Writing Sample: How Secure DevOps Attracts New Users instead of New Hackers
The pace of change in CI/CD environments is so rapid that security vulnerabilities emerge faster than they can be detected. Skilled hackers are now increasingly targeting DevOps. Your engineering team must still be able to deploy fast and improve continuously, but without compromising the security of your application.
New Rewards of Rapid Release Come with New Risks
The emergence of Continuous Integration and Deployment (CI/CD) platforms has revolutionized the development process.
- Versions and builds are released faster and more frequently
- Technical stacks have become increasingly complex and diverse
- Automated processes have replaced manual ones
- Cloud platforms, SaaS applications, and third-party apps are being integrated into the engineering environment
The speed at which the latest version of your application can be released has shifted priorities in favor of developer velocity over application security. There was a time when every new release had to be approved by the security team before going live. Today, security is no longer the gatekeeper.
In a recent study, 54% of organizations admitted to releasing a new version of their app without adequate security checks in order to meet a deadline.
Sophisticated hackers have taken note. Engineering environments are now the prime target of attack. In 2021, a hack on the SolarWinds CI system spread malware to 18,000 of their clients. The Git infrastructure for PHP was infiltrated. Users began downloading an entire programming language bundled with malware.
Whether it is your code, your delivery process, your CI/CD tools, or even your cloud platforms, every part of your release cycle has become an attack surface on a new cyber battlefield.
Slowing down the development process is not the answer. To maintain the overall speed of continuous improvement processes, we must redefine how to defend applications in a constant state of flux so they can be continuously secured.
The Traditional Approach
The classic approach is based on the original problem: How to protect your app by scanning the code, protecting secrets, securing the pipeline, managing code deployments, and monitoring authentication and authorization mechanisms.
It’s like adding layers of protection to a bank vault. The vault is stationary. You can reinforce the single location to keep robbers from trying to break in.
But what happens when so much cash is being ferried to and from the local Federal Reserve Bank that the crooks figure out it's easier to target the money convoys?
Now, you have to defend moving targets.
Your defense perimeter changes. The resources you need change. Your entire philosophy on repelling attackers has to adapt to the new demands of a constantly evolving battlefield.
The First Step Towards a Modern Approach
The first step in continuously securing your application is to map everything, so you can see which parts interact with one another. Once we can define what makes your application run, we can start redrawing your defense perimeters.
Mapping the environment is not a trivial task given how fast paced and dynamic the ecosystem is. It takes plenty of effort just to take a snapshot, but today’s app environment is like recording a moving picture.
We need to chronicle your source control, your repos, the pipelines in your CI and CD systems, and which secrets are in those systems. We need to know which secrets are scoped to specific pipelines and which are scoped globally, which pipelines are connected to the source control that actually builds the code, and with what permissions. We need to map which pipelines, credentials, and permissions upload everything to production.
At Cider, we call this your Technical DNA.
Mapping your technical DNA enables us to centralize everything and give you a bird's-eye view of the security status of your application on a single screen.
Our aim is for you to detect and resolve issues fast so your engineers can deploy new releases rapidly without any speed bumps from security.
Establishing New Defense Perimeters
Living in the trenches of countless cyberattacks, we see firsthand where the attack surface is growing and changing. To counter, we devised new defense strategies based on the three foundations of CI/CD security: SIP, SOP, and SAP.
Security in the Pipeline (SIP): SIP addresses security flaws or misconfigurations inside your code. This is done on a continuous basis, as your ecosystem is constantly changing. We leverage the relevant scanners, pairing each scanner with the repos it is most relevant for.
You can see all of the results in a centralized location to optimize your deployment schedule by shifting security tasks left or to any other point in the development process.
Security of the Pipeline (SOP): SOP addresses vulnerabilities in the software delivery systems and processes. How to protect code as it continuously moves along the pipeline from development to production.
Attackers aim at your sensitive data by infiltrating production environments. They breach this perimeter by exploiting an open SSH port, using SQL injection, or leveraging a remote command execution vulnerability in the application. They also look for misconfigurations in your cloud platform, or simply run malware on an endpoint that has access to production.
Common defenses are your web application firewall, the IPS, and periodic pen tests. For the cloud you have CSPMs, and for workstations you have antivirus solutions. It's important that workers are aware of the security risks involved and what they need to do to protect their workstations, especially if they are working in a hybrid or remote arrangement.
Security Around the Pipeline (SAP): SAP addresses the risk of your pipeline being bypassed.
Effective SIP and SOP let you ship your code flawlessly. However, you are still exposed to anyone connecting directly to Kubernetes and shipping a malicious container to production, or a hacker connecting directly to AWS to modify a piece of Lambda code.
SAP is about monitoring so that everything in production originates from your pipeline, and about using all the effective controls and measures to make sure that no human or application can push code to production without your knowledge or permission.
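The bypass check at the heart of SAP can be expressed as two comparisons: does every image running in production appear in the pipeline's build ledger, and was every deployment applied by the pipeline's own identity rather than by a person? The following is an added example, not Cider's code or product; the build ledger, the running workloads, the deploy events and the service-account name are constructed sample data and assumptions.

```python
# Added example (not Cider's code or product): detect workloads that reached
# production without going through the pipeline. BUILD_LEDGER,
# RUNNING_WORKLOADS and DEPLOY_EVENTS are constructed sample data; the field
# names and the pipeline service-account identity are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    """One artifact the CI/CD system built and pushed to the registry."""
    image_digest: str
    pipeline: str
    run_id: str
    commit: str


# Constructed: what the pipeline says it built.
BUILD_LEDGER = [
    BuildRecord("sha256:aaa111", "web-build", "run-41", "c0ffee1"),
    BuildRecord("sha256:bbb222", "web-build", "run-42", "c0ffee2"),
    BuildRecord("sha256:ccc333", "api-build", "run-17", "deadb33f"),
]

# Constructed: what the production cluster reports as running.
RUNNING_WORKLOADS = [
    {"name": "web", "image_digest": "sha256:bbb222"},
    {"name": "web-canary", "image_digest": "sha256:aaa111"},
    {"name": "api", "image_digest": "sha256:ccc333"},
    {"name": "debug-shell", "image_digest": "sha256:ffff99"},
]

# Constructed: who applied each workload, as recorded in the cluster audit log.
DEPLOY_EVENTS = [
    {"workload": "web", "actor": "system:serviceaccount:ci:deployer"},
    {"workload": "web-canary", "actor": "alice@example.com"},
    {"workload": "api", "actor": "system:serviceaccount:ci:deployer"},
    {"workload": "debug-shell", "actor": "alice@example.com"},
]

# The only identities that are allowed to deploy: the pipeline's own.
PIPELINE_IDENTITIES = {"system:serviceaccount:ci:deployer"}


def find_unknown_images(ledger, running):
    """Workloads whose image digest the pipeline never built."""
    known = {record.image_digest for record in ledger}
    return sorted(w["name"] for w in running if w["image_digest"] not in known)


def find_non_pipeline_deploys(events, pipeline_identities):
    """Workloads applied by an identity other than the pipeline's.

    A human re-deploying a pipeline-built image is still a bypass: the digest
    is known, but the pipeline's checks were not exercised for that rollout.
    """
    return sorted(e["workload"] for e in events
                  if e["actor"] not in pipeline_identities)


def sap_report(ledger, running, events, pipeline_identities):
    """Combine both checks into one report of pipeline bypasses."""
    return {
        "unknown_image": find_unknown_images(ledger, running),
        "non_pipeline_actor": find_non_pipeline_deploys(events, pipeline_identities),
    }


if __name__ == "__main__":
    report = sap_report(BUILD_LEDGER, RUNNING_WORKLOADS,
                        DEPLOY_EVENTS, PIPELINE_IDENTITIES)
    for check, names in report.items():
        print(f"{check}: {names or 'none'}")
```

In the constructed data, `debug-shell` fails both checks (an image the pipeline never built, applied by a person), while `web-canary` fails only the second: its image is legitimate, but the rollout itself bypassed the pipeline. Both are the kind of event SAP monitoring should surface, and comparing by immutable digest rather than by tag is what keeps the first check meaningful.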
Conclusion
Our goal at Cider Security is for your engineering team to use the best and latest DevOps tools to release fast and frequently without compromising on security. We want you to continue releasing something new for your users without giving something new to your attackers.