DevSecOps as a service

Yes and No. It is common to put security aside until a startup gets mature and pays off, which is understandable, since security is not a cheap thing to get, and slows down a development process, since it requires compliance with a lot of standards. However, Alpacked’s recommendation is to worry about security from day one, as it’ll get even more difficult and expensive later on. One of the examples is a control over outgoing connections - it is always easier to block all of them at the beginning and then whitelist them one by one, as the need emerges. Implementing it later on, will require a dev team to collect the URLs, forget about some of them, as it usually happens, and suffer from blocked connections to various 3rd-party integrations (Based on real events at different projects)

Yes, you should. Even though some of the NIST requirements related to processes might be too strict, technical standards there were written down by real professionals, and we recommend following them whether you get ready for the audit, or simply try to apply security best practices

SIEM stands for Security information and event management. It usually implies a monitoring, reporting and alerting system for security events, like authentication, authorization, configuration and secrets management, IDP, and IDS

Going through different security audits, we have noticed a list of common requirements all of them have:

1. Least privilege principle
2. Visibility and reporting
3. Continuous patching and updates
4. Ubiquitous encryption
5. Static and dynamic prevention mechanisms
6. Processes

 It requires a dedicated person or a team (depending on the size of the dev team and company) responsible for processes, technical implementation or technical statement of the problem

Considering the 4 key points of security audits, we recommend to leverage the following services:

1. Least privilege principle - IAM, Access advisor, CloudTrail, Macie 
2. Visibility and reporting - CloudWatch, Security Hub, Inspector, Artifact
3. Continuous patching and updates - Inspector, SSM Compliance and Patch manager 
4. Ubiquitous encryption - KMS, Certificate Manager, Signer
5. Static and dynamic prevention mechanisms - Firewall, WAF, Shield, Guard Duty
6. Processes - Audit manager, Config

Kubernetes has a large community and therefore a huge list of different security services. We recommend checking them out at CNCF Landscape. However, Alapcked recommends paying attention to Istio, OPA, Notary, Kube-bench, Falco as the main ones

Yes. CNCF and Kubernetes main participants and donators are large enterprise companies, which invest into opensource technologies to make them more stable and mature, and use them for their own needs. They spend tons of money and time to develop these products, validate and maintain them, making opensource software suitable for any needs. However, unlike the enterprise software, opensource one requires a team of professionals to properly configure the integration with other services, since they usually tend to be different solutions rather than a part of a certain family.