In the previous chapters, we've looked at continuous integration (CI) and continuous deployment/delivery (CD). Both concepts, and the tooling surrounding them, help us deliver better software faster. However, one of the most critical aspects of technology is security. Though security was not considered in DevOps' initial days, with the advent of DevSecOps, modern DevOps now places a great emphasis on security. In this chapter, we'll try to understand concepts surrounding container applications' security and how we can apply them within the realms of CI and CD.

In this chapter, we're going to cover the following main topics:

• Securing CI/CD pipelines
• Managing secrets
• Container vulnerability scanning
• Binary authorization
• Security of modern DevOps pipelines

For this chapter, we will spin up a cloud-based Kubernetes cluster, Google Kubernetes Engine (GKE), for the exercises. Currently, Google Cloud Platform (GCP) provides a free US dollars (USD) $300 trial for 90 days, so you can go ahead and sign up for one at https://console.cloud.google.com/.

You will also need to clone the following GitHub repository for some of the exercises:

https://github.com/PacktPublishing/Modern-DevOps-Practices

You can use the Cloud Shell offering available on GCP to follow this chapter. Go to Cloud Shell and start a new session. Run the following commands to clone the repository into your home directory, and cd into the ch12 directory to access the required resources:

$ git clone https://github.com/PacktPublishing/Modern-DevOps-\
Practices.git modern-devops $ cd modern-devops/ch12

As the repository contains files with placeholders, you will have to replace the <your_dockerhub_user> string with the your actual Docker...

Security has always been the top priority for most organizations, and it also forms a significant part of a mature organization's investment. However, security comes with its own costs. Most organizations have cybersecurity teams that audit their code regularly and give feedback. However, that process is generally slow and happens when most of the code is already developed and difficult to modify.

Therefore, embedding security at the early stages of development is an important goal for modern DevOps. Embedding security with DevOps has led to the concept of DevSecOps, where developers, cybersecurity experts, and operations teams work together toward a common goal of creating better and more secure software faster.

There are many ways of embedding security within the software supply chain. Some of these might include static code analysis, security testing, and applying organization-specific security policies within the process, but the idea of security...

Most application code requires access to sensitive information. These are called secrets in the DevOps world. A secret is any data that helps someone prove their identity, authenticate, and authorize privileged accounts, applications, and services. Some of the potential candidates that constitute secrets are listed here:

• Passwords
• API tokens, GitHub tokens, and any other application key
• Secure Shell (SSH) keys
• Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Pretty Good Privacy (PGP) private keys
• One-time passwords

A good example could be a container running within Kubernetes that requires access to an API key to authenticate with a third-party API or username and password to authenticate with a backend database. Developers need to understand where and how to store secrets so that they are not exposed inadvertently to people who are not supposed to view them.

When we run a CI/CD pipeline, it becomes imperative to understand...

Perfect software is costly to write and maintain, and every time someone makes changes to running software, the chances of breaking something are high. Apart from other bugs, changes also add a lot of software vulnerabilities. You cannot avoid these as software developers. Cybersecurity experts and cybercriminals are at constant war with each other, and they evolve with time. Every day, a new set of vulnerabilities is found and reported.

In containers, vulnerabilities can exist on multiple fronts and may be completely unrelated to what you're responsible for. Well, developers write code, and excellent ones do it securely. Still, you never know whether a base image may also contain many vulnerabilities that your developers might completely overlook. In modern DevOps, vulnerabilities are expected, and the idea is to mitigate them as much as possible. We should reduce vulnerabilities, but doing so in a manual way is time-consuming, leading to toil...

Binary authorization is a deploy-time security mechanism that ensures that only trusted binary files are deployed within your environments. In the context of containers and Kubernetes, binary authorization uses signature validation and ensures that only container images signed by a trusted authority are deployed within your Kubernetes cluster.

Using binary authorization provides you with tighter control over what is deployed in your cluster. It ensures that only tested containers and those approved and verified by a particular authority (such as security tooling or personnel) are present in your cluster.

Binary authorization works by enforcing rules within your cluster via an admission controller. This means that you can create rulesets only to allow images signed by an attestation authority to be deployed in your cluster. Your quality assurance (QA) team can be a good attestor in a practical scenario. You can also embed the attestation within your CI/CD...

Tooling is not the only thing that will help you in your DevSecOps journey. Here are some helpful tips that can help you address security risks and have a more secure culture within your organization.

Adopt a DevSecOps culture

Adopting a DevSecOps approach is critical in implementing modern DevOps. Therefore, it is vital to embed security within an organization's culture. You can achieve that by implementing effective communication and collaboration between the development, operations, and security teams. While most organizations have a security policy, it mustn't be followed just to comply with rules and regulations. Instead, employees should cross-skill and upskill themselves to adopt a DevSecOps approach and embed security early on during development. Security teams need to learn to write code and work with APIs, while developers need to understand security and use automation to achieve this.

Establish access control

You...

This chapter has covered CI/CD pipeline security, and we have understood various tools, techniques, and best practices surrounding it. We looked at a secure CI/CD workflow for reference. We then understood, using hands-on exercises, the aspects that made it secure, such as secret management, container vulnerability scanning, and binary authorization.

Using the skills learned in this chapter, you can now appropriately secure your CI/CD pipelines and make your application more secure.

In the next chapter, we will explore an alternative method of doing DevOps—GitOps.

1. Which of these is the recommended place for storing secrets?

   a. Private Git repository

   b. Public Git repository

   c. Docker image

   d. Secret management system

2. Which one of the following is an open source secret management system?

   a. Cloud KMS

   b. HashiCorp Vault

   c. Anchore Grype

3. Is it a good practice to download a secret within your CD pipeline's filesystem?
4. Which base image is generally considered more secure and consists of the fewest vulnerabilities?

   a. Alpine

   b. Slim

   c. Buster

   d. Default

5. Which of the following answers are true about binary authorization? (Multiple answers are possible.)

   a. It scans your images for vulnerabilities.

   b. It allows only attested images to be deployed.

   c. It prevents people from bypassing your CI/CD pipeline.

1. d
2. b
3. No
4. d
5. b and c