Introduction to Security in DevOps

Software and Data Integrity

Introduction

The new category for 2023 mostly focuses on assumptions related to critical data, software updates, and Continuous Integration with Continuous Deployment (CI/CD) pipelines without integrity verification.

The Software and Data integrity failures related to the code and infrastructure do not protect against integrity violations.

How to prevent it?

Use digital signatures or similar mechanisms.

Ensure that the libraries and other dependencies, like NPM or Maven, are available in trusted repositories.

Ensure a review process is always completed for the code and configuration changes.

Ensuring the CI/CD pipeline has a proper configuration, segregation, and access control.

Ensuring that unencrypted and unsigned serialized data is only sent to untrusted clients after the integrity check process is completed.

Example scenarios

Update without signing: Unsigned firmware like network routers and set-top boxes is a growing target day by day for attackers and is expected to get worse even further.

Insecure Deserialization: Unknown or untrusted data is used to inflict DoS attacks or DDoS attacks.

Infrastructure as Code

Allows the configuration and deployment of infrastructure.

Components are created faster with consistency by allowing them to be defined as code.

Enables repeatable deployments across environments.

Security Best Practices for IaC:

Deployment

Version control is the practice of tracking and managing changes to software code. Ensure all the changes to the IaC are tracked with the right set of information that helps in any revert operation.

The principle of least privilege defines access management policies based on the principle of least privilege.

Open-Source dependency check – Analyzes the open-source dependencies, such as OS packages, libraries, etc., to identify potential risks.

Managing secrets – Secrets are confidential data and information such as application tokens required for authentication, passwords, and SSH (Secure Shell) keys.

Threat modeling – Build the threat modeling landscape earlier in the development cycle.

IDE plug-ins – Leverage standard security plug-ins in the integrated development environment (IDE).

Commissioning – whenever a resource is deployed, ensure the resource is labeled, tracked, and logged as part of the inventory management.

Decommissioning – Ensure the underlying configurations are erased, data is securely deleted, and the resource is completely removed from the runtime and inventory management.

Tagging -During IaC operations, untagged assets are most likely to result in ghost resources that make detecting, visualizing, and gaining observability difficult.

Runtime

Immutability of infrastructure – The idea behind immutable infrastructure is to build the infrastructure components to an exact set of specifications.

Logging – Both security logs and audit logs – while provisioning infrastructure, as they help assess the security risks related to sensitive assets.

Monitoring – Continuous monitoring assists in looking out for security and compliance violations, helps identify attacks, and provides alerts upon such incidents.

Security Logging and Monitoring Failures 

Introduction

Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and other active response that occurs at any time.

Warnings and errors generate inadequate or unclear log messages.

The applications cannot detect, alert, or escalate active attacks in real-time or near real-time.

How to prevent it?

Ensuring the logs are generated in such a format that the log management solutions can be easily consumed.

Ensuring the log data is properly encoded to prevent injections or attacks over the monitoring or logging systems.

DevSecOps teams should ensure effective alerting and monitoring such that suspicious activities are identified and responded to quickly.

Example Scenarios

An Indian Airline suffered a data breach that involved more than ten years’ worth of personal data of millions of passengers, which included passport and credit card data. The data breach that occurred at the third-party cloud hosting provider notified about the breach to Airline after some time.

Implementation of Security Logging and Monitoring

Most developers use logging for debugging and diagnostic purposes. Security logging is to log security information during the operation runtime of an application.

Benefits of Security Logging

Security logging may be used:

For forensic analysis and applications.

For regulatory compliance requirements.

Best Practices

Follow a specific logging format within and across the system, such as Apache Framework, which helps provide logging consistency among C++, JAVA, and .NET PHP.

We must not log too much information or too little information.

Logging for Intrusion Detection and Response

We must use logging to identify activities when a user is behaving maliciously. Some of the malicious activity scenarios include:

• The submitted data may be outside some numeric range.
• Some requests violate the server-side access rules.

The applications in such use cases must log the activity and mark it as a severe issue. At the same time, the application must respond to a possible identifiable attack by either locking the account or invalidating the user’s session.

Design Approach for Secure Logging Design

Secure Logging can be implemented in the following ways.

• Validate and encode any dangerous characters before logging to prevent Log Injection attacks.
• Prevent logging sensitive information – like passwords, social security numbers, and credit cards.
• Protecting logs integrity – An intruder may tamper with logs; therefore, the permissions for accessing log files must be restricted.
• Migrate the logs from distributed system to a central and secure logging service. This will ensure that log data can be prevented from being lost if one node is compromised.

About CloudThat