GitSecure

Code Risk Analyzer

All about DevSecOps

I was part of the research team that built a first-of-its-kind security scanner for container images and running containers. It is part of IBM Cloud as the Vulnerability Advisor offering. Later, as I was leading some security and compliance solution extensions, I realized the need to build these solutions close to the developer's workflow. At the same time, DevSecOps was becoming "the thing". So in 2017 I started designing and building a solution called "GitSecure". The objective was to embed security analytics into the developer workflow. GitSecure was the first instance where I implemented Docker CIS evaluations from static deployment definitions for cloud-native workloads.

This project is now available on IBM Cloud as the Code Risk Analyzer (CRA) offering. It was one of the foundational compliance controls for IBM Financial Cloud.

GitSecure holds tremendous potential to improve security and compliance automation. I described a framework for end-to-end automation in my blog post Code2Container. The basic idea is simple: just as Kubernetes has a control loop, where we describe the desired state of an application in a spec and controllers are responsible for ensuring that state is reached, we describe our compliance posture as the desired state and build an automated engine that monitors for any discrepancy (e.g. a new vulnerability, a runtime intrusion) and drives a reconciliation loop to fix the state (e.g. by creating a PR to upgrade a vulnerable package).

Our DevSecOps tooling should also include "smart updates" that notify users about newer versions of their dependencies (yes, like existing solutions such as WhiteSource Renovate). But it should also give developers "reasons" to upgrade a dependency: Would it improve performance? Does it fix any bugs?
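To make the two ideas above concrete (the compliance control loop from Code2Container, and upgrade suggestions that carry a reason), here is an added illustration in Python. It is not GitSecure or CRA code. The desired state is a small policy dict, the observed state comes from a static read of a Dockerfile (does the final stage run as root?) plus a match of pinned dependencies against advisories, and the reconciler emits actions that each carry a reason. The Dockerfile, dependency pins and advisory identifiers (ADV-0001, ADV-0002) are constructed samples, not real packages' histories or real CVEs; the version parser only understands dotted integer versions.

```python
"""Compliance control loop: desired state -> observe -> diff -> actions with reasons.

Added illustration of the control-loop idea described above; not GitSecure/CRA code.
All inputs (Dockerfile text, dependency pins, advisories) are constructed samples.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Desired compliance state: the analogue of a Kubernetes spec.
DESIRED_STATE = {
    "max_vuln_severity": "medium",  # any finding above this is a discrepancy
    "run_as_non_root": True,
}


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed identifier, not a real CVE
    package: str
    severity: str
    affected_below: str   # every version below this one is affected
    fixed_in: str         # version the reconciler should propose


def parse_version(v: str) -> tuple:
    """Dotted integer versions only (e.g. '2.19.0'); no pre-release suffixes."""
    return tuple(int(p) for p in v.split("."))


def observe_dockerfile(dockerfile: str) -> dict:
    """Static read of a Dockerfile: the last USER instruction wins, and no USER at all
    means the container runs as root (the default)."""
    user = "root"
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if line.upper().startswith("USER "):
            user = line.split(None, 1)[1].strip().split(":")[0]
    return {"runs_as_root": user in ("root", "0")}


def observe_dependencies(deps: dict, advisories: list) -> list:
    """Match pinned dependencies (name -> version) against advisories."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package)
        if pinned is not None and parse_version(pinned) < parse_version(adv.affected_below):
            findings.append({"package": adv.package, "version": pinned, "advisory": adv})
    return findings


def reconcile(desired: dict, dockerfile_obs: dict, vuln_findings: list) -> list:
    """Controller step: compare observed state with desired state and emit actions.
    Each action carries the reason a developer would want to see in the PR."""
    actions = []
    threshold = SEVERITY_RANK[desired["max_vuln_severity"]]
    for f in vuln_findings:
        adv = f["advisory"]
        if SEVERITY_RANK[adv.severity] > threshold:
            actions.append({
                "action": "open_pr",
                "change": f"bump {adv.package} {f['version']} -> {adv.fixed_in}",
                "reason": f"{adv.ident} ({adv.severity}) exceeds allowed severity "
                          f"{desired['max_vuln_severity']}",
            })
    if desired["run_as_non_root"] and dockerfile_obs["runs_as_root"]:
        actions.append({
            "action": "open_pr",
            "change": "add a USER instruction for a non-root account",
            "reason": "CIS Docker Benchmark recommends a non-root user for the container",
        })
    return actions


# Constructed sample input: no USER line, one high and one low advisory.
SAMPLE_DOCKERFILE = """FROM python:3.11-slim
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""
SAMPLE_DEPS = {"requests": "2.19.0", "pyyaml": "6.0"}
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "requests", "high", affected_below="2.20.0", fixed_in="2.20.0"),
    Advisory("ADV-0002", "pyyaml", "low", affected_below="6.1", fixed_in="6.1"),
]


def run_loop(dockerfile=SAMPLE_DOCKERFILE, deps=SAMPLE_DEPS,
             advisories=SAMPLE_ADVISORIES, desired=DESIRED_STATE) -> list:
    """One pass of the loop; a real engine would re-run this on every new advisory."""
    return reconcile(desired, observe_dockerfile(dockerfile),
                     observe_dependencies(deps, advisories))


if __name__ == "__main__":
    for a in run_loop():
        print(a["action"], "|", a["change"], "|", a["reason"])
```

On the sample input the loop yields two actions: a PR bumping requests to the fixed version, with the advisory as the reason, and a PR adding a non-root USER. The pyyaml advisory is observed but produces no action because "low" does not exceed the policy's "medium" threshold, which is the point of keeping the desired state separate from the raw findings.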

References:

Research Blog

CRA Infoworld

Code2Container Article

IBM Cloud Podcast on DevSecOps and Supply Chain Security