Open Source Security in a CI/CD pipeline
We’re not going to get into the debate on what is DevOps, what is DevSecOps, which term is correct, is it a culture or not blah blah blah – we’re just going to focus on the benefits of using a CI/CD pipeline, with a shout out to Jenkins.
So what is CI/CD? Loosely defined, it is the series of automated tasks that turn updated source code into a release available to end users. Those tasks run through a “pipeline”, which is usually split into three stages:
- Continuous integration (CI): responds to changes in source code by automatically pulling from version control and running a build, which usually includes verifying that unit and integration tests and other QA checks pass
- Continuous delivery (CD): deploys passing builds to a staging environment, where further checks can be run to verify behaviour
- Continuous deployment (CD): automatically deploys to a production environment once the staging checks have passed, rather than waiting for manual approval
Jenkins is an open-source automation server for building, testing and deploying code, which accelerates the release process and reduces the risk of human error. That code can be application code, infrastructure-as-code, or a serverless function (such as an AWS Lambda or an Azure Function).
CI/CD is also a great opportunity to integrate automated security tests into the pipeline, to catch bugs, vulnerabilities and compliance issues early, before they reach a live environment.
Freely available testing tools can help increase the security and resilience of both the software and the infrastructure it sits on. We are talking about testing the whole stack, not just the application layer. Infrastructure is often overlooked, and software then ends up built on a fragile foundation, so it is essential that the infrastructure is tested against current attacks too. The best part about using the cloud is that stacks and servers are disposable: a stack can be rebuilt within minutes of updating its definition.
Some useful open source tools that should be considered for pipeline integration are:
- OWASP Dependency-Check (identifies dependencies and plugins with publicly disclosed vulnerabilities)
- SonarQube (checks for code quality and security issues)
- TruffleHog and Gitleaks (check whether any secrets are committed in the code base or its history)
- OWASP ZAP (dynamic application security testing tool, run against a deployed instance)
- Terrascan (checks Terraform and other infrastructure-as-code for security and compliance issues)
- Clair (static analysis of vulnerabilities in application container images)
- ArcherySec (vulnerability assessment and management tool, useful for collecting the other tools’ findings in one place)
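To show how the three pipeline stages described earlier and the tools listed above fit together, here is a declarative Jenkinsfile. It is an added example written for this page, not code from the original post or from any of the projects named. It assumes the scanners are installed on the Jenkins agent (ZAP is pulled as a Docker image), that a SonarQube server named ‘sonarqube’ is configured in Jenkins with the SonarQube Scanner plugin, and that the registry, staging URL, Clair endpoint and the scripts under ./deploy are placeholders you would replace with your own.

```groovy
// Added example for this page (not from the original post or any named project):
// a declarative Jenkinsfile that wires the open-source scanners into the
// CI -> staging -> production flow. Registry, URLs, credentials and the
// ./deploy scripts are placeholder assumptions.
pipeline {
    agent any

    environment {
        IMAGE       = "registry.example.com/myapp:${env.BUILD_NUMBER}"  // placeholder registry/tag
        STAGING_URL = 'http://staging.example.com'                      // placeholder DAST target
        CLAIR_URL   = 'http://clair.example.com:6060'                   // placeholder Clair endpoint
    }

    stages {
        // --- Continuous integration: fail fast on anything that should never leave the repo ---
        stage('Secrets scan') {
            steps {
                // Gitleaks exits non-zero when it finds a secret, which fails this stage.
                sh 'gitleaks detect --source . --report-format json --report-path gitleaks-report.json'
                // TruffleHog v3 (assumed): only fail on credentials it could verify against the provider.
                sh 'trufflehog git file://. --only-verified --fail'
            }
        }
        stage('Dependency check') {
            steps {
                // Fail the build if any dependency carries a known CVE scored CVSS 7 or higher.
                sh 'dependency-check.sh --project "${JOB_NAME}" --scan . --format HTML --out dc-report --failOnCVSS 7'
            }
        }
        stage('SAST') {
            steps {
                // withSonarQubeEnv injects the server URL and token for the named server.
                withSonarQubeEnv('sonarqube') {
                    sh 'sonar-scanner -Dsonar.projectKey=myapp -Dsonar.sources=src'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Wait for SonarQube's verdict and abort the pipeline if the gate fails.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('IaC scan') {
            steps {
                // Terrascan returns a non-zero exit code when policy violations are found.
                sh 'terrascan scan -i terraform -d infra/'
            }
        }
        stage('Build and scan image') {
            steps {
                sh 'docker build -t "${IMAGE}" .'
                // Assumption: clairctl (the Clair v4 client) is on the agent and Clair can reach the registry.
                sh 'clairctl report --host "${CLAIR_URL}" "${IMAGE}"'
                sh 'docker push "${IMAGE}"'
            }
        }
        // --- Continuous delivery: deploy to staging and test the running application ---
        stage('Deploy to staging') {
            steps { sh './deploy/staging.sh "${IMAGE}"' }   // placeholder deploy script
        }
        stage('DAST') {
            steps {
                // ZAP baseline scan (passive checks) against the staging deployment; the report
                // lands in the workspace because /zap/wrk is bind-mounted to it.
                sh 'docker run --rm -v "$PWD":/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t "${STAGING_URL}" -r zap-report.html'
            }
        }
        // --- Continuous deployment: remove the input step to promote automatically ---
        stage('Deploy to production') {
            steps {
                input message: 'Staging checks passed. Promote to production?'
                sh './deploy/production.sh "${IMAGE}"'   // placeholder deploy script
            }
        }
    }

    post {
        always {
            // Keep every scanner report with the build so findings can be reviewed later.
            archiveArtifacts artifacts: 'gitleaks-report.json, dc-report/**, zap-report.html', allowEmptyArchive: true
        }
    }
}
```

Two practical notes. The shell commands use single-quoted Groovy strings on purpose: `${JOB_NAME}` and `${IMAGE}` are expanded by the shell from the environment, not interpolated by Groovy, which keeps credentials out of the Jenkins console log. Also, the ZAP baseline scan exits non-zero on warnings as well as failures by default, so until you have tuned its rule configuration you may want to add `-I` (do not fail on warnings) or the stage will block every deployment.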
Building a good level of security into the pipeline from the beginning massively reduces the risk of compliance issues and vulnerabilities being deployed into a production environment, and should be classed as ‘proactive security’. If you need help with your CI/CD pipeline or the secure design of your cloud workloads, please contact a member of the Cyber Security Specialists team on 0161 706 0244 or email firstname.lastname@example.org.