DevSecOps – Noise

Beyond IAM access keys: Modern authentication approaches for AWS

Mitch Beaumont — Mon, 21 Jul 2025 23:13:43 +0000

When it comes to AWS authentication, relying on long-term credentials, such as AWS Identity and Access Management (IAM) access keys, introduces unnecessary risks; including potential credential exposure, unauthorized sharing, or theft. In this post, I present five common use cases where AWS customers traditionally use IAM access keys and present more secure alternatives that you […]

Combining Snyk’s Insight with Amazon Q Developer’s Assistance to Streamline Secure Development

Omar Faruk — Mon, 28 Apr 2025 18:40:32 +0000

Developers today face a constant balancing act – building new features and functionality while also ensuring the security and reliability of their codebase. Two powerful tools, Snyk and Amazon Q Developer, can work in tandem to help developers navigate this challenge with greater efficiency and efficacy. Snyk is a leading developer security platform that empowers […]

How GitHub uses CodeQL to secure GitHub

Brandon Stewart — Wed, 12 Feb 2025 17:00:04 +0000

How GitHub’s Product Security Engineering team manages our CodeQL implementation at scale and how you can, too.

The post How GitHub uses CodeQL to secure GitHub appeared first on The GitHub Blog.

Code security scanning with Amazon Q Developer

Surabhi Tandon — Wed, 16 Oct 2024 11:32:27 +0000

A primary objective of software developers is to develop products that uphold the highest standards of data privacy and security, fostering trust and confidence among their users and customers. Developers seek to secure their software by identifying and mitigating security vulnerabilities in their codebase, thereby enhancing its resilience against cyber threats. Amazon Q Developer, a […]

Terraform CI/CD and testing on AWS with the new Terraform Test Framework

Kevon Mayers — Tue, 02 Apr 2024 23:45:18 +0000

In this blog post, we will show you how to validate Terraform modules and how to automate the process using a Continuous Integration/Continuous Deployment (CI/CD) pipeline.

Strengthen the DevOps pipeline and protect data with AWS Secrets Manager, AWS KMS, and AWS Certificate Manager

Magesh Dhanasekaran — Wed, 10 Jan 2024 19:59:11 +0000

In this blog post, we delve into using Amazon Web Services (AWS) data protection services such as Amazon Secrets Manager, AWS Key Management Service (AWS KMS), and AWS Certificate Manager (ACM) to help fortify both the security of the pipeline and security in the pipeline. We explore how these services contribute to the overall security […]

Automate Cedar policy validation with AWS developer tools

Pontus Palmenäs — Wed, 10 Jan 2024 17:08:18 +0000

Cedar is an open-source language that you can use to authorize policies and make authorization decisions based on those policies. AWS security services including AWS Verified Access and Amazon Verified Permissions use Cedar to define policies. Cedar supports schema declaration for the structure of entity types in those policies and policy validation with that schema. […]

Introducing IAM Access Analyzer custom policy checks

Mitch Beaumont — Mon, 27 Nov 2023 14:00:04 +0000

AWS Identity and Access Management (IAM) Access Analyzer was launched in late 2019. Access Analyzer guides customers toward least-privilege permissions across Amazon Web Services (AWS) by using analysis techniques, such as automated reasoning, to make it simpler for customers to set, verify, and refine IAM permissions. Today, we are excited to announce the general availability […]

Validate IAM policies by using IAM Policy Validator for AWS CloudFormation and GitHub Actions

Mitch Beaumont — Wed, 30 Aug 2023 13:04:28 +0000

In this blog post, I’ll show you how to automate the validation of AWS Identity and Access Management (IAM) policies by using a combination of the IAM Policy Validator for AWS CloudFormation (cfn-policy-validator) and GitHub Actions. Policy validation is an approach that is designed to minimize the deployment of unwanted IAM identity-based and resource-based policies […]

Integrating with GitHub Actions – Amazon CodeGuru in your DevSecOps Pipeline

Mahesh Biradar — Wed, 22 Mar 2023 16:25:11 +0000

Many organizations have adopted DevOps practices to streamline and automate software delivery and IT operations. A DevOps model can be adopted without sacrificing security by using automated compliance policies, fine-grained controls, and configuration management techniques. However, one of the key challenges customers face is analyzing code and detecting any vulnerabilities in the code pipeline due […]

Use Amazon Inspector to manage your build and deploy pipelines for containerized applications

Scott Ward — Thu, 03 Nov 2022 16:50:23 +0000

Amazon Inspector is an automated vulnerability management service that continually scans Amazon Web Services (AWS) workloads for software vulnerabilities and unintended network exposure. Amazon Inspector currently supports vulnerability reporting for Amazon Elastic Compute Cloud (Amazon EC2) instances and container images stored in Amazon Elastic Container Registry (Amazon ECR). With the emergence of Docker in 2013, […]

Integrating Cloud Security With DevOps and CI/CD Tools

Clint Merrill — Fri, 09 Sep 2022 14:33:06 +0000

In this post, we dive into a key aspect of our approach: integrating cloud security with developer and DevOps tooling.

What It Takes to Securely Scale Cloud Environments at Tech Companies Today

Ben Austin — Wed, 25 May 2022 14:20:10 +0000

Here are three ways to help empower your teams to take advantage of the many benefits of public cloud infrastructure without sacrificing security.

Continuous runtime security monitoring with AWS Security Hub and Falco

Rajarshi Das — Fri, 17 Dec 2021 17:35:38 +0000

Customers want a single and comprehensive view of the security posture of their workloads. Runtime security event monitoring is important to building secure, operationally excellent, and reliable workloads, especially in environments that run containers and container orchestration platforms. In this blog post, we show you how to use services such as AWS Security Hub and […]

Forensic investigation environment strategies in the AWS Cloud

Sol Kavanagh — Thu, 28 Oct 2021 15:57:41 +0000

When a deviation from your secure baseline occurs, it’s crucial to respond and resolve the issue quickly and follow up with a forensic investigation and root cause analysis. Having a preconfigured infrastructure and a practiced plan for using it when there’s a deviation from your baseline will help you to extract and analyze the information […]

Use the Snyk CLI to scan Python packages using AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild

BK Das — Tue, 27 Jul 2021 00:34:52 +0000

Learn how to scan Python packages for security vulnerabilities using AWS Developer tools and Snyk

Building an end-to-end Kubernetes-based DevSecOps software factory on AWS

Srinivas Manepalli — Fri, 25 Jun 2021 22:35:53 +0000

DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, […]

GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials

Wed, 03 Feb 2021 13:13:35 +0000

GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally – this includes code, commits, wiki pages and more. GitLab Watchman searches GitLab for internally shared projects and loo...

Finding Results at the Intersection of Security and Engineering

Chaim Mazal — Mon, 25 Jan 2021 15:06:24 +0000

In this blog, Chaim Mazal discusses the importance of collaborating with teams to build a comprehensive security culture within an organization.

Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools

Srinivas Manepalli — Thu, 21 Jan 2021 23:16:59 +0000

DevOps is a combination of cultural philosophies, practices, and tools that combine software development with information technology operations. These combined practices enable companies to deliver new application features and improved services to customers at a higher velocity. DevSecOps takes this a step further, integrating security into DevOps. With DevSecOps, you can deliver secure and compliant […]