A Simply Brilliant Way to Improve the Security Pipeline

Want to learn more about improving the security pipeline? Click here to find out more about the 2018 Nexus Users' Conference on key security practices in application development.

By Derek Weeks · Sep. 20, 18 · Presentation

Sometimes, the simple ideas are the most genius.

Xin Xu presented one such idea at our 2018 Nexus Users' Conference. Xin is an information security principal for Kaiser Permanente, a health care provider in the U.S. with 12.2 million customers and 200,000 employees. So, yes, there is a lot of application development happening at Kaiser, and they use Nexus IQ to manage the repositories.

In a typical build process, the application queries the component repository to ask for a library. The repository firewall then checks whether the library is acceptable under policy. If it is, the host repository serves the applicable, approved code. If it isn't, the firewall withholds the code and the build breaks.

This is the typical — but not the ideal — time to tell a developer they can't use a library. They have already written code against it, and now they have to rework it.

Kaiser, on the other hand, built a tool to provide input to architects/developers before they decide which open source libraries to use. That is, they can query Nexus IQ through a simple search tool at the beginning of the design process to ensure it can be used, and, if so, which features are available. The search is set up so that you don't need to be a developer to use it since many of the users don't have any programming background.

The app has a simple interface (note: the screenshots are stripped of any product-specific information).

After hitting the search button, the query is sent to the web application, which mimics the Maven process by sending an HTTP request to the component repository. The request goes through the Nexus evaluation process, and the result is returned to the application, which then tells the end user whether the component was found and what details are known about it: What is the security status? What are the licensing details?

Kaiser managed to shift the security process fully to the left so that it can be part of the whiteboard part of the design. It has the potential to save a tremendous amount of rework.
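The flow described above, as an added example that is not Kaiser's tool and does not use the Nexus IQ API: a coordinate typed into a search box is translated into the path a Maven client would request, the repository firewall is asked about it, and the user gets a security status, a license and any policy violations back before any code is written against the library. The firewall here is a constructed in-memory stub with made-up policy data, and `http_fetch` assumes a hypothetical endpoint that answers with JSON in the same shape.

```python
"""Design-time component check (added example, not Kaiser's tool, not the Nexus IQ API)."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.request import urlopen


@dataclass
class Evaluation:
    """What the end user sees for one searched component."""
    coordinate: str
    found: bool
    security_status: str = "unknown"   # e.g. "clean" or "vulnerable"
    license_id: str = "unknown"
    violations: List[str] = field(default_factory=list)

    @property
    def approved(self) -> bool:
        # Approved only if the repository knows the component and policy raised nothing.
        return self.found and not self.violations


def maven_path(coordinate: str) -> str:
    """Turn groupId:artifactId:version into the repository path a Maven build would request."""
    group, artifact, version = coordinate.split(":")
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.pom"


# Constructed policy data standing in for the firewall's evaluation (hypothetical components).
FAKE_FIREWALL: Dict[str, dict] = {
    "org/example/webutils/2.1.0/webutils-2.1.0.pom": {
        "security": "clean", "license": "Apache-2.0", "violations": []},
    "org/example/oldparser/1.0.3/oldparser-1.0.3.pom": {
        "security": "vulnerable", "license": "MIT",
        "violations": ["Security-High: version has a known vulnerability"]},
    "org/example/viral/3.0.0/viral-3.0.0.pom": {
        "security": "clean", "license": "GPL-3.0",
        "violations": ["License-Copyleft: GPL-3.0 is not permitted by policy"]},
}


def fake_fetch(path: str) -> Optional[dict]:
    """Stand-in for the HTTP request the real tool sends to the repository firewall."""
    return FAKE_FIREWALL.get(path)


def http_fetch(base_url: str) -> Callable[[str], Optional[dict]]:
    """Build a fetcher for an assumed endpoint that returns JSON like FAKE_FIREWALL's values.
    Hypothetical: a real repository firewall has its own API and response format."""
    def fetch(path: str) -> Optional[dict]:
        with urlopen(f"{base_url.rstrip('/')}/{path}") as resp:
            return json.load(resp) if resp.status == 200 else None
    return fetch


def check_component(coordinate: str, fetch: Callable[[str], Optional[dict]] = fake_fetch) -> Evaluation:
    """Ask the firewall about one coordinate, the way the build would, but before any code exists."""
    result = fetch(maven_path(coordinate))
    if result is None:
        return Evaluation(coordinate, found=False)
    return Evaluation(coordinate, True, result["security"], result["license"], list(result["violations"]))


def review_candidates(coordinates: List[str], fetch=fake_fetch) -> dict:
    """Run the check over a whole candidate list at whiteboard time: what can be used,
    and what would have broken the build later (with the reason)."""
    evaluations = [check_component(c, fetch) for c in coordinates]
    return {
        "approved": [e.coordinate for e in evaluations if e.approved],
        "blocked": {e.coordinate: e.violations or ["not found in repository"]
                    for e in evaluations if not e.approved},
    }


if __name__ == "__main__":
    report = review_candidates([
        "org.example:webutils:2.1.0", "org.example:oldparser:1.0.3",
        "org.example:viral:3.0.0", "org.example:missing:9.9",
    ])
    print(json.dumps(report, indent=2))
```

Swapping `fake_fetch` for `http_fetch("https://firewall.example/...")` keeps the rest unchanged; the point is that the same question the build asks is answered at design time, so a blocked component is rejected before anyone has written against it.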

It is such a simple idea, yet it is brilliant in its simplicity.

The 2018 Nexus Users' Conference was held in June. You can watch Xin's full presentation here and all of the sessions here.

All Day DevOps 2018

Speaking of conferences, All Day DevOps 2018 is just around the corner! Registration is available here.

The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30 minutes long. With five separate tracks (CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering) and 100 speakers, there's sure to be something for everyone.

And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.

Hope to see you online at the show!


Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
