Securing DevOps platform environments

Home / Explore / Blogs / Securing DevOps platform environments

The business demand to release new or upgraded software in ever faster cycles has seen a rise in the uptake of DevOps practices. A new eBook published by Sogeti and Microsoft in the series of guides to Modern App Development and Enterprise DevOps considers the security implications for enterprises that rely on DevOps platforms for deployment.

How secure are your DevOps platforms, including the pipelines and production environments your developers require to be productive? It’s an important question because pipelines and production environments are extremely attractive to hackers. In Securing Enterprise DevOps Environments, we reveal that DevOps platform environments are one of three threat surfaces in need of urgent attention as hackers become ever more ingenious and malicious.

All tools that help enterprise DevOps teams to function represent key entry points for attackers, from pipeline automation to code validation, and code repositories. A common example occurs when company code is infected by hackers before it reaches production systems and thereby passes through cyber security checkpoints. On top of pipeline and personal access token scenarios, enterprises need to verify the security of their third-party tool integrations.

So where do you start? As our eBook points out, begin by ensuring that granular control and audit trails are available across each environment. You’ll also need to implement least privilege access when you can and ensure the right level of read/write permissions. The goal is to build a secure setup, minimizing exposure of secrets and parameters.

This chapter offers guidance for securing the DevOps platform environment with six key actions:

Action 1: Ensure no team member has access to secrets and certificates

Every stage in the application lifecycle now uses secrets and certificates that must be stored securely. This means that every secret, every password, access token, and certificate must be managed and a best practice for the Enterprise DevOps team is to develop always as if it is an open-source project. Ensure that teams are storing no secrets anywhere in the code or on team environments, rather they should be kept within key vaults.

Action 2: Automate scans for Infrastructure-as-Code (IaC) templates

DevOps teams use a combination of tools and languages to get their job done, but how do they verify their code is running safely? To raise the maturity of your security posture and ensure compliance, it’s necessary to automate scans for IaC environments.

Action 3: Equip every DevOps platform environment with audit trails

Audit trails are a backbone of secure DevOps environments. Ensure you’re tracking who gained access, what change occurred, and the date/time for any active system. This specifically includes DevOps platform that teams are using with CI/CD pipelines that flow into production.

Action 4: Automate approval workflows

For any approval workflow to push code into production, certain automatic or manual checks must confirm the security, business value, status, and quality of each request. More automation in security reduces the risk of human error and provides efficiency gains, but some automated actions depend on approvals or non-IT human actions, so try tools like ServiceNow to automate the approval request and process the response.

Action 5: Secure the software supply chain

With every library you bring into your codebase, you expand the software supply chain and inherit dependencies from each open-source project or tool. Ask yourself if you really do need the dependency or library and, if you don’t, remove it to reduce the attack surface. But if you do, consider one of several options for both GitHub and Azure DevOps to best track and update dependencies.

Action 6: Allow only verified DevOps tool integrations

DevOps tools come with many extensions and integrations to make the DevOps team efficient and secure. A secure practice is to only allow verified integrations that require the least privilege possible to execute their work.

Read the eBook

Want to know how to move ahead with all of these recommended actions? This chapter of Securing Enterprise DevOps Environments not only gives more detail on the ‘what’ to do to secure your DevOps platform environments but offers invaluable advice on ‘how’ to do it.

Read the eBook here

Read the eBook

Read the eBook here

Blog author

Clemens Reijnen, Sogeti Global CTO Cloud Services, is the co-author of Securing Enterprise DevOps Environments in partnership with Microsoft.

Clemens Reijnen

Global CTO of Cloud Services

Cookies	Description
Registered visitor cookie	Cookie given to each registered user.
Registered visitor functionality cookie	Cookies used to remember the unique identifier given to each registered user.
Social plug-in content sharing cookie	Cookies set by services such as Facebook Connect or Twitter Button, which allow social networks users to share the content of our websites on social networks.
Unregistered visitor cookie	Cookies used to give to unregistered users a unique identifier in order to recognize them and to analyze how they use the website.
Analytic cookie	Cookies used to store URLs of the previous page visited, enabling to track users navigating from inside or from outside the website. If you click on a Sogeti advertisement on a non-Sogeti website, a cookie may be used to log which website you are on, in order to ensure our advertisements are served effectively and to measure whether our advertisements are viewed. Google Analytics: cookies set by Google analytics are used for web analytical purpose, but are not used to track individual users. For further information on how Google Analytics collects and uses information on our behalf and the right to use such cookies, please refer to the Google Analytics products and services privacy statement. If you object to your Personal Data being collected by Google Analytics, you may download and install the Google Analytics Opt-out Browser Add-on. Pardot: cookies set by Pardot are used to track users on our website. Visits are tracked for known users only. Unknown users are recorded as anonymous users. Please refer to Pardot privacy policy for any further information on their use and your rights related to the use of such cookies.