Business & Technology

Enable Security in the CI/CD Pipeline with DevSecOps

By Ali Bidabadi | October 02, 2020

As more application teams adopt Continuous Integration/Continuous Delivery (CI/CD) workflows to enable application development, it’s increasingly important that organizations have integrated and automated security in place to protect these workflows. 

What is CI/CD Security?

CI/CD pipelines are at the center of daily operations for businesses across industries. When set up properly, they ensure consistency across delivery processes by automating manual tasks and providing visibility into how software is being worked on. It is within these pipelines where a network’s infrastructure has access to various resources, including code signing credentials and analytics keys. 

Since most modern applications are based on a micro-service architecture, DevOps teams have leveraged containers and container orchestration platforms, such as Kubernetes, to build and deploy their applications. As a result, container security must be a critical component of any solution that tries to protect CI/CD workflows. Below are considerations for DevOps teams to ensure their container strategy isn’t compromising security. 

How DevSecOps Teams Can Achieve Security for the Entire Applications Lifecycle 

Security should not be limited to only one part of a DevOps workflow. Instead, it needs to be injected into every stage of a CI/CD workflow pipeline—from the time that a developer checks in code to a code repository, until the time that the application is deployed to a runtime environment. At a high-level, a CI/CD pipeline is comprised of three stages: build, deploy, and run. It is paramount to secure each stage of the pipeline to prevent breaches in the overall lifecycle of an application. Here are four things to keep top of mind during each stage of the CI/CD workflow pipeline:  

  1. Build images securely – Images often consist of source codes and third-party libraries. Before building an image, it is critical to parse packages and libraries to generate a detailed report of all vulnerabilities (CVEs) as well as the libraries/packages in which vulnerabilities are discovered. Additionally, certain libraries should be excluded if they can cause security risks. A vulnerability report may also be able to help detect the presence of credentials and/or secrets in an image.
  2. Plug seamlessly into the CI/CD workflow – Most application teams leverage build tools such as Jenkins to automate their build process. In order to add security to a build pipeline, security solutions need to be integrated into common build frameworks. Such integration allows application teams to learn fast and fail/pass builds based on their organization’s requirements. For example, if an organization has a security requirement that does not allow deployment of an application with critical vulnerabilities, a policy needs to be set to fail builds when a critical vulnerability is found in an image.
  3. Run compliance checks against CIS benchmarks – As container orchestration platforms such as Kubernetes gain popularity, running static checks to detect potential vulnerabilities in those environments has become extremely important. The Center for Internet Security  (CIS) has released recommendations for Kubernetes best security practices. This includes recommendations for configuring Kubernetes to support a strong security posture, such as disabling anonymous requests to the API server and running containers only as a non-root user.
  4. Continuous runtime security – While preventing breaches in an application by shifting security to the earlier stages of a CI/CD pipeline is a key aspect of any comprehensive CI/CD security solution, securing running microservices is equally important. The Fortinet-Calico Enterprise integration, for example, addresses Kubernetes network security challenges for both north-south and east-west traffic.
Figure 1. Security for all stages of a CI/CD pipeline

Fortinet and Calico Extend Enterprise Security to Kubernetes 

Successful integration of container services within the enterprise depends heavily on access to external resources, such as databases, cloud services, third-party application programming interfaces (APIs), and other applications. It’s why Kubernetes is the most widely adopted container orchestration system.

All this egress activity must also be controlled for security and compliance reasons. Therefore, to enable successful application rollouts in production environments, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. Fortinet and Tigera have jointly developed a suite of Calico solutions leveraging the Fortinet Security Fabric. The solutions outlines below deliver both north-south and east-west visibility and protection, as well as compliance enablement for Kubernetes clusters.

  • The Calico Kubernetes Controller for FortiGate – Enables FortiGate Next-Generation Firewalls (NGFWs) to control egress from Kubernetes pods to applications. As shown in Figure 2, the controller does this by automatically populating Kubernetes workload source IPs in FortiGate address group objects. FortiGate can then enforce the access rules. This means that developers who add new containers to a Kubernetes pod can use business-level tags (such as department name or role) to identify them, and then rely on the controller to handle the underlying access rule configurations.
Figure 2. Calico Kubernetes Controller for FortiGate
  • The Calico Kubernetes Controller for FortiManager – Enables Kubernetes cluster management from the FortiManager centralized management platform. This controller translates FortiManager policies into granular Kubernetes network policies and then pushes them out to individual clusters across all Kubernetes environments. Additionally, similar to the FortiGate integration, address groups in FortiManager can be updated with new pod/worker node IP address information, which can then be pushed to the FortiGate devices. 
  • Calico FortiSIEM plug-in event correlation and risk management solution – Addresses compliance implications due to a lack of visibility. Like any on-premises or cloud-based networked services, Kubernetes production containers must fulfill both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy cluster audits. The FortiSIEM plugin delivers the telemetry (metadata) that Calico Enterprise creates—including DNS logs, flow logs, and audit logs—into the Fortinet security information and event management (SIEM) environment. This helps security operations (SecOps) teams leverage FortiSIEM to better design and automate their workflows for incident response.

Leveraging Automated Security For CI/CD Pipelines 

While there are multiple ways to achieve a secure application lifecycle, automating and integrating a comprehensive security solution with DevOps workflows provides the most effective approach for discovering, reporting on, and remediating security vulnerabilities. Specifically, to secure microservices-based applications running in a Kubernetes environment, a defense in-depth (DiD) architecture, smilar to the one outlined in this blog is recommended. 

By leveraging the Fortinet Security Fabric, the Fortinet-Tigera joint solution enables organizations to extend enterprise security to Kubernetes clusters so they can maintain their overall security posture. As a result, organizations are further able to achieve full visibility and control across their dynamic multi-cloud environments without compromising security. 

Learn more about how Fortinet’s multi-cloud solutions provide visibility and control across cloud infrastructures to secure applications and connectivity.

Read how Fortinet and Tigera are working together to protect organization’s Kubernetes in the enterprise.

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.