Tapiserí: Blueprint to modernize DevSecOps for real world

Abstract

Micro-service application pattern has revolutionize the overall software delivery lifecycle. Modularization has allowed breaking monolithic application into independent components that can be developed faster and automation in CICD has enabled high velocity deployment of applications to the cloud. Such a modernization has mandated a need to put security at the center of the workflow from code to container, giving rise to the DevSecOps paradigms. Although effectiveness of the existing DevSecOps solutions is limited by lack of good development practices and narrow scope where it is applied for security analytic only around code hygiene, like vulnerability scanning, license auditing, etc. We discuss our survey on these challenges and highlight their security implications. In tapiserí we then present wider perspective to design a DevSecOps solution that addresses prevalent challenges around supply chain security, build security for micro-services, ensures integrity of the pipelines themselves and brings transparency and auditability to the process.