15 Mar, 2021

Securing The DevSecOps Pipeline

by nVisium

It doesn’t take a rocket scientist to figure out that implementing security best practices throughout the entire lifecycle of a software development project will keep risk mitigation at its highest once the software is deployed; but what are the best tools, tips and techniques to ensure this success?

What Tools Are Used To Secure Software?

In order to ensure the most secure code from the start of every project, you need automated test coverage as well as well-designed deployment and runtime security controls for end-to-end security.

The types of testing you should perform at different phases of your CI/CD pipeline vary depending on the state of your software and built packages. The most commonly used testing techniques for security in CI/CD include:

  • Static analysis
  • Dynamic analysis
  • Software Composition Analysis / Software Bill of Materials (SBOM)
  • Unit Testing
  • Chaos Testing
  • Interactive Security Testing (IAST)

For example, static analysis is typically run after compilation but before an application is built, while unit testing requires building and running the application to perform various tests at runtime, either mocking out components or setting up an elaborate testing infrastructure.

Security testing can be built into automated workflows through plugins, integrations, and often, elaborate scripts and custom tooling to glue systems together. The goal of embedding security checks across these stages is to identify issues at the point where we can achieve the highest levels of both speed and precision.
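As an added illustration of one such gate (example code written for this page, not nVisium's tooling or any vendor's product), the script below evaluates a Software Bill of Materials against an advisory list and fails the build when a dependency falls inside a vulnerable version range at or above a chosen severity. The SBOM is a minimal CycloneDX-shaped document constructed inline, and the advisory entries (`ADV-CONSTRUCTED-*`) and package names are constructed sample data, not a real vulnerability feed; in a real pipeline the SBOM would come from the build and the advisories from an SCA tool or database.

```python
"""Added example: a CI gate that checks an SBOM against an advisory list.

Hypothetical script (not the blog's or any vendor's tooling). The SBOM is a
minimal CycloneDX-shaped JSON document constructed inline; the advisory list
is likewise constructed sample data, not a real vulnerability feed.
"""
import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample SBOM (CycloneDX-like shape; package names are illustrative).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-json", "version": "1.2.0", "purl": "pkg:pypi/example-json@1.2.0"},
        {"name": "example-http", "version": "3.0.5", "purl": "pkg:pypi/example-http@3.0.5"},
        {"name": "example-yaml", "version": "0.9.1", "purl": "pkg:pypi/example-yaml@0.9.1"},
    ],
})

# Constructed advisory list: affected package, vulnerable range [introduced, fixed), severity.
SAMPLE_ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "name": "example-json", "introduced": "1.0.0", "fixed": "1.2.3", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-002", "name": "example-http", "introduced": "2.0.0", "fixed": "3.0.0", "severity": "critical"},
    {"id": "ADV-CONSTRUCTED-003", "name": "example-yaml", "introduced": "0.9.0", "fixed": "1.0.0", "severity": "low"},
]


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: str


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple (simplified, no pre-releases)."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(sbom_json):
    """Extract (name, version) pairs from a CycloneDX-shaped SBOM document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_advisories(components, advisories):
    """Return a Finding for every component whose version lies in an advisory's vulnerable range."""
    findings = []
    for name, version in components:
        v = parse_version(version)
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append(Finding(name, version, adv["id"], adv["severity"]))
    return findings


def gate(findings, fail_on="high"):
    """Decide pass/fail: any finding at or above the fail_on severity blocks the build."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return (len(blocking) == 0, blocking)


def run_gate(sbom_json=SAMPLE_SBOM, advisories=SAMPLE_ADVISORIES, fail_on="high"):
    """Full gate run: parse, match, decide. Returns a dict the CI step can log and act on."""
    findings = match_advisories(parse_sbom(sbom_json), advisories)
    passed, blocking = gate(findings, fail_on)
    return {"passed": passed, "findings": findings, "blocking": blocking}


if __name__ == "__main__":
    result = run_gate()
    for f in result["findings"]:
        print(f"{f.severity.upper():8} {f.component}=={f.version}  ({f.advisory})")
    # Non-zero exit is what makes the CI stage fail and stops the artifact from shipping.
    sys.exit(0 if result["passed"] else 1)
```

With the constructed data, `example-json` 1.2.0 sits inside the high-severity range and blocks the build, `example-yaml` produces only a low-severity finding that is reported but not blocking, and `example-http` 3.0.5 is past the fixed version and produces nothing. The `fail_on` threshold is the knob that lets a team report everything while only failing on what it has agreed to treat as a release blocker.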

Securing The DevSecOps Pipeline

To secure your software, you need to make sure the pipeline you ship it with is free of security defects and that the pipeline can enforce your procedural security constraints in an automated fashion. This requires hardening the CI/CD systems themselves as well as ensuring proper authentication and access control when the pipeline interacts with external systems such as cloud infrastructure, application servers, and container orchestration APIs. In addition to technology hardening across your common pipeline components, you must consider the realistic threats against each of your engineering team members and how to limit your attack footprint there as well.

In many organizations, software engineers and development teams are given highly elevated privileges to production or pre-production environments. They are frequently granted elevated rights on their local systems, where they run various development, build, and testing tools. Often they have sensitive data (e.g., production databases) stored locally, and they have access to view and modify source code across repositories.

How can you limit the likelihood of a compromised developer account causing you a large-scale security incident?

  1. Require multi-factor authentication everywhere possible. While multi-factor authentication does not prevent all account takeovers, it increases the difficulty of performing one and significantly reduces the likelihood. This applies at login, and also to using keys and cryptographic verification to authorize sensitive transactions such as a commit to main/master branches.
  2. Ensure good monitoring and alerting: the better we understand what’s normal, the quicker we can identify odd activity as it occurs, for example a deployment made directly to production rather than through the CI/CD pipeline, or a system operating in an unexpected configuration or security posture.
  3. Enforce the principle of least-privilege access across all of your architectural components. As you build your IAM policies and isolation
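
The monitoring point above (and the commit-verification point in item 1) becomes concrete once you decide what "normal" looks like and encode it. The script below is an added example, written for this page rather than taken from nVisium or any product: it reads a constructed audit log of deploy and push events and raises alerts for production deployments that did not come from the CI identity or carry no pipeline run id, and for unsigned pushes to protected branches. The event field names (`actor`, `action`, `target`, `pipeline_run_id`, `branch`, `signature_verified`) and the service-account name `svc-ci-deployer` are assumptions, not any real platform's schema.

```python
"""Added example: flag production changes that bypassed the pipeline.

Hypothetical detection script, not the blog's tooling. The audit events are
constructed sample data; the field names and the CI service-account name are
assumptions rather than any real CI/CD platform's schema.
"""
import json

# Assumed: the only identity that should deploy to prod is the pipeline's service account.
CI_SERVICE_ACCOUNTS = {"svc-ci-deployer"}
PROTECTED_BRANCHES = {"main", "master"}

# Constructed audit log, one JSON event per line (newline-delimited JSON).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2021-03-15T09:00:00Z", "actor": "svc-ci-deployer", "action": "deploy", "target": "prod", "pipeline_run_id": "run-1041"},
    {"ts": "2021-03-15T09:12:00Z", "actor": "alice", "action": "deploy", "target": "prod", "pipeline_run_id": None},
    {"ts": "2021-03-15T09:20:00Z", "actor": "bob", "action": "deploy", "target": "dev", "pipeline_run_id": None},
    {"ts": "2021-03-15T09:31:00Z", "actor": "carol", "action": "push", "branch": "main", "signature_verified": False},
    {"ts": "2021-03-15T09:45:00Z", "actor": "dave", "action": "push", "branch": "main", "signature_verified": True},
    {"ts": "2021-03-15T10:02:00Z", "actor": "svc-ci-deployer", "action": "deploy", "target": "prod", "pipeline_run_id": None},
])


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(event):
    """Return a list of (rule, reason) alerts for a single audit event."""
    alerts = []
    if event.get("action") == "deploy" and event.get("target") == "prod":
        # Rule: prod deploys should be performed by the pipeline identity, not a person.
        if event.get("actor") not in CI_SERVICE_ACCOUNTS:
            alerts.append(("prod-deploy-by-human",
                           f"{event['actor']} deployed to prod outside the CI identity"))
        # Rule: every prod deploy should be traceable to a pipeline run.
        if not event.get("pipeline_run_id"):
            alerts.append(("prod-deploy-without-pipeline-run",
                           f"deploy by {event['actor']} has no pipeline run id"))
    if event.get("action") == "push" and event.get("branch") in PROTECTED_BRANCHES:
        # Rule: commits landing on main/master must carry a verified signature.
        if not event.get("signature_verified"):
            alerts.append(("unsigned-push-to-protected-branch",
                           f"{event['actor']} pushed unsigned commits to {event['branch']}"))
    return alerts


def detect(text=SAMPLE_EVENTS):
    """Run every rule over every event and return the alerts in log order."""
    results = []
    for event in parse_events(text):
        for rule, reason in check_event(event):
            results.append({"ts": event["ts"], "actor": event["actor"], "rule": rule, "reason": reason})
    return results


if __name__ == "__main__":
    for alert in detect():
        print(f"{alert['ts']} [{alert['rule']}] {alert['reason']}")
```

On the constructed log, the first event is the expected path (CI identity plus a run id) and is silent; alice's direct prod deploy trips two rules at once; bob's deploy to `dev` is out of scope; carol's unsigned push to `main` is flagged while dave's verified push is not; and the final event shows why the second rule exists: even the CI account deploying without a run id is worth a look, since it may mean the service credential is being used outside the pipeline.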

Your Trusted DevSecOps Partner

We have discussed in previous blogs new ways to secure your DevSecOps pipeline as well as why DevSecOps matters in today’s cyber-threat-laden times, and that is why developing a relationship with a trusted partner will increase your likelihood of success.

nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.

Call us when you are ready for security assessments to test the vulnerability of your applications, Internet of Things (IoT), networks, mobile and cloud or better yet, schedule a consultation today or download our new eBook titled “Demystifying DevSecOps” to get started yourself.
