{"id":119416,"date":"2020-10-09T16:00:25","date_gmt":"2020-10-09T23:00:25","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=119416"},"modified":"2020-12-04T03:34:16","modified_gmt":"2020-12-04T11:34:16","slug":"cloud-add-security-cicd-pipeline","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/10\/cloud-add-security-cicd-pipeline\/","title":{"rendered":"3 Simple Techniques to Add Security Into the CI\/CD Pipeline"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">I propose that there are three fundamental and concrete practices DevOps and security teams can adopt to add security into the CI\/CD pipeline and secure critical applications, involving:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Infrastructure-as-Code (IaC).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Kubernetes application manifests.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Containers and container images.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">But before discussing these technology-related components, it is important to highlight salient aspects pertaining to the people and process components of the application lifecycle.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">People and Process<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">I've <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/cloud-devsecops\/\"><span style=\"font-weight: 400;\">previously discussed solutions<\/span><\/a><span style=\"font-weight: 400;\"> for the cultural stalemate that can arise between DevOps and security teams in the people and process part of cloud native adoption. 
For this article, I'll add a few additional statements.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>DevOps Teams Do Not Need to Be Security Experts<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">It is not a secret that security is hard to get right. Security teams are resourced with highly skilled members with the domain expertise needed to secure the critical assets of an enterprise. But they cannot be expected to be experts on the code for every business application. Similarly, DevOps teams are highly skilled at building, deploying and running complex applications, but cannot be expected to be security experts.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, as the principal authors and architects of infrastructure and applications, DevOps teams have the <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/02\/cloud-3t-shift-left-security\/\"><span style=\"font-weight: 400;\">incentive to deliver<\/span><\/a><span style=\"font-weight: 400;\"> quality products \u2013 and security can be a part of quality. DevOps teams just need to be armed with tools that help them build security in from the start.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Purpose-built security tools can provide DevOps teams with security failure and vulnerability information, including how to make fixes. Armed with rich and contextual information, DevOps teams can remediate and address security failures in the same manner they would address failures arising from the QA testing process.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, modern and purpose-built security tools <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/prisma-cloud\/cloud-devops-plugins\/\"><span style=\"font-weight: 400;\">integrate seamlessly<\/span><\/a><span style=\"font-weight: 400;\"> with existing DevOps processes, making adoption less burdensome. 
For example, security scans and checks can be triggered within an integrated development environment (IDE), when a pull request (PR) is opened or as an additional step in the CI\/CD pipeline.\u00a0\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Security Teams Require a Trust-But-Verify Posture<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">Traditionally, security teams don't obtain visibility into applications until the last minute. They must scramble to incorporate best practices for compliance, vulnerability management, configuration checks, network security and least-privileged access. This contributes to an undesirable reality where security is always \"bolted-on\" at the end.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In contrast, the ideal posture is to ensure that security is injected <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/cloud-secure-cloud-native-applications\/\"><span style=\"font-weight: 400;\">throughout the development process<\/span><\/a><span style=\"font-weight: 400;\">, in close collaboration with the DevOps teams. Such an approach enables DevOps to deliver applications at a rapid rate, while security teams have the requisite oversight to ensure applications are deployed in accordance with enterprise security policies and compliance requirements.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Importantly, the security teams <\/span><b><i>must<\/i><\/b><span style=\"font-weight: 400;\"> trust DevOps teams to incorporate the desired security capabilities. Even so, security teams can verify that security has been incorporated using a lightweight footprint, meaning tools that offer visibility into the CI\/CD pipeline but remain decentralized \u2013 as it should be. 
This truly affords a win-win scenario for both teams, with the ultimate winner being the business.\u00a0\u00a0\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Security Teams Need to Empower DevOps<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">To recap what has been stated so far, bolted-on security is undesirable and potentially insufficient to protect enterprise applications; the ideal scenario is one wherein security is incorporated as a non-functional requirement for DevOps teams; security teams should work to provide the tools and processes to satisfy those requirements in a DevOps-friendly manner.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The benefits of such an approach are that DevOps teams rightly assume responsibility for satisfying security requirements, while security teams are responsible for empowering DevOps with tools to achieve these requirements in a cloud and container native manner. There are powerful benefits when DevOps and security teams agree on how and where to incorporate security into the CI\/CD pipeline:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Security is not a bolted-on afterthought.\u00a0\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Security is treated as a \"first-class citizen,\" similar to other quality concerns such as implementation errors and software bugs.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Security failures are identified and addressed early \u2013 and, more importantly, prior to application deployment, after which changes become more costly.\u00a0<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Putting Secure DevOps into Practice<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">You can see the interdependence of people, process and technology, and their effect on a successful cloud native security posture. 
Let us now pivot to the specific <\/span><b>technology<\/b><span style=\"font-weight: 400;\"> steps that can be taken by both teams in order to adopt and realize the ideal state for secure DevOps.\u00a0<\/span><\/p>\n<figure id=\"attachment_119430\" aria-describedby=\"caption-attachment-119430\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:28.56%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-119430 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/10\/build.png\" alt=\"This diagram shows the security touchpoints across the build, deploy and run stages of development, showing opportunities to add security into the CI\/CD pipeline. Under build, we see Developer IDE and Infrastructure as Code; Under Deploy, we see Infrastructure as Code and Container Image Registry; Under Runtime, we see how Prisma Cloud Runtime Security protects running software. \" width=\"900\" height=\"257\" \/><\/span><\/div><figcaption id=\"caption-attachment-119430\" class=\"wp-caption-text\">Figure 1. Security touchpoints across build, deploy and run stages of development.<\/figcaption><\/figure>\n<h5><strong>1. Scan Infrastructure-as-Code Templates\u00a0<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">DevOps teams have adopted IaC templates \u2013 such as Amazon CloudFormation, Azure Resource Manager and HashiCorp Terraform \u2013 in conjunction with automation to rapidly deploy, tear down and manage infrastructure. However, Unit 42 Cloud Threat research on IaC templates has revealed that a <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/cloud-threat-report-intro\/\"><span style=\"font-weight: 400;\">large number of templates contain misconfigurations<\/span><\/a><span style=\"font-weight: 400;\"> that do not comply with either best practice or enterprise security policies. 
This results in the deployment of insecure infrastructure that is exposed to exploits and breaches.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This problem can be overcome by incorporating IaC template scanning, using purpose-built security tools that:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Seamlessly integrate into existing DevOps processes such as IDEs, PR workflows and CI\/CD pipeline steps (as discussed above).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Provide the results of a scan, the misconfiguration identified and the relevant information needed to address the security failure.\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_119443\" aria-describedby=\"caption-attachment-119443\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:8.44%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-119443 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/10\/IaC1.png\" alt=\"This example of IaC scan results generated by Prisma Cloud shows how results are classified by severity. \" width=\"900\" height=\"76\" \/><\/span><\/div><figcaption id=\"caption-attachment-119443\" class=\"wp-caption-text\">Figure 2. IaC scan results generated by Prisma Cloud.<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">Scanning IaC templates <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/prisma-cloud\/cloud-iac-build-policies\/\"><span style=\"font-weight: 400;\">within the DevOps process<\/span><\/a><span style=\"font-weight: 400;\">, prior to the deployment of the infrastructure, greatly reduces the occurrence of security incidents in the runtime environment.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>2. 
Scan Kubernetes Application Manifests\u00a0<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">The predominant approach to deploying applications on Kubernetes platforms is to declare all the relevant parameters in a YAML file called an application manifest. However, the same Unit 42 report cited above found that 42% of Docker containers leveraging open source software contain insecure defaults, which can result in the deployment of vulnerable containers and applications.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Application Container Security Guide from the National Institute of Standards and Technology (<\/span><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-190\/final\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">NIST SP 800-190)<\/span><\/a><span style=\"font-weight: 400;\"> lists controls for containers and containerized applications that should be incorporated in order to secure these applications. Inserting security tools that can scan for these controls in the DevOps IDE, PR workflows and CI\/CD pipeline steps helps support compliance and other best practices.\u00a0<\/span><\/p>\n<figure id=\"attachment_119456\" aria-describedby=\"caption-attachment-119456\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:9.22%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-119456 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/10\/IaC2.png\" alt=\"Kubernetes scan results generated by Prisma Cloud classify results by severity and include notes on how to address the issues raised. \" width=\"900\" height=\"83\" \/><\/span><\/div><figcaption id=\"caption-attachment-119456\" class=\"wp-caption-text\">Figure 3. 
Kubernetes scan results generated by Prisma Cloud.<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">The benefit to DevOps teams is that security scans can identify insecure and noncompliant configurations prior to deployment, where they still have the ability to make the necessary corrections and fixes. For example, a security scan can identify and alert an engineer if a container image is either run as the root user or with escalated privileges. Detecting vulnerabilities at this earlier point \u2013\u00a0rather than detecting them in runtime after the container has been deployed \u2013 also greatly reduces team friction.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h5><strong>3. Scan Container Images\u00a0<\/strong><\/h5>\n<p><span style=\"font-weight: 400;\">This third and final step involves scanning the container image \u2013 which is a lightweight, standalone executable piece of software. Because container images are often pulled from public repositories \u2013 essentially untrusted sources \u2013 they can be a major threat vector for containerized applications. However, with purpose-built security tools, it is possible to provide detailed <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/prisma-cloud\/cloud-container-image-trust-groups\/\"><span style=\"font-weight: 400;\">vulnerability information<\/span><\/a><span style=\"font-weight: 400;\"> to DevOps teams at multiple points during the development and deployment cycle by performing an image scan when the image is built and again in the CI\/CD pipeline.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The scan results provide a detailed account of the vulnerability, its severity, the status of a fix and the version of the software package in which the vulnerability has been fixed. A DevOps engineer can easily address and fix the vulnerabilities in a prioritized manner as determined by security policies. 
These steps help ensure only sanctioned and secure images are deployed.\u00a0<\/span><\/p>\n<figure id=\"attachment_119469\" aria-describedby=\"caption-attachment-119469\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:39.44%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-119469 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/10\/vulnerabilities.png\" alt=\"Container scan results from Prisma Cloud include CVE numbers, severity, CVSS, information on package, version and status, and a detailed account of the vulnerability. Tools like this allow DevOps teams to add security into the CI\/CD pipeline. \" width=\"900\" height=\"355\" \/><\/span><\/div><figcaption id=\"caption-attachment-119469\" class=\"wp-caption-text\">Figure 4. Container scan results from Prisma Cloud with detailed description.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Takeaways: How to Add Security Into the CI\/CD Pipeline<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">By adopting these three concrete steps, <\/span><b>people<\/b><span style=\"font-weight: 400;\"> on DevOps teams can maintain lockstep with security requirements early in the build and deploy phases, greatly enhancing agility and the deployment of secure applications. 
This posture is achievable due to the availability of powerful security <\/span><b>technology<\/b><span style=\"font-weight: 400;\"> that DevOps teams can incorporate into existing <\/span><b>processes<\/b><span style=\"font-weight: 400;\"> such as PRs and CI\/CD pipelines.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Concluding takeaways:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Purpose-built security tools provide early, context-rich information to DevOps teams.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">These security tools seamlessly integrate with existing DevOps tooling and processes.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Enterprise lines of business are secured as both DevOps and security achieve their domain objectives.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To learn more about implementing DevSecOps strategies and hardening the CI\/CD pipeline, you can check out the <\/span><a href=\"https:\/\/register.paloaltonetworks.com\/shiftingsecurityleft\"><span style=\"font-weight: 400;\">on-demand webinar I recently hosted<\/span><\/a><span style=\"font-weight: 400;\"> with CodeFresh. 
<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Three approaches using a minimal footprint for DevOps and security teams to add security into the CI\/CD pipeline.<\/p>\n","protected":false},"author":663,"featured_media":119417,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768,6765],"tags":[7318,1665,7030,7136,7319],"coauthors":[6902],"class_list":["post-119416","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-cloud","category-secure-the-enterprise","tag-ci-cd-2","tag-devops","tag-devsecops","tag-iac","tag-shift-left","cloud_sec_category-cloud-workload-protection-platform","cloud_sec_category-devsecops"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/10\/Collaborate-blog.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/119416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=119416"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/119416\/revisions"}],"predecessor-version":[{"id":119484,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/119416\/revisions\/119484"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/119417"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp
\/v2\/media?parent=119416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=119416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=119416"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=119416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}