Fast secure: Achieving secure continuous delivery of cloud native applications [Updated]
Continuous integration and continuous delivery (CI/CD) are critical to achieving DevOps success across organizations -- offering the ability to get software changes into production safely, quickly, and sustainably. By reducing the time between when code is written and deployed, while allowing developers to maintain high quality and minimize risk, CD enables teams to release new features quickly.
However, for CD to be a success, speed cannot come at the detriment of security. By building security validation into the CI/CD pipeline, developers will see benefits in productivity by reducing time to market and build consumer trust by developing more secure apps and data.
This is even more critical as cloud native applications leverage GitOps as part of the software delivery where the focus typically is to increase productivity and deliver faster.
The security challenges associated with continuous delivery
There are many foundational problems that can impact CI/CD pipelines. For example, many developers fail to apply the 12 Factor App principles, resulting in overly complicated apps that slow down build and deployment times. And an immature development lifecycle can significantly harm CD at scale through improper version control, inefficient repository structure and lack of code reviews, resulting in poor-quality products and a lack of scalable pipelines. Beyond these operational challenges, many of the most significant risks to the CI/CD pipeline are the security challenges that affect application development teams.
Firstly, pipeline sprawl can lead to management inconsistencies, where pipelines are not declared as code or are patched and overextended across multiple generations. This can create vulnerabilities in inconsistent CI/CD processes.
Meanwhile, a lack of best practices and security governance can harm developers' ability to audit and trace changes to software -- significantly reducing visibility into software environments and impacting CD. These problems are often compounded by poor testing coverage and a lack of quality testing to measure key development performance indicators.
Together, these challenges can leave organizations and customers open to attacks by opening attack vectors that allow malicious actors to exploit application vulnerabilities. These problems can seriously impact the time to market of apps and potentially have devastating impacts on business. We've seen the impact of security vulnerabilities in countless recent security breaches, such as the Solarwinds SUNBURST attack.
In this instance, malicious actors were able to deploy SUNBURST’s backdoor on numerous organizations -- including the US government -- from a single point of weakness in the software supply chain. The fact that SUNBURST was digitally signed and originated from a trusted source enabled the attackers to gain access to high-profile targets and hide in plain sight. Incidents like these have forced businesses to take a renewed look at the security of their applications.
Ensuring teams are protected from threats
In the modern day, adding continuous security validation to the CI/CD pipeline is vital to reducing the risk of vulnerabilities going undetected during the software development lifecycle. To do this, there are three key steps to consider:
- Focus on pipelines: The first step is to look at the pipelines running in CD, which offer the foundation of security by having version-controlled pipelines as code. This specifies the stages, jobs, and actions to ensure pipelines perform, and are critical to handling fast, secure continuous delivery at scale. Vitally, these allow teams to embed security and compliance policies ensuring simplified access to approved, secured and reliable pipelines.
- Implement testing: Since CI/CD is a crucial component in software supply chains, it's vital to ensure it is as secure as possible through static or dynamic testing. This make sure artifacts can be trusted and validated. To achieve this, organizations must use secure credential storage and rotate keys frequently, inspect the build output, code sign all artifacts and implement runtime checks to guarantee integrity.
- Put in a security framework: It's also vital to have checks and best practices to guarantee artifact integrity and ensure that the source code is trusted. This can be achieved through leveraging a security framework, offering a checklist of standards and controls to prevent tampering, improve integrity and secure business infrastructure. A security framework like SLSA (Supply-chain Levels for Software Artifacts) includes a checklist of standards and controls, which can prevent tampering, boost integrity, and secure packages and infrastructure.
Cloud native automation to ensure a smooth deployment process
By using cloud native automation, developers can achieve a high-grade and consistent deployment process -- helping CD remain protected throughout its lifecycle. To do this, teams must be able to automate security best practices and ensure the developer experience is as smooth, consistent and reliable as possible.
While this is a hard task, this can be achieved by implementing a platform that provides the visibility and control of certificates, and configuration statuses across Kubernetes and OpenShift clusters. Meanwhile, the use of tools such as a control plane can also help by enabling and automating key tasks, such as the maintenance and authentication of machine identities and their lifespans.
Together, this reduces manual workloads, freeing developers from the responsibility of tasks such as managing machine identities and allowing them to work in a way that is fast and secure. This also applies a safety net to operations, allowing the automation of security alerts when anomalies are detected, so teams can respond rapidly to critical security events and tackle outages early on. Investing in the right tools is now essential to keeping DevOps moving at machine speed, while reducing the risk of breaches, and reducing the pressure and stress on teams.
Image credit: jirsak / depositphotos.com
Sitaram Iyer is Senior Director of Cloud Native Solutions at Venafi.