It would be crazy these days to deny the increasing importance of cloud infrastructure in software. Organizations and individuals alike are building and releasing software faster than ever before, containerizing applications and moving to cloud deployments in droves.
Perhaps less apparent is the growing trend for development teams to move their development pipelines to cloud-build environments. Not surprisingly, the leading supporter of this trend is the world’s largest cloud infrastructure provider, Amazon Web Services (AWS). By providing an ecosystem of developer plugins, native build and CI tools, and container services, AWS allows for an incredibly seamless “develop, build, package, and deploy” pipeline in the cloud. This gives DevOps teams unparalleled speed moving from development to production. But automated development and continuous delivery can complicate the validation of containerized apps — and ultimately risk the security of applications and containers being deployed. Securing applications built in the cloud is a daunting task, exacerbated by several trends:
- Increased use of open source software. While open source software makes developers more productive, it also requires developers to track security and compliance risks as they arise.
- Flexible infrastructure for continuous delivery. The move to decentralize build and continuous integration processes makes it more difficult to govern across all the build toolsets.
- Containerized applications. As organizations break down applications into container-based microservices, it becomes harder to track the contents of the applications inside those containers.
DevOps teams expect to spend less time on security, while updating applications more frequently and adding new open source components as a regular part of their process. As DevOps teams continue this trend, they also need to fully integrate and automate security.
A Fully Secure Continuous Delivery Pipeline in AWS
That’s why Black Duck started working with Amazon to ensure that teams building applications in the cloud can easily manage security at every step of the development process. You can start baking security in early by choosing safe components with the assistance of Black Duck Hub plugins for AWS-supported IDEs like Eclipse and Visual Studio. Black Duck identifies security risk in open source components and warns you of vulnerable components or ones that violate your open source policies.
As your code moves on to the build stage, Black Duck now integrates directly with AWS CodeBuild, Amazon’s fully managed build service, so you can automatically scan applications for open source risks as a post-build step. The integration also works within AWS CodePipeline, so you can incorporate automatic build scans into your continuous integration and delivery pipeline, a key step to maintaining the speed and agility enabled by cloud build environments without sacrificing security.
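To make the "post-build step" concrete, here is an added example of the kind of gate such a step runs; it is not Black Duck's or AWS's code. A CodeBuild `buildspec.yml` `post_build` phase would invoke the scan and then run this script, which reads the scan report and exits non-zero when a component carries a vulnerability at or above a severity threshold or violates an open source policy, so CodePipeline stops before the artifact is deployed. The report schema, component names and `VULN-PLACEHOLDER` identifiers are constructed for the example and are not Black Duck Hub's real output format.

```python
"""Post-build open source risk gate (added example, hypothetical report format).

Intended to run from a CodeBuild post_build phase, e.g.:
  post_build:
    commands:
      - <run the scan, writing scan-report.json>   # scan command not shown
      - python risk_gate.py scan-report.json HIGH
A non-zero exit fails the build, which halts the CodePipeline stage.
"""
import json
import sys

# Ordering used to compare severities against the configured threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in a hypothetical schema (not Black Duck's).
SAMPLE_REPORT = {
    "components": [
        {
            "name": "acme-http",
            "version": "2.3.1",
            "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "severity": "HIGH"}],
            "policy_violations": [],
        },
        {
            "name": "acme-strings",
            "version": "1.0.0",
            "vulnerabilities": [],
            "policy_violations": [],
        },
        {
            "name": "acme-json",
            "version": "0.9.4",
            "vulnerabilities": [{"id": "VULN-PLACEHOLDER-2", "severity": "LOW"}],
            "policy_violations": ["license not on the approved list"],
        },
    ]
}


def evaluate(report, fail_at="HIGH"):
    """Return the findings that should block the build.

    A finding is produced for every vulnerability whose severity is at or
    above `fail_at`, and for every policy violation regardless of severity,
    mirroring the two kinds of warning described in the text.
    """
    threshold = SEVERITY_RANK[fail_at.upper()]
    findings = []
    for comp in report.get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        for vuln in comp.get("vulnerabilities", []):
            rank = SEVERITY_RANK.get(vuln["severity"].upper(), 0)
            if rank >= threshold:
                findings.append(f"{label}: {vuln['id']} ({vuln['severity']})")
        for violation in comp.get("policy_violations", []):
            findings.append(f"{label}: policy violation: {violation}")
    return findings


def load_report(path):
    """Read a report file; unreadable or malformed input is itself a failure."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # Without a path the constructed sample is used so the script runs offline.
    report = load_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    fail_at = argv[2] if len(argv) > 2 else "HIGH"
    findings = evaluate(report, fail_at)
    for line in findings:
        print("BLOCKING:", line)
    if findings:
        print(f"{len(findings)} blocking finding(s); failing the build.")
        return 1
    print("No blocking findings; build may proceed.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Failing the build on policy violations even at a low severity threshold is deliberate: a license or component ban is a policy decision, not a vulnerability score, so it should not be silently waived by raising the severity bar.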
And when you’re ready to deploy your containers in production, Black Duck’s scan client can scan the container images stored in Amazon EC2 Container Registry (ECR). Image scan results are sent directly to your dedicated Hub instance, providing the same open source vulnerability, license, and operational risk information you’ve come to expect from Black Duck Software.
At Black Duck, we know you don’t just migrate application workloads to the cloud. The cloud is about reinventing how you build cloud-native applications with automated continuous integration tools, microservices and containers. Now you can count on Black Duck for AWS to provide your developers and development teams with open source security and compliance as an integrated part of your continuous integration pipeline. As DevOps teams continue to transform in amazing ways, we’ll be there to make sure that transformation includes security.