In the previous article we covered IAST: its advantages, the types of tools, and why it matters. This article introduces best practices for securing the CI/CD pipeline.
A CI/CD pipeline is a set of automated processes for continuous integration (Continuous Integration) and/or continuous deployment (Continuous Deployment). CI/CD pipelines are typically run by DevOps teams and are one of the most effective ways to build, test and deploy code through automated tooling.
A CI/CD pipeline makes building and deploying software easier, but a successful pipeline depends on continuous collaboration and disciplined application of agile and DevOps principles.

Why is the CI/CD pipeline the top priority for DevSecOps?
DevSecOps is a programmatic approach to development, automation and platform architecture that makes IT security a priority at every decision-making stage of the life cycle.
Security vulnerabilities not only put sensitive data at risk, they are also expensive to remediate. In 2020 the average cost of a data breach was 3.86 million US dollars. By the end of 2021 the cost of cybercrime was approaching 6 trillion US dollars. 90% of web applications are considered insecure, and 86% of them carry a risk of data leakage. Most importantly, in 2020 alone there were more than 1,000 data breaches in the United States, affecting over 155 million people.
Security may already look like a priority for DevOps and agile teams, but a DevSecOps CI/CD pipeline goes further by embedding security practices directly into the existing development process.
A DevSecOps-based pipeline involves the following points:
Identify security issues early in the development cycle (and try to fix them there), to reduce the friction caused by running security tests and tasks separately from development.
Refine and integrate security goals before development starts. Incorporate threat modeling while the system is being designed, and add linters and static analysis so that tractable problems are eliminated at an early stage.
Use software composition analysis (SCA) to verify that open-source dependencies carry compliant, compatible licenses and have no known vulnerabilities.
When code is pushed into the pipeline, use static application security testing (SAST) alongside SCA to locate problems. Integrate the SAST tools into the automated pipeline so that every new commit is scanned for possible bugs and vulnerabilities.
Take full advantage of security integration testing once the build is complete: execute the code in an isolated container and verify it with test inputs, network calls and authorization flows.
Also test access control and logging. At this point, make sure access is restricted to the relevant subset of users, and that the software reliably records the necessary security and performance metrics every time.
Configure security testing to continue after development. Automate patching and configuration management so that the software always runs the latest, most secure versions of all its dependencies.
A DevSecOps CI/CD pipeline integrates security goals and measures into every stage. With automated tooling, products can be delivered quickly without weakening data protection and security controls.
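The SCA step above is where a pipeline gate is easiest to show concretely. The following is an added example, not code from the original article: it evaluates a simplified SCA report (the JSON format, package names and vulnerability IDs are constructed for this example; real tools such as pip-audit, npm audit or Trivy emit their own formats) against a license allowlist and a severity threshold, and returns the findings a pipeline would fail on.

```python
"""Pipeline gate for a software composition analysis (SCA) report.

Added example, not the article's own code. The report format below is a
constructed simplification: one entry per dependency with name, version,
license and a list of known vulnerabilities with a severity string.
"""
import json

# Policy assumption for this example: only permissive licenses are allowed.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report; package names and vulnerability IDs are invented.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.31.0", "license": "Apache-2.0",
         "vulnerabilities": []},
        {"name": "acme-parser", "version": "1.2.0", "license": "GPL-3.0",
         "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "severity": "high"}]},
        {"name": "legacy-util", "version": "0.9.0", "license": None,
         "vulnerabilities": [{"id": "VULN-EXAMPLE-2", "severity": "medium"}]},
    ]
})


def evaluate_sca_report(report_json, allowed_licenses=ALLOWED_LICENSES,
                        fail_at="high"):
    """Return a list of (kind, dependency, detail) findings that violate policy.

    kind is "license" for a missing or non-allowlisted license and
    "vulnerability" for a known issue at or above the fail_at severity.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at]
    findings = []
    for dep in report["dependencies"]:
        ident = f"{dep['name']}=={dep['version']}"
        lic = dep.get("license")
        # An unknown license is treated as non-compliant, not as a pass.
        if lic not in allowed_licenses:
            findings.append(("license", ident, lic or "unknown"))
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln["severity"].lower()
            # Unrecognised severity strings are treated as critical (fail closed).
            if SEVERITY_RANK.get(sev, SEVERITY_RANK["critical"]) >= threshold:
                findings.append(("vulnerability", ident, f"{vuln['id']} ({sev})"))
    return findings


def gate_passes(report_json, **policy):
    """True when the report produces no findings under the given policy."""
    return not evaluate_sca_report(report_json, **policy)


if __name__ == "__main__":
    for kind, dep, detail in evaluate_sca_report(SAMPLE_REPORT):
        print(f"{kind:13} {dep:22} {detail}")
    raise SystemExit(0 if gate_passes(SAMPLE_REPORT) else 1)
```

The non-zero exit status is what makes this a gate: a CI job running the script after the dependency scan fails the build on any finding. Two design choices matter more than the regexes and thresholds: a missing license fails rather than passes, and an unrecognised severity is treated as critical, so a malformed or truncated report cannot silently open the gate.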

Best practices for CI/CD pipeline security
To keep data secure, make the development process reliable, and get the most out of DevSecOps, consider the following CI/CD pipeline security best practices:
1. Identify the major security threats
Before development starts, identify the main security threats the software under development will face. Identify the points that may need additional protection, conduct threat modeling, and pay close attention to security updates and validation protocols.
Any point where the pipeline touches third-party tools or frameworks is typically vulnerable. Install security patches promptly and keep them up to date, and block any device or connected software that does not meet the security baseline.
2. Enforce strict access parameters
Make sure every person who accesses the pipeline is fully authenticated; require measures such as one-time passwords and authenticator apps.
For non-human access, that is, the access needed by third-party automation tools and frameworks, it is just as important to verify machine identity. Use an authenticator to check that a container's attributes match those previously registered for it in the pipeline's identity system. Once containers and virtual machines have served their purpose, clean them up and destroy them promptly.
3. Provision access carefully
Always know which members have access to which levels of the pipeline. Differentiate access levels by individual role, access time or specific task, maintain a complete access-management database, and make sure the records are classified by access level. This is one of the most effective CI/CD security practices and lets the team manage the application with full visibility.
Practice the principle of least privilege
Least privilege means granting access only to the information a particular role or task requires. In other words, individuals get access only to the restricted data sets and the parts of the CI/CD pipeline that match the tasks or goals assigned to them. This approach should also extend to connected systems, devices and applications, since they too need permissions, at different levels, to complete their tasks. Make sure access levels are investigated and reviewed regularly to reinforce least privilege and keep the ecosystem secure.
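The access-management database and the regular review described above can be turned into a repeatable check. The following is an added example, not code from the original article: it assumes a constructed role-to-stage policy and a constructed list of grants (each with the principal, its role, the pipeline stages actually granted, and when the grant was last used) and flags grants that exceed the role's policy, grants that have gone unused beyond a review window, and grants for roles the policy does not know.

```python
"""Least-privilege access review for a CI/CD pipeline.

Added example, not the article's own code. The role policy, the grants and
the review window are all constructed assumptions for this example.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy: which pipeline stages each role is allowed to touch.
# Machine identities (the scanner bot) are listed alongside humans.
ROLE_POLICY = {
    "developer": {"build", "test"},
    "release-manager": {"build", "test", "deploy-staging", "deploy-prod"},
    "scanner-bot": {"test"},
}

# Assumed review window: access not exercised for 90 days is flagged as stale.
STALE_AFTER = timedelta(days=90)

# Fixed "now" so the constructed sample below reviews deterministically.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed access-management records (principals and dates are invented).
GRANTS = [
    {"principal": "alice", "role": "developer",
     "stages": ["build", "test"],
     "last_used": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"principal": "bob", "role": "developer",
     "stages": ["build", "test", "deploy-prod"],          # over-provisioned
     "last_used": datetime(2024, 1, 12, tzinfo=timezone.utc)},
    {"principal": "carol", "role": "release-manager",
     "stages": ["build", "test", "deploy-staging", "deploy-prod"],
     "last_used": datetime(2023, 6, 1, tzinfo=timezone.utc)},  # unused for months
    {"principal": "ci-scanner", "role": "scanner-bot",
     "stages": ["test", "deploy-staging"],               # bot can deploy: excess
     "last_used": datetime(2024, 1, 14, tzinfo=timezone.utc)},
    {"principal": "dave", "role": "intern",              # role not in policy
     "stages": ["build"],
     "last_used": datetime(2024, 1, 13, tzinfo=timezone.utc)},
]


def review_grants(grants, policy=ROLE_POLICY, now=NOW, stale_after=STALE_AFTER):
    """Return (principal, finding, detail) tuples for every policy violation."""
    findings = []
    for g in grants:
        allowed = policy.get(g["role"])
        if allowed is None:
            # A grant for an unknown role cannot be justified by any policy.
            findings.append((g["principal"], "unknown-role", g["role"]))
            continue
        excess = set(g["stages"]) - allowed
        if excess:
            findings.append((g["principal"], "excess-privilege", sorted(excess)))
        if now - g["last_used"] > stale_after:
            findings.append((g["principal"], "stale-access",
                             g["last_used"].date().isoformat()))
    return findings


def minimal_grant(role, requested, policy=ROLE_POLICY):
    """Trim a requested set of stages down to what the role's policy allows.

    Use this at provisioning time so that excess is never granted in the
    first place; unknown roles get nothing.
    """
    return sorted(set(requested) & policy.get(role, set()))


if __name__ == "__main__":
    for principal, finding, detail in review_grants(GRANTS):
        print(f"{principal:12} {finding:17} {detail}")
    print("bob's minimal grant:", minimal_grant("bob" and "developer",
                                                ["build", "test", "deploy-prod"]))
```

Run periodically, the review output is the list of grants to revoke or justify; `minimal_grant` is the same policy applied at provisioning time, which is where least privilege is cheapest to enforce. The same structure works for non-human principals, as the scanner-bot entry shows, which is why machine identities belong in the same access database as people.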
4. Make sure Git is secure
As is well known, Git repositories have become a major target for attackers and other security threats. Every developer and tester on the project needs to be fully trained so that they know how to use Git securely, avoid common security pitfalls, and protect the code hosted in Git.
Use a .gitignore file to avoid accidentally committing generated files and local cache files. Note that .gitignore only keeps untracked files from being staged; a file that is already tracked, or a credential pasted into source, is not caught by it, so a pre-commit check on staged content is still needed. In addition, a securely stored local backup repository can be set up as part of the backup mechanism.
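The staged-content check that .gitignore cannot provide looks like the following. This is an added example, not code from the original article: it assumes a constructed list of staged (path, content) pairs, which a real pre-commit hook would obtain with `git diff --cached --name-only --diff-filter=ACM` and `git show :<path>`, and blocks the commit when a sensitive file name or secret-like content is about to be committed. The blocked-name patterns, secret regexes and sample values are all assumptions of the example.

```python
"""Pre-commit gate over staged files: sensitive names and secret-like content.

Added example, not the article's own code. The staged file set below is
constructed inline so the script runs offline; the key-like values in it
are invented and not real credentials.
"""
import fnmatch
import re

# Assumed policy: file names that should never be committed.
BLOCKED_PATHS = ["*.pem", "*.key", "*.p12", "*.pfx", ".env", "*.env", "id_rsa*"]

# Assumed detection patterns; tune for the code base, they are deliberately narrow.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A password/secret/api key/token assigned a quoted literal of 8+ characters.
    "generic-assignment": re.compile(
        r"(?i)(?:password|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed staged set (paths and values invented for this example).
STAGED = [
    ("src/app.py",
     'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'),        # clean
    ("config/settings.py",
     'API_KEY = "example-not-a-real-key-1234567890"\n'),            # literal secret
    ("deploy/server.pem",
     "-----BEGIN PRIVATE KEY-----\n(body omitted in this constructed sample)\n"),
    ("scripts/upload.sh",
     "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"),            # key-shaped value
    ("notes.txt",
     "-----BEGIN RSA PRIVATE KEY-----\n(body omitted in this constructed sample)\n"),
    ("README.md",
     "Set the TOKEN environment variable before running.\n"),       # clean
]


def scan_staged(files):
    """Return (path, line_number, reason) findings; line 0 means the path itself."""
    findings = []
    for path, content in files:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(name, pat) for pat in BLOCKED_PATHS):
            findings.append((path, 0, "blocked-path"))
            continue  # no need to scan the body of a file we refuse outright
        for lineno, line in enumerate(content.splitlines(), 1):
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, label))
    return findings


def commit_allowed(files):
    """True when nothing in the staged set trips a rule."""
    return not scan_staged(files)


if __name__ == "__main__":
    for path, lineno, reason in scan_staged(STAGED):
        print(f"{path}:{lineno}: {reason}")
    raise SystemExit(0 if commit_allowed(STAGED) else 1)
```

Installed as `.git/hooks/pre-commit` (or through a hook manager) and fed the real staged set, the non-zero exit aborts the commit before the secret reaches history, which is far cheaper than rotating a credential and rewriting history afterwards. The same scan is worth running again in the pipeline on every push, because local hooks are optional and can be skipped with `--no-verify`.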
Conclusion
Integrating DevSecOps into the development pipeline can be quite complex, especially for a team that is new to the approach. Early on, try breaking the process into small, easy-to-implement steps and familiarizing the team with DevSecOps tools, principles and practices, so as to shift the team's culture and each individual's way of thinking.