
Reducing the vulnerability backlog with Dazz CI/CD Visibility & Gating

Jonathan Jacobi, CTO Office, Dazz

We all know that staying secure and fixing vulnerabilities is not easy, and we have been building different solutions to this problem.

We broke the problem into sub-problems and tackled it from several angles: de-duplicating findings, prioritizing them, finding the root cause of each problem, and actually fixing the issues.

We constantly look for new ways to widen our strategy for a better security posture, and we are thrilled to announce our latest approach: visibility and prevention.

Step 1. Visibility: understand your CI/CD security posture

CI/CD pipelines have adopted many different policies and security measures to improve overall security posture.

A new difficulty this created is the question "how good is our adoption coverage right now?", and the answer is not trivial. Dazz gives CI/CD security and DevOps teams the visibility they need to manage their adoption of these measures. A classic example is the question "what percentage of our repositories is being scanned by the brand new SAST tool we just bought and deployed?"

Dazz can easily answer this question on a per application or aggregate basis.

How Dazz delivers CI/CD visibility

By connecting to the critical sources in your environment, our solution gives you visibility into how well you have adopted security tools and CI/CD policies, without any active intervention in your CI/CD pipeline.

You will be able to see at a glance which CI/CD components have adopted both your CI/CD policies and your security measures, all in one place.

Doing this effectively is possible because Dazz is a security data warehouse: our connections to your different tools give the platform the data it needs to measure application security posture and identify gaps.

Step 2. Prevent issues before they reach runtime with Dazz CI/CD gating

The Dazz Unified Remediation platform has always allowed teams to fix security findings, effectively, at scale.

The CI/CD gate we are introducing today enables a new strategy for tackling this: preventing security issues before they are deployed.

The ability to precisely define policies is a game changer. CI/CD gates have been around for a while, but a common problem is that they cannot express accurate, flexible policies.

This generates noise and friction between developers and security teams, and so much back and forth that it annoys both sides. The result is that many teams have tried implementing gates and then abandoned them.

The architecture of Dazz provides a more flexible way to build policies and gate builds on numerous points of context. Dazz gathers information from many sources, ranging from the development environment and the cloud environment to security detection tools. Once connected to these tools, Dazz can derive impactful insights about security posture, such as exploitability and risk metrics, internet exposure, the existence of public exploits, and much more. We already use this to prioritize findings effectively. Now you can use the same data to shift key decisions left, before risks impact critical applications.

Combined with business context, this lets you define very specific and precise CI/CD gating policies. A good example would be enforcing that critical vulnerabilities cannot be promoted to applications owned by revenue-generating business units that must comply with PCI DSS.

Consider how it is done without a solution like Dazz: you have to know every repository and every pipeline, make sure the right repositories are mapped to the right applications, and add CI/CD steps to gate deployments in every one of them. This does not scale and cannot be updated dynamically, so any change to the application architecture may break the control structure you just invested so much in and require additional work.

With Dazz, all of this is a matter of a few clicks.

How pipeline gating works

Once Dazz is integrated into your CI/CD pipeline, you can:

  1. Set specific policies for any repository and align them with the business and application impact of the repository being deployed.
  2. Have Dazz continuously monitor for findings that match that policy.
  3. Take action based on whether the findings comply with your policies:
    1. Allow the deployment.
    2. Block the deployment, and refer the developer to the issues in Dazz that caused the block, along with specific remediation guidance, so the reason is clear as soon as the deployment is gated.
    3. Alert: pass the deployment but get alerted.
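To make the allow/block/alert logic and the context-based policy from the previous section concrete, here is an added Python sketch of a context-aware gate evaluator. It is illustrative code written for this article, not Dazz's product code or API; the repositories, findings, policies and field names are all constructed for the example. It also contrasts the gate with a severity-only gate of the kind the text says teams abandon, to show why context matters.

```python
"""Illustrative context-aware CI/CD gate (constructed example, not Dazz product code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Decision(str, Enum):
    ALLOW = "allow"   # pass the deployment
    BLOCK = "block"   # fail the pipeline step
    ALERT = "alert"   # pass, but notify the security channel


@dataclass(frozen=True)
class Finding:
    """A scanner finding after enrichment with exposure and exploit context."""
    id: str
    severity: str           # "critical" | "high" | "medium" | "low"
    internet_exposed: bool  # asset reachable from the internet (hypothetical cloud inventory)
    public_exploit: bool    # a public exploit exists (hypothetical threat intel)
    remediation: str        # guidance returned to the developer when blocked


@dataclass(frozen=True)
class RepoContext:
    """Business context mapped onto the repository being deployed."""
    name: str
    application: str
    business_unit: str
    revenue_generating: bool
    pci_scope: bool


@dataclass(frozen=True)
class GatePolicy:
    """A scope predicate on the repo plus block/alert predicates on each finding."""
    name: str
    applies_to: Callable[[RepoContext], bool]
    block_if: Callable[[Finding], bool]
    alert_if: Callable[[Finding], bool]


@dataclass
class GateResult:
    decision: Decision
    policy: str
    blocking: list[Finding]
    alerting: list[Finding]

    def explain(self) -> str:
        """Developer-facing message: a block always names the findings and the fix."""
        if self.decision == Decision.BLOCK:
            lines = [f"BLOCKED by policy '{self.policy}':"]
            lines += [f"  {f.id} ({f.severity}) -> fix: {f.remediation}" for f in self.blocking]
            return "\n".join(lines)
        if self.decision == Decision.ALERT:
            ids = ", ".join(f.id for f in self.alerting)
            return f"PASSED with alert under policy '{self.policy}': review {ids}"
        return f"PASSED under policy '{self.policy}'"


def evaluate(repo: RepoContext, findings: list[Finding], policies: list[GatePolicy]) -> GateResult:
    """Apply the first policy whose scope matches the repo; block beats alert beats allow."""
    for policy in policies:
        if not policy.applies_to(repo):
            continue
        blocking = [f for f in findings if policy.block_if(f)]
        alerting = [f for f in findings if policy.alert_if(f) and f not in blocking]
        if blocking:
            return GateResult(Decision.BLOCK, policy.name, blocking, alerting)
        if alerting:
            return GateResult(Decision.ALERT, policy.name, [], alerting)
        return GateResult(Decision.ALLOW, policy.name, [], [])
    raise ValueError(f"no policy covers repository {repo.name}")


def severity_only_gate(findings: list[Finding]) -> Decision:
    """The blunt gate teams abandon: any critical finding blocks, regardless of context."""
    return Decision.BLOCK if any(f.severity == "critical" for f in findings) else Decision.ALLOW


# Constructed sample policies, repositories and findings (all hypothetical).
POLICIES = [
    GatePolicy(  # the PCI / revenue example from the text: no criticals, period
        name="pci-revenue-no-critical",
        applies_to=lambda r: r.pci_scope and r.revenue_generating,
        block_if=lambda f: f.severity == "critical",
        alert_if=lambda f: f.severity == "high",
    ),
    GatePolicy(  # everything else: block only exposed criticals with a public exploit
        name="default-block-exploitable-exposed",
        applies_to=lambda r: True,
        block_if=lambda f: f.severity == "critical" and f.internet_exposed and f.public_exploit,
        alert_if=lambda f: f.severity in ("critical", "high"),
    ),
]
PAYMENTS_REPO = RepoContext("acme/payments-api", "Checkout", "Payments", True, True)
INTERNAL_REPO = RepoContext("acme/build-dashboard", "DevTools", "Platform", False, False)
FINDINGS = [
    Finding("F-1", "critical", internet_exposed=False, public_exploit=False,
            remediation="bump libfoo to the patched release"),
    Finding("F-2", "high", internet_exposed=True, public_exploit=True,
            remediation="remove the vulnerable deserializer"),
]

if __name__ == "__main__":
    for repo in (PAYMENTS_REPO, INTERNAL_REPO):
        print(f"{repo.name}: severity-only gate says {severity_only_gate(FINDINGS).value}")
        print(evaluate(repo, FINDINGS, POLICIES).explain())
```

With these inputs the severity-only gate blocks both repositories because of the single critical finding, while the context-aware gate blocks only the PCI-scoped payments service and merely alerts on the internal dashboard, whose critical is neither exposed nor exploitable. The same findings plus business context yield a decision developers can act on instead of a bare failure.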

Benefits of Dazz CI/CD Gating

Pipeline gating in Dazz brings numerous benefits to security and engineering teams. With Dazz gating you can expect to:

  1. Gain visibility into your CI/CD pipelines: Dazz identifies all of your CI/CD pipelines, detailing where scanners are deployed and where they are missing. Dazz also highlights which gating policies are already in place and what their conditions are.
  2. Gate without altering your tech stack: unlike other solutions, Dazz policies can be configured on top of your existing scanners and tools. This means you are not forced to swap out scanners; instead you can configure flexible policies derived from best-of-breed detection tools.
  3. Get actionable remediation advice when builds fail: instead of a bare "block" notification, developers receive full context on why a build failed, including root cause analysis and guidance on how best to fix the issue.
  4. Reduce your security backlog: Dazz gating prevents risks from reaching your production applications and lets security teams allocate their resources to residual risk.
  5. Focus security analysis on vulnerabilities that need human review: by enforcing policies that block critical vulnerabilities from reaching production, security attention can go to issues that are more complex and require further analysis.
  6. Reduce remediation time: with a reduced backlog, security and engineering teams can further leverage automatic root cause analysis, AI-powered remediation guidance, and fixes to cut the time needed to resolve security issues.

For more information, visit our website or reach out to us here.
