DevSecOps Series – Part 2: Integrating IaC and Monitoring

Table of Contents:

Tags:

In the first blog post, we shortly introduced DevOps and CI/CD. Before we dive into the details, we want to continue this discussion, this time about IaC in general and monitoring.

Infrastructure as Code (IaC) allows infrastructure to be provisioned through code, eliminating the need for manual setup. This process uses a configuration file that specifies the infrastructure, making it easier to modify and distribute. This approach ensures consistent environments every time infrastructure is deployed.

Version Control Systems (VCS) are crucial for IaC, treating infrastructure code like any other code that needs to be versioned. IaC should utilize modular components to enable automation for specific scenarios. Automating infrastructure provisioning through an IaC pipeline, integrated into the CI/CD pipeline, saves developers from manual setups. This automation covers servers, operating systems, storage, network, and more.

Declarative vs. Imperative IaC Approaches

There are two main approaches to IaC:

  1. Declarative Approach: Specifies the desired state of the infrastructure, letting the IaC tool determine the path to achieve it. This method maintains a list of current object states to manage the infrastructure.
  2. Imperative Approach: Requires explicit commands for each step to achieve the desired state, ensuring the correct order of execution.

Most IaC tools favor the declarative approach, simplifying infrastructure changes by defining the end goal rather than individual steps. In cloud computing, Terraform has become a defacto standard.

Benefits of IaC

IaC is ideal for infrastructure provisioning, shifting from manual setups to code-based configurations. This practice is essential in modern IT environments, which rely heavily on virtualization, containers, and cloud computing. IaC enhances the ability to manage the growing number of infrastructure components efficiently, enabling tasks like scaling and system management with ease.

So as summary, IaC improves IT infrastructure management by enhancing consistency, reducing costs, and eliminating configuration errors. Tools like Terraform, Ansible, and Bicep facilitate practical IaC implementation. IaC is integral to DevOps practices and CI/CD pipelines, offloading much of the infrastructure setup from developers. This approach ensures that test and production environments use the same deployment processes, maintaining uniformity and reducing discrepancies.

Enhancing DevOps with Effective Lifecycle Monitoring

One important component for implementing DevOps is a comprehensive way of monitoring the DevOps lifecycle, covering all phases from planning to deployment. This monitoring allows for the visibility of application and service data, enabling proactive responses to potential customer impact.

Understanding DevSecOps and the Software Supply Chain

DevSecOps stands for Development, Security, and Operations. It evolves from DevOps by integrating information security, ensuring not only reliable and high-quality code but also enhancing security. With rapid development speeds, addressing vulnerabilities becomes crucial without compromising agility. Security is embedded throughout the lifecycle, highlighting the need to involve the security team from the beginning of DevOps. This end-to-end security approach encourages developers to adopt security-oriented programming, sharing insights on known threats, identifying potential risks, and conducting risk analyses. This method aims to minimize interruptions in frequent development cycles by automating security measures, particularly for containers and microservices.

Software Supply Chain

The Software Supply Chain mirrors the traditional supply chain, which involves suppliers providing materials, manufacturing, packaging, distribution to retailers, and finally reaching customers. In the software context, dependencies and sources are utilized in development to create the final product, which is then distributed through networks to repositories and eventually deployed in production.

The image compares a traditional supply chain with a software supply chain.

Traditional Supply Chain:

Depicted with icons of gears, factories, trucks, stores, and customers.
Follows a sequence from gears (representing raw materials) to factories (production), trucks (distribution), stores (retail), and finally to customers.
Software Supply Chain:

Depicted with icons representing GitHub (source/dependencies), Jenkins (build systems/engineers), a globe (network), a repository shelf (application repository), and cloud infrastructure (deployed systems).
Follows a sequence from source/dependencies to build systems/engineers, network, application repository, and deployed systems.
The image illustrates how traditional manufacturing and distribution processes are paralleled in the software development and deployment lifecycle.

The software supply chain includes all elements that interact with the code during development. Modern software often comprises various artifacts, including open-source components. While these facilitate quicker development, they may introduce security vulnerabilities. Developers have limited control over these vulnerabilities due to continuous updates by providers and the lack of time to review all code changes.

Each stage of the supply chain not directly controlled by the company is a potential attack point. Therefore, consumers must trust that producers implement security measures to prevent attacks. The CNCF STAG outlines four principles to secure the software supply chain:

  1. Trust: Ensure every stage of the supply chain is trustworthy, using cryptography to maintain trustworthiness.
  2. Automation: Automate processes to enhance security and reduce human errors.
  3. Clarity: Clearly define and limit the scope of the supply chain within the build environment.
  4. Mutual Authentication: Employ authentication mechanisms and regular key rotations among all participating companies.

Adhering to these principles ensures a secure software supply chain, maintaining trust and integrity throughout the development and deployment processes.

Ensuring Software Supply Chain Security in DevSecOps

Software Supply Chain Security is a critical aspect of the DevOps approach, focusing on protecting the entire supply chain from potential vulnerabilities. If not properly secured, attackers can infiltrate the development cycle, manipulate code libraries or components, and introduce malicious code, which can then reach customers through software or updates. Such breaches can lead to the execution of harmful code, exposing customer passwords or extracting system data, thereby damaging a company’s reputation and customer trust.

The image is a table from the "2021 State of the Software Supply Chain Report" showing data on various programming ecosystems: Java, JavaScript, Python, and .NET. The table includes columns for the total number of projects, total project versions, annual download volume, year-over-year (YoY) download growth, ecosystem project utilization, and vulnerability density for utilized versions (10% most popular and 90% least popular). Key insights show JavaScript with the highest total projects and versions, Java with the highest annual download volume, and Python with the highest YoY download growth. The vulnerability density is higher in the most popular versions across all ecosystems.

Importance of Security in the Supply Chain

Given that code libraries, container images, and IaC modules are integral parts of the CI/CD pipeline, they must be rigorously checked for malicious code from the integration phase onwards. According to Sonatype’s 2021 report, 37 million project versions were identified, with popular languages like Java, JavaScript, Python, and .NET being predominant. Alarmingly, 29% of these versions contained vulnerabilities, highlighting the widespread presence of security flaws in publicly available open-source projects.

Common Security Risks

Open-source projects often depend on other projects, which can propagate vulnerabilities across multiple software. A notable tactic used by attackers is typosquatting, where they create malicious packages with names similar to popular ones, tricking developers into inadvertently incorporating them.

A significant example is the Log4j vulnerability discovered in late 2021, affecting versions 2.0 to 2.14.1 of the Java library used for logging. This critical flaw allowed attackers to execute remote code by modifying the Log4j configuration file, resulting in substantial damage to many companies.

Best Practices for Supply Chain Security

To mitigate such risks, it is crucial to implement security measures in the CI/CD pipeline, particularly when using open-source projects. Here are key practices:

  1. Automated Security Checks: Use tools like Software Bill of Materials (SBOM) to check all code libraries for vulnerabilities before the build phase. SBOM compares included libraries against an online database to identify security issues.
  2. Prioritize Security in Library Selection: Avoid using libraries with known vulnerabilities, even if they offer faster development. Ensure all libraries are vetted for security.
  3. Regular Training: Developers responsible for CI/CD pipelines and code should undergo continuous training to stay updated on secure coding practices.
  4. Continuous Monitoring and Testing: Regularly monitor and test third-party libraries used in development to catch potential vulnerabilities early.
  5. Utilize DevSecOps Tools: Leverage built-in security features from platforms like GitHub and GitLab to integrate security seamlessly into the development process.

Autor

Dr. Guido Söldner

Geschäftsführer

Guido Söldner ist Geschäftsführer und Principal Consultant bei Söldner Consult. Sein Themenfeld umfasst Cloud Infrastruktur, Automatisierung und DevOps, Kubernetes, Machine Learning und Enterprise Programmierung mit Spring.

Driving IT Excellence for Tomorrow