Policy as code Shifts Security Left

By Twain Taylor
December 14, 2022

Shift left is essential to catch issues early on in a development cycle. Policy as code extends this model to security and compliance. Learn more about it in this blog.


Universal adoption of agile practices has accelerated the software development lifecycle across the industry. A development project following the waterfall paradigm would put testing right before the production release phase. Here, security teams perform both static and dynamic analysis testing procedures, and their results either give the application a green flag for deployment or reject it pending remediation from developers. So, if any bugs are found which require immediate fixing, the release would inevitably be delayed.

Shifting left reduces the chance of defects and misconfigurations making it into production by detecting them early in the software delivery lifecycle. Shifting left not only reduces unexpected business costs and product defects but also quickens time to market. Security issues often start from something seemingly insignificant and snowball into a severe vulnerability that requires major effort to fix. Shifting security left means implementing security measures throughout the development lifecycle rather than testing for them at the end, and that’s where we leverage policy as code to define policies declaratively and prevent security breaches.


What is policy as code?

In this context, policies are essentially rules or instructions that govern IT operations. As manual, handbook-based policy management is impractical in any organization regardless of its size, defining policy as code is a groundbreaking approach where we use code to define and manage these rules declaratively. Development teams often use YAML, Rego, or Python to define such policies, but the choice of language boils down to the management and enforcement tools that we’re using.

Traditionally, developers modify existing code to make updates and involve others to manually review these changes to see whether they adhere to the organization’s policies. Now, using version control systems like Git and the broader GitOps approach, organizations can use policy as code to ensure that all policies are met right from the development phase. This is done automatically using a policy engine that runs automated policy checks, thus reducing manual effort and preventing surprises at a later stage that would delay the release.

Given its automation benefits, policy as code is the obvious alternative to managing rules and procedures manually. Policies can now be spelled out as code as well as shared and enforced at any scale. This eliminates the need for the Ops team to enforce a policy every time it becomes critical to do so. It is also faster and more accurate, whereas manually configured policies often run the risk of human error.


How does policy as code shift compliance and security left?

For releasing secure and compliant applications, automating policy enforcement is non-negotiable, and DevSecOps teams are achieving this by using policy as code. Apart from delivering the obvious benefits of automation, policy as code decouples policies from the application code and infrastructure layers. This enables developers to run and enforce policies at any level (platform, application, and so on) as they see fit.

One of the classic problems today’s organizations face stems from having an ecosystem of wildly different software systems. In such an ecosystem, permissions, policies, and authentication all need to be managed across every component. On that front, the policy as code paradigm uses a uniform file format to define policies that can be integrated across a wide range of software systems. This gives enterprises a single toolkit in a single framework, using a simple language to define the policies across their tech stack.

Policy as code is crucial to the success of cloud-native systems. It ensures security and compliance are built into the application while allowing for efficient and timely delivery, as teams are now trying to release updates to their code in hours and days instead of weeks. It makes perfect sense to automate certain aspects of these processes. Developers can now simply write their code, push it into a GitOps pipeline, and be notified if their code is non-compliant or insecure based on a list of pre-defined policy checks. These issues can then be rectified so that the release is not only timely but, more importantly, secure and compliant.
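Added example, not code from the post or from Weave GitOps: a minimal policy-as-code gate in Python that evaluates a constructed Kubernetes Deployment manifest against three declarative policies and halts the release on a high-severity violation while reporting the rest. The policy ids, the manifest, and the severity tiers are all assumptions.

```python
import re
# Constructed sample manifest, standing in for a Deployment YAML parsed from Git.
MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example/payments:latest",
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "registry.example/proxy:1.4.2",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
    ]}}},
}

# Policies as data (what a YAML policy file would hold): a field on every container,
# the check to apply, and a severity. Versioned in Git alongside the manifests.
POLICIES = [
    {"id": "no-privileged-containers", "severity": "high",
     "field": ("securityContext", "privileged"), "check": "must_not_equal", "value": True},
    {"id": "image-tag-pinned", "severity": "medium",  # a tag is present and is not :latest
     "field": ("image",), "check": "must_match", "value": r":(?!latest$)[\w.\-]+$"},
    {"id": "resource-limits-set", "severity": "medium",
     "field": ("resources", "limits"), "check": "must_exist"},
]
CHECKS = {
    "must_exist": lambda actual, _: actual is not None,
    "must_not_equal": lambda actual, value: actual != value,
    "must_match": lambda actual, value: isinstance(actual, str) and re.search(value, actual) is not None,
}

def get_field(obj, path):  # walk nested dicts; a missing key yields None instead of raising
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def evaluate(manifest, policies):
    """One violation per (policy, container) pair whose check fails."""
    containers = get_field(manifest, ("spec", "template", "spec", "containers")) or []
    violations = []
    for policy in policies:
        for container in containers:
            actual = get_field(container, policy["field"])
            if not CHECKS[policy["check"]](actual, policy.get("value")):
                violations.append({"policy": policy["id"], "severity": policy["severity"],
                                   "container": container.get("name"), "actual": actual})
    return violations

def admit(manifest, policies, block_on=("high",)):
    """Pipeline gate: halt the deployment on a blocking severity, report everything found."""
    violations = evaluate(manifest, policies)
    return {"allowed": not any(v["severity"] in block_on for v in violations),
            "violations": violations}
```

Running `admit(MANIFEST, POLICIES)` on the sample blocks the release: the `api` container is privileged, uses the `latest` tag, and has no resource limits, while `sidecar` passes every check.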

With a tiered approach to policy, SREs and developers can easily define self-service security policy changes for a Kubernetes cluster without running the risk of overriding any previously defined policies. It doesn’t require a central manager or a control point to create, review, and approve new policies. Of course, this creation and tweaking of policies can be as controlled or as flexible as an organization needs. This lets an organization define the working model it wants for its teams and enforce it with little effort.

In conclusion, policy as code is one of the great advances that have come as a result of the shift to cloud-native. It automates security and compliance testing, reduces manual effort and errors, and brings in predictability and scalability. Solutions like Weave GitOps offer a flexible yet robust way to define and implement policy as code. The end result is security guardrails that give platform operators the peace of mind that every release is secure and compliant by default. Shifting security left used to be a nice-to-have. But today, with solutions like Weave GitOps, it is a reality that any organization can experience irrespective of where they are in their cloud journey.

Weave GitOps and Policy as Code

Weave GitOps Enterprise is a continuous operations solution that includes policy as code checks to automatically detect misconfigurations, halt the deployment, and notify the concerned team. As its adoption continues to grow, it offers the simplest trajectory for implementing a policy as code approach to compliance and security in IT.


Figure: Policy as code in GitOps pipeline

Getting development teams to keep policy in mind is one of today’s security pain points, and policy as code ensures that security checks are completed before deployment. Combined with the runtime drift detection offered by Weave GitOps, these security capabilities come together to offer trusted application delivery, preventing inconsistent app behaviour and guaranteeing policy-driven deployment. All in all, you get automated remediation of misconfigured resources, actionable compliance posture reports, increased deployment speed with lowered risk, and a strategy that shifts security left.

The Weave Policy Engine follows the same principles as GitOps, where active policy definitions are stored in Git and security guardrails are automatically enforced all along the pipeline.

Contact us to learn more about Weave Policy Engine and our curated library of 100+ security and compliance policies, and how you can get started.
