A DevOps model follows a non-traditional approach to application delivery that relies on continuous automation and wider collaboration among distributed teams. While automation and collaboration are fundamental features of a DevOps framework, securing deployment pipelines requires diligent planning, efficient threat modeling, and comprehensive testing.

In this Refcard, we delve into various challenges and key considerations for administering robust security into continuous delivery pipelines.

Continuous delivery supports accelerated application deployment and delivery cycles by leveraging sustainable, frequent updates. In a typical DevOps framework, continuous delivery is extended upon continuous integration (CI) to collectively help in automatic deployment of infrastructure and code changes into a production environment.

Figure 1: Administering security in a typical DevOps workflow

Enforcing CD security is crucial for enterprises as it enables developers, operators, and security teams to make informed decisions on the deployment pipeline’s architecture and workflow pattern. Integrating security into a delivery pipeline allows software teams to automatically run stress, acceptance, and performance tests, documenting early warnings of security risks before they make it into production. While CD helps to deliver advanced features and bug patches rapidly, organizations remain mostly apprehensive toward various challenges in securing a continuous delivery pipeline.

Challenges of Maintaining Security in a CD Pipeline

CD pipelines are built to shorten delivery times, which fundamentally remains the prime concern of organizations that are looking to perform extensive security and QA analyses. Some common challenges of implementing security within CD pipelines include: an inconsistent approach to services, resistance from developers, reduced delivery velocity, compliance requirements, and inadequate integration of security automation tools.

Inconsistent Approach to Services

While containers offer a lightweight, portable, and platform-independent deployment option, they require a non-traditional approach to protect workloads that is considerably more complex than securing monolithic frameworks. Security profiling tools in such instances often need more memory and processing power than a container image can be allocated. Due to the distributed nature of multiple loosely coupled services, the framework requires security controls to be broken down and deployed at the service level while ensuring minimal impact to orchestration patterns. As each service relies on independent platform configuration and threat control, any inconsistency may lead to additional complexity of securing CD pipelines.

Developer Resistance

Securing a CD pipeline relies on successful collaboration between developers, security experts, QA, and operations teams. Developers usually restrain from implementing CD security practices, as dealing with infrastructure engineering and production troubleshooting adds to their workload. Most developers are accustomed to a specific technology stack that helps build functional code quickly without factoring in cyber threats and security best practices. Administering robust security throughout the CD pipeline also implies more time spent testing the code. This essentially requires developers to adopt incremental security checks throughout their programming process, and hence, is one of the most common reasons for developer resistance toward a security-first approach. 

Security Reduces Delivery Velocity

The core objective of DevOps CD pipelines is to automate frequent deployments and updates. While attributing more importance to automation and collaboration as the fundamental benefits of a DevOps model, security is often viewed as an afterthought, where security tests are performed at the end of the software development lifecycle.

Traditional approaches of static and dynamic application security testing rely on scanning the entire codebase, even with a few committed changes. As CD pipelines undergo frequent code changes, such testing mechanisms eventually reduce the velocity at which newer features make it to production. Besides this, modern applications operate on a loosely coupled service architecture, with each service requiring its own stack of application security solutions. Aggregating data from these disparate sources introduces bottlenecks in security decision-making processes, further slowing down the CD pipeline.

Compliance Requirements

Industry standards and security frameworks offer guidance on the way data should be transmitted between different systems in a continuous delivery toolchain. Although these guidelines help adopt industry best practices, implementing them adds to effort overhead toward monitoring, testing, and documentation. As CD pipelines leverage distributed environments for deploying different components of the workload, comprehensive observability of infrastructure and compliance risks is often a complex undertaking. Security compliance monitoring and audits require the proper alignment between architecture principles, coding practices, and safety controls, which further add to the complexity of modern deployment pipelines.

Inadequately Integrated Security Automation Tools

Although most security solutions offer a web UI or CLI tool for integrating and interacting with the CD pipeline, lack of comprehensive automation is often considered insufficient for holistic security. In the absence of appropriately administered automation, a CD pipeline relies on human intervention to perform security management functions at predefined checkpoints. A pipeline should also be configured to move seamlessly from one stage of the application security testing process to the next.

Besides this, once a vulnerability is identified, developers are responsible for taking down the affected service and making sure the application stays available while they build security patches. Lack of automation in administering security not only raises manual overheads but is also considered an inefficient approach of mitigating attacks in real time.

Securing continuous delivery pipelines requires a multi-faceted approach that involves alignment between different frameworks, technologies, and operational cultures. As a result, the security of a typical CD pipeline can be subdivided into a number of different aspects, including testing, IaC automation, runtime security, role-based access controls, threat modeling, source control, continuous monitoring, incident response plans, secure secrets, and vulnerability scanning.

Testing

Software security testing aims to identify threats and system weaknesses before they can be exploited in production. Used by QA teams and security experts alike, comprehensive testing helps to determine a system’s vulnerability score and provides guidance for hardening security measures.

Figure 2: Essentials of security within the CD pipeline

Security testing is often considered to be a broad term that includes a number of security mechanisms focused on different components of a workflow, including application security testing (AST), runtime application self-protection (RASP), software composition analysis (SCA), vulnerability scanning and penetration testing, and quality analysis (QA) testing.

Application Security Testing

Application security tools scan, analyze, and report the security posture of an application across different phases of the CI/CD pipeline. An AST mechanism is primarily categorized into the groups shown in the table below:

Table 1

Runtime Application Self-Protection

RASP is an advanced technology that has evolved over time to respond to security vulnerabilities and attacks in real time. The tool runs on an application server to help obtain collective visibility of the application's source code and underlying runtime components. RASP protection tools are primarily used to detect active threats while sniffing out and isolating malicious actors. While RASP can be customized differently for prevention tactics, the most common approaches are to either issue an alert, terminate the session, or both.

Software Composition Analysis

SCA automates the identification of open-source software vulnerabilities used within the application stack. A typical software composition analysis involves scanning the container images, manifest files, source code, and binary files to come up with a Software Bill of Materials (SBOM), which is compared against a database of known vulnerabilities for security posture evaluation. SCA tools also enable security teams to evaluate the code quality, license limitations, and compliance of open-source software used within an existing workflow.

Vulnerability Scanning and Penetration Testing

Vulnerability scanning and penetration testing are active threat identification processes that involve inspecting the application from an attacker’s point of view. Though the processes are mostly used as two separate approaches, they can also be used as concurrent steps to identify application flaws.

As the first step, vulnerability scanning helps proactively identify weaknesses within the enterprise network. Once these vulnerabilities are identified, security professionals perform penetration tests to see how the attacker can exploit them to orchestrate attacks. Beyond identifying system weaknesses, threat hunting functionalities also help determine the effectiveness of security controls in place and flag enhancement opportunities.

Quality Analysis Testing

QA testing is the process of evaluating whether the software performs to customer expectations and the required standards of the user experience. Beyond testing the functional and technical performance of software, QA tests assess the product’s usability, compatibility, and known vulnerabilities.

IaC Automation

Infrastructure as Code (IaC) enables the provisioning and management of infrastructure resources across multiple deployment environments using declarative text files. Developers can leverage dedicated CD and DevOps processes for security testing, version control, application updates, and security fixes. With automated IaC tools, organizations can proactively enhance the security posture of an application’s infrastructure while fostering collaboration between security, development, and operation teams.

Runtime Security

Runtime security encompasses various activities focused on identifying and remediating security flaws of a production environment. Securing a runtime primarily involves analyzing the application’s source code and server activity — as well as monitoring network activity — for any defects and potential threats.

On account of its multiple underlying components and sub-processes, securing a runtime often involves leveraging various tools and a collection of security controls, including:

• Runtime application self-protection (RASP)
• Web application firewall (WAF)
• Log analysis
• Vulnerability scanning
• Container security

Role-Based Access Control

Role-based access control (RBAC) is one of the most widely adopted mechanisms for governing permissions and actions of a CD pipeline at the component/sub-workflow level. The mechanism forms the foundation of CD security by relating data privacy, confidentiality, compliance, and access to specified resources and processes.

RBAC helps developers implement resource access as a function of the firm’s organizational structure, helping to group users efficiently based on seniority or functions performed. To achieve this, RBAC systems implement an innate separation of duties, breaking down sensitive functionalities into smaller units, thereby reducing the attack surface in the event of an account breach.

Threat Modeling

Threat modeling involves an elaborate analysis of how a system operates while examining the combination of user behavior with data flows across network components. Ethical hackers and security researchers commonly use threat modeling to identify potential security gaps and attack mechanisms of a tech stack to help mitigate known and unknown vulnerabilities. Though the process involves integrating security checks throughout the development lifecycle to identify and remediate security issues, the approach is considered one of the most critical security practices during the initial phases of system design.

Source Control

Version/source control management (SCM) enables cross-functional teams to collaborate liberally without the apprehension of unwanted changes and updates. Leveraging a centralized branch as a single source of truth for all interlinked systems of the workflow, SCM tools retain committed changes in an organized and well-structured format. SCM tools also maintain comprehensive version history that allows CD security teams to roll back or undo erroneous updates.

Continuous Monitoring

Continuous monitoring is one of the core processes that automates the identification of security flaws and compliance errors throughout the software development lifecycle. The mechanism essentially blends observability into the continuous change processes that characterize a typical CD pipeline. Continuous monitoring covers multiple facets, including:

• Comparison of deployments over time
• Daily trend analysis
• Vulnerability scanning, reporting, and remediation
• Security incident alerting
• Retrospective analysis of security incidents

Besides helping to identify error sources and security vulnerabilities, continuous monitoring also aids enterprises in measuring the user experience and KPIs. Adoption of such monitoring tools allows QA teams to receive prompt feedback on how a recent security update affects users, subsequently helping to refine the security strategy.

Incident Response Plans

An incident response plan allows organizations to maintain clarity and an escalation matrix during a security crisis. The plan outlines the systematic handling of security attacks to ensure such incidents cause minimal impact to the organization’s assets, financials, and reputation. Diligently designed incident response plans help CD security teams protect crucial data, maintain trust, and safeguard the firm’s revenue while resolving a security crisis.

Secure Secrets

Secrets such as user credentials, configuration files, API keys, tokens, and other sensitive information exist throughout the lifecycle of a CD pipeline. These secrets are considered one of the primary sources of data leakage and hence, should be consistently hidden, protected, and governed.

While seamless delivery of code through different phases of the SDLC is crucial, it is equally important to maintain robust security of secrets across all stages of the workflow. The adoption of secret management systems that streamline the storage and management of access management components is often considered a key factor that prevents unauthorized access of system resources without impacting delivery. Some of these solutions also offer encryption, key management, and identity management services, further simplifying the secure access to organizational data and resources.

Open Source Vulnerability Scanning

Organizations that rely on third-party-developed open-source software often tend to overlook certain features and vulnerabilities of their source code. On account of the open source nature of such software, hackers typically possess detailed intricacies of the code along with the list of known vulnerabilities. Unsurprisingly, mitigating attacks in such workflows requires focused vulnerability scans of open-source components to identify weaknesses before they are exploited.

Vulnerabilities in open-source software commonly arise due to a number of factors, including:

• Inexperienced developers and maintainers of the open-source code
• Lack of coding best practices 
• Outdated/unpatched code

Continuous delivery enables rapid builds by provisioning test environments that match production as closely as possible. Although integrating security across all stages of a CD pipeline has its own challenges, with automation and programmable infrastructure, it is possible to secure CD components and underlying processes. As the threat landscape continuously evolves, it is also critical for organizations to adopt a shift left for security mindset — the approach that essentially prioritizes security at par with automation and collaboration.

Additional Resources:

• "Continuous Delivery Patterns and Anti-Patterns" Refcard – https://dzone.com/refcardz/continuous-delivery-patterns
• "Continuous Integration Patterns and Anti-Patterns" Refcard – https://dzone.com/refcardz/continuous-integration
• "Introduction to DevSecOps" Refcard – https://dzone.com/refcardz/introduction-to-devsecops
• OWASP DevSecOps Maturity Model – https://owasp.org/www-project-devsecops-maturity-model/
• Web Security Learning Materials and Labs – https://portswigger.net/web-security
• Overview of Cloud-Native Security – https://kubernetes.io/docs/concepts/security/overview/
• How to Exploit a Microservice Architecture – https://www.javelynn.com/devops/how-to-exploit-a-microservice-architecture/