What Does Security Mean #1: What does security mean for your application pipeline?



I think a power to do something is of value. Whether the result is a good thing or a bad thing depends on how it is used, but the power is a value.

― Richard P. Feynman, The Meaning of It All: Thoughts of a Citizen-Scientist

Feeling ready to be empowered?

Good, so am I. My obsessive passion to unveil the meaning behind things is the reason I'm here, and I'm secretly hoping I can take you along for the ride.



Why should you even bother reading this article?

Photo by Gustavo Fring from Pexels

"Why is today's topic important?", you might ask. I can hear you typing over there.

I would rather you answer this question instead: "Would you be OK with your application being compromised? Unavailable for hours, or even days? Your users' data becoming public? Millions and millions in penalties? A bad user experience? A bad reputation? Being in the headlines for weeks, and for all the wrong reasons?"

But these are true of any security topic. Allow me to zoom in and get more specific. You should care about your application pipeline security because if you do it right, you have the chance to reduce your cost of ownership tremendously. You can deploy changes and features to your customers with confidence that you will not have to do the awkward walk-back and roll back changes because your innovative idea was flawed. There is nothing worse than slowing down your CI/CD pipeline.

Secure early, and keep the confidence of your stakeholders. That way they will let you innovate often.


Why should you even care about my opinion?

Before we get started on our strongly opinionated journey, I'd like to tell you a little bit about me and about what I do first.

I'm a hybrid between a CISO and a security engineer, and I've had the good fortune of molding a company's security framework in an almost single-handed manner. In short, for the past 6 years, if it had to do with security, whether operations, strategy or policy, I had my hand in it. I have some other qualifications that may not be strictly relevant to the conversation, but feel free to check out my LinkedIn profile if you're curious.



With all of that said, let's proceed to discover some meaning.

What does security mean for your application pipeline?



Source-code management (SCM)


Please stop implementing least-privilege wrong. I beg you, in the name of all that is good.

Security at this stage means 2 main things:

  • Correct access control on your source code repository. My advice is to use a service account with clearly assigned ownership and a very specific role with granular permissions.
  • Funneling all changes through your source code management, so that changes can be traced in time and ownership. No manual clicking and deployment. All changes should be version-controlled.



Static analysis (SAST)

Photo by Dmitry Zvolskiy from Pexels

This is a personal favorite. I like saving money, can you blame me?

This is the cheapest way to detect defects in general, and especially security-related defects.

What security means for your static analysis is SAST (Static Application Security Testing). This means employing the benefits of static analysis to detect security flaws. In the DevOps world, you will need tool support for this.

Scan your code with a language-specific tool; it has a high chance of both being free and saving you tons of money and time.



Dynamic analysis and testing (DAST)

Photo by Allan Mas from Pexels

This is a slightly simpler concept embedded in a fancy term. Basically, test your application, like you would in a VAPT (vulnerability assessment and penetration testing) exercise.

What security means for your dynamic analysis is DAST (Dynamic Application Security Testing). How do you implement it? Run common vulnerability checks on your deployed app, preferably at every deployment stage, and yes, I mean production too (with some extra care and reduced aggressiveness). If it's a web app, the OWASP Top 10 is a great start.


Operational testing and system baselines

Photo by Brett Sayles from Pexels

Ah the long-ignored operational aspect of software production. I love you but I hate you at the same time.

What security means for your operational side is having a dedicated subset of testing on your system configuration.

How do you implement it? Run common system checks on your deployed computation resources. There are a million tools that can help verify that your OS is configured according to your baseline. If you know what you're doing, script your own. CIS guidelines are more than good enough in most cases.

In all cases, have your "golden image", and verify against it.

What is a golden image? I'm glad you asked: Read here.


Networking and infrastructure


Developers tend to forget sometimes: Your application cannot run without infrastructure, no matter how awesome and feature-rich it is.

I can hear the cloud enthusiasts typing. Yes, I know that server-less architectures are on the rise. And yes, I know that you can deploy applications without managing any systems or infrastructure. HOWEVER:

  • Purely server-less architectures will seldom meet all of your needs out in the wild. There is almost always a need for some customized resources, to varying degrees.
  • Server-less architectures do not exonerate you of your security duties. You must examine them as if they were infrastructure and secure them according to your baselines as well, at least when it comes to what you are responsible for configuring from the shared responsibility model.

Phew. We got through that without offending anyone. Now, what security means for your infrastructure is running checks on your deployed network environment. If nmap is too slow for your pipeline and team's velocity, there are many alternatives, including - guess what - scripting your own scanner.

What you're trying to achieve here, is making sure that your network is perceived correctly by the users, no matter how benign or malicious their intent is.
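The "golden image" check from the operational section and the network check described here are the same idea: compare what a deployed host actually looks like against the baseline you declared, and fail the pipeline stage on drift. The script below is an added example, not code from the article; the golden settings, the expected port set and the observed sample host are all constructed, and it assumes the pipeline already feeds it the host's effective settings and the ports an external scan saw as open.

```python
"""Golden-baseline drift check for a deployed host (added example).

Assumes the pipeline supplies the host's effective settings and the
externally observed open ports; both are constructed samples here so the
check runs offline.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str        # "config" (golden image) or "network" (exposure)
    key: str
    expected: object
    observed: object


# Constructed golden image: the hardened settings the baseline mandates.
GOLDEN_CONFIG = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
}
# Constructed network baseline: the only TCP ports users should perceive as open.
EXPECTED_OPEN_PORTS = {443}


def check_config(observed: dict) -> list:
    """Report every golden setting that is missing or differs on the host."""
    return [Finding("config", k, v, observed.get(k))
            for k, v in GOLDEN_CONFIG.items() if observed.get(k) != v]


def check_ports(observed_open: set) -> list:
    """Report ports exposed beyond the baseline, then baseline ports that are down."""
    findings = [Finding("network", f"tcp/{p}", "closed", "open")
                for p in sorted(observed_open - EXPECTED_OPEN_PORTS)]
    findings += [Finding("network", f"tcp/{p}", "open", "closed")
                 for p in sorted(EXPECTED_OPEN_PORTS - observed_open)]
    return findings


def verify_host(observed_config: dict, observed_open: set) -> list:
    """Combined drift report; an empty list means the host matches its baselines."""
    return check_config(observed_config) + check_ports(observed_open)


if __name__ == "__main__":
    # Constructed sample host: one drifted SSH setting and one unexpected open port.
    sample_config = {**GOLDEN_CONFIG, "sshd.PasswordAuthentication": "yes"}
    sample_ports = {22, 443}
    drift = verify_host(sample_config, sample_ports)
    for f in drift:
        print(f"[{f.kind}] {f.key}: expected {f.expected!r}, observed {f.observed!r}")
    raise SystemExit(1 if drift else 0)  # non-zero exit fails the pipeline stage
```

The same comparison works for any key/value source your tooling already exports (sysctl output, a config-management fact dump, a scanner's port list), so the golden baseline stays a plain data file you version-control alongside the application.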


Availability and performance

Photo by Leon Martinez from Pexels


The best ability is availability. There are no two ways around this: availability is a pillar of security.

What does this mean for you? Well, I will keep this short and sweet:

  • Have dedicated stages in your pipeline that examine your application's performance and availability, because these two go hand-in-hand with security.
  • Always design with availability in mind. No single points of failure, no cheaping out on any resource.
  • Decouple your application: separate your resources into specialized chunks (database servers, application servers, etc.).

What you want in production is a battle-tested, hardened application.


Some advanced topics

Photo by Andrea Piacquadio from Pexels

If you want to become a DevOps and software pipelines guru, you must go beyond the scope of this article. In order to ensure availability, there are some advanced concepts that you need to know about in order to succeed in the real world. I will list some of these, and possibly tackle them in future posts, but I would like to at least set you on your way:

  • Blue-green deployments: This means (in an extremely oversimplified manner) deploying your application's new version without decommissioning your older version completely, until you have the needed level of confidence that your new version is stable.
  • Canary deployments: This means rolling out your new features to a subset of your application servers at a time, and as your confidence level in stability increases, rolling out gradually to more and more servers.
  • IAST (Interactive Application Security Testing): At a very basic level, this means testing the way your application interacts with the underlying system (OS) as it is being tested and used. You can detect a lot of security flaws using this technique, like pesky memory leaks that are usually extremely hard to catch.


Have you noticed a pattern here?


This is not a rhetorical question. Have you noticed it?

Yes! 'Tis indeed the fact that security will impact your pipeline at every step. Security embeds itself in everything, and puts its own spin on it. This is in fact true for any area of information and cyber security.

Where does that stem from?

Well, the simple fact that security is a necessity rather than a luxury. To use software lingo, security is a functional requirement. I've said this before (sorry regular content viewers), but you cannot claim to have a working software product if you have not considered the security aspect of it.



Continuous discovery of meaning

The best kind of pipelines are continuous. Thank you for attempting to enhance your continuous learning with me, and I do sincerely hope that you are benefiting from my posts, and most of all, enjoying them. In the spirit of continuity, please do not hesitate to follow up with me on your thoughts, and contact me with suggestions, criticism, rebuttals, or even questions if you think you or your organization could use my experience and opinions. Just saying hi is once more (and forever will be) perfectly fine as well. Also, find my posts on the hashtag #askroland. I just enjoy smart discussions, and I hope you and I can have them.

Send me a message or connection request, comment below, or communicate in any way if you feel like it (contact info available in my profile). I'm just impressed that you made it this far, and would like to virtually shake your hand. For now, I'm afraid this session is over. Class dismissed.


Good luck, and keep on keeping on.

