CIO Handbook to Security as Code
Imagine Not Compromising Security or Innovation
Integrate Automated Security Reviews into CI/CD Pipelines to Speed Delivery
Large enterprises have spent years and millions of dollars to automate and transform software development practices into agile workstreams that continuously deliver releases in short sprints. In stark contrast, security predominantly relies on manual processes and reviews that take weeks or months to complete.
Concourse instantiates security and control objectives in code, automating security reviews of Infrastructure-as-Code such as Terraform and CloudFormation files. This shortens the review time to seconds and gives developers specific remediation guidance when violations are found. The result is developers can work largely unimpeded by security teams, confident that they are delivering code that is compliant with enterprise security standards.
Test Terraform Plan changes to prevent risks from being deployed and evaluate deployed resources in Terraform State to detect violations within configured resources and their dependencies.
The vast majority of cloud security breaches are a result of misconfiguration. Developers building cloud applications typically create Infrastructure-as-Code to automate configuration and operations. If there are security flaws in this infrastructure code, the flaws are spread automatically.
Yet most developers are not security experts. How do developers know what security standards to implement? How do they learn how to implement them? How will they know how to remediate problems? And how do they do all this in an environment that is constantly changing? Concourse solves these problems.
Easily assign security policy or policy groups to pipeline definitions with attribute tags. Once Security or DevSecOps teams assign a tag(s), it persistently stays with a resource regardless of where that resource is deployed within a cloud topology, thus ensuring all applicable policies are consistently checked.
Evaluate nested templates as a complete set to speed up security reviews and detect violations that result from interactions between different infrastructure attributes.
Get security feedback directly within existing CI/CD toolsets, including pass/fail results, the exact policies violated and non-compliant resources and what specifically must be changed.
