Understanding the target architecture of the DevSecOps pipeline – Implementing DevSecOps with AWS

A pipeline definition in AWS CodePipeline consists of at least two stages, and corresponding actions within each stage. We covered the constructs of AWS CodePipeline in detail in Chapter 5, Rolling Out a CI/CD Pipeline. Typical stages that come to our mind when we think of the entire life cycle of software delivery are source, […]

Test strategies for your AWS workloads – Implementing DevSecOps with AWS

Code is no longer restricted to the business application that your end users consume. Your infrastructure, CI/CD pipelines, and all the automations that you build to support your application’s delivery are equally good candidates for risking your security posture. Assuming most (if not all) components of your architecture are deployed via pipelines, there are two […]

Enable developers to identify and fix security issues – Implementing DevSecOps with AWS

The shared responsibility approach means that developers and operators should feel equally responsible and capable of identifying and fixing security issues. This can only happen when the security professionals invest time and effort in making other team members aware of the security risks, identifying the right solutions, and enabling them to leverage those solutions. Automation goes […]

Early identification of issues – Implementing DevSecOps with AWS

DevSecOps tooling automations can kick off as early as when the developer commits code to their local git repositories. By leveraging git’s pre-commit hooks, they can benefit from the feedback of these code scans even before they push the changes to a remote repository. Tip: Trufflehog is one such tool that stops you from accidentally […]

Understanding the security responsibilities in the cloud – Implementing DevSecOps with AWS

The first thing we need to understand is where exactly the cloud provider’s responsibilities end, and yours, as a customer, begin. These responsibilities can further vary depending on the type of cloud service tier (IaaS, PaaS, or SaaS) you are using. We discussed all three tiers in detail in Chapter 2, Choosing the Right […]

Leverage incident detection and monitoring – Implementing DevSecOps with AWS

Amazon Macie is a threat detection service that uses machine learning and pattern-matching capabilities to identify sensitive data being stored in S3. Customers can also define custom patterns that are used by the service to identify risks and raise security findings in AWS Security Hub, a threat detection, aggregation, and remediation service. All your pipeline […]

Important tools for security assessments – Implementing DevSecOps with AWS

The following table provides a list of some open source scanners that help mitigate a variety of security risks: Secrets Scanner: git-secrets. This utility prevents you from accidentally committing secrets and credentials into git repositories. Ideally, it should be invoked as part of a pre-commit hook. Vulnerability Scanners for Third-Party Libraries: […]

The rapid evolution of application architectures – Implementing DevSecOps with AWS

An important dimension that we cannot overlook is the evolution of application architectures over the past years, which, in a way, has added an additional burden to security investigations and sign-offs. These days, monolith applications are broken down into microservices, resulting in hundreds or thousands of APIs. Previously, you just needed to safeguard countable entry […]

Instrumenting application metrics with Amazon Managed Prometheus – Enabling the Observability of Your Workloads

As discussed previously, instantiating the Prometheus client inside our Flask application additionally enabled a /metrics endpoint that exposed application metrics to scrapers – in our case, the OTEL collector. You can also look at these raw metrics by hitting the application load balancer URL, with the /metrics suffix at the end. In my case, accessing […]

Insights and operational visibility – Enabling the Observability of Your Workloads

This category of offerings is a huge differentiator when it comes to providing ready-made solutions that extract data from multiple sources and derive insights from it to provide actionable next steps to the user. Container insights When working with AWS services in the container landscape, you can use CloudWatch container insights to summarize metrics […]