The Challenge of Integrating Security Solutions with CI/CD Workflows
Created for UnBound Security
At Mobile World Congress (MWC) 2019, Satya Nadella, the Executive Chairman and CEO of
Microsoft, famously reiterated “Every company is now a software company”. Watts S. Humphrey,
the father of software quality and CMMI, had made the same point about two decades earlier,
when he said “Every business is a software business”.
In today’s digitally native world, we know that a bank is a software company and a car is a
computer – computing is a core part of every industry.
Those of us who have been around the software industry well understand that DevOps, or
CI/CD workflows, form the bedrock of this software. It is the CI/CD pipelines that churn out
software faster, better and more securely.
As the role of software becomes more pervasive, the role of security across the software
development lifecycle becomes paramount. Enterprises have been taking security very
seriously, since a breach can lead to loss of repute as well as heavy financial losses.
The Covid-19 pandemic has further accelerated security deployments and investments
across Enterprises.
The 2021 State of Security Operations survey highlights this changing trend:
2021 State of Security Operations Research Report (microfocus.com)
The report states:
• 85% of respondents say their companies increased their security budgets
• The same percentage increased their adoption of cloud-security services and
technologies
• 82% say they have increased the adoption of threat intelligence
With the heavy focus and investment on security, threat intelligence and detection is one
of the key components. Verifying that the deployed code is legitimate, so that threats such
as supply chain attacks can be mitigated, is most critical: the software must be shown to
come from the stated vendor, to not have been tampered with by a malicious adversary, and
to contain no malware or other unwanted code.
The method for protecting code is using digital signatures and PKI – specifically using code
signing certificates.
There are a number of approaches for securing code signing certificates:
• DIY: A Do It Yourself, custom-built code signing solution integrating with your CI/CD
pipeline. While it’s tempting to build something that fits perfectly into your
ecosystem, it’s a classic build-vs-buy decision.
• Hardware Security Module (HSM): These are FIPS 140 certified, dedicated hardware
devices, requiring special expertise to deploy and maintain. Hyperscalers typically
provide their own HSMs, which makes an Enterprise solution (on-premises + cloud)
much more difficult to manage.
• 3rd party vendors: Use HSMs as a root of trust for a 3rd party code signing solution.
While this centralises the management of code signing certificates with the 3rd
party, it’s still a hardware-based solution. It also restricts CI/CD integration, due to the
limited availability of “signer utilities” for HSMs.
• SECaaS: This provides centralised management of code signing certificates without
HSMs or any other backend software. In certain cases, SECaaS services require
the code signing certificates to be generated by a certain, specific Certificate
Authority (CA), and do not allow the use of code signing certificates from any other CA.
• Niche solution: There are specialised solutions that centrally manage code signing
certificates without dedicated hardware, support signing of any code, integrate with
CI/CD platforms and include additional security layers, such as scanning the file for
malware before it is signed, in order to mitigate supply chain attacks.
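The paragraphs above describe code signing only at the level of where the key lives. To make the mechanics concrete, here is an added Go example (not code from the page or from UnBound Security) of the two ends of that workflow: a build stage that refuses to sign an artifact that fails a pre-signing check and otherwise signs its SHA-256 digest, and a deploy stage that re-hashes whatever it received and verifies the signature. The `Signer` type, the `KnownBad` denylist and the sample artifact bytes are assumptions constructed for this example; Ed25519 with an in-memory key stands in for whichever HSM, vendor or SECaaS backend holds the real private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer stands in for the code-signing backend (HSM, vendor service or
// SECaaS). The private key lives only in memory here; in a real pipeline
// it never leaves the HSM or signing service, and only Pub is distributed.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // handed to the deploy stage as the trust anchor
}

// NewSigner generates a fresh Ed25519 key pair (assumption: a throwaway
// key is acceptable for the demonstration).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// ArtifactDigest returns the hex SHA-256 of an artifact. The digest is what
// gets signed, so the signature is bound to the exact bytes that were built.
func ArtifactDigest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// KnownBad is a constructed denylist of digests standing in for the
// pre-signing malware scan; a real gate would call a scanner and refuse
// to sign on any hit.
var KnownBad = map[string]bool{}

// PreSignCheck is the gate that runs before any signature is produced.
func PreSignCheck(artifact []byte) error {
	if KnownBad[ArtifactDigest(artifact)] {
		return errors.New("artifact matches a known-bad digest; refusing to sign")
	}
	return nil
}

// Sign runs the gate and, only if it passes, signs the artifact digest.
func (s *Signer) Sign(artifact []byte) ([]byte, error) {
	if err := PreSignCheck(artifact); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(artifact)
	return ed25519.Sign(s.priv, sum[:]), nil
}

// Verify is the deploy-stage check: it hashes the artifact it actually
// received and validates the signature against the trusted public key.
// Any change to the bytes, or a signature from another key, fails here.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	sum := sha256.Sum256(artifact)
	return ed25519.Verify(pub, sum[:], sig)
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed build output v1.2.3") // constructed sample
	sig, err := signer.Sign(artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact verifies:", Verify(signer.Pub, artifact, sig))

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // one flipped bit is enough to break the signature
	fmt.Println("tampered artifact verifies:", Verify(signer.Pub, tampered, sig))
}
```

The design point worth noting is that the deploy stage trusts only the public key and the bytes it holds; it never takes the build stage's word that the artifact is the one that was signed, which is exactly the property a supply-chain attacker needs to defeat.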
Let’s now explore how all these aspects are brought together in the CI/CD pipeline.
That is the place where all dimensions of security are embedded.
Illustration of how security is integrated through the CI/CD pipeline
1. Agile backlog: The security NFRs (non-functional requirements) are captured in the Agile tool (Jira,
Rally, Azure DevOps etc.), so that they can be implemented at the appropriate layer
(infra/app/db etc.) during the SDLC.
2. Development IDE: Depending on what security tools the Enterprise uses, their
corresponding IDE (Eclipse, IntelliJ IDEA, Visual Studio etc.) plugins are available, so
that developers can “shift left” – detect and fix issues before the code leaves the IDE
itself!
3. Build Tools: Build tools like Maven, Gradle etc. have security checks embedded, such as
OWASP dependency vulnerability checks.
4. CI System: CI systems like Jenkins, TeamCity, Azure DevOps etc. have plugins for
SAST/DAST security tools like SonarQube, Veracode etc. This is where the first stage
gate is typically implemented. If a critical vulnerability is found, the build is
“terminated” and the entire pipeline stalled.
5. Environment Provisioning: While spinning up environments using infra-as-code tools
like Terraform, Chef, Puppet etc., care has to be taken to adhere to Enterprise security
guidelines.
6. Database Deploys: Tools like Liquibase or Datical treat the database as code and enable
code reviews and automated deploys, with stage gate implementation.
7. App Deploys: Whether you use tools like Jenkins, TeamCity, Azure DevOps, the cloud
native Argo CD or the more sophisticated IBM UrbanCode Deploy, they have integrations
with various security facets, such as verification of code signatures.
8. Testing: This is where you might have a specific focus on security testing using tools
such as Acunetix, Netsparker and Zed Attack Proxy (ZAP), and pen testing with
Netsparker, Wireshark, Burp Suite etc.
9. Production System: Monitoring of production systems and their security posture
through Argus, Splunk, SolarWinds, Nagios, OSSEC etc.
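Step 4 above says the build is “terminated” when a critical vulnerability is found, but leaves the gate logic itself implicit. The following added Go example (not code from the page, nor from any of the named CI or SAST tools) shows a stage gate that reads a findings report, compares each finding against a configured fail-at severity, and returns a block/allow decision along with the findings that caused it. The `Finding` JSON shape, the severity names and the `SampleReport` content are assumptions constructed for this example, not any real tool's export format; the gate fails closed on an unparseable report or an unrecognised severity so that a broken scanner integration cannot silently wave a build through.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is the shape assumed for one SAST result. The field names are
// an assumption for this example, not any particular tool's schema.
type Finding struct {
	Rule     string `json:"rule"`
	Severity string `json:"severity"`
	File     string `json:"file"`
	Line     int    `json:"line"`
}

// severityRank orders the severities the gate understands.
var severityRank = map[string]int{
	"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4,
}

// GateResult is the decision the CI system acts on.
type GateResult struct {
	Blocked  bool      // true: terminate the build
	Blocking []Finding // the findings at or above the threshold
}

// EvaluateGate parses a findings report and blocks the build when any
// finding is at or above failAt. Parse errors and unknown severities are
// treated as failures rather than passes (fail closed).
func EvaluateGate(report []byte, failAt string) (GateResult, error) {
	var findings []Finding
	if err := json.Unmarshal(report, &findings); err != nil {
		return GateResult{}, fmt.Errorf("unparseable scanner report: %w", err)
	}
	threshold, ok := severityRank[strings.ToLower(failAt)]
	if !ok {
		return GateResult{}, fmt.Errorf("unknown fail-at severity %q", failAt)
	}
	var res GateResult
	for _, f := range findings {
		rank, known := severityRank[strings.ToLower(f.Severity)]
		if !known {
			// A severity the gate cannot rank is treated as critical so
			// that a scanner schema change cannot hide findings.
			rank = severityRank["critical"]
		}
		if rank >= threshold {
			res.Blocking = append(res.Blocking, f)
		}
	}
	res.Blocked = len(res.Blocking) > 0
	return res, nil
}

// SampleReport is a constructed scanner export used to exercise the gate.
const SampleReport = `[
  {"rule": "sql-injection",    "severity": "critical", "file": "app/db.go",     "line": 42},
  {"rule": "hardcoded-secret", "severity": "high",     "file": "app/config.go", "line": 7},
  {"rule": "weak-hash",        "severity": "medium",   "file": "app/auth.go",   "line": 88}
]`

func main() {
	res, err := EvaluateGate([]byte(SampleReport), "critical")
	if err != nil {
		panic(err)
	}
	fmt.Println("build blocked:", res.Blocked)
	for _, f := range res.Blocking {
		fmt.Printf("  %s (%s) at %s:%d\n", f.Rule, f.Severity, f.File, f.Line)
	}
}
```

In a real pipeline the threshold would come from the pipeline configuration rather than a literal, and the returned findings would be written to the build log so the “terminated” build tells the developer what to fix.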
Given the plethora of tools for each tenet in the CI/CD space, you would imagine that
embedding security into the pipeline would be a pretty standard and mature practice.
However, this is far from the reality of most Enterprises.
Here are the top 5 reasons why it is challenging to integrate security solutions into CI/CD
pipelines:
1. No gold standards for security: With the huge variations in technology and toolset
landscape across Enterprises, there are no gold standards for security. Of course,
there are regulatory and compliance requirements. Some industry guidelines are
available; however, their implementation specifics are often left open, to suit
inclusion.
2. It’s beyond the SAST tools of the world: As a DevOps Consultant, I often hear this –
“Of course we embed security into the SDLC – we use SonarQube”. That’s a great
place to start; however, there’s an entire world out there beyond this one!
3. Loss of control: Traditionally, there was an elusive Security Team, which got invoked
during the pre-release phase, and which had the all-encompassing power to stop a
release! Now, with “Continuous Release” making release itself a non-event and
everything-as-code embedding security, the Security Teams tend to feel threatened.
4. Developer resistance: With everything-as-code, the boundaries of a developer’s role
are getting blurred. They are increasingly becoming responsible for not just the
application, but also the infrastructure, configuration, deployments etc. And not all
developers like this evolution.
5. Complexity of the game: As Enterprises become composable and cloud native, their
complexities grow disproportionately. It’s hard before it becomes simple.
As an example, cryptographic key management is very complex and demands a
niche solution. It needs a unified key management and protection platform which
controls and manages all keys anywhere – on-premises, in the cloud, any cloud – which
integrates easily with existing solutions, and which includes native support for all standard
libraries and protocols, including KMIP. That’s a pretty big ask!
Marc Andreessen, co-author of Mosaic (the first widely used web browser) and co-founder
of Netscape, famously said a decade ago: “Software is eating the world”. As this statement
continues to hold true in this decade and beyond, the importance of integrating security with
CI/CD pipelines is greater now than ever.