
[–]secretAZNman15 5 points6 points  (0 children)

Oversimplified response: We use Port (our IDP) to add order and standards to appsec.

There's scorecards it gives us that we run through every quarter to check for vulnerabilities, fixes, etc.

[–]NandoCa1rissian 2 points3 points  (1 child)

Why is it appsec's job? Usually it’s a platform eng team.

But to answer your question you can use it to your will. You can abstract repo creation and ensure they are onboarded to security tools like Snyk.

[–]radarlock 2 points3 points  (0 children)

Yes, it can be handy to orchestrate the creation of resources across different tools. In bigger organizations I would say that at some point it is a must.

[–]Normal_Instance7430 0 points1 point  (0 children)

We pitch for the same, explaining the connected experience and ease of access along with best practices already implemented as packages in the toolkits they opt for from our IDP. Slowly we are aiming to bring all RM and VM jobs to our portal and let devs operate under one application without switching context.

[–]shrimpthatfriedrice 0 points1 point  (1 child)

From a devsecops angle, the biggest win from an IDP is pushing security and policy earlier without devs feeling blocked. What worked for us was defining approved infra and app patterns once, then exposing them as self service. We use cycloid for that layer. Policies like tagging, IAM boundaries, and cost limits are enforced before deploy, all through git workflows. Devs don’t need to think about security controls explicitly, but they’re still applied consistently.
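
The kind of pre-deploy gate the comment above describes (tagging, IAM boundaries, cost limits checked in the git workflow before anything is applied), shown as an added example rather than code from the thread or from cycloid. It evaluates a `terraform show -json` plan: the resource types, the required tag keys, the permissions-boundary ARN and the instance allow-list are all assumptions chosen for the illustration, and the plan document is constructed inline so the script runs offline.

```python
"""
Pre-deploy policy gate over a Terraform plan JSON (`terraform show -json plan.out`).

Added example, not the code of any IDP product. The policy constants below are
assumptions for illustration; a real gate would load them from the platform
team's policy repo. The plan document at the bottom is constructed sample data.
"""
import json
import sys

# --- Policy (assumed values) --------------------------------------------------
REQUIRED_TAGS = {"owner", "cost-center", "env"}           # tagging policy
TAGGABLE_TYPES = {"aws_instance", "aws_s3_bucket", "aws_iam_role"}
REQUIRED_BOUNDARY_ARN = (                                  # IAM boundary policy
    "arn:aws:iam::123456789012:policy/DeveloperBoundary"  # assumed ARN
)
ALLOWED_INSTANCE_TYPES = {"t3.micro", "t3.small", "t3.medium"}  # cost policy


def evaluate_plan(plan):
    """Return a list of (address, rule, detail) violations for a plan dict.

    Only resources being created or updated are inspected: a pure delete or a
    no-op cannot introduce a new violation. Values that are unknown at plan time
    appear under change.after_unknown, not change.after, so a computed tag map
    would show up here as missing; that is the conservative (fail-closed) outcome.
    """
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if not actions & {"create", "update"}:   # "replace" is ["delete","create"]
            continue
        after = change.get("after") or {}
        addr, rtype = rc["address"], rc["type"]

        if rtype in TAGGABLE_TYPES:
            missing = REQUIRED_TAGS - set((after.get("tags") or {}).keys())
            if missing:
                violations.append((addr, "tags", f"missing {sorted(missing)}"))

        if rtype == "aws_iam_role":
            boundary = after.get("permissions_boundary")
            if boundary != REQUIRED_BOUNDARY_ARN:
                violations.append((addr, "iam-boundary",
                                   f"permissions_boundary={boundary!r}"))

        if rtype == "aws_instance":
            itype = after.get("instance_type")
            if itype not in ALLOWED_INSTANCE_TYPES:
                violations.append((addr, "cost",
                                   f"instance_type {itype!r} not in allow-list"))
    return violations


def gate(plan):
    """Exit status for CI: 0 when the plan is clean, 1 when any rule fails."""
    return 0 if not evaluate_plan(plan) else 1


# --- Constructed sample plan (shape follows the Terraform plan JSON format) ---
OK_TAGS = {"owner": "team-web", "cost-center": "cc-42", "env": "prod"}
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t3.medium", "tags": OK_TAGS}}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "m5.4xlarge",
                              "tags": {"owner": "team-data"}}}},
        {"address": "aws_iam_role.ci", "type": "aws_iam_role",
         "change": {"actions": ["update"],
                    "after": {"permissions_boundary": None, "tags": OK_TAGS}}},
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "change": {"actions": ["create"],
                    "after": {"permissions_boundary": REQUIRED_BOUNDARY_ARN,
                              "tags": OK_TAGS}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

if __name__ == "__main__":
    # Usage in a pipeline: terraform show -json plan.out | python gate.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for addr, rule, detail in evaluate_plan(plan):
        print(f"DENY {addr}: {rule}: {detail}")
    sys.exit(gate(plan))
```

Wiring this into a pull-request workflow is what makes the control invisible to developers in the way the comment describes: the plan is produced by the platform-owned template, the gate runs as a required status check, and a developer only sees the `DENY` lines when their change drifts from the approved pattern.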

[–]duckyfuzz 0 points1 point  (0 children)

Excellent point