In recent years, DevSecOps has grown exponentially in popularity and has taken centre stage in the development of cloud native applications. DevSecOps is the practice that enables “software, safer, sooner” by automating the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.
'Shift-left' is a DevSecOps mantra that encourages software engineers to move security from the right (end) to the left (beginning) of the DevSecOps process. In a DevSecOps environment, security is an integral part of the development process from the beginning. Shifting left allows the DevSecOps team to identify security risks and exposures early and ensures that these security threats are addressed immediately. Hence, the development team is not only thinking about building the product efficiently, but they are also implementing security as they build it.
Shift-left applies not just to Security but to Compliance as well.
Along with Security, Compliance with industry standards and regional regulations is another crucial aspect that organizations are spending millions of dollars on. The whole organization counts on the development team to show that it is producing compliant software, so robust compliance testing is a must. Neglecting compliance testing or delaying the remediation of findings can expose organizations to compliance risk and potential financial, operational, and legal problems.
With the industry moving towards Everything as Code and different types of 'Ops' trending every day, let's take a look at how some of them enable us to achieve the goal of automated and continuous Security and Compliance checks:
- Pipeline as Code - Allows companies to automate their development pipeline in a cloud-native, service-driven world.
- Infrastructure as Code - Allows teams to build, change, and manage infrastructure in a safe, consistent, and repeatable way by defining resource configurations that can be versioned, reused, and shared.
- GitOps - Uses a Git repository as the single source of truth to deliver infrastructure as code.
This session aims to provide an overview of Shift-left best practices with examples that leverage industry trends such as Pipeline as Code, Infrastructure as Code (IaC) and GitOps. With an understanding of these concepts, I'll show an example of functional Tekton CI/CD pipelines that apply these best practices and demonstrate how the security and compliance posture of a cloud application is automated, monitored and maintained continuously. You will also learn about the various open-source tools that are available to help you on this journey, for example Tekton, which is one of the most popular emerging cloud-native solutions for CI/CD pipelines.
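As an added illustration of Pipeline as Code applied to shift-left IaC checks (not the speaker's pipeline), the following Tekton definition runs a misconfiguration scan on a repository's IaC files and fails the run on HIGH/CRITICAL findings, so a non-compliant template never reaches deployment. It assumes Tekton Pipelines with the `tekton.dev/v1` API, the Tekton Catalog `git-clone` Task installed in the cluster, and Trivy's `config` scanner as the checking tool; the task names, image tag and `iac-path` parameter are my own choices.

```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: iac-misconfig-scan
spec:
  description: Fail the run when IaC in the workspace has HIGH or CRITICAL misconfigurations.
  workspaces:
    - name: source
  params:
    - name: iac-path
      description: Directory (relative to the workspace) holding Terraform/Kubernetes/Helm files
      default: "."
  steps:
    - name: trivy-config
      image: aquasec/trivy:0.50.1   # assumption: pin a known tag and verify its digest before adopting
      workingDir: $(workspaces.source.path)
      script: |
        #!/bin/sh
        set -eu
        # --exit-code 1 turns findings into a failed step, which stops the pipeline (shift-left gate)
        trivy config --exit-code 1 --severity HIGH,CRITICAL "$(params.iac-path)"
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: shift-left-iac
spec:
  params:
    - name: repo-url
      description: Git repository holding the IaC under review (single source of truth, GitOps style)
  workspaces:
    - name: shared
  tasks:
    - name: fetch
      taskRef:
        name: git-clone          # assumption: Tekton Catalog git-clone Task is installed
      params:
        - name: url
          value: $(params.repo-url)
      workspaces:
        - name: output
          workspace: shared
    - name: scan-iac
      runAfter: [fetch]          # scan runs before any deploy task would be added here
      taskRef:
        name: iac-misconfig-scan
      workspaces:
        - name: source
          workspace: shared
```

Because the scan sits in the pipeline definition itself and that definition lives in Git, the compliance gate is versioned and reviewed like any other code change.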