A Simply Brilliant Way to Improve the Security Pipeline
Sometimes, the simple ideas are the most genius.
Xin Xu presented one such idea at our 2018 Nexus Users' Conference. Xin is an information security principal for Kaiser Permanente, a health care provider in the U.S. with 12.2 million customers and 200,000 employees. So, yes, there is a lot of application development happening at Kaiser, and they use Nexus IQ to manage the repositories.
In a typical build process, the build queries the component repository for a library. The repository firewall then evaluates whether that library meets policy. If it does, the host repository serves the approved component; if it doesn't, the firewall withholds the component and the build breaks.
This is the typical — but not the ideal — time to tell a developer they can't use a library. They have already written code against it, and now they have to rework it.
Kaiser, on the other hand, built a tool that gives architects and developers this input before they decide which open source libraries to use. That is, at the beginning of the design process they can query Nexus IQ through a simple search tool to confirm that a library can be used and, if so, which features are available. The search is set up so that you don't need to be a developer to use it, since many of its users have no programming background.
The app has a simple interface (note: the screenshots are stripped of any product-specific information).
After the user hits the search button, the web application mimics the Maven process by sending an HTTP request to the component repository. That request goes through the Nexus evaluation process, and the result is returned to the application, which then tells the end user whether the component was found and what is known about it. What is its security status? What are the licensing details?
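To make the two flows above concrete, here is an added example (not Kaiser's tool and not Sonatype's code) of a minimal "ask before you design" lookup. It builds the same request path a Maven client would send for a component's POM, sends it to a repository, and turns the outcome into a plain-language verdict for a non-developer. The repository URL, the assumption that a quarantined component comes back as HTTP 403, the in-memory fake repository and the license text are all constructed for this example; a real deployment would point at the organisation's proxied repository and Nexus IQ policy.

```python
"""Added example: a design-time component lookup that mimics the Maven
request path and reports the repository firewall's decision in plain words.
Nothing here is Kaiser's or Sonatype's code; all endpoints and data are
assumptions or constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

REPO_BASE = "https://repo.example.internal/repository/maven-public"  # assumed URL


@dataclass
class Verdict:
    coordinates: str
    url: str
    found: bool
    approved: bool
    reason: str
    license: Optional[str] = None


def maven_pom_path(group_id: str, artifact_id: str, version: str) -> str:
    # Maven repository layout: dots in the groupId become path separators.
    return f"{group_id.replace('.', '/')}/{artifact_id}/{version}/{artifact_id}-{version}.pom"


def parse_coordinates(text: str) -> Tuple[str, str, str]:
    parts = text.strip().split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected groupId:artifactId:version")
    return parts[0], parts[1], parts[2]


def extract_license(pom_text: str) -> Optional[str]:
    """Pull the first <licenses><license><name> out of a POM, namespace or not."""
    try:
        root = ET.fromstring(pom_text)
    except ET.ParseError:
        return None
    for el in root.iter():  # drop the POM XML namespace so paths stay simple
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    name = root.findtext("licenses/license/name")
    return name.strip() if name else None


def http_fetch(url: str, timeout: int = 5) -> Tuple[int, str]:
    """Default fetcher: returns (status, body). Replaced by a fake in tests."""
    req = urllib.request.Request(url, headers={"User-Agent": "design-lookup/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def lookup(coordinates: str, fetch: Callable[[str], Tuple[int, str]] = http_fetch,
           base: str = REPO_BASE) -> Verdict:
    g, a, v = parse_coordinates(coordinates)
    url = f"{base}/{maven_pom_path(g, a, v)}"
    status, body = fetch(url)
    if status == 200:  # served: the component passed policy
        return Verdict(coordinates, url, True, True,
                       "approved by repository policy", extract_license(body))
    if status == 403:  # assumption: firewall rejects quarantined components with 403
        return Verdict(coordinates, url, True, False,
                       "blocked by repository firewall: " + body.strip())
    if status == 404:
        return Verdict(coordinates, url, False, False, "not found in the proxied repository")
    return Verdict(coordinates, url, False, False, f"unexpected HTTP {status}")


def describe(v: Verdict) -> str:
    """Plain-language line for users without a programming background."""
    state = "OK to use" if v.approved else "do NOT use"
    lic = f", license: {v.license}" if v.license else ""
    return f"{v.coordinates}: {state} ({v.reason}{lic})"


# Constructed in-memory repository standing in for the proxy plus firewall.
FAKE_REPO = {
    "com/example/libgood/1.2.0/libgood-1.2.0.pom": (200,
        '<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses><license>'
        '<name>Apache-2.0</name></license></licenses></project>'),
    "com/example/libbad/0.9.0/libbad-0.9.0.pom": (403,
        "component quarantined by policy: security-critical"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_REPO.get(url[len(REPO_BASE) + 1:], (404, ""))


if __name__ == "__main__":
    for coord in ("com.example:libgood:1.2.0", "com.example:libbad:0.9.0",
                  "com.example:missing:1.0"):
        print(describe(lookup(coord, fetch=fake_fetch)))
```

The injected `fetch` callable is the only piece that changes between the offline demo and a real run: pass the default `http_fetch` and the tool sends the same GET a Maven build would, so whatever the firewall decides at build time is what the architect sees at the whiteboard.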
Kaiser managed to shift the security process fully to the left, so that it can be part of the whiteboard stage of the design. It has the potential to save a tremendous amount of rework.
It is such a simple idea, yet it is brilliant in its simplicity.
All Day DevOps 2018
The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30 minutes long. With five separate tracks (CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering) and 100 speakers, there's sure to be something for everyone.
And speaking of everyone, if you're part of an organization with 20+ people who want to attend the conference (again, it's free!), then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.
Hope to see you online at the show!
Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.