Integrate Security Observability into CI Pipelines
What’s the big news?
DeepFactor launches Observability-as-Code with it’s latest product release v1.5. Similar to how ‘Infrastructure-as-Code’ enables DevOps engineers to orchestrate infrastructure using scripts, DeepFactor’s Observability-as-Code API enables DevSecOps engineers to leverage observability functionality in their CI pipeline and gate builds based on the security and compliance insights gathered by DeepFactor’s Continuous Observability platform.
This blog talks about observability, why it is important for security and compliance, and how teams can use observability—integrated seamlessly into the CI pipeline—by employing DeepFactor's new Observability-as-Code API.
The world of today: modern apps, release processes, attackers, compliance needs.
Today’s apps are extremely complex – multiple languages, multiple 3rd party components, 3rd party libraries, cloud services, and multiple deployment modes (traditional, containers, Kubernetes, serverless, etc.). With DevOps, these apps are being released more frequently than ever before. The result? Let's do the math: Complexity of apps + High velocity of releases = Ever-changing and ever-increasing attack surfaces.
To make matters worse, while the attack surface area is rapidly expanding, the sophistication of attacks is increasing at an alarming pace. And to add insult to injury, compliance needs are exploding with GDPR, CCPA, HIPAA, etc... So once again, let's look at the math: Increasingly sophisticated attack(er)s + Growing compliance needs = Severe consequences!
As you can see, the possibility of not detecting a security and compliance risk is higher than ever before. And the consequence for not addressing these risks before production is higher than ever before. Security and compliance risks in production can cause downtime, reputational damage, security breaches, revenue loss, and compliance penalties. Nobody wants to be 'that guy/gal' who puts the business in jeopardy!
All that being said, it’s humanly impossible for the AppSec/DevSecOps Jedi to address every risk. They need visibility into every build and to set up the framework and the right tools to ensure the Dev Teams get access to insights before the app gets widely deployed to prod.
Why is observability essential for security & compliance?
Static code scanners and other tools look at the code, but they aren’t looking at what the app is ACTUALLY DOING when it is running. That’s where DeepFactor’s Continuous Observability platform comes in. The technology observes the millions of live events occurring in every thread/process/container/service of your app across various layers—system call/library call/network/Web/API, etc...—to detect anomalies and identify security and compliance risks that are lurking in your app while it's running. It detects risks that could be laying in your code, your 3rd party’s code, or even your interpreter.
What is Observability-as-Code?
Similar to how 'Infrastructure-as-Code' enables DevOps engineers to orchestrate infrastructure using scripts, DeepFactor’s Observability-as-Code API enables DevSecOps engineers to leverage observability functionality in their CI pipeline and gate builds based on the security and compliance insights gathered by DeepFactor’s Continuous Observability platform. With release v1.5, DeepFactor’s Observability-as-Code API is now available as a Swagger doc. It enables customers to do the following:
- Run your app with DeepFactor using the dfctl command
- Observe any app with zero code changes
- Language agnostic
- Bring any workload: non-container apps, Docker, containers, or Kubernetes apps
- Get the list of insights determined by DeepFactor
- Get alerts
- Sort alerts based on priorities
- Get evidence information in these alerts
- Compare releases for unexpected behavior changes
- Gate releases based on DeepFactor’s insights. For example, you can gate your release deployment if DeepFactor detects a P1 that didn’t exist in your previous release.
- Trigger headless OWASP ZAP scans
- Start/Stop ZAP scans
- Get results with alert evidence
Key learnings from DeepFactor's latest release v1.5 with Observability-as-Code
If you are thinking of enabling your engineering team to detect security and compliance risks hidden deep down in your applications—without adding more work for them—simply bake in observability into your CI pipeline. While code scanning tools identify risks in your static code, DeepFactor’s Continuous Observability platform identifies risks that show up at RUNTIME. And this Observability-as-Code API makes it super easy to effortlessly integrate it into your CI pipeline.
DeepFactor gives you peace-of-mind knowing that you’ve created a framework for the AppSec teams and dev teams to work together in harmony. Engineering teams will be shipping faster with decreased alert fatigue and fewer security risks; across the board, productivity will skyrocket.
DeepFactor enables your organization to have a ‘security at the source’ mindset by allowing application security to START left. You no longer need to choose between shipping fast versus secure to production—DeepFactor empowers you to deliver both with confidence.