CircleCI Adds Security Orbs to CI/CD Platform

CircleCI has extended the reach of its automated package manager, known as orbs, to cybersecurity software that can be integrated into a pipeline constructed within the company’s namesake continuous integration/continuous deployment (CI/CD) platform.

Mike Stahnke, vice president of engineering for CircleCI, said extending orbs into the realm of cybersecurity will make it much easier for organizations to embrace best DevSecOps processes.

Designed to run on Amazon Web Services (AWS) and Google Cloud, the first set of orbs is being created by seven third-party cybersecurity vendors, including NeuVector, Snyk, WhiteSource, Aqua Security, Anchore, Contrast Security, Probely and Twistlock, which is now part of Palo Alto Networks.

CircleCI has been making use of orb package managers to make it easier to integrate a wide variety of functions within a CI/CD pipeline. Thus far, approximately 900 orbs have been developed for the CircleCI platform. Stahnke said the goal is to give DevOps teams the option of employing orbs instead of having to manually integrate tasks such as secrets management, vulnerability scanning or policy enforcement into DevOps workflows.

Stahnke said CircleCI doesn’t envision every element of a pipeline will become an orb; there will be instances where DevOps teams will want to exercise more granular control over some aspect of the pipeline. There are, however, going to be many situations in which DevOps teams won’t want to integrate the same functions manually over and over again.

CircleCI expects orbs will prove especially useful in advancing the adoption of best DevSecOps processes because many of the controls that need to be implemented are the same across multiple pipelines, said Stahnke. By making it easier to incorporate cybersecurity software within a pipeline, DevOps teams will not have to sacrifice speed and agility to ensure security.

Most organizations today are just starting down the DevSecOps path. Adoption of DevOps processes in many cases has been uneven at best. Trying to incorporate cybersecurity teams within those processes to ensure higher levels of security is the next great challenge. However, given the chronic shortage of cybersecurity professionals, cybersecurity functions within a DevOps pipeline somehow must be included automatically. In most cases, cybersecurity teams will continue to define policies and controls that increasingly are implemented by developers. Cybersecurity teams, however, still will need to validate that those controls have been implemented and tested before an application gets deployed in a production environment. Cybersecurity teams will then make developers aware of any vulnerabilities they’ve discovered and teams can decide to address them at whatever next stage of the development process they deem appropriate.

Of course, DevSecOps also means cybersecurity teams will have to learn to trust developers. Historically, that’s been problematic because many cybersecurity professionals have tended to view developers as the primary source of the cybersecurity problem. Nevertheless, the more vulnerabilities that get addressed before an application is deployed in a production environment, the better off everyone involved in building, deploying and securing that application will be.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
