November 22, 2022

Last Updated on January 15, 2024

Validating Security Within Your DevOps Pipeline
Building and deploying apps securely to the public cloud demands a security view across multiple layers of the software lifecycle—including your DevOps build/deploy pipeline. How can you ensure security at the speed of DevOps? And what are the top threats/concerns?

To share uncommon insights on public cloud application security, a recent episode of The Virtual CISO Podcast features Jeff Schlauder, Founder at Catalina Worldwide LLC. Pivot Point Security CISO and Managing Partner, John Verry, is the host.


Everybody has an opinion

Acknowledging that there are many paths to the top of the mountain, Jeff explains what his team does to secure their DevOps pipeline.

“There’s a lot of opinions; everybody has their favorite tools,” says Jeff. “We use GitLab for our repository. And we’ve used other tools along the way. GitLab does some really great things. But it does have some challenges as well. So, we start layering on what it does well and then trying to fill some of what we think are complementary services or holes where an additional tool would be beneficial.”

With a laser focus on security and code quality, Jeff’s team spends considerable time ensuring that their code is secure from the moment it is written through deployment. They also use automated tooling to identify “typical OWASP code quality” vulnerabilities on developers’ local machines before they are introduced into the application’s code repository. The goal is to use automation to identify vulnerabilities as far “left” (as early in the process) as possible.


High confidence in security

It’s fair to say that if your team does a good job with security across the DevOps pipeline, you can have a high degree of confidence that you’ve caught the major issues and the application you’re deploying is highly secure.

At Catalina Worldwide, this starts with automated code validation on developers’ machines, followed by an automated scan of the code repository.

“We get a lot of visibility from the time the code is committed through the rest of the process,” confirms Jeff. “We’re talking minutes not hours to have a reasonable assurance that at least the code and the image itself is passing those checks.”
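As an added illustration of the repository-side layer Jeff describes (not Catalina Worldwide’s actual pipeline, and not code from the podcast), here is a minimal GitLab CI configuration that runs GitLab’s maintained scanners on every commit, builds the image, scans it, and then fails the pipeline on Critical or High static-analysis findings; stage and job names, and the assumption that report artifacts are available to the later gate stage, are ours.

```yaml
# Added example: minimal .gitlab-ci.yml that layers GitLab's built-in
# security scanners behind the developers' local pre-commit checks.
# Not Catalina Worldwide's configuration; job/stage names are assumptions.
stages:
  - test
  - build
  - gate

include:
  # GitLab-maintained templates: static analysis of the committed code,
  # leaked-credential detection and known-vulnerable dependencies (run in "test").
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # Scans the image built below before it can move on to deployment.
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Container Scanning reads the image reference to scan from CS_IMAGE.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# The template jobs only report findings; they do not stop the pipeline by
# themselves. This gate turns Critical/High SAST findings into a failed
# pipeline so the checks are enforced rather than advisory. Assumes the
# gl-sast-report.json artifact from the "test" stage is passed to this stage.
sast_gate:
  stage: gate
  image: alpine:3.19
  script:
    - apk add --no-cache jq
    - test -f gl-sast-report.json || { echo "no SAST report found"; exit 1; }
    - >
      BLOCKING=$(jq '[.vulnerabilities[] | select(.severity == "Critical" or .severity == "High")] | length' gl-sast-report.json)
    - echo "Critical/High SAST findings: $BLOCKING"
    - '[ "$BLOCKING" -eq 0 ] || { echo "blocking findings present, failing pipeline"; exit 1; }'
```

Minutes after a commit, the developer sees whether the code and the image passed; merging the same gating logic into the Secret Detection and Container Scanning reports follows the same pattern.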


What’s next?

To hear this best-practice briefing podcast with Jeff Schlauder, click here.

Have you heard about continuous API scanning? This blog post will catch you up: What is Continuous API Scanning and Why Should We (as App Developers) Care?

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!