Integrate Security Into DevOps and IaC
This article provides recommendations on implementing security into your CI/CD and infrastructure as code pipeline, and most importantly, how to enable both security and DevOps to start speaking each other’s languages.
Save to Folio
There is no question that gets asked more by security teams, as they are typically brought into the DevOps world once the CI/CD pipeline is already built and clients are asking about compliance, security, and internal company regulations. Without the background on the process of building the pipeline, it can be complicated for security teams to comprehend all the stages in the process. Conventionally, the focus of DevOps teams is not on security, it’s on building applications and delivering them on time, but who is to say that can’t be done securely? Let’s dive into the main pain points.
Download the e-book version: How Can We Integrate Security into DevOps and Infrastructure as Code Pipelines?
The “Big” Challenge of Integrating Security and Overcoming It
Generally speaking, if you mention words like Ruby, Go, Node.JS, Java, or Python, security teams aren’t necessarily going to be able to join into the conversation—to no fault of their own. When DevOps was just becoming popular, security teams weren’t deemed responsible for the verification of the development pipeline. Back then, and even now, the security code within the pipeline depended on the knowledge of the developers and best practices they relied on for their development process. Now, with the more recent introduction of DevSecOps, a new set of tools have been introduced to automate security and incident response. This provides more of an incentive for security to learn the language of DevOps and work together.
It won’t be long until security teams start adapting and accepting this new reality. Working together starts with an understanding of one another’s processes. If security teams understand the pipeline process, they can start planning security in the very early stages of any new application. Applying security directly into the integrated development environment and CI/CD pipeline will lead to faster detection and response of new security flaws that may be introduced and give developers real-time feedback to fix it.
To embrace a DevSecOps culture, a company needs to look at cross training their teams, for instance, teaching developers about security and educating security professionals on development processes and how to build new applications on demanding timelines. When we better understand one another, we can learn to speak each other’s language and work better as a team without so much friction. Now, the mention of programming languages won’t make security teams look at you with confusion and they may even understand how APIs can automate mundane tasks. Wouldn’t that be nice?
Imagine if your security team had the knowledge to write and understand an automation script in Python, Node.JS, or any other scripting language that would allow them to manipulate APIs to automate the regular day-to-day work. Many organizations are automating security processes and technologies for more effective and efficient security. This would include the use of APIs across build pipelines and runtime platforms and environments, but security needs to understand how it all works. If your company is not well adapted to the new world, you may start to face some very complicated challenges.
Nine Security Recommendations to Begin Implementing into Your CI/CD Pipeline
The methods below could be applied to monolithic applications or microservices applications using technologies like container, serverless, or cloud-native solutions.
- Unit Testing
This type of security verifies individual and small units of a software. Developers could use this to test if the right function is providing the right return, or to ensure a change/update in a small function isn’t affecting the results from the application.
- Static Application Security Testing (SAST)
SAST is more commonly known as “white box testing”. This type of security testing gives developers the ability to find source-code vulnerabilities earlier in the software development life cycle (SDLC), which can help you remediate the code faster. SAST solutions analyze an application from the “inside out” in a non-running state.
- License Scanning
This scanning tool helps you find what licenses your project uses in its dependencies, and decides whether to allow it or not.
- Dynamic Application Security Testing (DAST)
DAST is more commonly known as “black box testing”. This type of security testing allows you to find security vulnerabilities and weaknesses in web apps without a view into the internal source code.
- Dependency Scanning
Many applications use external libraries or packages from open-source projects. This technique helps to automatically find vulnerabilities in your dependencies while you are developing and testing applications.
- Container Scanning
This technique analyzes container images for known vulnerabilities, secrets, compliance checklists, and malware. You will want to execute this at all stages of the SDLC to help operations teams gain a clearer picture of what the security concerns are inside the container before they are sent to the production environment.
- Runtime Protection
This layer of security is used on physical or virtual machines to protect the OS and/or container engines. If the OS were to be compromised, it could cause a Denial of Service (DoS) from all the containers running on that container host or node. This solution can help you to protect against malware and vulnerabilities, as well as assist with the audit process using features like file integrity monitoring, log inspection, and application control.
- Privileged Container Security
This is where the container uid 0 is mapped to the host’s uid 0. In such containers, protection of the host and prevention of escape is entirely done through Mandatory Access Control, seccomp filters, dropping of capabilities, and namespaces. Those technologies combined typically prevent any accidental damage to the host. There are some concerns with this security capability. If you are giving the privileged container full access to the host, it could potentially impact all the containers running on it if something goes wrong.
- Runtime Application Self-Protection (RASP)
RASP works inside the application as a security framework that monitors and continuously inspects traffic to the application. RASP dynamically intercepts the traffic that is deemed malicious, protecting you from SQL injection, cross-site scripting (XSS), vulnerabilities, bots, and many other web application attacks. A RASP security framework is attached at the start of the SDLC, making the application secure by default. This security concept can be used in web applications, containers, and serverless.
These are just a few of the many security layers you can integrate into your DevOps pipeline. With a strategic approach, you can slowly begin to implement the proper security layers to gain assurance that your pipeline is secure, while continuing to move quickly.
Below is an architecture that shows how to layer in security at different steps in the DevOps pipeline:
Three Ways to Add Security into Your Infrastructure as Code (IaC) Pipeline
Now that we have more information on implementing security into the CI/CD pipeline, let’s continue by discussing how to add security checks for misconfigurations in your IaC.
According to Gartner, “Through 2023, at least 99% of cloud security failures will be the customer’s fault.”1 Gartner also states, “Through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”1
This statistic is mainly associated with misconfigurations in the cloud infrastructure. It is so important to have visibility and a process for real-time feedback, as it gives developers more information about the IaC before they build. Without the proper information, a developer could unknowingly start to build in a new cloud environment with security flaws that could generate a lot of headaches for your company.
- Integrated Development Environment Security Plugin
This type of plugin is designed to get real-time feedback to developers on the IaC and application development. Developers can scan and fix issues in the development environment workspace without any additional security tools to detect issues—shifting security the farthest to the left possible.
- Template Scanner
This scanner uses APIs directly within the security platform to integrate with custom tools or specific use cases in CI/CD pipelines. The scans provide real-time checks every time you push new code. The results can be shared with developers and cloud architects, providing them with the information they need to monitor any issues before going to production.
- Cloud Security Posture Management (CSPM)
A security tool to detect misconfigurations in multiple cloud service providers. This technology can integrate with DevSecOps capabilities to help with auto-remediation capabilities in your cloud infrastructure. It can also help organizations gain a coherent picture of security and compliance risks across multi-cloud environments.
As we continue to evolve, every company will need to re-think its current cybersecurity strategy for cloud workloads, containers, and serverless environments. At the end of the day, the successful integration of security into the DevOps pipeline comes down to ensuring that security teams are involved in the early stages of the project. Utilizing this approach will help to facilitate more reliable communication and integration between the DevOps and security teams, resulting in higher quality outcomes and better security for applications.
1 Gartner, Inc.; Innovation Insight for Cloud Security Posture Management; 25 January 2019 | G00377795