Securing DevOps platform environments
The business demand to release new or upgraded software in ever faster cycles has seen a rise in the uptake of DevOps practices. A new eBook published by Sogeti and Microsoft in the series of guides to Modern App Development and Enterprise DevOps considers the security implications for enterprises that rely on DevOps platforms for deployment.
How secure are your DevOps platforms, including the pipelines and production environments your developers require to be productive? It’s an important question because pipelines and production environments are extremely attractive to hackers. In Securing Enterprise DevOps Environments, we reveal that DevOps platform environments are one of three threat surfaces in need of urgent attention as hackers become ever more ingenious and malicious.
Every tool an enterprise DevOps team relies on is a potential entry point for attackers: pipeline automation, code validation, and code repositories alike. A common example is an attacker tampering with company code before it reaches production, so that the malicious change passes through the security checkpoints as if it were legitimate. Beyond pipeline and personal access token scenarios, enterprises also need to verify the security of their third-party tool integrations.
So where do you start? As our eBook points out, begin by ensuring that granular control and audit trails are available across each environment. You’ll also need to implement least privilege access wherever you can and ensure the right level of read/write permissions. The goal is a secure setup that minimizes the exposure of secrets and parameters.
This chapter offers guidance for securing the DevOps platform environment with six key actions:
Action 1: Ensure no team member has access to secrets and certificates
Every stage in the application lifecycle now uses secrets and certificates that must be stored securely. Every secret, password, access token, and certificate must be managed, and a best practice for the enterprise DevOps team is to always develop as if the code base were an open-source project. Ensure that teams store no secrets anywhere in the code or in team environments; secrets should be kept only in key vaults.
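One way to enforce the “develop as if it were open source” rule is a scan of staged source lines before they are committed or built. The following is an added example written for this article, not code from the Sogeti/Microsoft eBook; the token patterns, the entropy threshold, the `# pragma: allowlist secret` opt-out marker, and the sample files are all illustrative assumptions constructed for the example.

```python
"""Pre-commit style secret scan over source lines.

Added example for this article; not code from the eBook. The token patterns,
the entropy threshold and the sample files are illustrative assumptions.
"""
import math
import re
from collections import Counter

# Illustrative patterns for well-known credential formats (assumptions, not an
# exhaustive or vendor-verified list). The generic rule captures the value so
# it can be tested for randomness before it is reported.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(path: str, lineno: int, line: str, entropy_threshold: float = 4.0) -> list:
    """Return (path, lineno, rule) findings for one source line."""
    findings = []
    if "# pragma: allowlist secret" in line:   # assumed opt-out marker for reviewed cases
        return findings
    for rule, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        if rule == "generic_assignment":
            # A placeholder like 'changeme' or a vault URL is not a leak; only
            # values that look random are reported.
            if shannon_entropy(m.group(2)) < entropy_threshold:
                continue
        findings.append((path, lineno, rule))
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> source text; returns all findings across files."""
    findings = []
    for path, text in files.items():
        for i, line in enumerate(text.splitlines(), start=1):
            findings.extend(scan_line(path, i, line))
    return findings

# Constructed sample input: what a staged diff might contain. None of the
# values are real credentials.
SAMPLE_FILES = {
    "app/settings.py": (
        "DB_PASSWORD = 'changeme'  # placeholder, low entropy\n"
        "API_TOKEN = 'q7Zp1xLm9vRt3sKw8nYb2cHd5fGj6aQe'\n"
        "VAULT_URL = 'https://example-vault.vault.azure.net/'\n"
    ),
    "deploy/ci.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "GITHUB_TOKEN=ghp_" + "a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8" + "\n"
    ),
    "README.md": "Secrets are read from Key Vault at startup; never commit them.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, lineno, rule in results:
        print(f"{path}:{lineno}: possible {rule}")
    # Exit non-zero so the commit hook or pipeline step fails when anything is found.
    raise SystemExit(1 if results else 0)
```

Run as a pre-commit hook or as the first pipeline step: the placeholder password and the vault URL pass, while the random-looking API token, the AWS key id and the GitHub token are reported and the step fails.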
Action 2: Automate scans for Infrastructure-as-Code (IaC) templates
DevOps teams use a combination of tools and languages to get their job done, but how do they verify their code is running safely? To raise the maturity of your security posture and ensure compliance, it’s necessary to automate scans for IaC environments.
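What an automated IaC scan looks like in practice, as an added example written for this article rather than code from the eBook or from any Microsoft scanner: a small policy check over an Azure Resource Manager (ARM) template in JSON. The three rules (no administrative ports open to any source, no anonymous blob access, HTTPS-only storage) and the template itself are illustrative assumptions constructed for the example; a real baseline would carry many more rules.

```python
"""Policy checks over an ARM template, suitable for a pipeline gate.

Added example for this article; not code from the eBook. The rules and the
sample template are illustrative assumptions.
"""
import json

ADMIN_PORTS = {"22", "3389"}
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}   # assumed "open to the internet" prefixes

def _port_matches(port_range: str, port: str) -> bool:
    """ARM destinationPortRange values are '22', '*', or 'lo-hi'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= int(port) <= int(hi)
    return port_range == port

def check_security_rule(name: str, props: dict) -> list:
    """Flag inbound Allow rules that expose SSH/RDP to any source address."""
    findings = []
    if (props.get("access") == "Allow" and props.get("direction") == "Inbound"
            and props.get("sourceAddressPrefix") in ANY_SOURCE):
        ports = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
        exposed = sorted(p for p in ADMIN_PORTS if any(_port_matches(r, p) for r in ports))
        if exposed:
            findings.append((name, f"admin ports {exposed} open to the internet"))
    return findings

def check_storage_account(name: str, props: dict) -> list:
    """An unset value is treated as permissive: the policy must be explicit."""
    findings = []
    if props.get("allowBlobPublicAccess", True):
        findings.append((name, "allowBlobPublicAccess is not false"))
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append((name, "supportsHttpsTrafficOnly is not true"))
    return findings

def scan_template(template: dict) -> list:
    """Return (resource, problem) pairs for every rule violation in the template."""
    findings = []
    for res in template.get("resources", []):
        rtype, name, props = res.get("type", ""), res.get("name", "?"), res.get("properties", {})
        if rtype == "Microsoft.Storage/storageAccounts":
            findings.extend(check_storage_account(name, props))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                findings.extend(check_security_rule(f"{name}/{rule['name']}", rule.get("properties", {})))
        elif rtype == "Microsoft.Network/networkSecurityGroups/securityRules":
            findings.extend(check_security_rule(name, props))
    return findings

# Constructed sample template: a build-artifact storage account with anonymous
# blob access, and a build-agent NSG that allows SSH from anywhere.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "stbuildartifacts",
      "properties": { "allowBlobPublicAccess": true, "supportsHttpsTrafficOnly": true }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2022-07-01",
      "name": "nsg-build-agents",
      "properties": {
        "securityRules": [
          { "name": "allow-ssh-anywhere",
            "properties": { "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                            "sourceAddressPrefix": "*", "destinationPortRange": "22",
                            "sourcePortRange": "*", "destinationAddressPrefix": "*", "priority": 100 } },
          { "name": "allow-https-corp",
            "properties": { "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
                            "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443",
                            "sourcePortRange": "*", "destinationAddressPrefix": "*", "priority": 110 } }
        ]
      }
    }
  ]
}
""")

if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for resource, problem in results:
        print(f"{resource}: {problem}")
    raise SystemExit(1 if results else 0)
```

Running it in the pipeline before `az deployment` (or as a pull-request check) fails the build on the public storage account and the open SSH rule while letting the corporate-only HTTPS rule through; the same structure extends to Bicep or Terraform output once it is rendered to JSON.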
Action 3: Equip every DevOps platform environment with audit trails
Audit trails are the backbone of a secure DevOps environment. Ensure you’re tracking who gained access, what change occurred, and the date/time for every active system. This specifically includes the DevOps platforms that teams use for the CI/CD pipelines that flow into production.
Action 4: Automate approval workflows
For any approval workflow to push code into production, certain automatic or manual checks must confirm the security, business value, status, and quality of each request. More automation in security reduces the risk of human error and provides efficiency gains, but some automated actions depend on approvals or non-IT human actions, so try tools like ServiceNow to automate the approval request and process the response.
Action 5: Secure the software supply chain
With every library you bring into your codebase, you expand the software supply chain and inherit dependencies from each open-source project or tool. Ask yourself if you really do need the dependency or library and, if you don’t, remove it to reduce the attack surface. But if you do, consider one of several options for both GitHub and Azure DevOps to best track and update dependencies.
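The tracking half of this action can be enforced mechanically. The following is an added example written for this article, not tooling from GitHub, Azure DevOps or the eBook: it treats a pip `requirements.txt` as the supply-chain manifest and applies two illustrative policies, that every dependency is pinned to an exact version and that every pinned dependency carries a `--hash` so that `pip install --require-hashes` refuses a swapped artifact. The requirements text and the placeholder digest are constructed for the example.

```python
"""Gate on dependency pinning before a pipeline installs anything.

Added example for this article; not tooling from GitHub, Azure DevOps or the
eBook. The two policies and the sample file are illustrative assumptions.
"""
import re

# name, optional [extras], optional operator, optional version
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~]=?)?\s*([^\s;#\\]*)")

def parse_requirements(text: str) -> list:
    """Return [(name, operator, version, [hashes])]; backslash continuations are joined."""
    logical_lines = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments first
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical_lines.append(buf)
        buf = ""
    reqs = []
    for line in logical_lines:
        if line.lstrip().startswith("-"):   # -r, --index-url etc. are options, not requirements
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, _, op, version = m.groups()
        hashes = re.findall(r"--hash=(sha256:[0-9a-f]{64})", line)
        reqs.append((name.lower(), op or "", version or "", hashes))
    return reqs

def audit_requirements(text: str) -> list:
    """Return policy violations as (package, reason) pairs."""
    problems = []
    for name, op, version, hashes in parse_requirements(text):
        if op != "==" or not version:
            problems.append((name, f"not pinned to an exact version ({op}{version or '*'})"))
        if not hashes:
            problems.append((name, "no --hash, install cannot verify the artifact"))
    return problems

# Constructed sample manifest; the digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = (
    "# constructed for the example\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "pyyaml>=6.0            # floating lower bound\n"
    "cryptography           # no version at all\n"
    "urllib3==2.0.7         # pinned but unverifiable\n"
)

if __name__ == "__main__":
    problems = audit_requirements(SAMPLE_REQUIREMENTS)
    for package, reason in problems:
        print(f"{package}: {reason}")
    raise SystemExit(1 if problems else 0)
```

Files in the compliant shape are produced by `pip-compile --generate-hashes` from pip-tools, and Dependabot (on GitHub) can keep the pins current so that updating a dependency is a reviewed pull request rather than a silent change at install time.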
Action 6: Allow only verified DevOps tool integrations
DevOps tools come with many extensions and integrations to make the DevOps team efficient and secure. A secure practice is to only allow verified integrations that require the least privilege possible to execute their work.
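For a GitHub Actions pipeline, “verified integrations with the least privilege possible” can be checked on every workflow change. The following is an added example written for this article, not tooling from GitHub or the eBook. Its three policies are illustrative assumptions: actions may only come from an allowlist of publishers, they must be pinned to a full commit SHA rather than a mutable tag or branch, and the workflow must declare a top-level `permissions:` block for `GITHUB_TOKEN` that is not `write-all`. The workflow text and the placeholder SHA are constructed for the example; the file is scanned line by line so no YAML library is needed.

```python
"""Audit a GitHub Actions workflow for third-party integrations.

Added example for this article; not tooling from GitHub or the eBook. The
allowlist, the policies and the sample workflow are illustrative assumptions.
"""
import re

ALLOWED_PUBLISHERS = {"actions", "github", "contoso-platform"}   # assumed allowlist
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")   # column 0 only

def parse_uses(ref: str):
    """Split 'owner/repo[/path]@ref' into (owner, ref); local and docker refs give (None, None)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None, None
    if "@" not in ref:
        return ref.split("/", 1)[0], ""
    repo, version = ref.rsplit("@", 1)
    return repo.split("/", 1)[0], version

def audit_workflow(text: str) -> list:
    """Return (lineno, problem) pairs; lineno 0 marks workflow-wide findings."""
    findings = []
    top_level_permissions = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].rstrip()
        perm = TOP_PERMISSIONS_RE.match(stripped)
        if perm:
            top_level_permissions = perm.group(1).strip()
        m = USES_RE.match(stripped)
        if not m:
            continue
        ref = m.group(1)
        owner, version = parse_uses(ref)
        if owner is None:
            continue   # action in this repository; reviewed with the repo's own code
        if owner not in ALLOWED_PUBLISHERS:
            findings.append((lineno, f"{ref}: publisher '{owner}' is not on the allowlist"))
        if not SHA_RE.match(version):
            findings.append((lineno, f"{ref}: not pinned to a full commit SHA"))
    if top_level_permissions is None:
        findings.append((0, "no top-level permissions: block; GITHUB_TOKEN gets the repository default"))
    elif top_level_permissions == "write-all":
        findings.append((0, "permissions: write-all grants every scope to GITHUB_TOKEN"))
    return findings

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"   # placeholder, not a real commit

# Constructed sample workflow: one SHA-pinned action, one tag-pinned action,
# one unknown publisher on a branch ref, and one local action.
SAMPLE_WORKFLOW = f"""\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: actions/setup-node@v4
      - uses: some-random-user/upload-anything@main
      - uses: ./.github/actions/internal-lint
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for lineno, problem in results:
        print(f"line {lineno}: {problem}")
    raise SystemExit(1 if results else 0)
```

Run it as a required check on pull requests that touch `.github/workflows/`: the SHA-pinned checkout and the local action pass, `setup-node@v4` is reported for using a mutable tag, and the unknown publisher is reported twice, once for not being on the allowlist and once for the branch reference. The same allowlist idea applies to Azure DevOps extensions, where the marketplace listing and the scopes an extension requests are the things to verify.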
Read the eBook
Want to know how to move ahead with all of these recommended actions? This chapter of Securing Enterprise DevOps Environments not only gives more detail on the ‘what’ to do to secure your DevOps platform environments but offers invaluable advice on ‘how’ to do it.
Blog author
Clemens Reijnen, Sogeti Global CTO Cloud Services, is the co-author of Securing Enterprise DevOps Environments in partnership with Microsoft.
