Securing your CI/CD pipelines with DevSecOps in 2023
Injecting Security in your CI/CD pipelines
DevOps is well known for the path-breaking changes it has brought in the software industry. The most prominent one is to bring the Dev and Ops team together, to work in sync at all times throughout the application development lifecycle. And the second is to automate pretty much the entire CI/CD pipeline. These two have been the most remarkable transformation brought to us by the DevOps process.
DevOps has been constantly finding ways to make the CI/CD pipeline more efficient and better. Today we cipf-es.org are going to discuss DevSecOps; the process aims to put a security blanket around the entire lifecycle.
In the older processes, the security check-in the older processes for the application used to happen at the later stages usually before the deployment. This practice would result in fixing last-minute code and testing issues which in turn delays the product release.
So, to accelerate the whole process DevOps uses the ‘Shift Left’ approach. The method focuses on bringing the security practice right from the early stages of the DevOps lifecycle. The key is to incorporate test and security at the beginning ensures speedy process.
Securing the application is not which means to be done at a certain point it needs to be done at every step throughout the process. Securing the application is a continuous process that’s why it’s called Continuous Assurance.
Now the question arises what do we need to check for the security?
Automated CI/CD processes are a critical component of DevOps infrastructure. CI/CD orchestration tools like Jenkins, CicleCI, Bamboo, TeamCity,Travis,Buddy etc are increasingly deployed in DevOps processes to improve processes, facilitate faster deployment of software and product delivery, and provide continuous cost reduction.
But we also need to keep in mind that these CI/CD tools are the biggest consumers of secret and confidential data and have access to a lot of sensitive resources such as other apps and services and information like codebases, credentials and databases.
Ensuring that our CI/CD pipelines are protected and secured and cannot be compromised, is a must.Hence we need to think about the ways to protect the pipeline itself.
Security Checks for CI/CD Pipelines
There are several security checks that needs to be performed:
Source Code Vulnerabilities– This check is related to security of the software. If the source code is not protected might be subjected to potential malicious attacks.
OSS Library Vulnerabilities– Well not just source-code, there are high chances that the open source library used in the application can have vulnerabilities.
OSS Version– Open-source libraries come in handy, but there are chances that after a few years that version may be deprecated. If deprecated then there might not be any maintenance or any replacement for the library.
Identifying Compromising Credentials- there is always a possibility of human error when dealing with secrets and credentials within your CI/CD pipeline. However we now have many tools that can scan for secrets and credentials which can be accidentally committed to a source code repository.
There are several other vulnerabilities that the application might be exposed to due to libraries, code infrastructure, or any exposures. So here are some ways as how do we check for Security?
Static Application system Testing (SAST)- The testing is primarily done before code compilation. The testing method analyses the code security vulnerabilities. It is also known as white-box testing. This test happens very early in the SDLC as it helps to fix the code issues.
Active and Passive penetration test (Dynamic Analysis) – The test is described as a dynamic analysis because it checks the system response to variables/parameters that are not constant. In easy language, it checks the application behaviour with real-time values.
Infrastructure Analysis- This involves scanning the actual environment like configuration, server status to understand and analyse the actual drift and what could be the fix for the drift.
These are some of the checks that are performed by the Build/Devops team to ensure a secure CI/CD channel.
You can also refer to our posts on CI/CD, Why Jenkins is so popular and Alternatives to Jenkins.
Understanding CI/CD in a DevOps Toolchain
What makes Jenkins everyone’s favourite in 2020
Jenkins is getting Old, so what are the alternatives in 2021 ?
Security Tools for CI/CD Pipelines
There are many Devops tools available in the market to perform these tests. Let’s have a look at a few tools:
Checkmarx– Facilitates the SAST testing to analyze the code vulnerabilities in the early stages. It can be easily integrated with any CI/CD tool or environment.
IMMUNIO- The tool provides cloud based solution to protect the web application from malicious attacks. The tools is unique because it does not continuously scan the application instead it focuses on possible vulnerabilities.
Aqua Security- The tool gives the security for containers throughout the CI/CD pipeline. The main feature is that it works with all platforms and clouds very well.Aqua security helps save the day, providing container security throughout the DevSecOps pipeline.
OWASP Zed Attack Proxy (ZAP) – One of the most popular tools to protect the web applications from potential threats. It produces ZAP Docker weekly which has all the common vulnerabilities listed.
Twistlock – A multifaceted tool which offers security to containers, hosts, and serverless components.
CyberArk: CyberArk provides a way to keep secrets out of your Jenkins master, off disk, and also out of source control. CyberArk provides a Jenkins plugin which can be uses to provide credentials to your Jenkins jobs at runtime. The plugin securely provides credentials that are stored in Conjur to Jenkins jobs.
WhiteSource: Another type of security risk for your CI/CD pipelines is the open-source vulnerabilities.WhiteSource is a tool that integrates into the DevOps pipeline, and runs continuously in the background, tracking the security, licensing, and quality of open source components and matching them against WhiteSource’s comprehensive database of open source repositories to provide real-time alerts
Chef InSpec: Inspec from Chef is also recommended for scanning your applications and infrastructure. Chef InSpec is an open-source (OSS) automated testing tool for integration, compliance, security, and other policy requirements.
Fortify Webinspect (MicroFocus): Fortify WebInspect is another dynamic application security testing (DAST) security tools that finds and prioritizes exploitable vulnerabilities in your web applications.
The list goes on as there are many more Devops tools available as per the need of the application.
Conclusion
So we now realise that baking security within your Devops CI/CD process is the need of the hour. With more and more organisations adopting and integrating CI/CD tools for their build, release and deployment process, keeping your CI/CD pipelines secure is more important than ever before.
In today’s world, just like quality, security is also a shared responsibility.
In this above post we have tried talking about importance of DevSecOps in your CI/CD pipeline and covered ways and tools that can help you implement standard security measures for pipeline security.
