Bamboo – DevopsCurry
https://devopscurry.com

Securing your CI/CD pipelines with DevSecOps in 2023
https://devopscurry.com/securing-your-ci-cd-pipelines-with-devsecops-in-2023/
Tue, 09 Mar 2021 17:03:38 +0000
The post Securing your CI/CD pipelines with DevSecOps in 2023 appeared first on DevopsCurry.

Injecting Security in your CI/CD pipelines

DevOps is well known for the path-breaking changes it has brought in the software industry. The most prominent one is to bring the Dev and Ops team together, to work in sync at all times throughout the application development lifecycle. And the second is to automate pretty much the entire CI/CD pipeline. These two have been the most remarkable transformation brought to us by the DevOps process.

DevOps has been constantly finding ways to make the CI/CD pipeline more efficient and better. Today we are going to discuss DevSecOps, a process that aims to put a security blanket around the entire lifecycle.

In the older processes, the security check for the application used to happen at the later stages, usually just before deployment. This practice would result in last-minute code fixes and testing issues, which in turn delayed the product release.

So, to accelerate the whole process, DevOps uses the ‘Shift Left’ approach. The method focuses on bringing the security practice in right from the early stages of the DevOps lifecycle. The key point is that incorporating testing and security at the beginning ensures a speedy process.

Securing the application is not something to be done at a single point; it needs to be done at every step throughout the process. Securing the application is a continuous process, which is why it is called Continuous Assurance.

Now the question arises: what do we need to check for security?

Automated CI/CD processes are a critical component of DevOps infrastructure. CI/CD orchestration tools like Jenkins, CircleCI, Bamboo, TeamCity, Travis, Buddy etc. are increasingly deployed in DevOps processes to improve processes, facilitate faster deployment of software and product delivery, and provide continuous cost reduction.

But we also need to keep in mind that these CI/CD tools are the biggest consumers of secret and confidential data, and have access to a lot of sensitive resources such as other apps and services, and information like codebases, credentials and databases.

Ensuring that our CI/CD pipelines are protected and secured and cannot be compromised is a must. Hence we need to think about ways to protect the pipeline itself.

Security Checks for CI/CD Pipelines

There are several security checks that need to be performed:

Source Code Vulnerabilities – This check is related to the security of the software itself. If the source code is not protected, it might be subjected to potential malicious attacks.

OSS Library Vulnerabilities – Not just the source code: there is a high chance that an open-source library used in the application can have vulnerabilities.

OSS Version – Open-source libraries come in handy, but there is a chance that after a few years the version in use may be deprecated. If deprecated, there might not be any maintenance or any replacement for the library.

Identifying Compromising Credentials – There is always a possibility of human error when dealing with secrets and credentials within your CI/CD pipeline. However, we now have many tools that can scan for secrets and credentials which have been accidentally committed to a source code repository.
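The credentials check described above is easiest to understand as a pipeline gate that runs over the files in a commit before the build proceeds. The following is an added example written for this post, not code from DevopsCurry or from any of the tools named later; the credential keywords, the entropy threshold, the placeholder rule and the sample files are all constructed assumptions. It combines two detection methods that secret scanners commonly use: fixed patterns for well-known credential formats (an AWS access key id, a PEM private-key header, a `password=`/`token=` style assignment) and a Shannon-entropy test on long quoted strings, which catches random API tokens that no keyword pattern would name. Values that are resolved at run time (`${VAR}`, `$(cmd)`, `<placeholder>`) are the pattern the post recommends instead of committed secrets, so the gate deliberately lets them through, and every reported excerpt is redacted so the build log never becomes a second copy of the leak.

```python
# Added example (not from the post): a pre-merge secret scan of the kind the
# "Identifying Compromising Credentials" check describes. Patterns, thresholds
# and sample files below are constructed assumptions, not any real tool's rules.
import math
import re
from dataclasses import dataclass

# Credential shapes worth rejecting outright. The AWS key id format and the PEM
# private-key header are public formats; the keyword list is an assumption.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['"]([^'"]{6,})['"]"""
    ),
}
# Any quoted base64/hex-looking string of 20+ characters is a candidate for the entropy test.
QUOTED = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
# Values injected at run time (${VAR}, $(cmd), <placeholder>) are what the post
# recommends instead of committed secrets, so they are not reported.
PLACEHOLDER = re.compile(r"<[^>]*>|\$\{[^}]*\}|\$\([^)]*\)")
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed cut-off that flags random tokens, not words


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted, so the build log never carries the secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random tokens score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value for a developer to locate it."""
    return "*" * len(value) if len(value) <= 8 else value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list:
    """Return every suspected secret in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # group 2 is the value for the assignment pattern; the others match the whole token
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if PLACEHOLDER.search(value):
                    continue
                findings.append(Finding(path, lineno, kind, redact(value)))
        for m in QUOTED.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", redact(value)))
    return findings


def run_gate(files: dict) -> tuple:
    """Scan every file of a commit; returns (passed, findings). Wire passed=False to a failed build."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return (len(findings) == 0, findings)


# Constructed sample commit. AKIAIOSFODNN7EXAMPLE is the example key id from AWS's
# own documentation; every other value here is made up for the demo.
SAMPLE_FILES = {
    "src/settings.py": (
        "DEBUG = False\n"
        'DB_PASSWORD = "hunter2-prod"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "src/app.py": "def handler(event):\n    return {'status': 'ok'}\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "deploy/ci.env": (
        'NPM_AUTH="mZ9xQ2vB7kL4pR8tW1yH5nJ3cF6gD0sA"\n'  # random token: caught by entropy only
        'DB_PASSWORD="${VAULT_DB_PASSWORD}"\n'  # resolved at run time: allowed through
    ),
    "README.md": 'Set API_TOKEN="<your token here>" before running.\n',
}

if __name__ == "__main__":
    passed, found = run_gate(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line} {f.kind} {f.excerpt}")
    print("gate:", "PASS" if passed else "FAIL")
```

Run against the constructed commit, the gate fails on four findings: the random `NPM_AUTH` token (entropy only), the private-key header, the hard-coded database password and the AWS key id; the `${VAULT_DB_PASSWORD}` reference and the README placeholder are not reported. The entropy threshold is the knob that trades false positives against misses, so in a real pipeline it is worth tuning it against a sample of the repository's own string literals before turning the gate on.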

There are several other vulnerabilities that the application might be exposed to through its libraries, code infrastructure, or other exposures. So here are some ways in which we check for security:

Static Application Security Testing (SAST) – This testing is primarily done before code compilation. The testing method analyses the code for security vulnerabilities. It is also known as white-box testing. This test happens very early in the SDLC, which helps to fix code issues early.

Active and Passive penetration test (Dynamic Analysis) – The test is described as a dynamic analysis because it checks the system's response to variables/parameters that are not constant. In simple terms, it checks the application's behaviour with real-time values.

Infrastructure Analysis – This involves scanning the actual environment (configuration, server status) to understand and analyse the actual drift and what the fix for the drift could be.

These are some of the checks that are performed by the Build/DevOps team to ensure a secure CI/CD channel.

You can also refer to our posts on CI/CD, on why Jenkins is so popular, and on alternatives to Jenkins:

Understanding CI/CD in a DevOps Toolchain

What makes Jenkins everyone’s favourite in 2020

Jenkins is getting Old, so what are the alternatives in 2021 ?

Security Tools for CI/CD Pipelines

There are many DevOps tools available in the market to perform these tests. Let’s have a look at a few of them:

Checkmarx – Facilitates SAST testing to analyze code vulnerabilities in the early stages. It can be easily integrated with any CI/CD tool or environment.

IMMUNIO – The tool provides a cloud-based solution to protect the web application from malicious attacks. The tool is unique because it does not continuously scan the application; instead it focuses on possible vulnerabilities.

Aqua Security – The tool provides security for containers throughout the CI/CD pipeline. Its main feature is that it works very well with all platforms and clouds.

OWASP Zed Attack Proxy (ZAP) – One of the most popular tools to protect web applications from potential threats. A weekly ZAP Docker build is published with all the common vulnerability checks listed.

Twistlock – A multifaceted tool which offers security for containers, hosts, and serverless components.

CyberArk: CyberArk provides a way to keep secrets out of your Jenkins master, off disk, and also out of source control. CyberArk provides a Jenkins plugin which can be used to provide credentials to your Jenkins jobs at runtime. The plugin securely provides credentials that are stored in Conjur to Jenkins jobs.

WhiteSource: Another type of security risk for your CI/CD pipelines is open-source vulnerabilities. WhiteSource is a tool that integrates into the DevOps pipeline and runs continuously in the background, tracking the security, licensing, and quality of open-source components and matching them against WhiteSource’s comprehensive database of open-source repositories to provide real-time alerts.

Chef InSpec: InSpec from Chef is also recommended for scanning your applications and infrastructure. Chef InSpec is an open-source (OSS) automated testing tool for integration, compliance, security, and other policy requirements.

Fortify WebInspect (Micro Focus): Fortify WebInspect is another dynamic application security testing (DAST) tool that finds and prioritizes exploitable vulnerabilities in your web applications.

The list goes on, as there are many more DevOps tools available depending on the needs of the application.

Conclusion

So we now realise that baking security into your DevOps CI/CD process is the need of the hour. With more and more organisations adopting and integrating CI/CD tools for their build, release and deployment process, keeping your CI/CD pipelines secure is more important than ever before.

In today’s world, just like quality, security is also a shared responsibility. 

In this post we have talked about the importance of DevSecOps in your CI/CD pipeline and covered ways and tools that can help you implement standard security measures for pipeline security.

Seven CI/CD tools you should know in 2021
https://devopscurry.com/7-ci-cd-tools-you-should-know-in-2020/
Fri, 09 Oct 2020 08:13:12 +0000
The post Seven CI/CD tools you should know in 2021 appeared first on DevopsCurry.
Popular CI/CD Tools in DevOps to know in 2021

There are various CI/CD tools available in the market which will enhance your DevOps culture in a game-changing way. However, the task of picking the perfect tool for your project can be unexciting and boring.

To make this process simpler and smoother, we are sharing some of the most popular CI/CD tools available in the market.

1. Jenkins

Jenkins is an open-source CI/CD tool in DevOps. It is a Java-based program. Jenkins is a self-contained program with packages for Windows, Mac OS, etc. It is so far one of the most popular CI/CD tools. Jenkins provides Docker images for running a server as well as agents.

  Features:
  • Easy installation and upgrade on various operating systems.
  • Simple user interface.
  • Works great with a huge community-based plugin resource.
  • It can easily distribute work across several machines.

2. Bamboo
Bamboo is a paid CI/CD tool in DevOps. It comes with a 30-day trial package. Bamboo is a CI server that automates software application release management. It includes development and functional testing, assigning models, marking updates, etc. Bamboo integrates closely with Jira Software, Bitbucket, and Fisheye.

  Features:
  • Bamboo can support up to 100 remote agents.
  • It creates images and pushes them to a registry.
  • Runs parallel batch tests.
  • Installation is pretty simple.
  • Built-in Git branching and workflows will automatically merge branches.

3. GitLab CI
GitLab CI is an open-source CI/CD tool in DevOps. It is a part of GitLab. GitLab is a web application with an API that maintains its state in a database. GitLab is designed to handle different aspects of the software creation life cycle. It allows commits to trigger builds, run tests, and deploy the code.

  Features:
  • GitLab Container Registry is a secure registry of Docker images.
  • It provides APIs for most features, so developers can create deeper integrations in the development process.
  • Keeps information secure with confidential issues.
  • Internal projects in GitLab allow inner sourcing of internal repositories.

4. Buddy
Buddy is an Open Source CI/CD tool in DevOps. Buddy lowers the entry threshold to DevOps. Delivery pipelines are used to build, test, and deploy the software. Buddy is designed to work with GitLab, Bitbucket, and GitHub. It uses Docker containers to build on and to monitor actions with DevOps.

  Features:
  • Supports major languages and frameworks.
  • Quick installation and configuration.
  • Integrates with AWS, Azure, WordPress, DigitalOcean, Shopify, etc.
  • It manages workflows with models for cloning, exporting, and importing pipelines.
  • Progress and logs are monitored in real time with unlimited history.
  • Fast to customize Docker-based images as an environment for testing.

5. TeamCity

TeamCity is a paid CI/CD tool in DevOps created by JetBrains. It is a Continuous Integration server with many powerful features. It helps to develop and deploy various projects. TeamCity runs on a Java environment. It integrates with Visual Studio and IDEs. It works well with Windows and Linux, with support for .NET and open stack.

  Features:
  • You can reuse the parent project settings and configurations for any sub-project.
  • It is possible to view build history and test history reports, pin, tag, and add favorites.
  • Flexible user management: it is easy to assign user roles, group users, use various user authentication methods, etc.
  • Provides better code quality.
  • It keeps the CI server healthy and stable in every condition.
  • Configure builds in a DSL.

6. Travis CI

Travis CI is a paid CI/CD tool in DevOps. It is a Continuous Integration service built to build and test projects. It automatically detects new commits in GitHub. After each commit, Travis CI builds the project and executes the tests. Travis CI supports Java, Node, PHP, Python, Perl, etc.

  Features:
  • Quick installation.
  • Deployment to multiple cloud services.
  • Auto deployment of builds that pass.
  • Supports Linux, macOS, and iOS.
  • Pre-installed apps on servers.
  • Supports various languages like C, C#, C++, Java, JavaScript, Perl, PHP, Python, R, Ruby, etc.

7. Circle CI
CircleCI runs cross-platform mobile apps, Python API servers, or Docker clusters. It supports agile development and release of software. CircleCI can be integrated with GitHub, GitHub Enterprise, and Bitbucket. It also hosts continuous cloud-managed integrations.

  Features:
  • Compatible with GitHub, Bitbucket, and Cloud Enterprise.
  • Faster testing.
  • Completely customizable.
  • Speedy setup and unlimited builds.
  • Supports languages like C++, JavaScript, PHP, .NET, Python, Ruby.
  • You can configure a customized environment with Docker support.
  • Forbids non-admins from making modifications.

These are some of the CI/CD tools most used by DevOps experts. Many other popular tools can be added to the list. Some of them are: Nevercode, Integrity, Strider CD, FinalBuilder, AutoRABIT, Buildkite, Wercker, Semaphore, CruiseControl, UrbanCode, Buildbot, Codeship, GoCD.
