Kit (SDK) for their programming language is the practical route.
The second is to examine the results of automation carefully. Scanning can find thousands of vulnerabilities, and creating a ticket for each one quickly leads to a backlog of low-value tasks. To prevent this, the automation filters out vulnerabilities that cannot be patched or exploited and prioritizes tasks by their impact on application security. It also eases developers' work by notifying them when patches become available and linking to documentation describing the nature of the vulnerability.
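A Flare-style pipeline that ties together the Red Ventures workflow above and the filtering and prioritization just described, as an added example in Python; this is not Red Ventures' code and Flare's internals are not public. It picks successful ECR PutImage calls out of CloudTrail records, triages a scanner report per image (dropping findings with no fix, deduplicating repeated layer findings, keeping known-exploited CVEs regardless of severity, ranking exploitation first), and builds one Jira issue payload per image with the fixed version and an advisory link for each finding. The CloudTrail records, scan findings, CVE identifiers, the known-exploited set, the ownership map and the Jira field layout are all constructed assumptions; the actual HTTP call to Jira is left out.

```python
"""Flare-style workflow, as an added example (not Red Ventures' code):
discover freshly pushed container images from CloudTrail, triage a scanner
report for each one, and build a Jira issue per image for the owning team.
All records, scan findings, exploit data and ownership below are constructed."""

# Constructed CloudTrail records. The eventSource/eventName/requestParameters
# layout follows ECR's PutImage event; the values are invented.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "requestParameters": {"repositoryName": "payments/api", "imageTag": "1.4.2"},
     "responseElements": {"image": {"imageId": {"imageDigest": "sha256:aaaa"}}}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
     "requestParameters": {"repositoryName": "payments/api"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "errorCode": "AccessDenied",
     "requestParameters": {"repositoryName": "payments/api", "imageTag": "evil"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "requestParameters": {"repositoryName": "web/frontend", "imageTag": "latest"},
     "responseElements": {"image": {"imageId": {"imageDigest": "sha256:bbbb"}}}},
]

# Constructed scanner output keyed by digest (shape loosely follows Trivy/Grype:
# vulnerability id, package, severity, version that fixes it or None).
SCAN_RESULTS = {
    "sha256:aaaa": [
        {"id": "CVE-0000-0001", "pkg": "openssl", "severity": "CRITICAL", "fixed_in": "3.0.9"},
        {"id": "CVE-0000-0002", "pkg": "libxml2", "severity": "HIGH", "fixed_in": None},
        {"id": "CVE-0000-0003", "pkg": "curl", "severity": "MEDIUM", "fixed_in": "8.1.0"},
        {"id": "CVE-0000-0001", "pkg": "openssl", "severity": "CRITICAL", "fixed_in": "3.0.9"},
    ],
    "sha256:bbbb": [
        {"id": "CVE-0000-0004", "pkg": "bash", "severity": "LOW", "fixed_in": None},
    ],
}
KNOWN_EXPLOITED = {"CVE-0000-0003"}                       # constructed; a KEV-style feed in practice
OWNERS = {"payments/api": "PAY", "web/frontend": "WEB"}  # constructed: repo -> Jira project key
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def discover_images(records):
    """Return (repository, tag, digest) for every *successful* PutImage call."""
    images = []
    for r in records:
        if r.get("eventSource") != "ecr.amazonaws.com" or r.get("eventName") != "PutImage":
            continue
        if "errorCode" in r:  # denied or failed pushes produced no image to scan
            continue
        p = r["requestParameters"]
        digest = r["responseElements"]["image"]["imageId"]["imageDigest"]
        images.append((p["repositoryName"], p.get("imageTag"), digest))
    return images


def triage(findings, min_rank=SEVERITY_RANK["MEDIUM"]):
    """Keep what a developer can act on: drop findings with no fix, drop
    duplicates (the same CVE reported from several layers), keep anything
    known-exploited regardless of severity, and rank by exploitation first."""
    seen, kept = set(), []
    for f in findings:
        key = (f["id"], f["pkg"])
        if key in seen or f["fixed_in"] is None:
            continue
        seen.add(key)
        rank = SEVERITY_RANK.get(f["severity"], 0)
        exploited = f["id"] in KNOWN_EXPLOITED
        if exploited or rank >= min_rank:
            kept.append({**f, "exploited": exploited, "rank": rank})
    kept.sort(key=lambda f: (not f["exploited"], -f["rank"]))
    return kept


def jira_issue(repo, tag, digest, findings):
    """Build the body for Jira's REST 'create issue' call (the HTTP POST to
    /rest/api/2/issue is omitted; only the payload is shown)."""
    top = findings[0]
    priority = "Highest" if top["exploited"] or top["rank"] == 4 else "High"
    lines = [f"Image {repo}:{tag} ({digest})", ""]
    for f in findings:
        flag = " [known exploited]" if f["exploited"] else ""
        lines.append(f"- {f['id']} in {f['pkg']} ({f['severity']}){flag}: "
                     f"upgrade to {f['fixed_in']} - https://nvd.nist.gov/vuln/detail/{f['id']}")
    return {"fields": {
        "project": {"key": OWNERS.get(repo, "SEC")},   # unknown owner -> security team queue
        "issuetype": {"name": "Bug"},
        "priority": {"name": priority},
        "summary": f"[image-scan] {len(findings)} fixable finding(s) in {repo}:{tag}",
        "description": "\n".join(lines),
        "labels": ["container-vuln", repo.replace("/", "-")],
    }}


def run(records=CLOUDTRAIL_RECORDS, scans=SCAN_RESULTS):
    """One pass of the pipeline: one issue per image that has actionable findings."""
    issues = []
    for repo, tag, digest in discover_images(records):
        findings = triage(scans.get(digest, []))
        if findings:
            issues.append(jira_issue(repo, tag, digest, findings))
    return issues


if __name__ == "__main__":
    for issue in run():
        print(issue["fields"]["summary"], "->", issue["fields"]["project"]["key"])
        print(issue["fields"]["description"])
```

With the constructed input, four CloudTrail records yield two images to scan (the read-only call and the denied push are skipped), the first image's four findings collapse to two actionable ones ordered with the known-exploited medium above the critical, and the second image produces no ticket at all because its only finding has no fix. That is the difference between thousands of raw findings and a backlog developers will actually work.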
The goal of automation projects is to make teams' work easier, and creating new processes and tools to learn works against that goal. It is therefore best to build on the tools developers already use, whether an integrated development environment (IDE), project repositories, or ticketing systems. Automation can then improve security without adding friction.