In modern cloud-native environments, which rely heavily on microservices architectures, application teams that are responsible for innovation face a dilemma: How are they to comply with ever-increasing security requirements while managing fast release cycles for hundreds of microservices? Without an automated approach to security enforcement, this can drastically slow down your team's ability to safely release new application functionality.
Conventional approaches to application security can’t keep pace with cloud-native environments that rely on agile methodologies, API-driven architectures, microservices, containers, and serverless functions. Existing approaches focus on static security scans of build artifacts and libraries in build pipelines, with two major downsides: (1) Pipelines for each bit of software need to integrate security scans and (2) vulnerabilities might only become known after build execution and therefore remain undetected and unblocked in those software versions that have already been deployed.
By combining DevOps with Security to enable DevSecOps, you can shift security checks left into the software development lifecycle (SDLC), allowing you to keep up pace and velocity without jeopardizing security.
Secure releases by default
In recent months, Dynatrace introduced Cloud Automation quality gates, which automate build validation based on service level objectives (SLOs), not just for production but across the whole SDLC. By combining Dynatrace Cloud Automation answer-driven release validation with Dynatrace Application Security, security is transformed from a detached, often manual process to an automated release process that provides continuous feedback to the DevSecOps team. This allows releases to remain secure by default.
Introducing release validations into your continuous delivery pipeline allows for automated analysis of the quality of your new software versions and planned releases. Security vulnerabilities are checked throughout the lifecycle, including comparisons against previous releases.
These checks not only automatically detect vulnerabilities; they also automatically assess risk and user impact, thereby avoiding false positives and helping teams to focus on what matters most.
Such release validations with quality gates automate the manual task of analyzing and comparing data from numerous dashboards to determine whether a build meets your quality criteria.
By identifying degradation in quality and security throughout the lifecycle, remediation actions can be triggered automatically. This ensures that bad quality or risky releases won’t advance in any pipeline stage, much less negatively impact your customers’ experience by disrupting production environments.
Automated release decisions enriched with security
Cloud Automation release validation with quality gates queries service-level indicators (SLIs) and compares them against service-level objectives (SLOs). When an objective is met, the quality gate evaluation returns a value of succeeded. Otherwise, the evaluation returns a value of
To enrich a release validation with security, simply add one of the out-of-the-box Dynatrace security metrics to your release validation dashboard.
For example, if you don’t allow any new critical-risk vulnerabilities in your releases, add the Open Security Problems (split by Management Zone) metric to a dashboard chart, filter it on the critical risk level dimension, and specify an error criterion of
That’s it. After you include this chart on your release validation dashboard—or add the metrics query and objective into the SLI and SLO.yaml, if you prefer the code approach—Dynatrace Cloud Automation quality gates will evaluate the number of critical-risk vulnerabilities as part of the release validation scoring. As the following release validation overview shows, you can add multiple security-related SLOs to your release validation:
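To make the code approach concrete, here is an added example (not configuration from this post or from Dynatrace) of a Keptn-style sli.yaml and slo.yaml pair, the file format Cloud Automation quality gates are built on. It wires two security SLIs into the evaluation: an absolute objective that fails the gate on any open critical-risk vulnerability, and a comparative objective that warns when the number of high-risk vulnerabilities grows relative to the previous evaluation. The metric key `builtin:security.securityProblem.open.managementZone`, the `Risk Level` dimension name and all thresholds are assumptions to be checked against the metric browser in your own environment.

```yaml
# sli.yaml (constructed example): each indicator name maps to a Dynatrace metrics query.
# Metric key and "Risk Level" dimension name are assumed; verify them in your tenant.
spec_version: "1.0"
indicators:
  critical_vulnerabilities: 'metricSelector=builtin:security.securityProblem.open.managementZone:filter(eq("Risk Level",CRITICAL)):splitBy():sum'
  high_vulnerabilities: 'metricSelector=builtin:security.securityProblem.open.managementZone:filter(eq("Risk Level",HIGH)):splitBy():sum'

---
# slo.yaml (constructed example): the objectives the quality gate scores the release against.
spec_version: "1.0"
comparison:
  compare_with: "single_result"          # relative criteria compare against the previous evaluation
  include_result_with_score: "pass"      # only a passed evaluation serves as the baseline
  number_of_comparison_results: 1
  aggregate_function: "avg"
objectives:
  - sli: "critical_vulnerabilities"
    key_sli: true                        # a failed key SLI fails the whole evaluation, whatever the score
    pass:
      - criteria:
          - "<1"                         # zero open critical-risk vulnerabilities allowed
    weight: 1
  - sli: "high_vulnerabilities"
    pass:
      - criteria:
          - "<=+0%"                      # no increase in high-risk vulnerabilities since the last pass
    warning:
      - criteria:
          - "<=+10%"                     # up to 10% more is a warning, not a failure
    weight: 1
total_score:
  pass: "90%"                            # weighted score needed for the gate to succeed
  warning: "75%"
```

Marking the critical-risk objective as a key SLI is the important design choice: a weighted score could otherwise be rescued by other healthy objectives, whereas a key SLI that fails blocks the release regardless of the total score.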
Level up your continuous delivery by integrating Dynatrace Cloud Automation into your existing DevOps toolchain, which orchestrates the software development lifecycle and remediates detected issues automatically.
Dynatrace Cloud Automation is currently available to all Dynatrace Managed and SaaS customers as a SaaS instance. Further Managed deployment options will be released in a future release.