GitOps: The Compliance Tool that’s already in your DevOps Cycle

With major incidents like the recent Log4j vulnerability and a new cybersecurity executive order hitting headlines over the past year, enterprises, government entities, and development teams are increasingly concerned with the security of their applications.

As a community resource for over one million developers, CTOs, and enterprise architects, all of us at StackShare have this worldwide shift towards better cybersecurity on our minds too.

Our product, Private StackShare for Teams, is a GitOps solution for development teams whose goal is to give organizations a single place to see all of their technology stacks and the developers using them. GitOps isn’t typically associated with compliance and security, but we’ve seen a recent, industry-wide shift: GitOps being leveraged as a compliance tool.

What is GitOps?

GitOps, an idea first proposed by WeaveWorks (an enterprise Kubernetes management firm), is now common throughout the DevOps community. According to Atlassian, it means “using Git pull requests to verify and automatically deploy system infrastructure modifications.” Because the pull request workflow keeps the running system in sync with the repository, developers can see and track each other’s changes.

Why GitOps Matters to Security

Warren Buffett once said, “Risk comes from not knowing what you’re doing.”

And along the same lines, compliance can boil down to one general question: do you know what your organization is doing?

Breaking this down, do you know which users enter your system and what they’re doing inside it? Do you understand which components are included in your applications? Do you know which teams are using which technologies?

When these questions are answered, it’s much easier to mitigate risk. GitOps was originally created without security-related use cases in mind, but since it answers exactly these types of questions, it can double as a compliance tool.

For instance, with a GitOps solution like Private StackShare for Teams, seeing where a vulnerable component (such as Log4j) is located throughout your applications and which teams used it would be a quick and simple process because of the centralized view of all program elements. Program visibility and successful compliance go hand-in-hand.
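As an added illustration of that lookup (example code written for this post, not part of Private StackShare for Teams), the script below scans constructed Maven dependency entries from several repositories, maps each repository to its owning team, and reports where a given component is declared and which teams still run a version below an assumed policy threshold. The repository names, teams, versions and threshold are all made up for the example.

```python
import re

# Constructed sample: each repo's owning team and the <dependency> entries from
# its pom.xml. Repo names, teams and versions are assumptions for this example.
REPOS = {
    "payments-api": {"team": "@acme/payments", "pom": """
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
          <version>2.14.1</version>
        </dependency>"""},
    "search-svc": {"team": "@acme/search", "pom": """
        <dependency>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-core</artifactId>
          <version>2.17.1</version>
        </dependency>"""},
    "web-frontend": {"team": "@acme/web", "pom": """
        <dependency>
          <groupId>ch.qos.logback</groupId>
          <artifactId>logback-classic</artifactId>
          <version>1.2.10</version>
        </dependency>"""},
}

# Matches one Maven <dependency> block and captures groupId, artifactId, version.
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>([^<]+)</groupId>\s*<artifactId>([^<]+)</artifactId>"
    r"\s*<version>([^<]+)</version>", re.S)

def version_tuple(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def locate(repos: dict, group: str, artifact: str, min_safe: str) -> list:
    """Every (repo, team, version, needs_upgrade) where the component is declared."""
    hits = []
    for name, meta in repos.items():
        for g, a, v in DEP_RE.findall(meta["pom"]):
            if (g, a) == (group, artifact):
                hits.append((name, meta["team"], v, version_tuple(v) < version_tuple(min_safe)))
    return sorted(hits)

def teams_to_notify(hits: list) -> set:
    """Owning teams that still declare a version below the policy threshold."""
    return {team for _, team, _, needs_upgrade in hits if needs_upgrade}

# "2.17.1" is an assumed policy threshold for this example, not a statement about any release.
LOG4J_HITS = locate(REPOS, "org.apache.logging.log4j", "log4j-core", "2.17.1")
```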

3 Challenges in Building Out Compliance

In general, as an organization builds out better compliance, whether it be for informing auditors or following internal policies, there are a few key pieces of knowledge that need to be collected:

1. Permissions Observability

Who’s entering your system and making changes to records or infrastructure? According to RedMonk, answering this question can often be a complicated process: “If you are providing information to auditors, or just trying to meet internally defined standards, historically you’re often running around after the fact with a spreadsheet trying to build a record or audit trail.”


2. Change Management

How do you store data on changes in one place? With so many moving parts within development teams, it’s challenging to first figure out who’s making infrastructure changes or SSHing into servers or containers, and then to actually record this data in one place.


3. Security Ownership

With a shift-left mindset becoming prevalent, companies need to take the load off their security teams by focusing on problem prevention over problem detection. Essentially, developers need to take shared responsibility for security as they build software; otherwise shifting left won’t succeed. Development teams themselves benefit from shifting left as well, because teams that build security into their work also do better at continuous delivery.

So although a shift-left mentality helps every stage of the Software Development Life Cycle, it runs up against a commonly held belief among developers that “security is someone else's job.”


How GitOps Solves Compliance Challenges

1. Identity and Access Management

Using GitHub or GitLab means identity and access management are already incorporated into how you work. Permissions are baked in with pull requests or merge requests, showing who signed off on a change and when.

Within Private StackShare for Teams, you can take the GitOps tools you already use and optimize them for compliance. PSS builds on your current tools by producing clearer, more user-friendly documentation of changes through pull request integration.

2. Centralized Data

GitOps originally sought to meet one of Martin Fowler’s Continuous Integration tenets: “Everyone can see what's happening”. He wrote, “Continuous Integration is all about communication, so you want to ensure that everyone can easily see the state of the system and the changes that have been made to it.”

Compliance can be a collaborative effort, in a similar way. If you use your source code management system as a source of truth, it becomes a central location to pull any data needed to answer compliance questions.
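The sign-off record described under Identity and Access Management above and the source-of-truth idea here come down to the same thing: Git history already answers who changed what, when, and who approved it. The added example below (written for this post; not StackShare code) parses constructed `git log --name-only` output whose merge commits carry `Reviewed-by`/`Approved-by` trailers into change records, then answers one compliance question: which infrastructure changes were merged with no sign-off at all. Hashes, names, e-mails and paths are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `git log --name-only` output; all values are made up.
GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Alice Example <alice@example.com>
Date:   2022-01-10T09:12:00+00:00

    Merge pull request #42 from acme/tighten-sg
    Reviewed-by: Bob Example <bob@example.com>
    Approved-by: Carol Example <carol@example.com>

infra/terraform/bastion.tf

commit 2222222222222222222222222222222222222222
Author: Dave Example <dave@example.com>
Date:   2022-01-11T17:40:00+00:00

    Hotfix: bump replica count in prod

infra/k8s/prod/deployment.yaml
"""

@dataclass
class Change:
    sha: str
    author: str
    date: str
    subject: str
    signoffs: list = field(default_factory=list)  # people named in sign-off trailers
    files: list = field(default_factory=list)     # paths touched by the commit

TRAILER_RE = re.compile(r"^\s*(Approved-by|Reviewed-by):\s*(.+?)\s*$")

def parse_git_log(text: str) -> list:
    """Turn `git log --name-only` text into Change records, one per commit."""
    changes = []
    for block in re.split(r"^commit ", text, flags=re.M)[1:]:
        lines = block.splitlines()
        header = {l.split(":", 1)[0]: l.split(":", 1)[1].strip() for l in lines[1:3]}
        body = lines[3:]
        message = [l[4:] for l in body if l.startswith("    ")]      # indented message
        files = [l for l in body if l and not l.startswith("    ")]  # unindented paths
        signoffs = [m.group(2) for m in map(TRAILER_RE.match, message) if m]
        subject = next((l for l in message if l), "")
        changes.append(Change(lines[0].strip(), header["Author"], header["Date"],
                              subject, signoffs, files))
    return changes

def unsigned_changes(changes: list, prefix: str) -> list:
    """Compliance question: which changes under `prefix` carry no sign-off trailer?"""
    return [c for c in changes
            if not c.signoffs and any(f.startswith(prefix) for f in c.files)]
```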

Private StackShare for Teams takes the data already stored in your systems and makes it much easier to browse which technologies your organization uses. This makes it easier to see what tech adoption looks like in the day-to-day of your teams as well. PSS displays all tech and the people using it in a single dashboard view. Plus, alerts can keep you in the loop on which tech stack modifications are happening in real-time.

3. Development Ownership of Security

It’s important to make compliance an equal marriage between new compliance policies and pre-existing development processes, rather than a complete overhaul of what developers are already doing. If developers get faster feedback from a tool, or it takes less time to use than fixing the vulnerabilities later in the pipeline, we’re far more apt to use it.

Or in other words, when “shifting left”, compliance tool adoption is much easier when already part of a developer’s processes or adjacent to them. As a developer-centric tool, Private StackShare for Teams makes it simple for developers to organize their projects and collaborate across teams. Because they can already use this tool to simplify their daily tasks, it’s an easy transition for them to also reference PSS when responding to compliance requirements.

Optimize your GitOps for compliance by scheduling a demo of Private StackShare for Teams, or try it for free today.