Legit Automated Security Guardrails for AppSec

Harshil Parikh | 17 May, 2022

Overview

It is a tale as old as time, or in this case, a tale as old as code. Since the inception of applications, Security and Development teams have struggled to balance delivery and deployment speed against implementing security. This tale was only exacerbated by digital transformation, where DevOps propelled applications and infrastructure and created a self-service culture. This movement has enabled developers to go from code-to-cloud in hours, which has been a phenomenal advancement for organizations. Where AppSec teams struggle is that legacy AppSec systems and processes impede them from scaling at the speed of their development counterparts. This has led to a lack of visibility and control over security risks, and AppSec teams are left unprepared to govern and secure the modern SDLC.

Additionally, we cannot expect developers to be security experts on top of their core goals. Organizations should, however, empower their developers by giving them access to secure frameworks, libraries, and defaults, making the most secure option the easiest choice. Security guardrails are designed to help organizations do exactly that.

What are security guardrails?

In its simplest form, security guardrails are controls that prevent deviations from expected behavior. The concept of security guardrails has existed for years in AppSec, but it has only been attainable for a few organizations with very well staffed teams and a laser focus on AppSec. Teams like Netflix, Chime and Microsoft are at the forefront of creating this cultural shift.

At the core of all AppSec heartache we find applications built with vulnerabilities, and the majority of these pitfalls can be avoided if we introduce security guardrails as a fundamental part of the modern SDLC.

Why do we need them?

Since legacy AppSec systems and processes historically impeded security teams and prevented them from scaling at the speed of DevOps, the need for context-specific security policies and controls that AppSec teams define and apply within developer workflows has become acute. That need is at the root of security guardrails for AppSec.

How does it work for teams not like Netflix, Chime or Microsoft?

When we launched out of stealth in late 2021, we created the industry’s first context-aware software artifact and asset inventory with powerful workflow automation to eliminate manual processes for AppSec teams. We know a lot of vendors say “industry first”, but we truly mean it. Don’t believe us? Just ask the 25+ CISOs that backed our company because they saw great potential and a true first.

We have now expanded on that centralized visibility and workflow automation to bring another industry first: leveraging this rich context to automate controls and make real-time policy decisions across the modern SDLC.

We are thrilled that our customers have access to out-of-the-box Security Guardrails to solve the challenges that have plagued AppSec teams for years:

  • Secure Defaults – incentivize developers in CI/CD to use secure defaults in code, cloud configuration and CI/CD pipelines.
  • Vulnerability Management – ensure code is being tested by the right scanners (e.g. SAST, SCA), issues are triaged automatically and important issues are resolved in a timely manner before being pushed into production.
  • Code & Artifact Ownership – associate proper owners to codebases and software artifacts, ensuring applications are not pushed into production without proper ownership.
  • Code Change Reviews – require reviewers before merging code or automate exception workflows for code review violations.
  • and plenty more; we just don’t want to overwhelm you with all the awesomeness…

However, we know that one size doesn’t fit all, so you can easily customize existing policies or create new ones from scratch in three simple steps:

  1. Identify the policy: define what you want to be true as developers build and maintain software.
  2. Define the scope: not all code is created equal, so you can define differing expectations from code and artifacts that represent a higher business risk vs low risk software artifacts.
  3. Automate action: define the actions and notifications to be automated when these policies and controls are violated. These can be informational notifications that raise security awareness in developers, or can be more stringent gating functions in PR checks, build and deployment pipelines, etc.
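To make the three steps concrete, here is a small, self-contained policy evaluator written for this article as an illustration. It is not Tromzo’s product code and does not use any Tromzo API; the artifact fields, guardrail names, risk tiers and the two sample pull requests are all constructed for the example. Each guardrail carries the three ingredients above: the policy itself (a check), the scope (which business-risk tiers it applies to) and the automated action (notify only, or block the merge or deploy). The sample shows a high-risk service held to stricter review and scanning expectations than a low-risk internal site, with the same check producing a gate in one tier and an awareness notification in the other.

```python
"""Illustrative guardrail policy engine (example code, not Tromzo's product)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Artifact:
    """Facts about a code change / artifact as a guardrail engine would see them."""
    name: str
    risk: str              # business-risk tier: "high" or "low" (assumed tiers)
    owners: list[str]      # owning team(s); empty means unowned
    approvals: int         # approving code reviews on the pull request
    scanners_run: set[str] # scanners that produced results, e.g. {"sast", "sca"}
    open_critical: int     # unresolved critical findings from those scanners


@dataclass
class Guardrail:
    """Step 1: policy (check); step 2: scope (tiers); step 3: action."""
    name: str
    applies_to: set[str]
    check: Callable[[Artifact], bool]  # True when the artifact complies
    action: str                        # "block" (gate) or "notify" (awareness)


@dataclass
class Verdict:
    blocked: bool
    violations: list[str]     # names of guardrails that failed
    notifications: list[str]  # messages that would be sent to developers


# Hypothetical policy set mirroring the out-of-the-box guardrails described
# above; thresholds differ by risk tier (step 2), as do the actions (step 3).
GUARDRAILS: list[Guardrail] = [
    Guardrail("ownership", {"high", "low"}, lambda a: len(a.owners) > 0, "block"),
    Guardrail("code-review", {"high"}, lambda a: a.approvals >= 2, "block"),
    Guardrail("code-review", {"low"}, lambda a: a.approvals >= 1, "notify"),
    Guardrail("required-scanners", {"high", "low"},
              lambda a: {"sast", "sca"} <= a.scanners_run, "block"),
    Guardrail("no-open-criticals", {"high"}, lambda a: a.open_critical == 0, "block"),
    Guardrail("no-open-criticals", {"low"}, lambda a: a.open_critical == 0, "notify"),
]


def evaluate(artifact: Artifact, guardrails: list[Guardrail] = GUARDRAILS) -> Verdict:
    """Apply every in-scope guardrail; any failed 'block' guardrail gates the change."""
    blocked = False
    violations: list[str] = []
    notifications: list[str] = []
    for g in guardrails:
        if artifact.risk not in g.applies_to:   # out of scope for this tier
            continue
        if g.check(artifact):                    # compliant, nothing to do
            continue
        violations.append(g.name)
        if g.action == "block":
            blocked = True
        notifications.append(f"{artifact.name}: '{g.name}' guardrail violated ({g.action})")
    return Verdict(blocked, violations, notifications)


def ci_exit_code(artifact: Artifact) -> int:
    """Exit status a PR check or pipeline step would return: non-zero gates the merge."""
    return 1 if evaluate(artifact).blocked else 0


# Constructed sample inputs (not real repositories).
HIGH_RISK_PR = Artifact("payments-service", "high", ["team-payments"],
                        approvals=1, scanners_run={"sca"}, open_critical=1)
LOW_RISK_PR = Artifact("internal-docs-site", "low", ["team-docs"],
                       approvals=0, scanners_run={"sast", "sca"}, open_critical=0)

if __name__ == "__main__":
    for pr in (HIGH_RISK_PR, LOW_RISK_PR):
        v = evaluate(pr)
        print(f"{pr.name}: blocked={v.blocked}")
        for msg in v.notifications:
            print("  " + msg)
```

Running the block prints that payments-service is blocked (too few approvals for its tier, SAST missing, one open critical) while internal-docs-site passes the gate but still generates a code-review notification. The important design choice is that scope and action are data on the guardrail, not branches in the check, so the same policy can be tightened for high-risk artifacts without rewriting it.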

Tromzo Security Guardrails

We’d love to get your team up and running so your developers can start deploying secure applications.

Upcoming LinkedIn Live

Automated Security Guardrails for AppSec

The adoption of cloud-native applications and infrastructure has propelled DevOps and a self-service culture where developers go from code-to-cloud in a matter of hours. Meanwhile, legacy AppSec systems and processes have impeded security teams from scaling at the speed of DevOps, leaving them with very little visibility or control over security risks. In this agile world, security teams are completely unprepared to govern and secure the modern SDLC.

Hear from Nir Valtman and Harshil Parikh on how organizations are leveraging security guardrails in CI/CD as the ultimate security shift-left by enabling developers to go from code-to-cloud, securely.

1:00 – 1:45 p.m. PDT on Thursday, May 19
https://www.linkedin.com/video/event/urn:li:ugcPost:6930675301832171521/

Blog Series Around Security Guardrails:

https://www.tromzo.com/blog/security-guardrails-series 

TL;DR
Tromzo now provides pre-built and customizable security policies, defined by security teams and applied within developer workflows, enabling developers to go from code-to-cloud, securely.

We know there are a lot of blogs out there, so we want to say, thank you for reading ours!