by Vardhan NS | last updated on March 12, 2024

In this blog, I’ll focus on why security must be integrated into software delivery pipelines and how engineering a DevSecOps pipeline addresses that need. If you’d like to take a step back and learn the basics first, I urge you to read my earlier blog explaining what DevSecOps is all about.

Introduction - Need for a DevSecOps pipeline in enterprises

We all know that a CI/CD pipeline is at the heart of the software delivery process. What has received far less attention is how exposed the pipeline itself is to attack: it holds the source, the build secrets and the deployment credentials for every environment it serves, so compromising the pipeline compromises everything it ships.

With development teams shifting security practices to the left, attackers have started moving right, targeting the build, delivery and deployment phases instead. Supply-chain compromises of this kind were a major driver behind Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 2021), whose Section 4 is devoted to software supply chain security.

Traditionally, security was overlooked in the CI/CD side of ‘DevOps’. CI/CD pipelines are optimized for speed and scale, often at the expense of security controls. The idea behind DevSecOps is to bring a stronger security focus and policy compliance into that same DevOps process.

To read about the differences between DevOps vs DevSecOps, click here.

The vital role of ‘Security’ in CI/CD

Bringing ‘Security’ to CI/CD is an understated principle of DevSecOps. What people tend to forget is that the purpose of DevSecOps is not just to shift security left, but to prioritize it throughout the entire development process, from planning and coding to deployment and operations.

Why? Because a security threat can be introduced anywhere in the software supply chain, for example during the:

  1. ‘Coding’ stage, by developers pulling vulnerable code from compromised open source libraries
  2. ‘Build’ stage, by:
    1. Packaging compromised artifacts
    2. Using a compromised package manager
    3. Improper artifact signing, or injecting a malicious artifact that bypasses CI/CD security testing
  3. ‘Deployment’ stage, by:
    1. Deploying container images to production without verification or approval
    2. Not enforcing policy gates before promoting a build to the next stage in CI/CD
    3. Not verifying container image signatures
  4. ‘Production’/ ‘Maintenance’ stage, by:
    1. Ineffective secrets management, or passing credentials in plaintext through pipeline parameters and APIs
    2. Leaving ports open or abusing privileges
    3. Weak authentication or authorization

and more…

[Figure: security attacks in different stages of the SDLC]

Hence, without proper security checks, vulnerabilities accidentally introduced by developers go unnoticed, posing grave risks to business operations. Incorporating security into CI/CD helps identify and address them early in the development process, reducing the risk of security incidents and improving the overall security posture of the application.

What is a DevSecOps Pipeline? (means to achieve CI/CD Security)

A DevSecOps pipeline is nothing but a basic CI/CD pipeline integrated with security practices and tooling that perform activities such as code scanning, threat intelligence, automated security testing, policy enforcement, compliance validation, and more. The goal is to ensure that security is an integral part of the software development life cycle rather than being treated as a separate phase.

While DevSecOps refers to prioritizing security across the entire software development and delivery process, a DevSecOps pipeline focuses on ensuring that the CI/CD pipelines in particular are secure and not compromised by outside threats.

Enterprises that successfully build DevSecOps pipelines therefore not only improve release velocity and code quality, but also improve their application security posture. Now, let’s dig deeper and understand more about DevSecOps pipelines.

Understanding DevSecOps Pipelines

Let’s understand the many facets of DevSecOps pipelines – stages, phases, tools, etc.

DevSecOps Pipeline Phases

Since the words ‘stages’ and ‘phases’ are used interchangeably and inconsistently, in this blog the ‘phases’ of a DevSecOps pipeline are the phases that span the entire software development lifecycle.

An important point to note is that these phases are the same ones that make up a ‘DevOps pipeline’; what differs is the security practices and tools layered onto each of them.

Planning

This is the phase where you define security requirements for the project and make plans for security testing throughout the development lifecycle. Threat modeling is one such activity to identify potential security risks.

Coding

During this phase, teams must enforce secure coding practices and provide clear coding guidelines. Peer code reviews and static code analysis are performed to identify vulnerabilities in source code.

Building

During this phase, teams must ensure that trusted, secure build processes and tools are used for building and packaging. Common activities here are artifact signing, to ensure integrity and authenticity, and dependency scanning, to identify and address vulnerabilities in third-party libraries.

Testing

This is the phase where security testing takes center stage. Activities are: 

  • Dynamic application security testing (DAST) is done to simulate real-world attacks on the running application
  • Static application security testing (SAST) can be performed to analyze code for security issues
  • Penetration tests are conducted to identify and address security weaknesses in the application

Integration

During this phase, you need to scan the integrated components for security issues. Automated security regression testing can be performed here to confirm that security controls still hold once the components are combined.

Deployment

During this phase, you need to ensure security controls for Infrastructure as Code (IaC) and secure configurations at deployment time. Automated deployment verification tests (DVT) can be performed to verify the security of the deployed application.
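One concrete form of the deployment-time controls described above is a policy gate that evaluates the workload manifest before a build is promoted, and blocks it when the image is not pinned by digest or the container requests privileges it does not need. The block below is an added example written for this article, not OpsMx code or any product’s policy engine. Both manifests are constructed samples expressed as Python dicts (so no YAML library is needed), the registry name and the sha256 digest are placeholders, and the rule set is the one a gate most commonly enforces rather than anything the article prescribes.

```python
"""Policy gate run before a workload is promoted to the next environment.

Added example, not OpsMx code. It checks the settings a deployment gate most
often enforces: image pinned by digest, no privileged containers, no privilege
escalation, non-root user, read-only root filesystem, all capabilities
dropped, and resource limits present. Both manifests are constructed samples.
"""
import re

# Constructed: a Deployment that would sail through a pipeline with no gate.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "registry.example.internal/payments-api:latest",
            "securityContext": {"privileged": True},
        },
    ]}}},
}

# Constructed: the same workload with every finding below addressed.
# The digest is a placeholder, not a real image digest.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {
            "name": "api",
            "image": "registry.example.internal/payments-api@sha256:" + "3f2a" * 16,
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        },
    ]}}},
}

# Only an immutable digest reference pins the exact bytes that were scanned and signed;
# a mutable tag such as :latest can be repointed after the pipeline's checks ran.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_container(container, where):
    """Return the policy findings for one container spec (empty list if clean)."""
    findings = []
    image = container.get("image", "")
    if not DIGEST_RE.search(image):
        findings.append(f"{where}: image '{image}' is not pinned by sha256 digest")
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        findings.append(f"{where}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{where}: runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{where}: allowPrivilegeEscalation is not false")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{where}: readOnlyRootFilesystem is not true")
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        findings.append(f"{where}: capabilities.drop does not include ALL")
    if not (container.get("resources") or {}).get("limits"):
        findings.append(f"{where}: no resource limits")
    return findings


def evaluate(manifest):
    """Return every finding for a Deployment-like manifest; empty means the gate passes."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod.get(kind, [])):
            findings += check_container(c, f"{kind}[{i}] {c.get('name', '?')}")
    return findings


def gate_passes(manifest):
    """True only when no rule fired; the pipeline promotes the build on True."""
    return not evaluate(manifest)


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        findings = evaluate(manifest)
        print(f"{label}: {'PASS' if not findings else 'BLOCK'}")
        for f in findings:
            print("  -", f)
```

The gate fails closed: a missing `securityContext` is treated the same as an insecure one, so a manifest cannot pass by omitting fields. The same checks can be run against rendered Helm or Kustomize output in CI and again by an admission controller in the cluster, which is what "not enforcing policy gates" in the threat list above is meant to prevent.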

Monitoring and Incident Response

This phase requires continuous monitoring of the deployed application for security threats and anomalies. Setting up an incident response plan and establishing the SRE function are key to the whole process.

Feedback and Continuous Improvement

During this final phase, you should collect and analyze security metrics to assess the effectiveness of your security practices. You can generate reports and use the feedback to continuously improve your security processes, tools, and practices.

Stages of a DevSecOps Pipeline

Since the words ‘stages’ and ‘phases’ are used interchangeably and inconsistently, in this blog ‘stages’ means the individual activities within a phase; the examples below are stages within the ‘Testing’ phase of a DevSecOps pipeline.

These stages are more focused and may involve specific tools or processes related to a particular aspect of development or security. Some of the common stages are:

Dynamic Application Security Testing (DAST)

DAST is an essential component of security testing that helps organizations identify and address security issues in their applications during runtime. As explained earlier, it focuses on identifying vulnerabilities and weaknesses in running web applications by simulating real-world attacks.

Static Application Security Testing (SAST)

SAST is a security testing strategy that analyzes the source code, bytecode, or binary code of an application to identify security vulnerabilities and weaknesses without executing the program. It is conducted during development, primarily at the code level, and helps developers discover and address security issues early on in the software development lifecycle.
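To make the "without executing the program" point concrete, here is a minimal SAST rule set that works on the abstract syntax tree of Python source. It is an added example for this article, not a SonarQube or Checkmarx rule; the four rules (hardcoded credentials, shell command construction, dynamic code execution, unsafe deserialization) and the variable-name hints are my choices, and `SAMPLE_SOURCE` is a constructed snippet seeded with one instance of each.

```python
"""Minimal AST-based SAST rule set.

Added example, not a SonarQube or Checkmarx rule. It parses Python source
without executing it and reports four issue classes: hardcoded credentials,
shell command construction, dynamic code execution and unsafe
deserialization. SAMPLE_SOURCE is a constructed snippet with one of each.
"""
import ast

SAMPLE_SOURCE = '''
import os, pickle, subprocess

DB_PASSWORD = "Sup3rS3cret!"              # hardcoded credential
api_token = os.environ.get("API_TOKEN")   # fine: injected at runtime

def run(cmd):
    return subprocess.run(cmd, shell=True)  # shell=True with caller-supplied input

def load(blob):
    return pickle.loads(blob)               # unsafe deserialization

def calc(expr):
    return eval(expr)                       # dynamic code execution
'''

# Variable names that suggest a credential when assigned a string literal.
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")


def _dotted_name(call):
    """'subprocess.run' for subprocess.run(...), 'eval' for eval(...), '' otherwise."""
    node, parts = call.func, []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _is_string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def scan(source):
    """Return (rule, line, message) tuples for `source`, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_string_literal(node.value):
            # A credential read from the environment is a Call, not a literal, so it is skipped.
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    findings.append(("hardcoded-secret", node.lineno,
                                     f"{target.id} is assigned a string literal"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node)
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if name == "os.system" or (name.startswith("subprocess.") and shell_true):
                findings.append(("shell-injection", node.lineno, f"{name} runs through a shell"))
            elif name in ("eval", "exec"):
                findings.append(("code-exec", node.lineno, f"{name}() executes runtime data"))
            elif name in ("pickle.load", "pickle.loads"):
                findings.append(("unsafe-deserialization", node.lineno,
                                 f"{name} on untrusted bytes can execute code"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule, line, msg in scan(SAMPLE_SOURCE):
        print(f"line {line:>3}  {rule:<24} {msg}")
```

Because the analysis runs on the syntax tree rather than on text, `subprocess.run(["ls"])` with a list argument and no `shell=True` is not flagged, while a regex-based check would have to special-case it. Real SAST tools add data-flow tracking so that `eval` on a constant is not reported but `eval` on request input is; this example reports every call, which is the usual trade-off between false positives and missed findings.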

Security Unit Testing

As you might be aware, ‘Unit Testing’ is an essential software development practice, where individual units of code are tested to ensure they perform as expected. Security Unit Testing extends this process to specifically focus on identifying and addressing security-related issues at the unit level.

Penetration Testing

Also referred to as pen testing or ethical hacking, this involves simulating a cyberattack on a computer system, network, or application to identify and address security vulnerabilities. The goal is to evaluate the security posture of a system and discover potential weaknesses before malicious actors can exploit them.

Software Composition Analysis (SCA)

SCA is the practice of analyzing and managing the open-source and third-party libraries used in software. The goal is to identify and address security vulnerabilities, licensing issues, and other risks associated with using third-party or open source packages and libraries in a project.
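The dependency scanning named in the Building phase and the SCA stage described here come down to the same gate: resolve what the build actually depends on, refuse anything that is not pinned to an exact version (otherwise the build cannot be reproduced or audited), and match the pinned versions against an advisory feed. The block below is an added example written for this article, not a real SCA product. `LOCKFILE` is a constructed sample. The two advisory entries are real published CVEs copied by hand so the matching has something to match; a real gate pulls them from a live feed. Version comparison is a simplified numeric compare, not full PEP 440.

```python
"""Dependency gate for the Build phase and the SCA stage.

Added example, not a real SCA product. It parses a pinned requirements file,
fails on any dependency that is not pinned to an exact version, and matches
pinned versions against a small advisory list. LOCKFILE is a constructed
sample; the advisories are real CVEs copied by hand for the example.
"""
import re

LOCKFILE = """\
# constructed sample: requirements.txt produced by a build
requests==2.25.1
PyYAML==5.3.1
cryptography>=3.0          # range, not a pin: the build is not reproducible
urllib3==1.26.18
"""

# Affected if introduced <= version < fixed. Package names are pre-normalized.
ADVISORIES = [
    {"id": "CVE-2023-32681", "package": "requests", "introduced": "2.3.0", "fixed": "2.31.0",
     "summary": "Proxy-Authorization header leaked to the destination on HTTPS redirect"},
    {"id": "CVE-2020-14343", "package": "pyyaml", "introduced": "0", "fixed": "5.4",
     "summary": "arbitrary code execution via full_load() of untrusted YAML"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def normalize(name):
    """Package names are case-insensitive and '-', '_' and '.' are equivalent (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """'2.25.1' -> (2, 25, 1); simplified numeric compare, not full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version, introduced, fixed):
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def parse_lockfile(text):
    """Return (pinned: {normalized name: version}, unpinned: [requirement line])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)           # ranges, URLs, editable installs: not reproducible
    return pinned, unpinned


def evaluate_lockfile(text, advisories=ADVISORIES):
    """Gate verdict: passes only if everything is pinned and nothing matches an advisory."""
    pinned, unpinned = parse_lockfile(text)
    vulnerable = [
        {"package": adv["package"], "version": pinned[adv["package"]], "id": adv["id"],
         "fixed": adv["fixed"], "summary": adv["summary"]}
        for adv in advisories
        if adv["package"] in pinned
        and is_affected(pinned[adv["package"]], adv["introduced"], adv["fixed"])
    ]
    return {"unpinned": unpinned, "vulnerable": vulnerable,
            "passed": not unpinned and not vulnerable}


if __name__ == "__main__":
    result = evaluate_lockfile(LOCKFILE)
    print("PASS" if result["passed"] else "BLOCK")
    for line in result["unpinned"]:
        print(f"  unpinned: {line}")
    for v in result["vulnerable"]:
        print(f"  {v['id']}: {v['package']}=={v['version']} (fixed in {v['fixed']}): {v['summary']}")
```

Run it on the constructed lockfile and the build is blocked for three reasons: `cryptography` is a range rather than a pin, and the pinned `requests` and `PyYAML` both fall inside a known-vulnerable range. Bumping to `requests==2.31.0` and `PyYAML==5.4` and pinning `cryptography` turns the verdict to PASS. Running the same check in the Build phase, rather than only in a periodic SCA report, is what stops a vulnerable library from ever being packaged into an artifact.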

While these are just some of the common stages, specific activities will vary from team to team. Now let’s move on to the last topic in this blog – the various tools that make up a DevSecOps pipeline.

DevSecOps Pipeline Tools

DevSecOps pipelines leverage a variety of tools to integrate security into the software development lifecycle. Let me name at least one tool for each phase of a DevSecOps pipeline:

[Figure: DevSecOps pipeline tools by phase]

Planning

Jira: This is a popular issue-tracking and project-management tool used by product and engineering teams for planning and managing sprints and tasks, including security-related tasks.

Coding

During the coding phase, teams employ numerous tools to tackle different security issues. Here are a few popular ones:

SonarQube: Used for continuous inspection of code quality, security, and providing static code analysis.

Checkmarx: Used for static application security testing (SAST) to identify and remediate security vulnerabilities in source code.

Building

Maven/ Jenkins: Maven is a popular build tool, usually used in combination with a CI tool like Jenkins.

Testing

Testing is one of the essential aspects of ‘DevSecOps’. With security testing shifting to the left, the following are some of the tools commonly used by developers in a DevSecOps pipeline to scan code and keep vulnerabilities at bay.

OWASP ZAP (Zed Attack Proxy): This is an open-source security testing tool used to find vulnerabilities in web applications during dynamic application security testing (DAST).

Burp Suite: This is a web application security testing tool used for manual and automated security testing, including penetration testing.

Integration

Jenkins: This is an open-source CI tool used for building, testing, and deploying code. Jenkins is primarily a CI tool, but it can also be used for CD and extended with plugins for security scanning and other security activities.

Deployment

OpsMx SecureCD: This is a software delivery/ deployment tool that can help you achieve your DevSecOps goals. It is designed specifically for enterprise security and compliance and helps teams automate approvals, block vulnerabilities, and enforce policy compliance.

Monitoring and Incident Response

Tools popularly used for monitoring, logging and incident response are: 

Splunk: It is a tool for searching, monitoring, and analyzing machine-generated data, including logs and security events. 

ELK Stack (Elasticsearch, Logstash, Kibana): This is an open-source log management and analysis solution for monitoring and detecting security incidents.

Feedback and Continuous Improvement

OpsMx SecureCD: OpsMx SecureCD can again be used to improve your DevOps/ DevSecOps process. It provides a DevSecOps dashboard to analyze the security posture of applications, understand application health, past deployment status and make improvements over the software lifecycle.

Achieving Continuous Security: Building a DevSecOps Pipeline with OpsMx

OpsMx can play the mediator in your delivery process by integrating with a number of tools and automating a variety of workflows. OpsMx’s different modules enforce timely security checks and ensure smooth automation during delivery verification, approvals, and audits.

Vulnerability checks - pre and post deployment

Vulnerabilities are inevitable. They can be reported at any time during the SDLC – either during the development phase, or when the code is being tested in staging or worse, after it is deployed to production.

OpsMx’s DBOM (Delivery Bill of Materials) can work in conjunction with security tools such as Aquasec for dynamic vulnerability (code) tracing. You can extend this level of security to dependencies by enabling automated dependency validations for every build and secure your entire supply chain.

Approvals and Verifications

We understand that software delivery in enterprises is very complex thanks to stringent internal and external policies. Teams may need approval from one or more people to pass the code onto the next stage in the pipeline. Deployment verifications need to be done to ensure integrity and authenticity.

OpsMx’s Deployment Firewall can automate policy gates to ensure DevOps (or delivery) velocity. It can also analyze open or broken firewall rules, automate policy checks, deployment verification, and even perform rollback when needed.

Audit & Compliance

Depending on the industry an organization operates in, there are stringent rules and regulations it has to comply with. Policy compliance plays a crucial role in helping organizations adhere to those regulations.

The Deployment Firewall’s policy-driven automated compliance checks act as guardrails and block the release of insecure or non-compliant code. In fact, support for popular regulatory regimes such as FedRAMP, PCI and HIPAA is built into our system. The Deployment Firewall can also create deployment audit and attestation reports for when auditors come knocking for proof of the actions taken around an incident.

DevSecOps Control Plane

One of the biggest challenges today in enterprise software delivery is visibility. There is a lack of deployment/ delivery visibility, there is a lack of visibility in the health status of applications, and mainly a lack of visibility into the security posture of applications. 

OpsMx’s DevSecOps Control Plane can automatically discover the application delivery and deployment process, gather, synthesize, and correlate data from across the full set of DevOps and security tools. By providing a unified view across all teams, tools and processes, OpsMx supports collaboration between siloed users.

If you have any questions around implementation of the features discussed above, then feel free to contact one of our Secure CD experts.

About OpsMx

OpsMx is a leading innovator and thought leader in the Secure Continuous Delivery space. Leading technology companies such as Google, Cisco, Western Union, among others rely on OpsMx to ship better software faster.

OpsMx Secure CD is the industry’s first CI/CD solution designed for software supply chain security. With built-in compliance controls, automated security assessment, and policy enforcement, OpsMx Secure CD can help you deliver software quickly without sacrificing security.

OpsMx Deploy Shield adds DevSecOps to your existing CI/CD tools with application security orchestration, correlation, and posture management.

Vardhan NS

Vardhan is a technologist and a marketing professional, currently working as a Sr. PMM at OpsMx. His strength lies in understanding complex technologies and explaining them in uncomplicated ways. Vardhan is a passionate product marketer with a keen focus on content, helping brands position themselves uniquely with clear messaging and competitive differentiation. Outside of work, he is an athlete who is passionate about football, swimming and surfing.

