I'm part of a 40-person SaaS team that mainly consists of engineers, and we're primarily using AWS EKS alongside GitHub Actions and ArgoCD. As we've grown from a startup to a more enterprise-like company, our application security (AppSec) needs have become increasingly complex and overwhelming. Right now, we manage around 130 microservices across three EKS clusters. While our Software Composition Analysis (SCA) in pull requests is functioning reasonably well, our Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST) lack organization and consistency. Scanning seems to happen at random intervals, and we struggle to adapt our practices—especially with so few team members focusing on security. With NodeJS and Go apps, we're frequently facing issues related to the OWASP Top 10. Maintaining a shift-left approach feels impossible with just me and another part-time developer advocate addressing the alerts. Moreover, our monorepo setup complicates matters further. We're also under pressure for compliance with SOC2 and PCI, meaning we can't overlook runtime or Infrastructure as Code (IaC) vulnerabilities. I'm interested in learning how other mid-sized teams effectively manage their AppSec, particularly in terms of adopting custom policies, utilizing Slack bots for triaging alerts, and finding effective EKS strategies for preventing high-risk deployments without slowing down our workflow. Despite trying out various resources, nothing has seemed applicable to our specific environment.
5 Answers
Automated gating could be a game changer for you. Not every pull request needs a comprehensive scan; instead, set up GitHub Actions and ArgoCD policies to automatically block deployments that contain serious security issues, like high-severity OWASP findings. It really reduces the cognitive load on your team. Start with critical microservices and expand your coverage over time.
Incorporating security into your workflow is vital. Consider hiring an SRE, and you might need someone to address the complexities caused by microservices. Sometimes simplifying the architecture can lead to better security practices overall.
Scaling DAST and IAST is tough without proper orchestration. Some teams run these scans on less busy branches or during off-peak hours. Then, they funnel only the most actionable alerts to platforms like Slack, helping ensure that the alerts don’t get ignored.
With that many microservices and a small team, prioritization is key. You can't scan everything equally, so tier your services based on their internet exposure and data sensitivity. Focus DAST on critical services that deal with PCI data. For runtime security, you might want to implement tools like Falco for threat detection and Trivy Operator for image scanning. These can help manage vulnerabilities more effectively within your clusters without adding extra layers of infrastructure. If SCA works well in your pull requests, consider extending that to include Semgrep for SAST—you can create custom rules that fit your codebase and run it without much disruption.
In our similarly-sized organization, we recently adopted a subscription to Wiz. We manage our policies and temporary ignore rules using a Terraform repository. We scan our base images daily, and if any issues arise, our on-call person can add ignores to Terraform to allow necessary releases. Developers can create temporary ignores specific to their applications, controlled through pull requests and code owners. We also run checks for secrets and SAST with VCS hooks during pull events.
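One shape for the severity gate suggested in the first answer, combined with the service tiering from the fourth answer and the time-limited, per-service ignore rules from the fifth. This is an added example, not code from any of the posters; the report layout (a simplified Trivy-like structure), the tier names, the ignore format and the placeholder ids are all assumptions.

```python
from datetime import date

# Severity order used to compare a finding against a tier's threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumed tiers: internet-facing/PCI services block on HIGH and above,
# internal-only services block only on CRITICAL.
TIER_THRESHOLD = {"pci": "HIGH", "internal": "CRITICAL"}

def active_ignores(ignores, today):
    """Set of (service, finding id) pairs whose ignore has not yet expired."""
    return {(i["service"], i["id"]) for i in ignores
            if date.fromisoformat(i["expires"]) >= today}

def blocking_findings(report, service, tier, ignores, today):
    """Findings at or above the tier threshold that no active ignore covers."""
    threshold = SEVERITY_RANK[TIER_THRESHOLD[tier]]
    ignored = active_ignores(ignores, today)
    blocked = []
    for result in report["Results"]:
        for v in result.get("Vulnerabilities", []):
            sev = SEVERITY_RANK.get(v["Severity"].upper(), 0)
            if sev >= threshold and (service, v["VulnerabilityID"]) not in ignored:
                blocked.append((result["Target"], v["VulnerabilityID"], v["Severity"]))
    return blocked

def gate(report, service, tier, ignores, today=None):
    """Return (allowed, blocking findings). `today` is an ISO date string."""
    day = date.fromisoformat(today) if today else date.today()
    found = blocking_findings(report, service, tier, ignores, day)
    return (not found, found)

# Constructed sample report in a simplified Trivy-like layout (not real output)
# with placeholder ids, as if produced by scanning a Node + Go service.
SAMPLE_REPORT = {"Results": [
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-2", "Severity": "MEDIUM"}]},
    {"Target": "go.sum", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-3", "Severity": "CRITICAL"}]}]}
# Constructed ignore list: one still active, one already expired.
SAMPLE_IGNORES = [
    {"id": "CVE-EXAMPLE-1", "service": "payments", "expires": "2030-01-01"},
    {"id": "CVE-EXAMPLE-3", "service": "payments", "expires": "2020-01-01"}]

if __name__ == "__main__":
    ok, found = gate(SAMPLE_REPORT, "payments", "pci", SAMPLE_IGNORES)
    for target, vid, sev in found:
        print(f"BLOCK {target}: {vid} ({sev})")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI step
```

Run as a step after the scan in the workflow; ArgoCD then only ever sees images that passed the gate, and the expiring ignores force someone to revisit each exception instead of leaving it in place forever.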