Contributor
Stephen Sadowski, Head of Cloud Engineering
Over the past decade, I’ve worked with all sorts of teams with all sorts of names, and while the names change, the roles are similar – what we have been calling DevOps for quite some time now. One of the functions of DevOps teams is to manage the CI/CD process, even in cases where it is neither Continuous Integration (CI) nor Continuous Delivery (CD). For most teams, Python is the name of the game, but whether one is using python or any other language, just getting the application built, configured, and pushed to its target environment isn’t enough. Those deployments should be evaluating the code for security purposes as well.
There are important pieces that may not currently be implemented by your DevOps teams. The goal for this article is to introduce the concepts and align them with specific tools that you can easily implement. We’ll go over how to set up a GitLab CI/CD pipeline and how to automate deployments with GitLab CI/CD. We’ll also touch on code security with SAST, DAST, and IAST as well as using Bandit and Snyk to perform security scans on your code. Finally, we’ll talk about best practices for DevSecOps and integrating security into your pipeline. We’ll also look at monitoring security issues with GitLab CI/CD.
Introduction to DevSecOps
DevSecOps is a combination of development and security practices that are focused on streamlining the software development process while also including a high measure of security. The goal is to ensure that security is integrated into the software development lifecycle from the very beginning. By including security early in the process, developers are able to identify and address security issues early on, which reduces the cost,complexity, and business impact of addressing them at a later stage.
DevSecOps is built on a number of core principles, including:
- Automation: Automation is key to DevSecOps, as it allows for quick and efficient development and deployment of applications.
- Collaboration: DevSecOps encourages collaboration between development, security, and infrastructure/operations, to ensure that the best security practices are being followed.
- Continuous improvement: DevSecOps strives to continuously improve the software development process, by constantly monitoring and addressing security vulnerabilities and providing appropriate feedback to development and security teams.
By following these maxims, organizations are able to streamline their development process while also ensuring that their applications are secure.
What is GitLab CI/CD
GitLab CI/CD is a continuous integration and continuous delivery platform that helps organizations streamline their software development process. It provides tooling to automate the building, testing, and deploying of applications. GitLab CI/CD is built on top of the open source Git version control system, which allows developers to easily collaborate and manage their code.
Gitlab CI/CD pipelines generally consist of multiple stages, frequently including building, testing, and deploying. Each stage is automated, allowing developers to quickly and easily deploy their applications with minimal effort.
Setting up a GitLab CI/CD Pipeline
To get started with GitLab CI/CD, you will need a GitLab account. Once you have that and have created a repository, you’ll need to create a .gitlab-ci.yml file in that repository. This file contains the instructions for GitLab CI/CD to follow when running your pipeline. After you have created this file, the stages of your pipeline can be defined along with the tasks that need to be performed in each stage.
For example, if you’re using Python, you could define a “Build” stage to run your tests and a “Deploy” stage to push your application to a server. You can also define environment variables to pass in additional configuration parameters.
Once you have defined your stages and tasks, you can commit the .gitlab-ci.yml file to your repository. This will trigger the pipeline to run and your application will be built, tested, and deployed.
Automating Deployments with GitLab CI/CD
Once you have set up your pipeline, you can automate your deployments with GitLab CI/CD. This means that you don’t have to manually deploy your application each time you make a change. Instead, you can simply commit your changes to your repository and GitLab CI/CD will automatically build, test, and deploy your application.
This makes it much easier to deploy applications, as you don’t have to manually run the steps of the pipeline each time you make a change. It also ensures that your applications are always up to date, as any changes you make will be deployed instantly.
Code Security with SAST, DAST, and IAST
One of the key benefits of using GitLab CI/CD is that it allows you to secure your code with SAST, DAST, and IAST. These are all forms of Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST).
SAST is a form of automated testing that scans your source code for potential security vulnerabilities. It looks for issues such as insecure coding practices, hard-coded credentials, and SQL injection. DAST is a form of automated testing that scans your application for potential security vulnerabilities. It looks for issues such as cross-site scripting, open redirects, and broken access control. IAST is a form of automated testing that scans your application as it is running. It looks for issues such as memory leaks, buffer overflows, and race conditions.
By running SAST, DAST, and IAST tests in your GitLab CI/CD pipeline, you can quickly identify and address any potential security issues in your code.
Best Practices for DevSecOps
When it comes to DevSecOps, there are a few best practices that you should follow to ensure a secure development process.
You should always automate your security testing. This means that you should run SAST, DAST, and IAST tests as part of your GitLab CI/CD pipeline. This will ensure that any potential security issues are identified and addressed early on in the development process.
Consider using tools such as Bandit and Snyk to secure your code. This will help you identify and address any potential security issues in your code.
Doing these things will allow you to monitor your applications for security issues. Using tools such as GitLab CI/CD to monitor for any security vulnerabilities reduces the overall
Basic Security Tools: Bandit and Snyk
GitLab CI/CD also allows you to use Bandit and Snyk to analyze your code. Bandit is an open source SAST tool that looks for security vulnerabilities in Python code. It looks for issues such as insecure coding practices, hard-coded credentials, and SQL injection.
Snyk is a security scanner that looks for vulnerabilities in open source packages. It looks for issues such as outdated dependencies, vulnerable code libraries, and insecure configuration settings.
Other tools like these exist with different functionality. I recommend you review what tools work best with the language you are working with and select the ones that make the most sense.By using these tools in your GitLab CI/CD pipeline, you increase the likelihood of detecting security issues before they enter a production environment.
Integrating DevSecOps into Your Pipeline
Once you have identified the right tools, you will need to integrate them into your pipeline. This means that you should set up your GitLab CI/CD pipeline to run your selected tools such as Bandit and Snyk to scan your code.
You should also set up your pipeline to monitor for any security issues that may arise. This means that you should set up appropriate notifications to notify you if any security issues are identified.
GitLab CI/CD allows you to set up alerts and notifications to notify you if any security issues are identified. This allows you to quickly address those issues before they become a problem.
Conclusion
GitLab CI/CD is a great tool DevSecOps is an important paradigm for limiting security impact for your application deployments. Together they allow you to automate your security testing, use tools such as Bandit and Snyk to scan your code, and monitor for any security issues. By following the best practices for DevSecOps and integrating them into your pipeline, you can ensure that your applications are significantly more secure than they would be without those best practices.