DevSecOps – Compliance & Governance
DevSecOps is short for development, security, and operations, and it is how organizations deliver and make security decisions and actions within their valued deliverables. CI/CD pipelines help organizations with their DevSecOps to continuously integrate security in the software development lifecycle.
What is Security Scanning?
Security scanning, including container and vulnerability scanning, allows you to detect vulnerabilities in deployable artifacts and running applications. Container scanning can refer to scanning the base image or the running container for known vulnerabilities / security exposures. Containers can have several layers all with third party open source powering parts of the container which need to be regularly scanned.
How security scanning works with Harness.
Harness has the ability to call container scanning and vulnerability scanning tools as part of a CI/CD pipeline. Passing a container scan can be a quality gate in a Harness Pipeline Stage before moving on to a deployment. Passing a vulnerability scan can be a quality gate before a build is packaged and deployed.
What is Pipeline Compliance?
Pipeline compliance is the ability for a pipeline to adhere to a certain standard, i.e. conformance, or the ability to have controls in place, i.e. governance.
How Harness addresses pipeline compliance.
Harness can enforce pipeline compliance and also pipeline conformance in several ways. Standardization is a driving factor around compliance providing the guard rails. Harness has the ability to leverage templates and has configuration-as-code which can be managed in a Source Code Management [SCM] solution. With RBAC, controls can support a wide set of users who need to view and users who need edit. Harness can also score conformance to pipeline standards with the Harness Pipeline Governance feature.
Regulatory and operational compliance is critical in software development. Harness’s Pipeline Governance feature will allow you to measure how compliant your pipelines are with your regulatory and operations standards.
In an organization where developers are continuously pushing code to production, managing risks can be difficult. This piece details pipeline compliance under the umbrella of governance, risk management, and compliance (GRC).
What is Secrets Management?
Sensitive properties and passwords should not be stored in plain text. Modern approaches are to store sensitive information as encrypted secrets. To manage the lifecycle of a secret, e.g updates and secret injection, secret management solutions are available.
How Harness manages Secrets.
Harness includes a built-in secrets management feature that enables the storing of encrypted secrets. With Harness, you can also use third-party secrets managers such as HashiCorp Vault, Azure Key Vault, CyberArk, or AWS Secrets Manager.
What is Auditing?
Auditing in a technology-sense is the examination of evidence and controls. Having systematic record of why and where a pipeline ran is crucial in an audit.
How Harness addresses Auditing.
Audits provide us with answers to who, what, when, and where. Harness helps you with your audit and compliance needs. The audit trails feature provides records of all events and changes to your services and accounts.