Harbormaster Integrated Security & Compliance
Table of Contents
Security and compliance are crucial and there is no better place to consider both than from the start. Harbormaster ensures the projects it generates utilize the latest secure dependencies.
A software project naturally has external libraries it depends upon. Within the Harbormaster architecture, these dependencies are defined within the build process contained in a tech stack.
For instance, an Angular type tech stack will draw upon 3rd party NPM packages to help the resulting application accomplish its tasks. These libraries are application dependencies and therefore introduce the possibility of vulnerabilities and compliance violations.
A Period Of RiskTodays DevOps typically has a solution in the toolchain responsible for looking for security vulnerabilities. This security scanning is initiated as soon as code is checked triggering some CI platform to rebuild the application and scan the result. But what about the time before code is checked in? It is possible to retrieve application dependencies from a solution responsible for ensuring the they are free from security vulnerabilities. That is great for when a developer is compiling, but what about the code they are writing? Remember it has not been checked in yet and therefore not scanned. This security hole is impossible to address unless a solution like Harbormaster is used. WIthout it, the time period between starting a project and the 1st check-in is a period of vulnerabilty
Unlike any other platform that produces application code, Harbormaster is based off of reusable model driven templatized reference applications or tech stack package. To maximize the security of any application resulting from Harbormaster Project Generation, each tech stack published to the platform is checked weekly. Checking a tech stack involves generating a project using a generic model, CircleCI as the CI/CD platform, an appropriate Dockerfile, and JFrog. The importance of JFrog is that the JFrog Artifactory is used as the source of application dependencies along with the repository for storing the resulting Docker image. Also, JFrog Xray is used to scan the Docker image content for high level security vulnerabilities and violations. If any are discovered, the tech stack author (e.g. firstname.lastname@example.org, email@example.com, etc..) is notified via email with the report provided from JFrog. Importantly, the Harbormaster Platform notifies the creator of any prior projects generated with that tech stack.