Security as Code: Accurics Explores DevSecOps at GitLab Commit 2021
We had a great time at GitLab Commit Virtual this year, with lots of interesting conversations. The theme of “Innovate Together” really resonated with us, because Accurics is all about bringing development and security teams together to accelerate innovation. We’re clearly not the only ones excited about what GitLab is doing; we congratulate them on their position on the 2021 Forbes Cloud 100 list!
What is Security as Code?
One of the biggest challenges facing security teams is the widening gap between the development and security worlds. That gap does not seem to be rooted in animus or conflict; it has emerged mostly out of misunderstandings and communication gaps. Security teams aren’t typically involved in the development process, and their tools do not provide the information developers need to fix security problems. Developers need to balance the need to deliver innovation to market in support of the business with the effort required to address security concerns. They need prioritized, actionable information to support those decisions, and existing security approaches require too much manual effort.
Our co-founder, CTO, and CISO, Om Moolchandani, took to the DevSecOps stage to explore these dynamics and present a codified security approach that addresses this challenge. Security as Code is not a new concept, but we feel it holds a lot of promise. Defining security, compliance, and policies as code helps developers understand the goals, and enables programmatic guardrails inside development processes that help them stay on the secure path with minimal disruption. Automated guardrails and remediation rely on a common vocabulary, so development and security teams can collaborate effectively.
Accurics and GitLab Enabling Advanced Security Use Cases
GitLab has been moving in this direction as well, with advanced security capabilities including SAST, DAST, container scanning, and dependency analysis tools. All of that information is necessary for security, but as teams rely on more and more automation in pipelines and deployment processes, with GitOps representing a particularly streamlined operational model, there is less time than ever to make sense of all the findings.
We recently announced a partnership with, and an integration for, GitLab that draws on its rich security insight to establish consistent, automated security controls extending beyond project and team boundaries. We have exciting plans to extend these capabilities to address prioritization and automated mitigation of breach paths in the future.
To help explain how codified approaches such as Infrastructure as Code and Security as Code can improve automated security decisions in pipelines and deployments, Ganesh Nakhawa, our Head of Product Management, presented on the Demo stage. Hint: the missing piece is enabling tools to understand the context of all the security findings.