Security teams often do not get visibility into security design gaps until the application is already in production. Identifying issues this late significantly increases the cost of fixing them; industry metrics put the cost of a fix in production at up to 100x the cost of the same fix at design time. Developer velocity suffers as well.
Developers' time now has to be split between product and feature development and addressing security issues, which is often a source of friction between security and development teams.
Our approach
Catch these security design gaps as early as the design phase, before they require re-architecture. Where a redesign is required, security engineers can quickly update the security design and use oak9 to automate how the updated design gets applied.
Let's say you want to update the TLS configuration of every B2C application that is still using weak ciphers. Today, security engineers must first investigate to find all the consumer-facing applications that apply, which takes significant time and resources. Once those are identified, developers must plan and prioritize the tasks to update the configurations.
Our approach
Oak9 gives security engineers visibility across all the consumer-facing apps using weak ciphers. The security engineer selects the applications to push the change to, and oak9 creates change requests for the developers through the CI/CD pipeline. The developer reviews the change and can immediately push it through the pipeline.
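The rollout described above, as an added example that is not oak9's code: a small Python audit over a constructed inventory of applications that flags deprecated protocol floors and weak cipher suites, picks out the consumer-facing ones, and generates the hardened configuration that would go into the change request. The App fields, the inventory, the weak-suite rule list and the fallback suite list are assumptions of this example; in practice the inventory would come from your IaC or load-balancer listener configuration.

```python
"""Audit TLS configuration across an app inventory and produce the hardened config.

Added example, not oak9 code. App fields, INVENTORY, WEAK_PATTERNS and
DEFAULT_SUITES are constructed for this example.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_ACCEPTABLE_TLS = "TLSv1.2"      # TLS 1.0 and 1.1 are deprecated by RFC 8996

# OpenSSL-style suite name patterns and the reason each one is weak.
WEAK_PATTERNS = [
    (re.compile(r"^EXP(ORT)?\d*-", re.I), "export-grade key length"),
    (re.compile(r"(^|-)NULL(-|$)", re.I), "NULL cipher, no encryption"),
    (re.compile(r"^(ADH|AECDH)-", re.I), "anonymous key exchange, no server authentication"),
    (re.compile(r"RC4", re.I), "RC4, prohibited by RFC 7465"),
    (re.compile(r"DES-CBC3|3DES", re.I), "3DES, 64-bit block size (Sweet32)"),
    (re.compile(r"(^|-)DES-CBC(-|$)", re.I), "single DES"),
    (re.compile(r"-MD5$", re.I), "MD5-based MAC"),
]
# Cipher-string keywords that name groups rather than suites; passed through untouched.
KEYWORDS = {"ALL", "HIGH", "MEDIUM", "LOW", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL"}
DEFAULT_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)


@dataclass(frozen=True)
class App:
    name: str
    consumer_facing: bool   # the B2C apps the rollout targets
    min_tls: str
    ciphers: str            # colon-separated OpenSSL cipher string


def is_suite(token: str) -> bool:
    """True for an explicit suite name; False for keywords (HIGH) and modifiers (!aNULL, +, -, @STRENGTH)."""
    return token[:1] not in "!-+@" and token.upper() not in KEYWORDS


def classify_suite(suite: str) -> Optional[str]:
    """Return why a suite is weak, or None if it is acceptable."""
    if suite.startswith("TLS_"):          # TLS 1.3 suites are all AEAD with forward secrecy
        return None
    for pattern, reason in WEAK_PATTERNS:
        if pattern.search(suite):
            return reason
    if not re.match(r"^(ECDHE|DHE)-", suite, re.I):
        return "static RSA key exchange, no forward secrecy"
    return None


def audit(app: App) -> List[str]:
    """Every weakness in the app's TLS configuration; an empty list means it is compliant."""
    findings = []
    if app.min_tls not in TLS_ORDER:
        findings.append(f"unrecognised minimum protocol {app.min_tls!r}")
    elif TLS_ORDER.index(app.min_tls) < TLS_ORDER.index(MIN_ACCEPTABLE_TLS):
        findings.append(f"minimum protocol {app.min_tls} is deprecated (RFC 8996)")
    for token in app.ciphers.split(":"):
        # Keywords such as HIGH are not expanded here; run `openssl ciphers -v '<string>'`
        # first if the configuration relies on them.
        if is_suite(token):
            reason = classify_suite(token)
            if reason:
                findings.append(f"{token}: {reason}")
    return findings


def find_affected(apps: List[App], consumer_only: bool = True) -> List[str]:
    """Names of apps that need the change; by default only the consumer-facing ones."""
    return [a.name for a in apps if (a.consumer_facing or not consumer_only) and audit(a)]


def harden(app: App) -> App:
    """The change request: raise the protocol floor and drop weak suites.
    If no explicit suite survives, fall back to an AEAD-only baseline rather
    than leaving the listener with an empty cipher list."""
    kept = [t for t in app.ciphers.split(":") if not is_suite(t) or classify_suite(t) is None]
    if not any(is_suite(t) for t in kept):
        kept = DEFAULT_SUITES.split(":") + [t for t in kept if not is_suite(t)]
    acceptable = TLS_ORDER[TLS_ORDER.index(MIN_ACCEPTABLE_TLS):]
    min_tls = app.min_tls if app.min_tls in acceptable else MIN_ACCEPTABLE_TLS
    return replace(app, min_tls=min_tls, ciphers=":".join(kept))


# Constructed inventory for the example.
INVENTORY = [
    App("checkout-web", True, "TLSv1.0", "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA:DES-CBC3-SHA"),
    App("mobile-api", True, "TLSv1.2", "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"),
    App("hr-portal", False, "TLSv1.1", "RC4-MD5:DES-CBC3-SHA"),
    App("legacy-gw", True, "TLSv1.2", "AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:!aNULL"),
]

if __name__ == "__main__":
    for name in find_affected(INVENTORY):
        app = next(a for a in INVENTORY if a.name == name)
        print(name, audit(app), "->", harden(app).min_tls, harden(app).ciphers)
```

Two design choices worth noting: suites without forward secrecy (static RSA key exchange) are treated as weak, not merely advisory, because a change request that leaves them in place would need a second rollout later; and `find_affected` defaults to consumer-facing apps only, which is the scoping step the security engineer performs before pushing the change.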
Ensure consistent security across your complex hybrid deployments
Current State
Many organizations are adopting hybrid deployment architectures to get the speed and scalability of the public cloud while keeping the control of their private cloud and the ability to integrate easily with their legacy on-premises applications.
Hybrid architectures increase the attack surface: many interdependent, interacting components are deployed across different environments. That makes security design for hybrid architectures challenging, because security teams must consider security across the entire application to ensure it meets the organization's security and compliance objectives.
Our approach
Use oak9's security blueprints to quickly build and tailor a deployment-agnostic security design. Oak9's security blueprints are designed to consider security for your application holistically, not just as individual configurations.
Oak9's automation bakes security in for cloud-native components to ensure they meet your security and compliance objectives. Use our task-based workflows to ensure the same for your on-premises components: assign, sequence and track security implementation tasks in Jira.
Get visibility into how well the security design is adhered to across your cloud and on-premises deployments, and stay in sync with your development teams across both.
Keep up with the rapid rate of change for your applications
Current State
Today developers can design, build and deploy foundational changes to your cloud-native application at an unprecedented rate. For example:
Developers may quickly design, build and deploy a new feature to post-process business-sensitive data using a serverless function
Developers may introduce a new analytics service into the solution architecture and can quickly deploy it for initial use.
Security teams often have no visibility into these changes or, if they do, struggle to keep up with the speed at which the product evolves. When such changes are discovered late, identifying and addressing the security considerations can add significant delay to the application's feature release timeline.
Our approach
Developers get instant security feedback as infrastructure as code (IaC) changes are checked-in to the code repository.
Security engineers are notified and can quickly tailor the security design for the application change.
Oak9’s automation enables developers to immediately bake the security design into the implementation directly through the CI/CD pipeline.
Keep up with the changes across your application portfolio
Current State
Developers are under pressure to deliver faster and more frequently than ever. Under-resourced security teams struggle to keep up with this rate of change across the application portfolio they support and end up constantly fighting fires.
The result – many application changes across the enterprise’s application portfolio get deployed with little to no security guidance, leading to the business accepting higher security risks.
Our approach
Organizations get the most value from their security teams when those teams focus on building and managing security reference architectures (security blueprints) that can be easily tailored and reused.
With oak9's automation, security moves in sync with development, allowing the security team to scale to the entire application portfolio.
Get instant feedback on security gaps when writing infrastructure as code such as CloudFormation & Terraform
Current State
IaC developers often build infrastructure as code from unvetted reference implementations (sometimes copy-pasted from GitHub) and have no visibility into the security gaps they inherit. While developers and SREs focus on the functional capabilities of the product, security engineers are left with the challenge of ensuring that security considerations are met within the infrastructure as code.
Security engineers often do not have domain expertise in IaC languages. Even with that expertise, manual code reviews are costly and time-consuming, and security engineers cannot keep up with rapid changes to the IaC.
Our approach
Oak9's platform automates security quality checks for IaC so you get instant security feedback. Developers get actionable guidance and, with Oak9's automation, can quickly remediate any security gaps.
At oak9, we believe in making security and compliance easier and more accessible for developers. Our dashboard is at the forefront of this revolution. It helps our customers visualize and interpret security and compliance for the organization as a whole as well as for individual projects. It's as straightforward as these 4 visualizations, each of which gives meaningful insight into your cloud security:
1. Total Design gaps: Below you will see a simple bar graph with 4 bars showing the total number of design gaps for each severity (Critical, High, Moderate, Low). If you click on the arrow on the top right corner of the card, you will see your design gaps filtered by individual projects and by severity.
2. Resources: Here you can see the total resources at the enterprise level. If you flip this card, you can view the total number of resources by project. Just like Total Design Gaps, this is a simple bar graph, with 6 scrollable bars showing at a time. Hovering over a bar shows the name of the project and its number of resources.
3. Compliance Frameworks: Here you will see a heat map showing how compliant your projects are. When you hover over a box, you can see the number met out of the total for that compliance framework. If you click on a compliance framework's name, you will see all the projects using that framework. Color represents severity, from red for critical to grey for low, based on the highest severity attached to the compliance framework.
4. Design Gap Trends: In the picture below, you can see design gap trends by severity over a period of 2 months. Hover over a part of a line to see the date for that point and the number of design gaps.
Also, if you want a customized view for a particular project, all you must do is select your desired project from the dropdown. Now, your dashboard view will present you with all the information for your selected project.
This dashboard ensures developers aren’t slowed down but empowered to share in the ownership of product security. Security teams are enabled to become true strategic partners in product development and design. And executives have peace of mind knowing products can be delivered faster and more securely.
For a more comprehensive understanding of our dashboard and how it relates to your use case, drop us a line at hello@oak9.io.
One of our main goals at oak9 is to make our solution to developers' security needs accessible and available. That's why we're happy to announce that oak9 is now listed on the AWS Marketplace! With oak9 available on the AWS Marketplace, our customers can purchase our product directly from Amazon. In turn, this allows our customers to:
Make purchases quicker and easier than before
Eliminate the need for a separate purchasing agreement from oak9
Utilize their existing AWS credits to either purchase our product or offset part of the cost
Now, any AWS client who may be looking for a cloud security solution can just search the AWS marketplace and find our solution directly! Our intent in this move was to help our customers streamline the purchasing process, allowing them to focus their time and efforts on what really matters.
Let us know what you want to see next by dropping us a line at hello@oak9.io
It’s here! With over 56M developers on GitHub and 17K+ Terraform projects, now developers can use the oak9 GitHub Action to easily scan for infrastructure-as-code (IaC) security issues in the GitHub pipeline.
oak9 makes cloud infrastructure security easy for developers and removes the need to trade off time against security. We built this platform with developers in mind. This integration is part of our goal to integrate seamlessly into development workflows so that developers can build secure solutions at the velocity they want.
As a developer, you can now catch security issues before they are merged & deployed and save significant time having to debug and fix them later. You will be notified, in real time, of security issues in your IaC while getting a better understanding of your security and compliance risks for your application.
Here are the highlights:
Integrate your code repository with your project in the oak9 console
Include oak9 security assessment as part of any workflow that you use in GitHub
Automatically start to find, fix and monitor your code for configuration errors in Terraform as seen in detail below:
View a high level summary in the GitHub action result page of any issues found, as well as a link back to the project in the oak9 console to view detailed results.
For example, any time new code is pushed, or a pull request is created, the new code can be automatically scanned by oak9 for design gaps. This check can be used to prevent code with design gaps from being merged into the main branch or deployed to the application environment. Here is an example of the results after the job is run.
Using oak9's GitHub Action, you'll be able to quickly scan for IaC security issues right in your GitHub pipeline. See how to set up your integration here: oak9 Github Action
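Both the automated IaC checks described in the earlier "Get instant feedback on security gaps" section and the pull-request gate described above, as one added example that is not oak9's engine or its GitHub Action: a Python scan over a constructed CloudFormation template that reports each design gap with a severity and the IaC property to change, rolls the results up by severity, and exits non-zero when anything at or above a threshold is found, which is what a pipeline step needs to block the merge. The template, the rule set, the severity names and the fix hints are all assumptions of this example; `resolve` also shows the edge case a real checker has to handle, a value that is a `Ref` to a parameter whose default is the insecure one.

```python
"""Static design-gap checks over a CloudFormation template with a CI merge gate.

Added example, not oak9's engine or GitHub Action. TEMPLATE, CHECKS, the
severity names and the fix hints are constructed for this example.
"""
import sys
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

SEVERITIES = ["Low", "Moderate", "High", "Critical"]   # ordered, lowest first
ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    resource: str
    severity: str
    message: str
    fix: str           # which IaC property the developer has to change


def resolve(value: Any, params: Dict[str, Any]) -> Any:
    """Resolve {"Ref": Param} against the template's parameter Default; other values pass through."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default", value)
    return value


def _int(value: Any, default: int) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):   # absent, or an intrinsic we could not resolve
        return default


def check_security_group(name: str, props: Dict[str, Any], params: Dict[str, Any]) -> List[Finding]:
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = resolve(rule.get("CidrIp", rule.get("CidrIpv6")), params)
        if not isinstance(cidr, str) or cidr not in WORLD:
            continue                   # restricted range, or an unresolved intrinsic
        lo = _int(resolve(rule.get("FromPort"), params), 0)
        hi = _int(resolve(rule.get("ToPort"), params), 65535)
        if str(rule.get("IpProtocol")) == "-1" or (lo <= 0 and hi >= 65535):
            out.append(Finding(name, "Critical", "all ports open to the internet",
                               "restrict CidrIp and the FromPort/ToPort range"))
        elif any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(Finding(name, "Critical", f"admin port range {lo}-{hi} open to the internet",
                               "restrict CidrIp to a management network"))
    return out


def check_bucket(name: str, props: Dict[str, Any], params: Dict[str, Any]) -> List[Finding]:
    out = []
    if "BucketEncryption" not in props:
        out.append(Finding(name, "High", "no server-side encryption configured",
                           "add BucketEncryption.ServerSideEncryptionConfiguration"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(resolve(pab.get(f), params) is True for f in flags):
        out.append(Finding(name, "Moderate", "public access block incomplete",
                           "set all four PublicAccessBlockConfiguration flags to true"))
    return out


def check_db_instance(name: str, props: Dict[str, Any], params: Dict[str, Any]) -> List[Finding]:
    out = []
    if resolve(props.get("PubliclyAccessible"), params) is True:
        out.append(Finding(name, "Critical", "database is publicly accessible", "set PubliclyAccessible: false"))
    if resolve(props.get("StorageEncrypted"), params) is not True:
        out.append(Finding(name, "High", "storage not encrypted at rest", "set StorageEncrypted: true"))
    return out


CHECKS: Dict[str, Callable[..., List[Finding]]] = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::RDS::DBInstance": check_db_instance,
}


def scan(template: Dict[str, Any]) -> List[Finding]:
    params = template.get("Parameters", {})
    findings: List[Finding] = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type", ""))
        if check:
            findings.extend(check(name, res.get("Properties", {}), params))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] += 1
    return counts


def should_block(findings: List[Finding], threshold: str = "High") -> bool:
    """The merge gate: True when any finding is at or above the threshold severity."""
    floor = SEVERITIES.index(threshold)
    return any(SEVERITIES.index(f.severity) >= floor for f in findings)


# Constructed template: one security group, two buckets, one database.
TEMPLATE = {
    "Parameters": {"AdminCidr": {"Type": "String", "Default": "0.0.0.0/0"}},
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}},
        ]}},
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                               "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        }},
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "PubliclyAccessible": True, "StorageEncrypted": False}},
    },
}

if __name__ == "__main__":
    results = scan(TEMPLATE)
    for f in results:
        print(f"[{f.severity}] {f.resource}: {f.message} -> {f.fix}")
    print(summarize(results))
    sys.exit(1 if should_block(results) else 0)   # a non-zero exit fails the pipeline step
```

Run against the constructed template this reports five gaps (two Critical, two High, one Moderate) and exits 1; the SSH rule is caught only because the `Ref` to `AdminCidr` is resolved to its `0.0.0.0/0` default, which a rule that matched literal CIDRs would miss. Keep the threshold in `should_block` at the severity your team has agreed to block on, and treat unresolved intrinsics as a separate "needs review" result rather than a pass if you extend this.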
Let us know what you want to see next by dropping us a line at hello@oak9.io
With our updated design gap content, it’s never been easier for developers to understand what their security design gaps are, why these design gaps are important, where these design gaps are, and what to do to quickly fix them.
Using oak9, you can finally eliminate the guesswork by catching security design gaps early as you update infrastructure as code (IaC) for cloud-native applications. Our platform is built right into existing development workflows starting in the design phase. You can visually depict your IaC and make security design changes with a simple drag-and-drop interface and get notified of security design gaps without ever leaving your workflow.
With this new feature, oak9 tells you:
What is the security design gap?
Where in the architecture does the gap exist?
What is causing the gap?
What is the business impact if I don’t fix it?
How do I fix it? What part of the infrastructure-as-code do I need to change to fix it?
Oh, and by the way, if you want an executive view of all these design gaps, our new dashboard rolls all of these into a single pane of glass:
Let us know what you want to see next by dropping us a line at hello@oak9.io