Making Automatic Assessment an Integral Part of the CI/CD Process

The concept of Continuous Delivery (CD) has evolved alongside the public cloud. It’s only natural: the cloud brings flexibility and allows you to create highly complex environments with minimal effort, while CD grants the ability to get changes into production safely and quickly. The process usually begins with Continuous Integration (CI), which automatically merges and builds the changes from individual developers into a single shared environment.

Automation and speed are key elements in the CI/CD process. Continuously introducing new features or configurations into production, sometimes multiple times a day, requires lowering human intervention to a minimum.

In this article we will explore how to integrate security and compliance into the CI/CD process, and see how Dome9 lets you test security and compliance easily, from the earliest stages through to production.

Dome9 CloudFormation Template Assessment

AWS CloudFormation Templates (CFT) are designed to simplify deployment and management of resources on AWS. Dome9 offers CloudFormation Template (CFT) simulation and assessment capabilities. When this capability was announced, we explained how it could be used to evaluate a CFT even before the environment is built. By feeding the CFT to Dome9, we can visualize the resulting VPC with Dome9 Clarity, understand which elements would be exposed to the wider internet, and examine their specific security configurations.

Dome9’s compliance engine runs not only on live environments but also on CFTs. Running the engine on a template lets customers evaluate the CFT before it is ever launched. With our products you can:

  • Run compliance bundles, making sure that the newly launched environment complies with regulations or standards (such as HIPAA or PCI-DSS).
  • Make sure that the new environment meets the best practices that are recommended by AWS and Dome9.
  • Force new environments to comply with organizational policies by writing customized security rules with the Dome9 engine.
  • Apply automatic remediation to fix the elements that do not comply with the policies.

These capabilities can be automated and easily integrated into the release process. This ensures that your organization is continuously secured and complies with regulations.

Integrating into the CI/CD process

Dome9 provides a wide variety of APIs for all the features supported by our system including APIs for running assessments.

These APIs let users run a specific rule bundle either against an already created (“live”) environment or against a provided CFT payload. For CFT assessments, the API simulates the environment that the CloudFormation service would create from the template.

The next phase is running the Compliance Engine against that environment. The engine produces a report of all findings, including the list of entities that failed the tests defined in the executed bundle.

By calling the assessment APIs, our customers can integrate both security and compliance into their CI/CD process.

This lets you run assessments on test environments and find security and compliance issues before development is completed. Detecting these problems early usually reduces the effort required to fix them in later stages.

Integration into the CI/CD pipeline also lets you decide what happens when a security problem is detected – for example, failing the build until the issue is fixed.
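The following is an added example of such a pipeline gate, not Dome9’s own code or its real API. It assumes a hypothetical assessment endpoint that accepts the template body plus a bundle identifier and returns a JSON report listing, per rule, the entities that failed; the endpoint path, the Basic-auth scheme and the report shape are all assumptions. The report used when the script runs is constructed inline so it works offline; in a real pipeline `submit_template` would be called instead. The gate fails the build only for findings at or above a chosen severity, so low-severity findings can be reported without blocking the release.

```python
"""CI/CD gate: assess a CloudFormation template and fail the build
on blocking findings.

Example code added to this article; not Dome9's code. The endpoint path,
the authentication scheme and the report structure are assumptions.
"""
import base64
import json
import sys
import urllib.request

# Assumed (hypothetical) report shape:
# {"tests": [{"rule": {"name": str, "severity": str},
#             "testPassed": bool,
#             "entityResults": [{"entity": {"id": str, "type": str},
#                                "passed": bool}]}]}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def submit_template(base_url, api_key, api_secret, bundle_id, template_text):
    """POST the template to the (hypothetical) assessment endpoint and
    return the parsed JSON report. Only used in a real pipeline run."""
    body = json.dumps({"bundleId": bundle_id, "cft": template_text}).encode()
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/assessment/cft",  # hypothetical path
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def failing_entities(report, min_severity="medium"):
    """Return [(rule_name, severity, entity_id)] for every entity that
    failed a rule whose severity is at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    failures = []
    for test in report.get("tests", []):
        rule = test["rule"]
        sev = rule.get("severity", "low").lower()
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue  # reported, but not blocking at this threshold
        for result in test.get("entityResults", []):
            if not result.get("passed", True):
                failures.append((rule["name"], sev, result["entity"]["id"]))
    return failures


def gate(report, min_severity="medium"):
    """True if the build may proceed, False if it must be broken."""
    return not failing_entities(report, min_severity)


# Constructed sample report (not real output from any product).
SAMPLE_REPORT = {
    "tests": [
        {"rule": {"name": "Security group allows 0.0.0.0/0 on port 22",
                  "severity": "high"},
         "testPassed": False,
         "entityResults": [{"entity": {"id": "sg-web", "type": "SecurityGroup"},
                            "passed": False}]},
        {"rule": {"name": "S3 bucket has versioning enabled",
                  "severity": "low"},
         "testPassed": False,
         "entityResults": [{"entity": {"id": "logs-bucket", "type": "S3Bucket"},
                            "passed": False}]},
        {"rule": {"name": "RDS instance is not publicly accessible",
                  "severity": "high"},
         "testPassed": True,
         "entityResults": [{"entity": {"id": "db-main", "type": "RDSInstance"},
                            "passed": True}]},
    ]
}


def main():
    # In a pipeline: report = submit_template(url, key, secret, bundle, cft)
    report = SAMPLE_REPORT
    failures = failing_entities(report, min_severity="medium")
    for rule, sev, entity in failures:
        print(f"FAIL [{sev}] {entity}: {rule}")
    if failures:
        print(f"{len(failures)} blocking finding(s); failing the build")
        sys.exit(1)
    print("Assessment passed; build may continue")


if __name__ == "__main__":
    main()
```

Run as the last step of the build stage; a non-zero exit code is what most CI systems treat as a failed job, so the release stops until the template is fixed. Raising `min_severity` to `high` lets the same script act as a softer gate earlier in development and a strict one before production.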

Another option is to apply automatic remediation, like stopping a rogue instance that does not comply with the policy. The remediation is achieved by using an open source project maintained by Dome9, called CloudSupervisor.

Despite the disruption it can bring, breaking the CI/CD pipeline to shore up compliance should not be considered extreme or radical. It should be viewed simply as the new standard and best practice. These aren’t suggestions. They’re requirements. Ignoring them means risking non-compliance and significant development delays.

DevSecOps has never been easier

Dome9 strives to empower security and compliance engineers. We understand that they need to become part of the DevSecOps movement, or else become irrelevant.

Dome9 allows customers to fully automate their release process while maintaining a very high level of security and regulatory compliance.

Our customers can choose the right point in the process to run the compliance engine: at the very beginning, when the environment exists only as a JSON template; once the environment has been built; or against the live production environment. They can also decide what happens when issues are discovered.

Dome9 wants to give you the tools you need to release products quickly, correctly and safely, all while balancing your business needs with security and compliance requirements.
