Today’s development and devops teams are using containers to build and deploy software faster than ever before. In a recent 2018 DZone Guide to Containers: Development and Management, 77 percent of respondents cited faster development as a top benefit of leveraging containers at their organization.
With this ability to implement faster development, also comes a need to properly configure, manage, and secure containers and microservices. At Twistlock, we’re proud to partner with leaders like Weaveworks who are pioneers in helping organizations navigate the cloud native ecosystem. Today, I’ll share how DevSecOps along with a Weaveworks GitOps approach for continuous delivery can ensure you are deploying more secure containers.
Note: Twistlock uses Weaveworks sock-shop application as a demo microservice app every day. We’re huge fans!
Implementing DevSecOps as part of the CI process
DevSecOps refers to the practice of integrating security into the devops process. While there are many best practices, I want to highlight a few ways enterprises are using Twistlock as part of their CI process:
- Vulnerability and compliance scans as part of the build: By scanning each image as it is built, developers and devops teams can gather quick, deep analysis on the vulnerability and compliance status of an image. Additionally, they can see data about specific vulnerability or compliance issues and related vendor fix status.
- Block a build from progressing through the development pipeline: In many circumstances, enterprises may want to fail a build that doesn’t meet there vulnerability standards. For example, an organization might want to block a critical vulnerability with a known vendor fix. This quality gate requires the developer to fix that critical image in order for the image to be pushed to the registry.
- Continuously monitoring the registry before deploying to production: Twistlock integrates with any Docker v2 registry to continuously monitor that registry for vulnerabilities and compliance issues. When it comes time to deploy an application, enterprises know that they have insight into any risk present in their images. Additionally, they can set quality gates on what can be deployed in different environments.
In the screenshot above, you can see an image that Twistlock has scanned, along with corresponding vulnerability status. In this example, I’ve expanded a Critical vulnerability with several vendor fixes that can be implemented.
After implementing a standardized continuous integration workflow, we arrive at a pivotal point — deploying and managing applications in a modern way at scale.
GitOps with Weaveworks
GitOps allows developers to manage both infrastructure provisioning and software deployments and rollbacks through pull requests. With GitOps, developers use Git as the source of truth for the desired state of their entire application. When the source of truth differs from what’s running in the cluster, the cluster gets automatically synchronized with what’s kept in Git. Weaveworks has put together a tremendous set of resources called GitOps: What You Need to Know if you are interested in learning more.
In our recent webinar, we discussed the benefits of using Weave Cloud to simplify deployment, monitoring and management for containers and microservices:
- Enable faster application deployment: Deploy applications either automatically or manually. Users can use a version control system, like Github, as the source of truth for application configuration, improving reliability, and allowing for automated alerts in case of divergence.
- Gather powerful performance insights: Weaveworks allows users to monitor and observe all aspects of your application and cluster and to query across hosts, workloads and metrics.
- Quickly and easily troubleshoot issues: Monitor all the aspects of your application, and cluster and query across hosts, services and metrics to visualize the emergent structure of your application in a consistent way in real-time, whether it’s running in development or production. You can map and uncover the structure of an application, including microservices, containers, instances and networks. View logs, scale up or down services, or diagnose issues in real-time.
Weave Cloud’s deployment agent runs inside the cluster. This means that credentials for container image registries, and the cluster API never leave the cluster’s domain.
By using Git as the source of truth, the desired state and the current state can be compared and alerted on. This not only ensures that the cluster is kept up-to-date, but it also provides a way to quickly recover from disaster if the cluster melts down.
If you’re interested in learning more about GitOps, and how this benefits continuous delivery as well as security, check out the blog: GitOps 101: What Is GitOps, and Why Would You Use It?
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
How to Lock Down the Kernel to Secure the Container HostRead the Blog
One Chapter Ends, Another BeginsRead the Blog
The Greatest Security Risks Lurking in Your CI/CD PipelineRead the Blog
Cloud Platform Radar: Powerful Cloud Asset IdentificationRead the Blog
Securing Serverless Functions: Visibility with Serverless RadarRead the Blog