DevSecOps stands for development, security, and operations. It's an approach to integrate security at every phase of the software development lifecycle, from integration, testing, deployment, and software delivery.
One of the essential things to ensure security is by auditing package dependencies for security vulnerabilities, it helps users to detect and fix known vulnerabilities in dependencies they used which could cause data loss, service outages, unauthorized access and other security violations.
In this session I will be showing "How a developer/organization can audit their project dependencies at the Development, Deployment and Delivery phase, using a single platform known as CodeReady Dependency Analytics." This platform can take care of vulnerability scanning at every phase of the software development lifecycle and it not only provides vulnerability details but also shows users the GitHub statistics to get the popularity of packages, license analysis to get information of package license.
This platform provides vulnerability and compliance analysis at following steps of SDLC
1). Feature development:- CRDA provides extensions for some of the most used IDEs to help developers find and fix vulnerabilities while writing the code. Users can also use CRDA CLI to scan dependencies from the terminal.
2). Build Pipelines:- At this stage users can leverage CRDA by using it in build pipelines, for it CRDA is available as GitHub Action, Jenkins Plugin and Tekton Task.
3). Containerization:- Once images are built it can be scanned for vulnerabilities using CRDA integration available in Clair image scanner and when image is pushed to Quay repo CRDA can scan image for vulnerabilities.
In the session I will talk about all capabilities of CRDA and demonstrate its usage in SDLC.
Video Stream