How To Make Continuous Security Work For You

Source: forbes.com

Accelerating app release cycles is a top challenge for organizations in the cloud-native era. The most competitive companies are shipping software in minutes, which means developers are creating code at speeds never seen before. Those on the production side of this rapid software release cycle have to manage these new software updates with a continuous production pipeline that never stops. This approach calls for continuous integration (CI) and continuous delivery (CD), enabling engineering teams to ship software to production with speed, safety and reliability.

Speed aside, reliability and safety are not easily achieved. As Kubernetes deployments have grown exponentially, so have the attackers targeting them. The rapid adoption has resulted in K8s deployments often outpacing security measures, as companies learn as they go and put their faith primarily in the cloud provider's native security tools. This may not be sufficient: our recent research found that 89% of Kubernetes programmers are leaving sensitive information exposed in their production code, and (ISC)² observed in its 2019 Cloud Security Report that data exposures are the most commonly reported cloud security incidents.

Thus, companies need to think more comprehensively about their security solutions, finding the right approach to not only analyze code continuously during build (CI) but also perform security analysis during the CD portion of the software life cycle. Often, the answer might require a combination of security solutions.

A recent study of more than 392 IT professionals across a range of industries concluded that security continues to top the list of container strategy concerns. Most organizations worry about misconfigurations and runtime risks, and many have no robust security plan in place. What this study exposes is a little-known secret in CI/CD circles: Most security measures today focus on applying security in the CI portion of the pipeline, while CD remains largely uncovered.

Extending Security Into The CD Pipeline

Many current security tools are labeled as CI/CD, but the reality is that CI and CD are very distinct processes. On the CI side, software is compiled, tested and built into deployable components, whereas in the CD phase, the artifacts are shipped and delivered with a specific set of configurations and settings onto a target environment. Kubernetes makes for a perfect companion to CD. Although there is some overlap, many solutions are inadequate when it comes to meeting the needs of both processes. It may look like there is equivalent coverage for CI and CD in the marketplace, but many listed CI/CD tools are actually CI tools that are not purpose-built for the needs and workflows of CD.


In the context of a modern cloud-native application infrastructure like Kubernetes, there are security checks that must be validated against a live Kubernetes cluster as part of the CD pipeline. These validations are either not possible in CI or give inaccurate results there, because they depend on the state of the running cluster. For example, if security teams want to establish guardrails for engineering teams pertaining to the security of application secrets provisioned for Kubernetes workloads, they need to automate that check in CD. They need to ascertain whether pods and containers are communicating the way they were intended, or whether these pods and containers are behaving in a way that might indicate a security breach. Automating and integrating cluster hygiene natively into the CD process, to arm DevOps teams with information about potential and emerging vulnerabilities, security configuration drift and threats, is critical to preserving agility and security simultaneously.

A New Continuous CD Approach

The multitude of security risks, challenges and mitigation needs in this landscape require a fundamentally different approach to continuous CI and CD security. In this new, Kubernetes-driven, cloud-native world, continuously supporting software velocity is the name of the game. With the “Dev” side of DevOps becoming increasingly responsible for security before software goes into production and after it has been deployed, Dev and Ops need as little friction as possible. This can only be delivered via an automated, simple and continuous security framework that extends what CI tools offer and confidently covers the CD portion of the continuous pipeline. Such a fast, easy-to-use and automated security framework needs to work for cross-functional teams and has to be capable of supporting scalable environments without compromising the security of the software delivery cycle, or your business.

Emerging into this space is a new wave of solutions purpose-built to extend the continuous security of Kubernetes-based applications, through integration into the delivery pipeline and through integration into Kubernetes resource admission controllers.

Some third-party solutions are similar to my company's solution, which is a Kubernetes multicluster security and vulnerability scanner that supports Kubernetes and Istio security best practices and compliance checks. This includes vulnerability scanning, hunting for misplaced secrets and identifying excessively used secrets. Such solutions need to be lightweight and API-based.
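To make the two secret-hygiene checks named above concrete, and to show why they belong in CD rather than CI (they need the state of the live cluster, as the earlier section argues), here is an added example. It is illustrative code written for this article, not the author's product or any vendor's scanner. It reads the JSON that `kubectl get pods --all-namespaces -o json` (or the `/api/v1/pods` endpoint) returns and reports two things: credential-looking environment variables whose value is a literal string in the pod spec instead of a reference to a Secret ("misplaced secrets"), and Secret objects consumed by more distinct workloads than policy allows ("excessively used secrets"). The regex, the `MAX_CONSUMERS` threshold, the function names and the sample pod list are all assumptions constructed for the example.

```python
"""CD-stage secret hygiene checks run against a live cluster's pod list.

Input shape: the PodList JSON from `kubectl get pods --all-namespaces -o json`.
Illustrative example code for this article; not a vendor's implementation.
"""
import json
import re
import sys
from collections import defaultdict

# Assumption: env var names that usually carry credential material.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY)", re.I)

# Assumed policy threshold: a Secret consumed by more than this many distinct
# workloads is reported as excessively used. Tune for your environment.
MAX_CONSUMERS = 2


def workload_id(pod):
    """Return 'namespace/owner-kind/owner-name' so replicas of one workload
    count once; a pod with no owner (e.g. a hand-made debug pod) counts itself."""
    meta = pod["metadata"]
    owners = meta.get("ownerReferences") or []
    if owners:
        return f"{meta['namespace']}/{owners[0]['kind']}/{owners[0]['name']}"
    return f"{meta['namespace']}/Pod/{meta['name']}"


def containers(pod):
    """Init containers and regular containers both receive env and mounts."""
    spec = pod["spec"]
    return (spec.get("initContainers") or []) + (spec.get("containers") or [])


def find_misplaced_secrets(pods):
    """Flag sensitive-looking env vars set as a literal 'value' rather than via
    valueFrom.secretKeyRef. Returns (workload, container, env_name) tuples."""
    findings = []
    for pod in pods:
        wid = workload_id(pod)
        for c in containers(pod):
            for env in c.get("env") or []:
                if "value" in env and SENSITIVE_NAME.search(env["name"]):
                    findings.append((wid, c["name"], env["name"]))
    return findings


def secret_consumers(pods):
    """Map 'namespace/secret' -> set of workloads that reference it through
    env secretKeyRef, envFrom secretRef, or a secret volume."""
    consumers = defaultdict(set)
    for pod in pods:
        ns, wid = pod["metadata"]["namespace"], workload_id(pod)
        for c in containers(pod):
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    consumers[f"{ns}/{ref['name']}"].add(wid)
            for ef in c.get("envFrom") or []:
                if ef.get("secretRef"):
                    consumers[f"{ns}/{ef['secretRef']['name']}"].add(wid)
        for vol in pod["spec"].get("volumes") or []:
            if vol.get("secret"):
                consumers[f"{ns}/{vol['secret']['secretName']}"].add(wid)
    return consumers


def find_overused_secrets(pods, max_consumers=MAX_CONSUMERS):
    """Secrets shared by more workloads than the policy threshold allows."""
    return {name: sorted(ws) for name, ws in secret_consumers(pods).items()
            if len(ws) > max_consumers}


def check(pod_list):
    pods = pod_list["items"]
    return {"misplaced": find_misplaced_secrets(pods), "overused": find_overused_secrets(pods)}


def _pod(ns, name, owner_kind, owner_name, containers, volumes=()):
    """Build a minimal Pod object in the shape the API server returns (constructed data)."""
    meta = {"namespace": ns, "name": name}
    if owner_kind:
        meta["ownerReferences"] = [{"kind": owner_kind, "name": owner_name}]
    return {"metadata": meta, "spec": {"containers": containers, "volumes": list(volumes)}}


# Constructed sample cluster state: one hardcoded password, one Secret shared by four workloads.
SAMPLE_POD_LIST = {"kind": "PodList", "items": [
    _pod("payments", "api-7d9f-x1", "ReplicaSet", "api-7d9f", [{"name": "api", "env": [
        {"name": "DB_PASSWORD", "value": "hunter2"},
        {"name": "LOG_LEVEL", "value": "debug"},
        {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-creds", "key": "token"}}}]}]),
    _pod("payments", "worker-5c-y2", "ReplicaSet", "worker-5c",
         [{"name": "worker", "envFrom": [{"secretRef": {"name": "api-creds"}}]}]),
    _pod("payments", "reporter-1a-z3", "ReplicaSet", "reporter-1a", [{"name": "reporter"}],
         volumes=[{"name": "creds", "secret": {"secretName": "api-creds"}}]),
    _pod("payments", "debug", None, None, [{"name": "shell"}],
         volumes=[{"name": "creds", "secret": {"secretName": "api-creds"}}]),
    _pod("web", "frontend-8b-w4", "ReplicaSet", "frontend-8b", [{"name": "nginx", "env": [
        {"name": "SESSION_SECRET", "valueFrom": {"secretKeyRef": {"name": "web-session", "key": "s"}}}]}]),
]}

if __name__ == "__main__":
    # Usage: python secret_hygiene.py pods.json   (omit the file to run on the sample)
    source = json.load(open(sys.argv[1])) if sys.argv[1:] else SAMPLE_POD_LIST
    report = check(source)
    for wid, cname, env_name in report["misplaced"]:
        print(f"MISPLACED SECRET  {wid} container={cname} env={env_name}")
    for secret, workloads in report["overused"].items():
        print(f"OVERUSED SECRET   {secret} consumers={len(workloads)}: {', '.join(workloads)}")
    sys.exit(1 if report["misplaced"] or report["overused"] else 0)
```

The non-zero exit code is what makes this a CD gate: the deploy step fails when the cluster, not the source tree, violates policy. A CI scan of the same repository would not see the `debug` pod or the fourth consumer of `api-creds`, because neither exists in any manifest under version control.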

Another example is the Open Policy Agent (OPA). This is an open-source policy engine that can help organizations enforce context-aware policies across their entire stack, with uses ranging from authorization and admission control to data filtering. According to its website, "OPA provides a high-level declarative language for authoring policies and simple APIs," which organizations can use to answer their policy queries.

CircleCI is another popular platform that gives users the speed and configurability to build and deploy software projects rapidly. CircleCI integrates with GitHub and Bitbucket, and with every code commit, CircleCI creates a build and automates testing and deployment with many “ready-to-wear” security integrations for various pipeline stages.

Don’t Leave Your CD Exposed

Responsible developers will recognize the limitations of CI solutions for security when it comes to the unique requirements and needs of CD. Don’t try to use a hammer to drill a screw. Look for and integrate solutions that are purpose-built for the needs of CD — whether you opt for an open-source option or a solution from a third party — and add them to your software mix to achieve a true continuous and unified security approach for your organization.
