Security in CI/CD
Having a CI/CD pipeline has become virtually necessary in any application in order to ensure that the proper tests and checks are met before delivering a product. Here in this post, we briefly explore how we can keep security a priority in our pipelines.
First, the obvious...
When working on a project, especially a personal one, we tend to get caught up in getting a minimum viable product (MVP) up and running that we neglect the use of environmental variables. This is a severe yet common mistake especially if you plan on sharing this code with other people on GitHub for instance. API keys, docker logins, VPS credentials and other personal sensitive data often are needed in a codebase, using environment variables can help mask those values and give you an added layer of security and peace of mind when sharing your work.
Continuous Integration and Continuous Deployment
Continuous Integration and Continuous Deployment (CI/CD) is a great way to organize, automate, and speed up the shipment of code from our code editor and repository manager to the end-user. What makes it great is that many of the tasks that we would have to manually repeat can be scripted and automated with CI/CD, which tends to be a theme here on this blog. Instead of doing a general dive into the topic of pipelines I wanted to focus on how we can incorporate security into production. This makes this blog post more appropriate for an intermediate engineer rather than a beginner.
Static Application Security Testing
SAST focuses on analyzing source code, bytecode, or binary by checking for vulnerabilities. Certain code analysis tools can be incorporated to achieve this such as SonarQube, CodeFactor, or Veracode. All of these can be added to CI/CD pipelines so that it can automatically seek and detect any issues. There are also vulnerability scanning tools like OWASP Dependency Check or Snyk to scan the dependencies of an application for known vulnerabilities.
Dynamic Application Security Testing
DAST is the second category of tools that we can add to our pipelines to test the security of our applications. It is a testing method that targets misconfigurations and vulnerabilities in web applications, APIs and even mobile apps. What makes DAST especially distinct from SAST and other methods is that it tests the fully built instance of the application and can even run simulated attacks to behave as a malicious actor. Some API testing focused tools are ZAP, OWASP Zest, or Prisma. For web application scanning tools like Burp Suite or Acunetix are very thorough and provide plenty of insight.
The Limits
Automating security within CI/CD pipelines can be a powerful tool when ensuring the integrity of an application. However, this is not a replacement for following best practices when developing and relying on these tools opens up the possibility of getting attacked by what the tools have not learned to test or look for yet. Also, if too many tools are added to the pipeline this can have adverse affects to deployment time, efficiency, and the overall developer experience. Be smart, be efficient, and play it safe!
Sources
- https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing
- https://www.ibm.com/think/topics/dynamic-application-security-testing