Securing software releases and deliveries is one of the top priorities amongst DevSecOps, DevOps, CloudOps and Engineering teams. Security is becoming costlier day by day and the impact is enormous. Disruption or loss of business besides loss of reputation are the most common outcomes.
Security breaches can happen within any given stage of the software delivery supply chain and not necessarily at the code or the infra level. The below illustration provides insights into some of the attack vectors that lead to breaches and how the vulnerabilities can be injected at different states of the end-to-end software supply chain (from code to cloud). These breaches could be intentional or unintentional.
Assessing and Addressing The Attack Vectors Using Appropriate Security Checks?
Ideally, these breaches or vulnerabilities can be fixed by inserting automated security checks at different stages within your end-to-end workflow. The following section provides insights into what these security checks are and where to apply them to counter the attack vectors (please refer to the illustration and the description below).
Vulnerability Scanning and Static Code Analysis
Today’s enterprises use specific tools like Sonarqube, Appscan, etc. to identify vulnerabilities within code. Ideally, and if this is automated with a business-rule or a policy enforcement that no-code should be deployed without scanning or the scanning stage being successful then it ensures that even the intentional breaches do not go unnoticed. In fact, the enterprises operating within regulated industries such as banks, there’s a mandate, which requires banks to ensure no deployments happen without the code being scanned and they have to furnish an audit report for each deployment in a specific time frame. Breaches if any are notified and an informed decision can be automated, for example, terminate the pipeline.
Securing, Verifying and Attesting Builds
This particular stage within the software supply chain is often overlooked. This stage can be appropriately used to improve kernel security and avoid vulnerabilities causing security attacks, as an example. These vulnerabilities can be injected through dependencies or third party libraries required for build creation, outside the knowledge of DevOps or Engineering team. Ideally, this can be addressed by scanning the dependency files, by applying spoof checks to ensure builds are verified. Builds are then attested upon successful security checks and data stored for audit purposes. There are additional security checks to ensure the build server is not spoofed or compromised.
This is an important security check that is applied to check that the configurations, files, code or infrastructure is not altered from its ideal / desired state. The alteration may happen with or without an intention, which leads to security breaches. Policy orchestration can be used to determine if there are any alterations and subsequent policy violation notifications can be sent across to specific stakeholders. The version control is applied to all the assets including code, configurations, manifests, etc., to track alternation, resources who triggered alterations, and even the person who approved alterations manually, for audit purposes.
Release Autonomy, Compliance and Governance
A lot of enterprises I’ve worked with care about visibility into how the software is getting deployed and where it is getting deployed for versions and branches. Enterprises obtain complete visibility and traceability into what is getting deployed where. Policy checks for compliance automation can be automatically applied to verify releases and deployments.
Security Checks during Infra Provisioning
It is important for enterprises to apply security checks as a part of configuration while provisioning infrastructure as opposed to an afterthought when something goes wrong. For example: a bank would care more about provisioning the right infrastructure to a netbanking team with specified hardware configurations but also the right security checks (while provisioning the infrastructure). These configurations can be tracked and version controlled in a GIT. The common examples of these security checks are: server should have a private ip, encryption should be enabled, security scanning to be enabled, etc. As a matter of fact the infra doesn’t get provisioned if the security checks are not met. This is done using custom stages within the workflow with a no-code no-script approach where all incidents / activities are automatically updated in the governance tools – for example, jira or servicenow.
There are multiple infrastructure scanning tools available that are currently being used by the enterprises but more importantly, it’s about managing and acting upon an outcome of the scanning job – kill the pipeline, notify stakeholders, identify and fix the issue and automate the process in a repeatable manner. Enterprises can leverage third party tools or native cloud capabilities available on GCP, AWS or Azure and a lot of automation can be applied here. The purpose of automation is to shrink the preparation time for production deployments and accelerate the delivery of the software (up to 10x increase in specific cases)
Security Guardrails and Pipeline Governance
SSD enables RBAC for tight governance and insights into who is doing what, when and where. It creates guardrails into access and execution of activities / jobs within an end-to-end pipeline. With policy orchestration the enterprises are able to meet security and governance compliances for example: Setting up Separation of Duties as a part of SOX implementation. Any policy violation will notify the respective teams along with the ability to decide the outcome of the stage (send it for manual review, kill the process or proceed further in case of no violation)
Delivery Integrity & Attestation
This is to ensure that no one compromised on the infrastructure whether the infra is used for internal activities (build, artifacts – aquasec) or as a deployment destination. Besides this, enterprises may want to attest the verification of infrastructure for compliance and audit perspective, which can be automated eliminating any manual intervention.
Deployment Verification, Branch Verification, CVE checks
Post deployment, not just the performance verification but the deployment / security verification should be automated with the help of custom stages to perform these checks. For example: you would like to ensure that only the intended code got deployed. Enterprises may want to apply policy checks before any stage to verify the provenance of pipeline, code, configurations but also a check on the person executing that activity (in case it’s manually triggered). A check on branch and CVEs is performed in an automated manner ensuring there are no vulnerabilities or compromises done. This requires deep insights into your end-to-end pipeline, specific jobs within the workflow, as well as ability to map a user within a group designated for a specific job. RBAC serves as the most ideal approach to enable the guardrails.
Audit and Traceability of the Delivery Chain
In the majority of cases Audit is performed as an activity, which is “after the fact”. Enterprises collect data, logs, etc., to analyze and represent details around a sequence of activities that may have or may not have led to a particular incident. Nevertheless, it is an extremely time consuming manual activity. It need not be that painful. In fact some of the enterprises I’ve worked with are mostly audit-ready. With a press of a button they would know who did what when and where, besides getting into the specifics and perform a search on going from code to prod, going from pod in prod to CVEs, backward tracing, and audits around pipeline executions, deployments, or policy violations, etc. All of this is visually represented on the dashboard with drill down capabilities.
How can we ignore the importance of including secrets management capability and not let credentials float within the code through your pipelines. This is one another reason for common security breaches. This typically happens when you have different teams responsible for different activities which get transitioned over to other teams as part of manual or disjointed workflow. With the transitions secrets get exposed creating a threat. Including vault or any other secret management tool and setting it up as an integral component of your software delivery supply chain and associated tools is extremely important.
How To Implement These Security Checks? Are These Available Out-of-the-box?
The answer is “Yes”. This is currently being achieved at some of our recent implementations done with our customers. OpsMx Secure Software Delivery comes bundled with specific modules that offer capabilities to secure your software release and delivery. In short SSD is capable of implementing all above use cases with a no-code, no-script approach.
Please request the recent SSD capabilities doc from your OpsMx representative, but the out of the box features and capabilities that come bundled are not restricted:
1. Role Based Access Control (RBAC)
2. Digital sign offs / Attestation
3. Audit reports and dashboards
4. Policy-orchestrated governance (Policy as Code)
5. Infra as code
6. Secrets management
7. Automated verification for build, code, deployments and security scans
8. Custom stages to automated security checks at different stages of the end-to-end pipeline.
9. Out of the box integrations with 70+ DevOps tools
10. Custom stages to trigger tasks from these tools
11. Intelligent gates for automated approvals, notifications (upon verification failures or policy violations
12. Smart GitOps for end-to-end automation with complete visibility and inisghts
OpsMx Secure Software Delivery is used by world’s leading enterprises line, CISCO, Western Union, and Google to not only accelerate software delivery cycle but to also apply security checks to an end-to-end software delivery supply chain, eliminate vulnerabilities and operate safer and faster.
For beginners or a matured enterprise, securing software deliveries is the #1 priority. Having extensive experience of working with DevOps, DevSecOps, and Cloud Ops teams, SSD has been built ground up with capabilities around IAC, PAC, Secrets and Security Management to ensure complete security around software delivery supply chain.
Contact us to obtain a blueprint of securing your software delivery supply chain.
Founded with the vision of “delivering software without human intervention,” OpsMx enables customers to transform and automate their software delivery processes. OpsMx builds on open-source Spinnaker and Argo with services and software that helps DevOps teams SHIP BETTER SOFTWARE FASTER.