Scalable pipelines to accelerate innovation
How we do DevSecOps
Our DevSecOps journey has evolved from architecting automated CI/CD pipelines to integrating security into platform operations, so that systems are least-trust by default.
Developer Focused
Our DevSecOps pipelines are focused on developer productivity while ensuring security at the same time. As developers embrace cloud native platforms such as Kubernetes, our team builds pipelines that give developers a direct view into security so that it isn't an afterthought.
Zero Trust
Our team utilizes Istio to enable a zero trust model where all communication between microservices is encrypted, centrally authorized, and continually validated against a service mesh policy. Our team achieves this by pushing a centralized policy configuration into the Envoy sidecar proxy of each pod.
Pipeline Driven
We believe that in a cloud native environment most things should be automated. Whether it is finding CVEs at the time container images are built, static/dynamic code analysis, runtime security, testing, or deploying, our team prepares pipelines that trigger all of these at the time of merge into the master branch.
Continuous Monitoring
Receiving an Authority To Operate (ATO) shouldn't be the be-all and end-all for a solution. Rather than spending staff hours periodically walking through the compliance of the security controls by hand, our team believes in continuous monitoring that is triggered at the time of any change to the system.
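As an added example of the "Pipeline Driven" and "Continuous Monitoring" ideas above (not a pipeline from Raft or from any project named on this page), the following GitHub Actions workflow runs on every merge to master: it builds the image, fails the pipeline on HIGH/CRITICAL CVEs using Trivy, scans the deployment manifests for misconfigurations, and then re-evaluates the security-control policy with Conftest so compliance is checked on every change rather than on a calendar. The workflow name, the image name, and the `deploy/` and `policy/` directories are assumptions.

```yaml
name: build-scan-verify            # hypothetical workflow name
on:
  push:
    branches: [master]             # trigger: merge into the master branch

env:
  IMAGE: ghcr.io/example-org/myapp:${{ github.sha }}   # placeholder image name

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build container image
        run: docker build -t "$IMAGE" .

      - name: Scan image for CVEs (fail the merge on HIGH/CRITICAL)
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            aquasec/trivy:latest image \
              --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \
              "$IMAGE"

      - name: Scan Kubernetes manifests for misconfigurations
        # deploy/ is an assumed directory holding the cluster manifests
        run: |
          docker run --rm -v "$PWD:/src" aquasec/trivy:latest config \
            --exit-code 1 --severity HIGH,CRITICAL /src/deploy

  compliance-check:
    needs: build-and-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Re-evaluate security-control policy on every change
        # policy/ is an assumed directory of Rego policies encoding the controls;
        # conftest exits non-zero when any manifest violates them
        run: |
          docker run --rm -v "$PWD:/project" openpolicyagent/conftest:latest \
            test /project/deploy --policy /project/policy
```

Because both jobs run on the same trigger, a change to the application and a change to the infrastructure manifests are held to the same gate; a failed compliance job blocks the merge from being deployed instead of surfacing months later in a manual review.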
Immutable
Null pointer exceptions and buffer overflows are a thing of the past when using immutable structures and pattern matching. At the core of our team's approach to immutability is automation. We automate every part of the deployment down to the lowest level so that any change in a deployed system requires deploying a new system.
GitOps
Our team maintains the codebase of the infrastructure in Git so that the entire infrastructure can be redeployed from code with the least amount of human intervention. GitOps is the basis for our team's automated monitoring, which alerts our engineers when the configuration running in our cloud native environment doesn't match the configuration in code.
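The drift detection described above can be implemented with a GitOps controller that continuously compares the cluster against the repository. The following Argo CD `Application` is an added example (the page does not name Argo CD, and this is not Raft's configuration); the repository URL, path and namespace are placeholders.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: platform-config          # hypothetical application name
  namespace: argocd              # namespace where Argo CD itself runs
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/infra.git   # placeholder infra repo
    targetRevision: master       # the branch that is the source of truth
    path: clusters/prod          # placeholder path to the cluster's manifests
  destination:
    server: https://kubernetes.default.svc   # the cluster Argo CD runs in
    namespace: platform
  syncPolicy:
    automated:
      prune: true      # objects deleted from Git are deleted from the cluster
      selfHeal: true   # edits made directly in the cluster are reverted to what Git declares
    syncOptions:
      - CreateNamespace=true
```

Argo CD marks the Application `OutOfSync` whenever the live state differs from the commit at `targetRevision`; with `selfHeal: false` that status is the alert the engineers act on, and with `selfHeal: true` the controller reverts the drift itself, so a hand-edited Deployment or a manually created Service never survives a reconcile loop.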
Kubernetes
An open source ecosystem for orchestration, for managing and customizing application-specific workflows, and for automating at scale is the key to launching a stable and secure product quickly. Our team utilizes its capacity to design, deploy and manage cluster-based container systems, and uses K8s Admission Control and RBAC to ensure the public-facing clusters are secure.
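An added example of the admission control and RBAC pairing mentioned above (not Raft's manifests): the namespace carries Pod Security Admission labels so the built-in admission controller rejects privileged or root-running pods, and the pipeline's service account is bound to a Role that can manage Deployments in that namespace only. Pod Security Admission is the current built-in replacement for PodSecurityPolicy, which was the mechanism available when this page was written; the namespace and service account names are assumptions.

```yaml
# Namespace whose pods must satisfy the built-in Pod Security Admission "restricted" profile
apiVersion: v1
kind: Namespace
metadata:
  name: web                                          # hypothetical namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject privileged, root, hostPath, hostNetwork pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # also warn on kubectl apply so developers see why
---
# Least-privilege RBAC: the deploy pipeline may roll out Deployments and read Pods
# in this namespace, and has no cluster-wide rights at all.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: web
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: web
subjects:
  - kind: ServiceAccount
    name: ci-deployer        # hypothetical identity used by the CI/CD pipeline
    namespace: web
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

The grant can be checked from the pipeline's point of view with `kubectl auth can-i create deployments -n web --as=system:serviceaccount:web:ci-deployer` (expected `yes`) and `kubectl auth can-i create clusterrolebindings --as=system:serviceaccount:web:ci-deployer` (expected `no`); a pod in `web` that asks for `privileged: true` is refused by the API server before any controller sees it.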
Service Mesh
Scaling and securing microservices as they grow in size and complexity can become difficult to manage and understand. Using a service mesh, our team addresses these challenges: cross-cutting concerns such as service discovery, service-to-service and origin-to-service security, observability and resiliency are configured as code. Our team uses both edge routing (Ambassador on Envoy) and ingress (Istio on Envoy) to secure network communication down to the pod level. Using Istio as a sidecar, our team provides authentication, observability, resilience, and traffic management.
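The "Zero Trust" and "Service Mesh" sections above both describe the same Istio mechanism: a centrally declared policy that Envoy sidecars enforce. The following manifests are an added example of that policy set and are not Raft's configuration: mesh-wide mutual TLS, a namespace-wide default deny, a service-to-service allow rule keyed on the caller's mTLS identity, and an origin-to-service rule that requires a valid end-user JWT. The `shop` namespace, the `checkout`/`payments`/`storefront` workloads and the identity-provider URL are assumptions.

```yaml
# Mesh-wide: every pod-to-pod connection must be mutual TLS; plaintext is refused
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # the root namespace, so this applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Namespace-wide default deny: nothing reaches a workload unless a policy allows it
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop              # hypothetical namespace
spec: {}                       # empty spec with no rules denies all requests
---
# Service-to-service: only the checkout service account may call the payments API
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity taken from the caller's mTLS certificate, not from a header
            principals: ["cluster.local/ns/shop/sa/checkout"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/charge"]
---
# Origin-to-service: end users reaching the storefront must present a valid JWT
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: storefront-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: storefront
  jwtRules:
    - issuer: "https://idp.example.com"                            # placeholder identity provider
      jwksUri: "https://idp.example.com/.well-known/jwks.json"     # placeholder key set
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: storefront-require-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: storefront
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]   # any validated JWT subject; a missing or invalid token is rejected
```

RequestAuthentication alone only rejects requests that carry an invalid token; a request with no token would still pass, which is why the companion AuthorizationPolicy with `requestPrincipals: ["*"]` is needed. Likewise `deny-all` is what turns the mesh from "authenticated" into "authorized": every additional caller has to be named in an allow rule, which is the policy-as-code the section above describes.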
Securing etcd
etcd (the brain behind K8s) is a prized component for attackers to get access to. Our team uses authentication and firewalls to restrict access to etcd, and encrypts the data in etcd at rest.
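Encrypting etcd data at rest, as the section above describes, is configured on the API server rather than on etcd itself: the following `EncryptionConfiguration` is an added example (not Raft's file) that encrypts Secrets and ConfigMaps with the `secretbox` provider before they are written to etcd. The key value is a placeholder.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      # Listing "identity" last keeps objects written before encryption was enabled readable
      # until they have been rewritten.
      - secretbox:
          keys:
            - name: key1
              secret: <PLACEHOLDER: base64 of 32 random bytes, e.g. head -c 32 /dev/urandom | base64>
      - identity: {}
```

The file is referenced from the kube-apiserver command line with `--encryption-provider-config=/path/to/enc.yaml`, and existing objects are rewritten under the new key with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Reading a key directly with `etcdctl get /registry/secrets/<namespace>/<name>` should then show the `k8s:enc:secretbox:v1:key1:` prefix followed by ciphertext rather than the plaintext value. The authentication half of the section maps to etcd's own flags: `--client-cert-auth=true` with `--trusted-ca-file`, `--cert-file` and `--key-file` so only the API server's certificate is accepted, and `--peer-client-cert-auth=true` for the cluster peers.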
Falco
Kubernetes runtime security in production environments is critical and necessary to avoid the operational and reputational costs of security breaches. Our team participates in the open source Falco project for container native runtime security. Working at the most basic layer, the kernel, our team can detect anomalous activity at both the application and infrastructure level.
© Raft 2020