The ATO Journey & Its Challenges
The Authority to Operate (ATO) is a formal declaration and approval that a software environment is ready to be deployed into a federal production environment. Achieving an ATO involves a long and careful process in which each tool in the technology stack is evaluated to ensure it won't put the security posture of the environment at risk. Multiple security and vulnerability tests are executed, manual security scans are run, and even the load balancers (such as F5 appliances) must be configured properly to pass an ATO evaluation. The evaluation can take anywhere from 6-12 months, and sometimes longer depending on the outcome of the initial assessments. As one can imagine, this is a daunting exercise that can leave teams scrambling and stressed. Federal programs will sometimes make technological and architectural decisions based on whether they make the ATO easier to achieve – even when those decisions are not optimal or don't position the technology stack to scale in the future. Achieving an ATO is one challenge; maintaining it is another. After an ATO is granted, recurring evaluations are performed to ensure the security standards of that federal agency are still being met.
Introducing DevSecOps & Espier
This is where DevSecOps and Espier (an open source Jenkins plugin for penetration and Open Web Application Security Project [OWASP] testing) come in – the next step in the evolution of DevOps. In DevOps, developers create continuous integration / continuous delivery (CI/CD) pipelines that build, deploy, and test the software on every commit to the code repository. Code is unit tested, regression tested, and validated with each build, then deployed after a successful test run. DevOps ultimately reduces technical debt, errors, and bugs in each development sprint and makes teams more productive, since automation is built into every step. Espier integrates security and vulnerability testing into that DevOps process (hence DevSecOps), automatically testing your security posture with each developer commit.
The Value of Espier
Espier is a Jenkins plugin that automatically scans for cross-site scripting (XSS) and SQL injection vulnerabilities and performs other types of penetration testing. It continuously detects vulnerabilities as part of every software build, allowing developers to remediate them incrementally. At most federal agencies, penetration testing is disconnected from the core development process and is conducted late in the system delivery lifecycle, yet for an ATO it is a requirement that needs to be satisfied early on. Espier is treated as a series of tests that run alongside your test suite in Jenkins. Because it is encapsulated in Jenkins, Espier supports Docker and deployments to multiple environments. eGT Labs, the innovation engine that created Espier, decided to make a plugin rather than a standalone application to avoid inserting an additional tool, which for federal projects can be a big deal: adding tools can change an ATO posture, but if Jenkins is already approved, Espier can easily be integrated. Plugins are also extensible and easy to install and maintain, and we chose Jenkins as it's the industry standard tool for CI/CD and DevSecOps. Even if you use SonarQube or a static analysis tool like Fortify in your stack, penetration tests are often overlooked and can be difficult to emulate. Espier is a simple solution that is free, open source, and available to use today.
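To make the "tests that run alongside your test suite" idea concrete, here is an added example of a declarative Jenkinsfile that builds the application from the commit, starts it in Docker, runs a dynamic scan against that instance, and fails the build on high-severity findings. This is not Espier's own code or documented interface: the scanner command (`espier-scan`), its JSON report layout, the Gradle test command, the `/health` endpoint, and the image and container names are all assumptions; `readJSON` comes from the Pipeline Utility Steps plugin.

```groovy
// Constructed example: the scanner CLI, report format, build tool and
// health endpoint are placeholders, not the plugin's real interface.
pipeline {
    agent any
    environment {
        APP_IMAGE = "myapp:${env.BUILD_NUMBER}"   // image built from this commit
        APP_URL   = 'http://localhost:8080'       // instance the scan targets
    }
    stages {
        stage('Build') {
            steps { sh 'docker build -t "$APP_IMAGE" .' }
        }
        stage('Unit tests') {
            steps { sh './gradlew test' }         // assumes a Gradle project
        }
        stage('Deploy test instance') {
            steps {
                // A dynamic scan needs a running app: start the fresh image
                sh 'docker run -d --rm --name app-under-test -p 8080:8080 "$APP_IMAGE"'
                // Wait (up to ~60 s) for the app to answer before scanning
                sh 'for i in $(seq 1 30); do curl -sf "$APP_URL/health" && break; sleep 2; done'
            }
        }
        stage('Security scan') {
            steps {
                // Hypothetical scanner command; substitute the plugin's own step
                sh 'espier-scan --target "$APP_URL" --output scan-report.json'
            }
            post {
                always { archiveArtifacts artifacts: 'scan-report.json', fingerprint: true }
            }
        }
        stage('Security gate') {
            steps {
                script {
                    // Assumed report shape: { "findings": [ {severity, type, url}, ... ] }
                    def report = readJSON file: 'scan-report.json'
                    def blocking = report.findings.findAll { it.severity in ['HIGH', 'CRITICAL'] }
                    if (blocking) {
                        blocking.each { echo "${it.severity} ${it.type} at ${it.url}" }
                        error "Security gate failed: ${blocking.size()} blocking finding(s)"
                    }
                }
            }
        }
    }
    post {
        // Always tear down the test instance, even when the gate fails
        always { sh 'docker rm -f app-under-test || true' }
    }
}
```

Keeping the gate as its own stage means developers see exactly which commit introduced a finding, and the archived report gives the ATO assessors a per-build scan record.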
Contact EGT Labs at EGTLabs@eglobaltech.com to get started with Espier!
Copyright 2018 | EGlobalTech | All rights reserved.