CircleCI has extended the reach of its automated package manager, known as orbs, to cybersecurity software that can be integrated into a pipeline constructed within the company’s namesake continuous integration/continuous deployment (CI/CD) platform.
Mike Stahnke, vice president of engineering for CircleCI, said extending orbs into the realm of cybersecurity will make it much easier for organizations to embrace best DevSecOps processes.
Designed to run on Amazon Web Services (AWS) and Google Cloud, the first set of orbs is being created by seven third-party cybersecurity vendors, including Alcide.io, NeuVector, Snyk, WhiteSource, Aqua Security, Anchore, Contrast Security, Probely and Twistlock, which is now part of Palo Alto Networks.
CircleCI has been making use of orb package managers to make it easier to integrate a wide variety of functions within a CI/CD pipeline. Thus far, approximately 900 orbs have been developed for the CircleCI platform. Stahnke said the goal is to give DevOps teams the option of employing orbs instead of having to manually implement tasks such as secrets management, vulnerability scanning or policy enforcement into DevOps workflows.
Stahnke said CircleCI doesn’t envision that every element of a pipeline will become an orb; there will be instances where DevOps teams will want to exercise more granular control over some aspect of the pipeline. There are, however, going to be many situations in which DevOps teams won’t want to integrate the same functions manually over and over again.
CircleCI expects orbs will prove especially useful in advancing the adoption of best DevSecOps processes because many of the controls that need to be implemented are the same across multiple pipelines, said Stahnke. By making it easier to incorporate cybersecurity software within a pipeline, DevOps teams will not have to sacrifice speed and agility to ensure security.
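To show what "incorporating a security orb into a pipeline" looks like in practice, here is an added example of a CircleCI 2.1 configuration; it is not from the article or from CircleCI, and the orb name `example-vendor/vuln-scan`, its `scan` command and the `fail-on-severity` parameter are placeholders standing in for whatever a real vendor orb exposes. The pattern it demonstrates is the real one: declare the orb once, call its command as a step, and make deployment depend on the scan job passing.

```yaml
version: 2.1

orbs:
  # Placeholder: a real security orb is referenced as namespace/orb-name@version.
  vuln-scan: example-vendor/vuln-scan@1.0.0

jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: ./build.sh            # assumed build script in the repository

  security-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      # One orb command replaces the install/configure/run lines that would
      # otherwise be copied into every pipeline by hand (parameter is hypothetical).
      - vuln-scan/scan:
          fail-on-severity: high

  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: ./deploy.sh           # assumed deploy script in the repository

workflows:
  build-scan-deploy:
    jobs:
      - build
      - security-scan:
          requires: [build]
          # Scanner credentials come from a CircleCI context, never from the config file.
          context: security-tooling
      - deploy:
          requires: [security-scan]   # a failed scan blocks deployment
          filters:
            branches:
              only: main
```

Because `deploy` requires `security-scan`, the control the security team defined (fail the build on high-severity findings) is enforced before anything reaches production, without each team re-implementing the scanner integration.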
Most organizations today are just starting down the DevSecOps path. Adoption of DevOps processes in many cases has been uneven at best. Trying to incorporate cybersecurity teams within those processes to ensure higher levels of security is the next great challenge. However, given the chronic shortage of cybersecurity professionals, cybersecurity functions must somehow be built into the DevOps pipeline automatically. In most cases, cybersecurity teams will continue to define policies and controls that increasingly are implemented by developers. Cybersecurity teams, however, still will need to validate that those controls have been implemented and tested before an application gets deployed in a production environment. Cybersecurity teams will then make developers aware of any vulnerabilities they’ve discovered, and teams can decide to address them at whatever next stage of the development process they deem appropriate.
Of course, DevSecOps also means cybersecurity teams will have to learn to trust developers. Historically, that’s been problematic because many cybersecurity professionals have tended to view developers as the primary source of the cybersecurity problem. Nevertheless, the more vulnerabilities that get addressed before an application is deployed in a production environment, the better off everyone involved in building, deploying and securing that application will be.