Tag: Carlsberg (Page 2 of 2)

Introduction

This is part 2 of:

• Part 1: Using GitHub as a Software Development Platform improves Developer Experience
• Part 2: GitHub Advanced Security enables Shifting Security Left
• Part 3: GitHub Copilot drives better Developer Experience

Explaining how Carlsberg unifies development on GitHub and accelerates innovation with Copilot in more detail.

In the digital transformation journey of Carlsberg, the implementation of GitHub Advanced Security (GHAS) marked a significant shift towards embedding security directly into the developer workflow. This strategic move, part of our “Security First” initiative in Software Engineering, has not only elevated the security posture of our software development lifecycle but has also manifested in substantial time and cost savings by identifying and rectifying vulnerabilities prior to deployment.

Using GHAS to Scan for Vulnerabilities

Centralizing scanning in the GHAS platform eliminates concerns about the security configurations of developer workstations and the code contributions from external parties. By conducting security scanning centrally, we ensure consistent and thorough examination of all code, regardless of its origin. This approach not only streamlines our security processes but also enhances the security posture of our software, providing peace of mind and allowing our developers to focus on innovation and productivity raising the Developer Experience.

We use GHAS to scan for the following:

• Secrets: The inclusion of secret scanning within our workflow has been pivotal in detecting exposed secrets such as keys and tokens, preventing potential security breaches.
• Static Application Security Testing (SAST) with CodeQL: CodeQL’s integration allows us to perform comprehensive static code analysis, identifying security vulnerabilities and coding errors at their inception.
• Dependencies with Dependabot: Dependabot plays a critical role in our ecosystem by monitoring dependencies for known vulnerabilities and automatically suggesting updates or patches, thus maintaining the integrity of our software supply chain.
• Binaries and Containers: By incorporating tool plugins for CodeQL we enhance our ability to scan binaries and containers for vulnerabilities, ensuring a robust security framework across all components of our software.

Integration into Developer Workflow

The transformation brought about by GHAS in our developer workflow cannot be overstated. By embedding security checks directly into pull requests, GHAS ensures that every code change is automatically scanned for vulnerabilities before being merged. This integration not only streamlines the security assessment process but also empowers developers to address security issues in real-time. The proactive security posture facilitated by GHAS equips developers with the tools and insights needed to identify and rectify potential security flaws from the outset, fostering a culture of security awareness and responsibility. This approach significantly enhances the overall security of our software projects, contributing to a more secure and efficient development environment.

Centralized Security Scanning

Adopting GHAS as a centralized platform for security scanning has provided us with a command and control center for managing vulnerabilities emanating from both source code and dependencies. The Security Center dashboard offers a comprehensive overview of vulnerabilities, CVEs, and the most affected repositories, allowing us to prioritize and focus our remediation efforts effectively.

Since the inception of GHAS in our development practices, we’ve observed a notable reduction in security vulnerabilities, with over 30000 issues addressed. This achievement underscores the effectiveness of GHAS in enhancing our security posture, demonstrating its value not only in safeguarding our applications but also in supporting our broader business objectives of innovation and growth.

Conclusion

With GHAS and shifting security left into the developer workflow we’ve achieved remarkable success eliminating 600+ secrets from source code (now down to 0 and no secrets can enter our code now) and removing more than 30000+ security vulnerabilities and using AutoFix to constantly remediate vulnerabilities.

Introduction

This is part 1 of:

• Part 1: Using GitHub as a Software Development Platform improves Developer Experience
• Part 2: GitHub Advanced Security enables Shifting Security Left
• Part 3: GitHub Copilot drives better Developer Experience

Explaining how Carlsberg unifies development on GitHub and accelerates innovation with Copilot in more detail.

Navigating Complexity: The Challenge of Multiple Development Tools

In the fast-paced world of software development, managing multiple tools can become a bottleneck that impedes efficiency and innovation. At Carlsberg, our developers and engineers were navigating a complex toolchain landscape that included GitHub, GitLab, BitBucket, Azure DevOps, Jenkins, Nexus, SonarQube, and both Azure and AWS Container Registries. This multiplicity not only slowed down our processes but also fragmented our development environment, leading to increased context-switching and security vulnerabilities.

Unified Platform: Adopting GitHub for Streamlined Operations

The decision to streamline our development tools into a single, integrated platform came as a strategic move to enhance our operational efficiency and bolster security measures. We chose GitHub as our all-encompassing platform for several reasons:

• GitHub Source Control provides a robust system for tracking changes in computer files and coordinating work on those files among multiple people.
• GitHub Actions makes it easier to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub.
• GitHub Packages serves as a software package hosting service that allows you to host your software packages privately or publicly and use packages as dependencies in your projects.

By migrating from Jenkins to GitHub Actions, from SonarQube to GitHub’s integrated code scanning features, and from Nexus and various container registries to GitHub Packages, we were able to retire outdated systems and reduce our toolchain complexity significantly.

Enhanced Productivity and Security: The Benefits of Consolidation

The consolidation has profoundly impacted our software development operations by centralizing source control and unifying the development environment. Our engineers now enjoy a streamlined workflow with reduced context-switching, thanks to a centralized pipeline and improved build and deployment processes managed through GitHub Actions. The centralization of package management through GitHub Packages has also enhanced the efficiency of managing and sharing package dependencies.

By reducing our tools from nine to one, we’ve not only simplified our technology stack but also enhanced our capability to manage projects more effectively, ensuring that our software development practices continue to support Carlsberg’s legacy of innovation.

Future Focus: Continuing Innovation at Carlsberg

As we continue to refine our approach and leverage the full potential of GitHub, our focus remains on innovation and efficiency. The journey of consolidating our development tools has been a pivotal step in our digital transformation strategy, positioning Carlsberg at the forefront of technological advancement in the beverage industry.

I’m honored that GitHub have chosen to do a customer story on how we’re transforming software development in Carlsberg: https://github.com/customer-stories/carlsberg-group and a friggin awesome movie.

The movie was also used by Satya Nadella in the Build 2024 Keynote:

To provide a bit more background information I’ve written some posts:

• Part 1: Using GitHub as a Software Development Platform improves Developer Experience
• Part 2: GitHub Advanced Security enables Shifting Security Left
• Part 3: GitHub Copilot drives better Developer Experience