Idea of Security in DevOps
In Azure DevOps, CI/CD forms the cornerstone of modern software delivery. With Continuous Integration (CI), code changes are automatically merged and verified multiple times a day, ensuring early detection of issues. This seamless integration is followed by Continuous Deployment (CD), where these validated changes are swiftly and reliably deployed to production or testing environments. Azure DevOps empowers teams to automate and streamline the entire software delivery process, from code writing to deployment, encouraging agility and quality throughout the development lifecycle.
Problem Statement
Now, a big question pops up: how do we make sure this code is secure, and how does the security team review it as it moves through the different stages of development? Traditionally, the security team looks at the code right before it is released and gives feedback at that final point. But with daily or even hourly updates in the development process, the old way of checking security just before a release no longer keeps up. We need to think about security earlier and more often: instead of waiting until the end, the security team should be involved throughout the whole process, so that security becomes a continuous part of how we work.
Solution
The answer to this problem is a concept called “shifting left”: moving security checks much earlier in the process. Instead of checking security just before a release, we run these checks on each small change to the code, as part of the build pipeline. The security team’s main focus then shifts to how the pipeline is built, which checks it runs, and reviewing the results those checks produce. This adjustment keeps security a top priority even with the rapid pace of updates in modern development.
Tools
There are many tools out there that can check code for problems, and you can easily add them to your development process. I will share a few that I have worked with.
- SonarQube
- Mend (formerly WhiteSource)
- WhiteSource Bolt
- CredScan
SonarQube
SonarQube is a tool used in software development to help make sure that the code being written is of good quality. It checks the code for things that might cause problems, like bugs or security issues. SonarQube gives developers feedback on these issues, so they can fix them early on and have better, safer code. It’s like having a helper that reviews your code and points out things that could be improved or might cause trouble later.
WhiteSource (Mend)
WhiteSource is a software solution designed to help developers manage the security and compliance of open-source components used in their projects. It scans the codebase to identify open-source libraries and components and then checks them against known security vulnerabilities and licensing issues. This helps development teams ensure that the third-party code they use is safe and compliant with legal requirements. WhiteSource provides insights and tools to proactively manage and remediate any vulnerabilities or licensing concerns in the open-source components, contributing to the overall security and quality of the software being developed.
WhiteSource Bolt
WhiteSource Bolt is a software tool that focuses on security and open-source components in the development process. It’s like a guard for your code, specifically looking for vulnerabilities in the open-source parts you use. It scans your code to find any known security weaknesses in the open-source components you’ve included. By identifying these vulnerabilities early on, WhiteSource Bolt helps you fix them before they become serious issues. It’s a way to make sure that the open-source parts of your project are safe and won’t cause problems down the line.
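The two sections above describe the same underlying check: read the project's dependency manifest, compare each pinned component against a list of known advisories, and flag licenses the team has not approved. The script below is an added example written for this article to show that mechanism in miniature; it is not Mend/WhiteSource code and makes no use of their API. The manifest, the advisory list (the "ADV-EXAMPLE-…" identifiers are placeholders, not real advisory or CVE numbers), the license table and the allow-list are all constructed for the example, and the version comparison is a simplified numeric one rather than a full PEP 440 implementation.

```python
"""Added example: a minimal software-composition-analysis (SCA) check.

Illustrative code for this article, not Mend/WhiteSource code. Every data
table below is constructed for the example; none of it is real advisory,
package or license data.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample manifest in requirements.txt style (pinned with ==).
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests==2.19.0
pyyaml==5.4.1
left-pad==1.0.0   # hypothetical package name
"""

# Constructed advisory list: package -> [(placeholder id, fixed-in version, summary)].
# A pinned version older than "fixed-in" is treated as affected.
CONSTRUCTED_ADVISORIES = {
    "requests": [("ADV-EXAMPLE-0001", "2.20.0", "constructed example advisory")],
    "pyyaml": [("ADV-EXAMPLE-0002", "5.4.0", "constructed example advisory")],
}

# Constructed license table plus the allow-list a team policy might define.
CONSTRUCTED_LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "left-pad": "AGPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9][^\s#]*)")


@dataclass
class Finding:
    package: str
    version: str
    kind: str       # "vulnerability" or "license"
    detail: str


def parse_version(version: str) -> tuple:
    """Simplified version key: the numeric components only ("2.19.0" -> (2, 19, 0))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_requirements(text: str) -> list:
    """Return [(package, version)] for every '==' pin; comments and blanks are skipped."""
    pins = []
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
    return pins


def scan(requirements_text: str) -> list:
    """Cross-reference each pin against the advisory list and the license allow-list."""
    findings = []
    for package, version in parse_requirements(requirements_text):
        for advisory_id, fixed_in, summary in CONSTRUCTED_ADVISORIES.get(package, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(package, version, "vulnerability",
                                        f"{advisory_id}: {summary}; fixed in {fixed_in}"))
        license_name = CONSTRUCTED_LICENSES.get(package, "UNKNOWN")
        if license_name not in ALLOWED_LICENSES:
            findings.append(Finding(package, version, "license",
                                    f"license {license_name} is not on the allow-list"))
    return findings


def gate(findings: list) -> int:
    """Exit status for the pipeline step: non-zero fails the build on any finding."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"[{f.kind}] {f.package}=={f.version}: {f.detail}")
    sys.exit(gate(results))
```

Run as a script step in the pipeline, the non-zero exit status is what turns a finding into a failed build; the real tools add a curated, continuously updated advisory feed and proper version-range semantics, which is exactly why a home-grown table like this one is only an illustration.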
CredScan
CredScan is a tool used in software development to find and handle a specific type of issue: hardcoded credentials. These are like secret codes or passwords that are directly written into the code. CredScan scans the code to spot these credentials and alerts developers about them. This is important because having passwords and other sensitive information in the code can be risky. CredScan helps catch these issues early, so developers can fix them and keep the sensitive information safe from being accidentally exposed. It’s a way to make sure that sensitive data is handled properly in the code.
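The description above, together with the "shifting left" idea from the Solution section, comes down to two things: pattern-match the source for credential-shaped values on every change, and fail the build when something is found. The script below is an added example written for this article, not CredScan's own code or rule set. The sample source lines are constructed (the `AKIAIOSFODNN7EXAMPLE` value is the access key id used in AWS documentation examples, not a live key), the rule list is a small hand-written one, and the `# credscan:ignore` marker is an assumed convention for suppressing a known false positive, not a CredScan feature. Note that the report redacts the matched value: a scanner that echoes the secret into the CI log would itself be leaking it.

```python
"""Added example: a minimal hardcoded-credential scanner that fails the build.

Illustrative code for this article, not CredScan. Rules are constructed and
intentionally small; the sample source is constructed as well.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample source. The AKIA... value is AWS's documentation example key id.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2hunter2"
api_key = os.environ["API_KEY"]
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
CONN = "Server=db;Database=app;User Id=svc;Password=Pa55w0rd!;"
TEST_TOKEN = "not-a-real-token"  # credscan:ignore
"""

# Assumed suppression marker (not a CredScan convention) for reviewed false positives.
IGNORE_MARKER = "credscan:ignore"

# Constructed rules: (rule name, compiled pattern). The last capture group, where
# present, is the secret value; otherwise the whole match is.
RULES = [
    ("generic-secret-assignment",
     re.compile(r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']{6,})["\']')),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection-string-password", re.compile(r'(?i)\bpassword=([^;\s"\']+)')),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str   # never the secret itself


def redact(secret: str) -> str:
    """Keep two leading characters for triage; mask the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 4)


def scan_source(text: str) -> list:
    """Return one Finding per (line, rule) hit, skipping lines carrying the ignore marker."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule_name, pattern in RULES:
            match = pattern.search(line)
            if match:
                secret = match.group(match.lastindex or 0)
                findings.append(Finding(line_no, rule_name, redact(secret)))
    return findings


def gate(findings: list) -> int:
    """Exit status for the pipeline step: any finding fails the build."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
    sys.exit(gate(results))
```

Wired in as a script step that runs on every pull request, this is the shift-left loop in its simplest form: the check runs with each small change, the non-zero exit blocks the merge, and the security team reviews the findings rather than the whole codebase at release time. Reading the value from the environment (line 3 of the sample) is not flagged, which is the remediation the scanner is steering developers toward.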
Overall, incorporating security tools into the DevOps pipeline means integrating specialized software that actively scans for, identifies, and helps remediate vulnerabilities in the code and its components throughout the development process. This proactive approach ensures that security concerns are addressed at every stage, promoting the creation of robust and secure software products.