Feb 25 · 9 min read
With a global workplace and endless numbers of useful tools, it might be too easy to forget that it’s not only your developers and your teams who need access, but also contractors and other external parties contributing to your work, and APIs from other systems assisting with automation. Be pedantic in the access you give, and limit it based on the nature of work for each individual and group.
The authentication granted between your different systems, so that they can operate smoothly, is referred to as a trust relationship. Inevitably though, there are many threats and vulnerabilities in the essential components and interactions of the continuous deployment pipeline. While some of the innate threats can be attributed to vulnerabilities in the tools themselves, most issues are related to either improperly configured access or unencrypted transfer of information.
The deceptive notion that you have created “trust relationships”, combined with the large amounts of sensitive, inadvertently stored data, can lead to disaster. Make sure you know which application is “talking” to which applications and when, what kind of data they’re sharing, and so forth.
Misconfigurations can leave doors wide open. Make sure your Git is secure, keep your .git files private, and monitor your Kubernetes configurations as well. You should also implement data policies, and make sure that your sensitive data is properly encrypted.
Data and code leaks are the two biggest dangers in your pipeline, and so these should be your focus when prioritizing. One study recently found that “hundreds of thousands of API and cryptographic keys leaked at a rate of thousands per day,” in GitHub alone. Start protecting against these leaks by securing all of your credentials and secrets. After all, secrets should be kept secret. And as recently reported by SANS in their 2019 Cloud Security Survey, “In 2019, almost 50% of all breaches came from the misuse of credentials, frequently found in code.”
Implement processes that spell out where and how credentials for access to cloud resources and toolchains should be stored. Otherwise, developers are likely to either inadvertently hard-code credentials for simplicity’s sake or use environment variables. While it’s true that the latter is certainly preferable to the former, neither is secure enough: an attacker who can dump a process’s environment variables gets all the information they need to exploit other resources.
HashiCorp, for example, helps you manage all of your credentials and secrets across the entire organization seamlessly, simplifying the use of those credentials by your teams. Similarly, GitLab offers native automated secrets detection for your repositories, and Azure offers its own vault for proper secrets management.
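The two preceding paragraphs make the case against hard-coded credentials and for automated secrets detection in repositories. The following is an added example, not code from the original post or from any of the tools it names: a small scanner of the kind a pre-commit hook or pipeline stage would run over source files. It combines fixed patterns (an AWS access key id shape, a PEM private-key header, a credential-looking variable assigned a quoted literal) with a Shannon-entropy heuristic for long token-like literals. The sample source, the rule set, and the entropy threshold of 4.0 bits are all assumptions constructed for this example; the AWS key id is the placeholder value from AWS’s own documentation, not a real key.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a file pulled from a repository. None of these values
# are real credentials; the AWS key id is the placeholder from AWS documentation.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
api_token = os.environ["API_TOKEN"]
cache_key = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA"
log_prefix = "deployment-pipeline-stage"
-----BEGIN RSA PRIVATE KEY-----
timeout_seconds = 30
"""

# Rule-based patterns, checked first. Each entry is (rule name, compiled regex).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # A credential-looking variable name assigned a quoted literal. A reference to
    # os.environ or a vault client has no quoted literal, so it is not matched.
    ("credential_assignment",
     re.compile(r"(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*=\s*['\"][^'\"]+['\"]")),
]

# Fallback heuristic: any token-like quoted literal of 20+ characters whose
# Shannon entropy is high enough to look like a generated key rather than a word.
TOKEN_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(text, entropy_threshold=4.0):
    """Return one finding per suspicious line as (line number, rule name).

    The threshold is an assumption chosen for this example: base64-looking
    generated secrets usually score above it, while words and identifiers do not.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = next((name for name, rx in RULES if rx.search(line)), None)
        if rule is None:
            m = TOKEN_LITERAL.search(line)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                rule = "high_entropy_literal"
        if rule:
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    # Report line numbers and rule names only; never echo the matched value itself,
    # so the scanner's own output does not become another place the secret leaks.
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

On the sample above the scanner flags the AWS key id, the hard-coded password, the high-entropy `cache_key` value (which no name-based rule would catch) and the private-key header, while leaving the `os.environ` lookup and the low-entropy `log_prefix` string alone. The entropy heuristic is deliberately a fallback: it trades some false positives for coverage of secrets stored under innocuous names, which is why a real deployment tunes the threshold and keeps an allow-list for known fixtures.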
A lot of the advice we’ve offered up until now relies on visibility, proper tools to support you, and awareness. Part of the awareness component is syncing between individuals and groups, and making sure everyone is on the same page.
As part of this, it’s important to outline your development processes in a way that is adaptable to your specific ecosystem and organization, making sure you identify who owns which roles and responsibilities, and governing and updating those processes on an ongoing basis as things change. This can all feel hard to handle, but when everyone is included, it can be much easier to delegate, administer, monitor and keep it all together.
It’s particularly important that you involve the different DevOps and DevSecOps teams at your organization to ensure that everyone is aligned. You should also take into consideration all of the other related roles that are involved, such as your developers (of course), AppSec teams, Quality Assurance teams, SOC teams, and the like. Make sure everyone knows who’s responsible for what.
We’ve already talked about the top four best practices: auditing and monitoring your ecosystem, continuously controlling access, managing your secrets, and implementing flexible development processes.
These steps, however, won’t keep your assets airtight. It’s obvious that you can’t manually map out every tool, framework, and utility being used, and no team can manually check every release or enforce best-practice configurations for every single new developer or code project. Immediate visibility into your development environments is nonetheless crucial.
Automating security can help you cover more of these gaps, and detect the issues that might slip by otherwise due to the human factor. As we’ve discussed, most vulnerabilities are directly related to improper access control and unencrypted data, and so you should place particular emphasis on these issues when planning automation to tighten up and lock your open doors. Argon is an excellent tool to support you in this quest, helping you automate across the ecosystem as much as you can to help you keep tabs on it all.
While it might seem like an impossible feat, there really are some fast and reliable ways you can increase your security posture overnight. With 5 simple steps, you’ll be amazed at just how secure your development environment will become: map out your entire ecosystem and know how everything is connected, implement, audit and monitor policies, secure source-code and credentials, establish organizational processes, and last but not least – automate processes in order to swiftly identify and mitigate risks.
We know that attacks at any stage of your CI/CD pipeline can be stressful and impact your employees, customers, and culture on a deep level. Talk to us about our 3 pipeline security engines, designed to level up your ability to maintain your software integrity and protect your entire DevOps pipeline.