Security
Security is a cross-cutting concern that must be addressed across a company’s systems, organization, processes, and culture. CodeNOW is doing its part by providing security capabilities that are based on a fully open-source stack and cover the entire software delivery lifecycle.
CodeNOW relies entirely on widely used, constantly updated, secure open-source stacks
CodeNOW relies on a fully open-source stack to standardize and automate software delivery. Open-source stacks provide the following security advantages:
- The open-source technologies used by CodeNOW (e.g., Gitlab, Kubernetes, SonarQube) are widely used in the industry. They incorporate in their design security features that reflect the needs of a large variety of users.
- Given the large audience of our open-source stack, vulnerabilities are more likely to be found and reported quickly. No single company can prevent security issues from being disclosed.
- Vulnerabilities are also more likely to be fixed quickly when they are found. Our open-source stack has a large and growing number of contributors. Any developer, including ours, can contribute fixes.
CodeNOW security capabilities cover the entire software delivery lifecycle
CodeNOW offers the following security features out of the box, with more on the roadmap:
Design & Create phase
In the design phase, the most prevalent security concern is code security. CodeNOW leverages GitLab capabilities to protect against code loss and code infiltration and provide code secrecy.
GitLab is one of the most comprehensive solutions for source code management. GitLab users can start their application as a single developer to end up engaging distributed teams and managing multiple feature branches. GitLab can assign specific roles and rights to team members, hence providing controlled access to code repositories and operations (e.g., feature branch merge, commit of changes).
CodeNOW is managing backup for its customers. Alternatively, thanks to the distributed nature of the GitLab client, you can fully backup your source code independently — for instance, for really critical packages.
Testing & Deployment phase
The CodeNOW platform leverages SonarQube to provide smart code analysis capabilities that are automatically used when the code has been updated. SonarQube is an open-source product that provides continuous code quality and code security through thousands of automated static code analysis rules. SonarQube capabilities include, but are not limited to, vulnerability scanning and quality gates (e.g., code quality static analysis, security checks).
CodeNOW additionally lets its users define policies to prevent developers from deploying dangerous changes to the application.
Production phase
Encryption and access control
There are two important techniques to secure the confidentiality of data in production environments: encryption at transport, and encryption at rest. The issues solved by encryption at transport (e.g., communication interception) are addressed by CodeNOW’s design and architecture. CodeNOW architecture is made of components that directly interact with each other without the possibility for a foreign actor to intercept inter-component communications. As a matter of fact, literally, nobody has access rights into the production environment — or any other environment. Everything is automated. The only way to interact with the application or running environment is to use well-defined interfaces provided either by the CodeNOW platform or by the application under implementation. This particular approach implemented by CodeNOW enables higher performance and faster response times by avoiding using time-consuming and resource-consuming encryption where it is not needed.
Encryption at rest provides protection for stored data (at rest). Developers have many options available. Developers can encrypt stored data with their preferred technology. For instance, they can configure the encryption of the storage device at the virtual machine, virtualization platform, or storage service level. They can alternatively configure a database component without CodeNOW to use encryption at rest. CodeNOW is currently identifying the most secure and developer-friendly approaches to provide encryption at rest capabilities directly into the CodeNOW platform.
Vault
CodeNOW also lets developers store sensitive data (e.g., private keys, certificates) in a secure location. You can utilize the same best-in-class user experience, granular access control, and authenticated encryption of your technical users’ credentials — no one is tempted to store secrets in an insecure config file. Granular access control gives people and apps access to the right information at the right time, without slowing down development. You will benefit from automatic synchronization across instances and modules: if you rotate a token or create a new one, it’s automatically synced — everywhere.
Centralized logs
CodeNOW provides, by design, low-level logs that give a fine-grained view of the system behavior.
Low-level, fine-grained logs generated by the distributed tracing of the running system enable root-cause problem analysis and the detection of security issues. CodeNOW users can, for instance, define a set of rules to generate specialized security alerts for suspicious activity of internal or external users.
Additionally, CodeNOW logs can be integrated into an external SIEM (Security Information and Event Management) solution. This provides flexibility for customers who want to implement a dedicated security monitoring solution covering applications running outside of the CodeNOW platform.