It is widely known that the CI/CD pipeline is one of the most effective ways to work in software development. CI/CD provides an unmatched integration from start to finish for software developments as well as the deployment process. It is no wonder that this is the favored DevOp tactic as it saves developers precious time and allows them to focus on the coding process.
However, there is a potential downside to using the infamous CI/CD pipeline. While the CI/CD pipeline is quite quick, if not attended to the pipeline can be quite insecure. To further add to the risk, the CI/CD pipeline often is deployed into the cloud which if the CI/CD pipeline is not properly secured, can only add to the risk. With the constant work that is required for software development, you will want to ensure that all the data is sealed off to any outside sources that should not have any access to this information.
Thankfully it is fairly simple to secure the CI/CD pipeline. Often these steps should be taken when building the software as it will keep the process as simple as possible however it is possible to make an existing CI/CD pipeline more secure. If you are looking for ways to secure your Ci/CD pipeline, read on!
First Steps Towards a Secure System
When building software programs, some security checks will be included just due to the nature of the constant feedback loop of the CI/CD pipeline. Unfortunately, that is not enough to promise a completely secure CI/CD pipeline and implementing an entire security toolchain into any existing pipeline can be extremely tedious and frustrating as well as prone to error. The best way to ensure a completely secure pipeline is to utilize the DevOps approach to software development.
When first starting, checking if the code has been tampered with can be a tedious and time-consuming task. The best way to do so is to physically keep hardcopy notes on the code when it is imputed and cross-referencing the code that is outputted to see if it matches the original code. If there is any variation, unfortunately, there is some level of tampering being done to the code and it needs to be resolved quickly!
In addition to this aforementioned manual way of checking if any code has been tampered with, some automated ways are much simpler and faster to use. One of the most popular ways to check if there is an error in the development is to use another software that runs a check on the code. This adds an extra layer of security as these programs ensure that all infrastructures and software applications don’t have any vulnerable areas that could be susceptible to any interference. Once you learn that there is a problem you can begin to work on how to fix the issue.
The best place to start is at the source. Security tools like git-secrets hook into git and check the code during a commit. Git-secrets catches hardcoded passwords and API Keys before they are pushed into the repository.
Git-based security checks can also be installed on the CI/CD pipeline early on to detect leaked secrets. For instance, the following commands detect AWS-related secrets:
- Install git-secrets in the CI environment:
$ git clone https://github.com/awslabs/git-secrets.git
$ cd git-secrets
$ sudo make install
- Install and configure git-secrets in your repository:
$ git-secrets --install
$ git-secrets --register-aws
$ git-secrets --scan
Many developers take for granted their dependencies. Yet, dependencies with known vulnerabilities affect the security of the application. The CI pipeline is the ideal place to run dependency checks before building it. Fortunately, many dependency check tools can be integrated into the pipeline. For example:
- Find Security Bugs: a Java dependency analyzer. It can be integrated into the IDE or with Maven.
- Retire.js: a dependency checker for the browser and Node.JS.
- Python Dependency Check: a dependency checker for Python.
Almost all languages have one or more dependency checkers.
Start by Trying to Break it
This may seem counterintuitive but another way to ensure that you have a secure program is to try to break it! Yep, you heard that right! One of the best ways to safeguard your software is to try to find a way that it could be brought down.
The reason that this system is so effective is that it makes the coder think more about the inner workings of the CI/CD pipeline. While the coder should already be extremely familiar with the pipeline as well as the inner workings of the program that they are writing, sometimes these methods help instigate this type of thinking.
When a coder is looking for ways to “break” the software, they are finding areas that the code is weak and can be improved. By shedding light on these areas, the coder can pinpoint the areas that the software can be improved upon. This makes the next steps, or the “fixing” process easier to tackle. Finally, this leads us to our next step.
As soon as the application is in a deployable state, we should focus on running some penetration tests. It’s better to find the vulnerabilities ourselves before anyone else. Penetration tests replicate probes that attackers may try on the released application.
According to OWASP top 10 risk list, the most common vulnerability is SQL Injection. Caused by inadequate input validation, SQL Injection allows arbitrary SQL commands to reach the database. Consequently, if your application uses a relational database, consider using a tool like sqlmap in your CI/CD pipeline to weed out injections.
You can install sqlmap with Python pip:
$ pip install sqlmap
Sqlmap can analyze HTTP requests. For instance, the following commands check a particular endpoint in a Django application:
$ python manage.py migrate
$ python manage.py runserver &
$ sqlmap -u "http://localhost/api/person?id=1"
Additionally, sqlmap can connect to the database directly for more advanced analysis:
$ sqlmap -d "mysql://USER:PASSWORD@localhost:3306/TEST_DB"
Penetration testing is not limited to SQL injections; there is an impressive array of tools that you may use to secure the application further:
- Network tests: tools like nmap can discover opened ports and replay known attack patterns.
- Web application tests: add OWASP Zap to your CI/CD pipeline to check for potential exploits like cross-site scripting, insecure configurations or sensitive data exposure.
Check OWASP for a comprehensive list of open-source and commercial scanning tools.
Learn how to fix it
After learning what areas in a software program are weaker or more prone to viruses, it is now time to start working on a solution. Finding the solutions can be a bit tedious and require a bit of trial and error but the secure final product is very much worth the effort. After all, you want a software program that can withstand all the user demands without falling victim to any of the bugs.
When looking for a solution to the problems that were exposed in the code, it is easy to strive for the perfect fix. However, don't get stuck in that endless quest. Instead, look to minimize any of the potential risks by some correlation to the stage of your project and the outcomes that you are looking to acquire.
There are a few main checks to consider when looking to put the final touches on the fixes your software requires. It is important to note if the program requires logging, monitoring and alerting on each stage of the software build? This helps provide another firewall that any potential bugs cannot get through, protecting you and your code even further. This is yet another way that the coder can add an extra “layer of safety” to their code and prevent any viruses or bugs from infiltrating the software development process.
Nothing can derail a software development project more quickly than a security issue that occurs from a poor software build. But thankfully you no longer have to worry if your CI/CD pipeline is secure enough or wonder if your software will suddenly crash from some unforeseen issue that has snuck up on you. Thankfully by following some or all these steps, you will ensure that the CI/CD pipeline is as secure as it can be. As all software developers know, there is nothing better than a strongly developed CI/CD pipeline that is secure against any potential threats