Automated cybersecurity ecosystem
To develop a secure software product for our client, we implemented a set of security measures during the software development and testing stages. Our cybersecurity approach allowed us to:
Perform static and dynamic security testing
Prevent leaks of secret encryption keys
Detect vulnerable open-source frameworks and libraries
Check the security of Docker images
Verify the safety of the cloud environment
Run checks for secure Kubernetes deployment
Define vulnerabilities directly in the CI/CD pipeline
Brief solution description
Our client asked us to ensure a secure software development process. To serve the client’s needs, we established a secure software development lifecycle (S-SDLC). Eventually, our security approach evolved into a cybersecurity ecosystem for automated detection and management of software vulnerabilities.
This ecosystem is integrated into the client’s CI/CD platform and supports the programming languages and frameworks used during the software development process. We also ensured that the ecosystem:
Was customizable for the client’s business procedures
Managed the fix process of software vulnerabilities in a timely manner
Enabled visibility of the application’s security level with dashboards
Provided accountability for vulnerability fixes during development
Protected the CI/CD pipeline from pushing vulnerabilities to production
Security controls we used
Security controls integrated into our S-SDLC are part of the security by design approach we chose for this project. They allowed us to detect security vulnerabilities early and release secure software at the production stage.
Static application security testing (SAST) use cases:
Checking source code for known vulnerabilities and sorting the results by vulnerability priority
Running software checks when the CI/CD pipeline branch is merged with the default branch
Infrastructure as code (IaC) security scanning use cases:
Decreasing the time for deployment and detection of possible misconfigurations using Terraform as IaC technology
Scanning Terraform templates and ensuring that security issues can be detected before infrastructure changes take effect
Configuring security issues detection for other languages like Ansible, AWS CloudFormation, and Google Deployment Manager for IaC security scanning
Dynamic application security testing (DAST) use cases:
Detecting software vulnerabilities when an application is running
Addressing common vulnerabilities and payloads for API endpoints using a third-party SaaS tool for vulnerability management. This tool can be integrated with Postman to import it directly into the scanner so that each API request parameter will be tested
Secret detection use cases:
Detecting unintentional commit of secrets like encryption keys (PKCS8, RSA, SSH, PGP and etc.), passwords, API tokens (Amazon, GCP, Heroku, Facebook, Twitter, Slack, GitHub, GitLab, and generic), and Social Security Numbers
Performing a single or recurring scan of the full repository history for secrets
Dependency scanning use cases:
Checking an application for use of external (open-source) libraries that are known to be vulnerable in order to take action to protect the application
Providing up-to-date information about vulnerable packages and libraries using a third-party tool that has a great number of rulesets and numerous integrations with security organizations
Docker image scanning use cases:
Vulnerability scanning of Docker images in CI/CD with Trivy scanner
Customization thanks to flexible integration support and the many configurations that Trivy scanner provides
Cloud security audit use case:
Finding vulnerabilities and misconfigurations in AWS according to the CIS (Center for Internet Security) Benchmarks (the organization specialized in establishing security requirements for different environments and technologies)
Kubernetes (K8s) security audit use case:
Running checks to verify node security, Kubernetes API’s security, network integrity and policies, pod security with RBAC policies, security contexts, and data protection based on the CIS benchmark for K8s
Want us to find vulnerabilities and security imperfections in your software product?
Our cybersecurity experts will roadmap and implement best practices and advanced technologies for top-grade security of your system
Security ecosystem architecture
Our ecosystem architecture included five main elements:
Implementation into the GitLab CI/CD pipeline
Vulnerability orchestration module on AWS Lambda
Jira tickets creation
Implementation in CI/CD
We used standard DevOps approaches to implement our security ecosystem in GitLab. The implementation of GitLab CI/CD is described in YAML, which is commonly used for configuration files and applications. CI/CD is about continuously building, testing, and deploying iterative code changes. The whole workflow looks like this:
In the YAML file, scripts are grouped into jobs, and jobs run as part of a larger pipeline. Multiple independent jobs can be grouped into stages that run in a defined order. We added security jobs to control the security of developed features on different branches and in numerous projects at the same time.
Vulnerability orchestration module
We built a security module and deployed it on AWS Lambda to automate Jira ticket creation, security vulnerabilities analysis and management as well as notifications.
As a result of this automation, we created an ecosystem that supports the following functionality:
Checking for ticket duplicates
Closing irrelevant tickets (those that were no longer present in the artifact)
Reopening tickets (those that were transferred to Done but not completely fixed, so the vulnerability is still present)
Checking for a false-positive result (the ticket will not be created and the status will not be changed)
Adding explanatory comments when the ticket status is changed
In the ticket, you can find the following information:
Description of the vulnerability
Location of the vulnerability with code line and project (if such information is available)
Threat level (also in the priority field, which allows us to sort by this value)
Tags with the project name and scanner tool
Additionally, we can group software vulnerability tickets to have a better understanding of the current security level for management using:
Dashboards with severity percentage of current tickets
Dashboards with the number of tickets divided by status
Notifications to Slack about newly created vulnerabilities and their severity
Storage and processing on AWS
After execution of a specific job like SAST, the artifacts (output results) are saved in the AWS S3 bucket. This allows us to have a history of files, upload as many files as we need, and separate projects by folders. The results of such scanning are processed by AWS Lambda, which is triggered by the creation event.
Our solution is easily customizable for any project and can be integrated into diverse business procedures. And if the software system changes, we can modify our cybersecurity ecosystem.
Similar out-of-the-box solutions may cost around $100 per developer per month, while with a tailored solution our client doesn’t have to pay any monthly or annual fees.
We chose industry-proven technologies and tools that helped us develop a flexible security ecosystem that can scale in the future and won’t require much additional reconfigurations.