Accelerate secure builds and innovation on AWS with Buildkite and Lacework

Erin K. Banks | May 21, 2024 | 5 min read

At Lacework, we understand the importance of application security. The “shift left” concept is not new, but it is a vital part of our overall cloud security story because you can’t address code security without having a clear understanding of your risk, threats, and identities. We also understand that the more we focus internally on building integrations with the technologies you admire the most, the better outcomes we can help you achieve when protecting your cloud and applications.

A key focus for us at Lacework is building a platform that integrates with your current tech stack. We understand that the easier it is for you to build secure applications in your cloud and identify vulnerabilities within those applications or infrastructure, the more secure we all are. Aaron Kornhauser, Senior Director of Global Partner Solutions Engineering, recently affirmed this message, "Security thrives on teamwork, and our partners are essential players in this game. It's all about crafting integrations that hit the mark for our customers and application challenges they are trying to solve. The Buildkite and Lacework partnership is a big win for customers building on AWS faster and more securely and allows them to integrate security earlier in the application development process." 

This partnership comes at a critical time for application security. Integrating security into application development is at the core of DevSecOps. While a goal for most organizations, DevSecOps can be difficult to operationalize for companies with deeply entrenched processes. However, that difficulty makes the concept no less important.

According to Forrester’s 2023 State Of Application Security report*: 

"Software vulnerability exploits are still too easy. Of security decision-makers whose firm experienced an external attack, 25% pointed to software vulnerability exploits as a cause of the external breach. In last year’s survey, software vulnerability exploits were among the most often cited breach attack methods. The number of known vulnerabilities is increasing, as is the use of open source libraries: The Synopsys open source security risk report indicates that, as of 2021, 78% of application code is open source. Forrester expects this to keep increasing — and with the mix of old and new versions of open source components, this attack method will only expand.”

That is why today, we are happy to announce our latest integration with Buildkite. Buildkite is a continuous integration/continuous delivery (CI/CD) application that helps developers quickly and easily build code pipelines. Their hybrid approach to CI/CD separates the SaaS control panel and your infrastructure. Buildkite manages the control panel, dispatching work as it appears. They give you full control over your build environment and agents, giving you flexibility and extensibility so that platform limitations won't block your goals. This integration is available through GitHub and will require a Buildkite and Lacework account, but if you do not have one, you can sign up for a free trial of Buildkite or a free trial of Lacework.

What this integration covers 

Software composition analysis (SCA) enables you to identify all of your third-party code dependencies, automatically prioritize and remediate their associated vulnerabilities, and detect risk and non-compliance associated with open-source licenses. We help you assess the risk and compliance with open-source software licenses for the components your teams are using.

Static application security testing (SAST) gives your teams the ability to rapidly scale your static code analysis, reduce noise, prioritize what matters most, and uncover hidden security defects. We provide differential analysis each time code is updated to highlight new vulnerabilities and allow developers to focus on risks they’ve introduced.

Container vulnerability scanning lets you integrate Lacework security capabilities into your software supply chain workflows by scanning and assessing Docker container images for vulnerabilities without checking them into a container registry. The inline scanner container registry integration performs an inline scan outside of Lacework. You can then configure the inline scanner to send a request to Lacework to assess the collected data.

Infrastructure as code (IaC) extends automated security and compliance checks of IaC early in the development process to prevent misconfigured cloud services from being deployed. Lacework integrates IaC security seamlessly into developers’ existing toolchains, so they don’t have to switch out of their workflows to secure their code.

Why this integration matters

The DevSecOps and “shift left” narrative puts more onus on developers, but there’s a much higher value in building security earlier in the development process. DevSecOps will prevent you from deploying vulnerable images into production and will reduce your software vulnerability exploits. This Lacework and Buildkite integration enables you to more easily “shift security left.”

If you need more technical information on this integration, feel free to check out the Buildkite blog.

(*The State Of Application Security, 2023, Forrester Research, Inc., June 7, 2023)
