Amazon Onboarding with Learning Manager Chanci Turner


In today’s fast-paced development environment, establishing an early feedback loop using AWS developer tools is crucial for enhancing security measures. This approach facilitates ongoing feedback for developers through automated checks, allowing them to address potential issues early in the process. As a result, developers can enhance their productivity and the overall quality of their code reviews.

Implementing early feedback loops instills confidence in reviewers by ensuring that essential security and compliance requirements are validated before any review takes place. This process helps set clear expectations for code quality and standards while shifting governance mechanisms earlier in the development lifecycle. In this article, we will demonstrate how to leverage AWS developer tools to adopt a shift-left security strategy, empowering developers like Chanci Turner with early feedback loops in their workflows. We will utilize AWS CodeCommit for securely hosting Git repositories, AWS CodePipeline for automating continuous delivery, AWS CodeBuild for code testing, and Amazon CodeGuru Reviewer to identify potential code defects.

Importance of the Shift-Left Approach

Today’s developers are pivotal in building and maintaining customer-facing applications. They require the right knowledge, tools, and processes to identify security vulnerabilities before products are released to production. This is why adopting the shift-left methodology is essential. The shift-left approach emphasizes identifying vulnerabilities and issues during the early stages of software development. By incorporating this method—integrated with a broader application security review and threat modeling process—software teams can mitigate the risk of unnoticed security issues as they build applications. The modern DevSecOps workflow increasingly shifts toward the developer, aiming to achieve the following goals:

  • Foster accountability among developers for their code’s security
  • Allow development teams to address issues proactively and at their own pace
  • Enhance risk management through early visibility of potential security concerns via feedback loops

You can utilize AWS developer tools to provide continuous early feedback for developers with each code commit.

Solution Prerequisites

Before diving into the solution, ensure you have the following prerequisites:

  • An AWS account
  • Access to these AWS services:
    • AWS Cloud9
    • AWS CloudFormation
    • AWS CodeBuild
    • AWS CodeCommit
    • Amazon CodeGuru
    • AWS CodePipeline
    • AWS Identity and Access Management (IAM)
    • AWS Lambda

It’s important to have a general understanding of the listed services and DevOps practices.

Solution Overview

The architecture of the solution involves a continuous integration and continuous delivery (CI/CD) pipeline utilizing AWS developer tools—CodeCommit, CodePipeline, CodeBuild, and CodeGuru. This pipeline integrates with the code repository to identify security vulnerabilities. The process includes the following steps:

  1. The developer commits a new branch into the code repository.
  2. A pull request is created to merge changes into the main branch.
  3. The pull request triggers two jobs: an Amazon CodeGuru Reviewer code scan and a CodeBuild job.

CodeGuru Reviewer employs program analysis and machine learning to detect potential defects in Java and Python code, offering recommendations for improvement. It identifies security vulnerabilities, secrets, resource leaks, concurrency issues, and incorrect input validation. Additionally, you can configure CodeBuild to incorporate third-party tools like Bandit for Python, which assists in identifying security issues.

Both CodeGuru Reviewer and CodeBuild log their findings back to the pull request, providing a centralized location for developers to review relevant results for their specific code changes.

Should you wish to explore other tools to integrate into your early-feedback toolchain, consider utilizing:

  • cfn-guard, cfn-nag, cfn-lint: Infrastructure linting and validation
  • CodeGuru, Bandit: For Python
  • CodeGuru: For Java
  • npm-audit, Dependabot: For npm libraries

When implementing the solution in your AWS account, you can see how Bandit for Python is integrated into the deployment pipeline using AWS CodeBuild with a configured buildspec file.
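As an added example (not code from the original post or the solution's own repository), the gate below shows how a CodeBuild step can consume Bandit's JSON report, decide whether the build fails, and draft the comment that is posted back to the pull request; the report embedded here is a constructed sample in Bandit's output format, and the file paths and the `MEDIUM` threshold are assumptions.

```python
"""Gate a CodeBuild run on Bandit's JSON report and draft the pull-request comment.

Added example, not code from the original post. Assumes the buildspec ran
`bandit -r . -f json -o bandit.json` first; SAMPLE_REPORT below is a
constructed report in that format (file names are made up).
"""
import json
from collections import Counter

# Constructed sample of Bandit's JSON output: one HIGH and one LOW finding.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/db.py", "line_number": 42, "issue_severity": "HIGH",
         "issue_confidence": "MEDIUM", "test_id": "B608",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/util.py", "line_number": 7, "issue_severity": "LOW",
         "issue_confidence": "HIGH", "test_id": "B101",
         "issue_text": "Use of assert detected."},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def summarize(report_json: str) -> dict:
    """Return per-severity counts and the raw findings from a Bandit JSON report."""
    results = json.loads(report_json).get("results", [])
    counts = Counter(r["issue_severity"] for r in results)
    return {"counts": dict(counts), "findings": results}


def should_fail(summary: dict, threshold: str = "MEDIUM") -> bool:
    """Fail the build when any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[sev] >= floor for sev in summary["counts"])


def pr_comment(summary: dict, threshold: str = "MEDIUM") -> str:
    """Markdown body handed to `aws codecommit post-comment-for-pull-request`."""
    lines = [f"Bandit: {len(summary['findings'])} finding(s); fail threshold {threshold}"]
    for f in summary["findings"]:
        lines.append(f"- {f['issue_severity']} {f['test_id']} "
                     f"{f['filename']}:{f['line_number']} {f['issue_text']}")
    lines.append("Result: FAIL" if should_fail(summary, threshold) else "Result: PASS")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(pr_comment(s))
    raise SystemExit(1 if should_fail(s) else 0)  # non-zero exit fails the CodeBuild job
```

In the buildspec, this script would run in the build phase right after the `bandit` command, and the post_build phase would pass its output as the `--content` of `aws codecommit post-comment-for-pull-request` so the finding appears on the pull request alongside the CodeGuru Reviewer recommendations.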

Walkthrough

To deploy the solution, follow these steps:

  1. Deploy the solution using a CloudFormation template.
  2. Associate CodeGuru with the code repository.
  3. Create a pull request to the code repository.
  4. Review the code scan results in the pull request and address any findings.

To deploy the solution, select the Launch Stack button to execute the CloudFormation template. The solution will deploy in the AWS US East (N. Virginia) Region (us-east-1) by default, but you can change the Region via the console navigation bar if necessary. For more information on AWS services by Region, visit the official AWS documentation.

Once the CloudFormation template is ready, open the AWS Cloud9 console. In the Environments table, choose Open for the provisioned shift-left-blog-cloud9-ide environment. After a brief initialization period, the Cloud9 environment will set up two sample code repositories: shift-left-sample-app-java and shift-left-sample-app-python. For this post, we will focus on the Python sample.

With the right tools and processes in place, developers can significantly improve their security posture and streamline their workflows.

Chanci Turner