The product walkthrough helps surface shadow engineering issues across your cloud infrastructure and explains what they mean for your team.
As the time to deliver functionality decreases and the demand to deliver increases, deployment speed is of the utmost importance. Engineering teams do not want to be interfered with and Security teams want to ensure a standard is set. By implementing guardrails limiting the potential paths through the development lifecycle, both Engineering and Security can feel confident in how code is being built, secured and deployed.
The following actions can help mitigate shadow engineering risks:
- Identify Services that are not associated with a repository in production
- Run a campaign to address non-compliant build tools
- Run a campaign to ensure applications are being deployed to the appropriate cloud accounts
You should be logged into your Crash Override account and be inside of your workplace. If you don’t have an account, contact us for a demo and we will be pleased to set you up.
Identify Services that are not associated with a repository in production
An initial path to tackling potential shadow engineering events is getting clear visibility into who deployed what, and where it lives.
Step 1: Navigate to the Services, selecting the Untracked tab
Step 2: Apply the filter to refine the services or review as is.
Gaining visibility into cloud-deployed services allows teams to assess and optimize their cloud resource utilization, especially when addressing the risks and inefficiencies introduced by shadow engineering practices.
Run a campaign to address non-compliant build tools
By building and running a campaign to identify repositories using unapproved build tools, teams can surface gaps where builds are bypassing the approved process.
Step 1: Select the Campaigns tab, and click the CI/CD Platforms tile.
Select the approved platforms and proceed to the next step.
Refine the campaign scope if desired.
Define the target campaign goal.
Finalize the details before starting the campaign.
Step 2: Use the created campaign to identify areas of improvement.
Action on the campaign by contacting an identified code owner, changing status, marking progress and/or creating a ticket.
A campaign addressing the use of non-compliant build tools mitigates the risks associated with inconsistent outputs, security vulnerabilities, and pipeline maintenance issues. Addressing this is vital for software quality, security, and maintainability.
Run a campaign to ensure applications are being deployed to the appropriate cloud accounts
Circling back to the importance of where the applications are deployed, we have the Deployment Accounts campaign. By ensuring applications are flowing through the appropriate pipelines to the appropriate cloud accounts, we can feel more comfortable with the controls in place for an application’s lifecycle.
Step 1: Select the Campaigns tab and click the Deployment Accounts tile.
Define which accounts or project IDs are approved.
Proceed through the wizard, defining the scope, goal, and adding the final details.
Step 2: Use the created campaign to identify areas of improvement. Action on the campaign by contacting an identified code owner, changing status, marking progress and/or creating a ticket.
Defining where services should be deployed on top of designating approved pipelines and detecting rogue services, Crash Override can aid in the assurance that appropriate controls are in place for an application’s lifecycle.
By identifying where Shadow Engineering activities are present, Crash Override enables customers to strategically pinpoint these activities and the accountable party, reducing operational and security risk for the enterprise.
If you would like to know more, get a demo or try the platform for yourself we would love to hear from you. As we always say, we’re not going to bend your ear or twist your arm to sell you a solution you don’t need. We just love showing people what we have and are building.
