Overview: Integrate automated security testing into your CI/CD Azure Pipelines; this area of expertise is sometimes referred to as DevSecOps. Azure DevOps provides build and automation servers. In the OWASP Top 10 2021, number 8 is Software and Data Integrity Failures, which covers securing CI/CD pipelines.
CI/CD Pipeline hardening - Code is written and committed to a source code repository, then linted (SonarQube), built, tested, and deployed. The pipeline can also include infrastructure and networking setup. YAML and JSON are common formats for defining pipelines. All of these steps need to be hardened.
Ensure only authorized, intended actors can run or use the pipeline, or a stage within it. E.g. ensure only developers with the right permissions can check in code.
- Harden, but be pragmatic so developers can do their work, while not over-allowing access.
- Ensure logging is running.
- Keep plugins and referenced frameworks up to date to avoid known weaknesses being exploited. Ensure the OS and containers are up to date.
- Use dedicated build/service accounts.
- Using Azure DevOps (ADO) does a lot of hardening automatically.
- Don't expose sensitive information such as passwords in your logs; if the logs are compromised you have a problem.
- Ensure artifacts are correctly locked down. To consume artifacts the pipeline only needs read access.
- Verify that the SaaS services you use are secure. Integrate external security SaaS software.
- For security there are native tools, plugins, or external services as mentioned above. Mend/WhiteSource Bolt is a tool for scanning packages for vulnerabilities. Azure DevOps has Mend Bolt as an add-in. There is a free tier, but it is fairly limited. These scans can also be run at the developer level, not just in the pipeline.
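To tie the checklist above together, here is an added example of an Azure Pipelines YAML definition that applies several of the points (least-privilege artifact consumption, secrets kept out of the log, a dependency scan step, and a current agent image). It is not code from the original post. The variable group `app-secrets`, the secret variable `API_KEY`, the artifact name `webapp`, the `production` environment, the build and test commands, and the Mend Bolt task name `WhiteSource@21` with its inputs are assumptions; check the task name against the extension actually installed in your organization.

```yaml
# Added example, not from the original post. Names marked "assumed" are placeholders.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'   # current agent image; stale OS images carry known weaknesses

variables:
  - group: app-secrets       # assumed variable group; secret values are masked by ADO in logs

stages:
  - stage: Build
    jobs:
      - job: BuildAndScan
        steps:
          - checkout: self
            persistCredentials: false   # do not leave the repo token on the agent after checkout

          - script: dotnet build --configuration Release   # assumed build command
            displayName: 'Build'

          # Dependency vulnerability scan with Mend Bolt (formerly WhiteSource Bolt).
          # Task name and inputs are assumed; verify against the installed extension.
          - task: WhiteSource@21
            displayName: 'Mend Bolt scan'
            inputs:
              cwd: '$(System.DefaultWorkingDirectory)'
              projectName: 'webapp'   # assumed project name

          # The secret is mapped into the environment of this single step only.
          # It is not written as $(API_KEY) inside the script line, so the expanded
          # command that the log records never contains the value.
          - script: ./run-integration-tests.sh   # assumed test script reads API_KEY from env
            displayName: 'Integration tests'
            env:
              API_KEY: $(API_KEY)   # assumed secret variable from the group

          - task: PublishPipelineArtifact@1
            inputs:
              targetPath: '$(Build.ArtifactStagingDirectory)'
              artifact: 'webapp'

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployProd
        environment: 'production'   # assumed environment; configure approvals on it in ADO
        strategy:
          runOnce:
            deploy:
              steps:
                # The deploy job only downloads (reads) the artifact; it never republishes it.
                - download: current
                  artifact: 'webapp'
                - script: ls "$(Pipeline.Workspace)/webapp"
                  displayName: 'Inspect artifact before deploy'
```

The deploy stage depends on the build stage, so artifacts flow one way and the consuming job needs only read access to them. Secrets from the variable group are never echoed and are scoped to the one step that needs them via `env:`, which keeps them out of the expanded command line that appears in the pipeline log.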
Azure DevOps Series Posts:
- Azure DevOps Series - Overview
- Azure DevOps Series - Azure Boards
- Missing
- Azure DevOps Series - Azure Pipelines
- Azure DevOps Series - DevSecOps (This Post)