I mentioned in a previous blog post that I’d take some more of the people pinging me about Jenkins World 2017 and post about them. One of the companies I’ve picked to highlight is CloudCoreo, makers of AWS security controls and auditing.
Disclosure: My company, Ingrained Technology, has a business relationship with CloudCoreo outside of our relationship with DevOps.com. That’s how I know about their attendance. But they’re a cool company for cloud security automation, so I chose to include them in my Jenkins World previews.
CloudCoreo is based on the premise: What if you could automate and audit security settings in AWS without learning security for each of its services? I’ve used their tools, and I’ll be honest, my personal AWS account had a bunch of security violations. Since I use AWS off and on in spurts, this makes perfect sense, and I was able to clean house a bit based upon the tools’ feedback.
CloudCoreo’s presence at Jenkins World will be to talk about its system, but will also concern its new Jenkins plugin. While there are tools that allow you to partially automate security generation in AWS, the cool part of the plugin is that it allows your automated system to audit the actual results of a deployment against standard security patterns. And those checks include things that are normally outside the build/deploy process, such as user rights and password change frequency.
One of the directions that cloud is going is putting security configuration directly into templates. But not every template will be designed with the same level of configuration/security. By auditing the results as part of a deploy, weaknesses in templates obtained from external sources can easily be detected early in the development process. This is fully in line with the “shift left” approach currently being used in DevOps, and gives security an edge in automating one more thing. If kicking off this Jenkins plugin is simply one of the final steps of deployment, then security can shift from “pawing through tons of config code” to “reviewing results.”
Right now, security is one of a few items (NetOps being another) that is on the critical path for DevOps to be both responsive and controlled. Companies such as CloudCoreo are helping make certain that not only does a release go out quickly, but it goes out secure.
I haven’t tried its Jenkins plugin yet, and don’t currently have any complex AWS projects going on, but the thought intrigues me. If you’re attending, stop by (the company will be giving a demo of stopping a release for violations at table T1) and see it in action, then report back what you learn. Having used CloudCoreo’s web interface, I expect the results of the Jenkins plugin will be both thorough and definitive, but verification of those suspicions would be nice.