<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WKXBVFF" height="0" width="0" style="display:none;visibility:hidden"></iframe>

Automated cybersecurity ecosystem

To develop a secure software product for our client, we implemented a set of security measures during the software development and testing stages. Our cybersecurity approach allowed us to:

  • Perform static and dynamic security testing

  • Prevent leaks of secret encryption keys

  • Detect vulnerable open-source frameworks and libraries

  • Check the security of Docker images

  • Verify the safety of the cloud environment

  • Run checks for secure Kubernetes deployment

  • Define vulnerabilities directly in the CI/CD pipeline

Brief solution description

Our client asked us to ensure a secure software development process. To serve the client’s needs, we established a secure software development lifecycle (S-SDLC). Eventually, our security approach evolved into a cybersecurity ecosystem for automated detection and management of software vulnerabilities.

This ecosystem is integrated into the client’s CI/CD platform and supports the programming languages and frameworks used during the software development process. We also ensured that the ecosystem:

Was customizable for the client’s business procedures

Managed the fix process of software vulnerabilities in a timely manner

Enabled visibility of the application’s security level with dashboards

Provided accountability for vulnerability fixes during development

Protected the CI/CD pipeline from pushing vulnerabilities to production

Security controls we used

Security controls integrated into our S-SDLC are part of the security by design approach we chose for this project. They allowed us to detect security vulnerabilities early and release secure software at the production stage.

Security testing

Static application security testing (SAST) use cases:

  • Checking source code for known vulnerabilities and sorting the results by vulnerability priority

  • Running software checks when the CI/CD pipeline branch is merged with the default branch

Infrastructure as code (IaC) security scanning use cases:

  • Decreasing the time for deployment and detection of possible misconfigurations using Terraform as IaC technology

  • Scanning Terraform templates and ensuring that security issues can be detected before infrastructure changes take effect

  • Configuring security issues detection for other languages like Ansible, AWS CloudFormation, and Google Deployment Manager for IaC security scanning

Dynamic application security testing (DAST) use cases:

  • Detecting software vulnerabilities when an application is running

  • Addressing common vulnerabilities and payloads for API endpoints using a third-party SaaS tool for vulnerability management. This tool can be integrated with Postman to import it directly into the scanner so that each API request parameter will be tested

Vulnerability scanning

Secret detection use cases:

  • Detecting unintentional commit of secrets like encryption keys (PKCS8, RSA, SSH, PGP and etc.), passwords, API tokens (Amazon, GCP, Heroku, Facebook, Twitter, Slack, GitHub, GitLab, and generic), and Social Security Numbers

  • Performing a single or recurring scan of the full repository history for secrets

Dependency scanning use cases:

  • Checking an application for use of external (open-source) libraries that are known to be vulnerable in order to take action to protect the application

  • Providing up-to-date information about vulnerable packages and libraries using a third-party tool that has a great number of rulesets and numerous integrations with security organizations

Docker image scanning use cases:

  • Vulnerability scanning of Docker images in CI/CD with Trivy scanner

  • Customization thanks to flexible integration support and the many configurations that Trivy scanner provides

Security audits

Cloud security audit use case:

  • Finding vulnerabilities and misconfigurations in AWS according to the CIS (Center for Internet Security) Benchmarks (the organization specialized in establishing security requirements for different environments and technologies)

Kubernetes (K8s) security audit use case:

  • Running checks to verify node security, Kubernetes API’s security, network integrity and policies, pod security with RBAC policies, security contexts, and data protection based on the CIS benchmark for K8s

Want us to find vulnerabilities and security imperfections in your software product?

Our cybersecurity experts will roadmap and implement best practices and advanced technologies for top-grade security of your system

Security ecosystem architecture

Our ecosystem architecture included five main elements:

Implementation into the GitLab CI/CD pipeline

Vulnerability orchestration module on AWS Lambda

AWS storage

Jira tickets creation

Slack notifications

Implementation in CI/CD

We used standard DevOps approaches to implement our security ecosystem in GitLab. The implementation of GitLab CI/CD is described in YAML, which is commonly used for configuration files and applications. CI/CD is about continuously building, testing, and deploying iterative code changes. The whole workflow looks like this:

In the YAML file, scripts are grouped into jobs, and jobs run as part of a larger pipeline. Multiple independent jobs can be grouped into stages that run in a defined order. We added security jobs to control the security of developed features on different branches and in numerous projects at the same time.

Vulnerability orchestration module

We built a security module and deployed it on AWS Lambda to automate Jira ticket creation, security vulnerabilities analysis and management as well as notifications.

As a result of this automation, we created an ecosystem that supports the following functionality:

  • Creating tickets

  • Checking for ticket duplicates

  • Closing irrelevant tickets (those that were no longer present in the artifact)

  • Reopening tickets (those that were transferred to Done but not completely fixed, so the vulnerability is still present)

  • Checking for a false-positive result (the ticket will not be created and the status will not be changed)

  • Adding explanatory comments when the ticket status is changed

In the ticket, you can find the following information:

  • Description of the vulnerability

  • Location of the vulnerability with code line and project (if such information is available)

  • Threat level (also in the priority field, which allows us to sort by this value)

  • Tags with the project name and scanner tool

Additionally, we can group software vulnerability tickets to have a better understanding of the current security level for management using:

  • Dashboards with severity percentage of current tickets

  • Dashboards with the number of tickets divided by status

  • Notifications to Slack about newly created vulnerabilities and their severity

Storage and processing on AWS

After execution of a specific job like SAST, the artifacts (output results) are saved in the AWS S3 bucket. This allows us to have a history of files, upload as many files as we need, and separate projects by folders. The results of such scanning are processed by AWS Lambda, which is triggered by the creation event.

Value Delivered

Customization

Our solution is easily customizable for any project and can be integrated into diverse business procedures. And if the software system changes, we can modify our cybersecurity ecosystem.

Cost-efficiency

Similar out-of-the-box solutions may cost around $100 per developer per month, while with a tailored solution our client doesn’t have to pay any monthly or annual fees.

Scalability

We chose industry-proven technologies and tools that helped us develop a flexible security ecosystem that can scale in the future and won’t require much additional reconfigurations.

Need cybersecurity experts for your project?

Rely on our experience in automating security processes in development and testing for companies in the FinTech, healthcare, and supply chain industries.

contact us