DevOps Teams: Automate Container Security to Protect CI/CD Pipelines

Automation can help lead DevOps teams to the true path to having optimum container security

DevOps is one of the most efficient ways of developing apps and programs, as it allows for real-time adjustments that guarantee excellent results for clients and enterprises. It’s highly versatile, makes targeted changes easy and can be modulated to a high degree.

However, with such an advanced level of connectedness, security threats abound. There has been a steady rise of cyberattacks over the previous years, with this year hitting a record number because of a high number of organizations and users shifting online due in large part to the pandemic.

Continuous integration and continuous deployment (CI/CD) pipelines can be particularly vulnerable because they are designed primarily for speed rather than security. They move through a development cycle quickly, but they often take few precautions and treat security as an afterthought. The data reflects this: one report states that while some Kubernetes users feel safe from hacking, nearly 50% of Kubernetes users believe there are countless vulnerabilities present throughout the pipeline.

In this article, we’ll dive into how DevOps has become a lifeline for struggling businesses that have had to pivot due to the global pandemic, what open source DevOps tools can do to support teams in integrating new systems, the benefits of streamlining and automating pipelines, and the importance of tightening up container security.

DevOps Can Save Businesses From COVID-19

The uncertainty brought on by the pandemic means that no one can predict whether they will be working from home or in the office next week. DevOps is highly resilient because it is primarily built for remote operations but works just as well from a regular workplace, making it a lifesaver for struggling businesses that have had to adapt due to the COVID-19 pandemic.

However, organizations and teams that are new to DevOps will find it challenging to implement. It takes planning, training and finding the right people for the job. With many open source options available, it’s important to consider the current and future needs of the business and its systems when choosing among them.

For example, popular open source DevOps tools such as Jenkins or Docker rely on CI/CD to help development teams become more efficient and focused when producing, integrating, deploying and monitoring new systems and apps.

The Problem With Containers and Kubernetes

According to a recent survey, 92% of IT professionals use containers in production environments and 83% employ Kubernetes for these environments. There is little wonder in this, as they allow for rapid deployment and help manage the issues of running the program in various computing environments.

Even though containers are lightweight and usually short-lived, which leaves an attacker little time to steal anything from a single container, they still present a potential gateway for further intrusions.

That’s because containers can seldom be fully customized for a specific app and may contain leftover code and important keys for other parts of the pipeline. These problems can usually be avoided by pulling images only from trusted sources and implementing robust security controls.

Streamlining and Automating Pipelines

In essence, DevOps has prioritized speed and automation over security and compliance. For this reason, moving toward DevSecOps can be a challenging process, even with the best tools available.

A lack of reliable, fully automated and fully integrated security testing tools is often cited as the biggest challenge in CI/CD workflows. However, while security checks can be time-consuming and produce false positives, correctly integrating application security tools into the CI/CD pipeline can yield excellent results in tackling potential security risks.

Streamlining the pipeline is a great way to solve this problem. Ensuring that an automated system is sending all reports to the same dashboard can grant much-needed visibility and assurance so there is little confusion. It also saves a great deal of work when it comes to fixing issues as fewer code corrections and plug-ins need to be written.

It is also important to make sure that new code isn’t affecting the other parts of the pipeline too much; otherwise, a lot of changes will have to be made that could break the entire infrastructure.

The lesson of compartmentalization certainly applies to container security, particularly because of the leftover code and SSH keys mentioned above. Scanning container images can yield early warnings of potential issues: apart from leaked SSH keys, scans can reveal unnecessarily privileged containers. The concern there is primarily their ability to access other parts of the pipeline, which should be tightly monitored for both tool-to-human and tool-to-tool interaction.
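To make the two checks just described concrete, here is an added example (not code from the article or from any of the tools it names) of what a CI job can run against an image before it is pushed: a walk over an extracted image filesystem looking for private-key headers, and a check of a Kubernetes manifest for containers that request `privileged: true`. The filesystem layout and the manifest are constructed sample data.

```python
"""Added example, not from the article: two CI checks run on an image before push:
leftover private keys in an extracted image filesystem, and privileged containers
in a Kubernetes manifest. Filesystem and manifest below are constructed samples."""
import json
import os
import tempfile

# PEM/OpenSSH headers identify a private key regardless of its filename.
KEY_HEADERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")

def find_private_keys(root):
    """Return image-relative paths of files under root that hold a private key."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the header sits at the top of the file
            if any(h in head for h in KEY_HEADERS):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def privileged_containers(manifest):
    """Return names of containers that set securityContext.privileged: true."""
    spec = manifest.get("spec", {})
    spec = spec.get("template", {}).get("spec", spec)  # unwrap Deployment -> Pod spec
    return sorted(c["name"] for c in spec.get("containers", [])
                  if c.get("securityContext", {}).get("privileged") is True)

def build_sample_rootfs():
    """Constructed image filesystem: one leaked private key, one harmless public key."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "root", ".ssh"))
    with open(os.path.join(root, "root", ".ssh", "id_ed25519"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(root, "root", ".ssh", "id_ed25519.pub"), "wb") as fh:
        fh.write(b"ssh-ed25519 AAAAC3 constructed@example\n")
    return root

SAMPLE_MANIFEST = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
  {"name": "app", "image": "app:1.0"},
  {"name": "agent", "image": "agent:1.0", "securityContext": {"privileged": true}}]}}}}""")

if __name__ == "__main__":
    print(find_private_keys(build_sample_rootfs()))  # ['root/.ssh/id_ed25519']
    print(privileged_containers(SAMPLE_MANIFEST))    # ['agent']
```

In a real pipeline the root directory would be the image filesystem exported by the build tool, and a non-empty result from either function would fail the build so the finding is fixed before the image reaches a registry.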

This is another example of why streamlining the pipeline is highly useful. Security tools will have an easier time identifying threats and avoiding false positives if there is normal behavior to use as a baseline.

Another point of high vulnerability is cloud migration. Numerous containers that have been safely stored in a closed network are suddenly open and exposed even before reaching deployment.

Additional Considerations for DevOps Teams

No matter the technology being used, the impact of humans should never be underestimated. DevOps and security teams tend to have different visions of the priorities. DevOps teams are trained for speed and innovation and mostly leave protection out of the picture, which can foster a culture of mistrust between the teams.

It’s essential to set common goals for the two teams as well as ensure transparency and communication. This will help security teams bridge the divide, empower DevOps and remove the paradox between speed and protection while moving teams closer to efficient DevSecOps.

Another overlooked component in securing containers, and the entire pipeline, is virtual private networks (VPNs). A VPN can play a crucial role in container security by keeping communications private, avoiding censorship and restricting access to the network.

Containers are built with high mobility in mind but sometimes various outside circumstances can impair this ability. VPNs fit perfectly here as they help to circumvent region-locks and various similar restrictions. In general, they represent a really valuable layer in any defensive infrastructure.

VPNs rely on protocols to operate, and not all protocols are created equal. All VPN protocols aim to perform the same function of securing online traffic, but they do so through different encryption methods, so it’s important to choose wisely, since the protocol determines how secure and reliable the solution really is.

The old PPTP protocol, while still offered by some providers, has several serious vulnerabilities so it has mostly fallen out of favor. On the other hand, SSTP is considered highly secure but is only available for Windows computers, which can be a major shortcoming. IKEv2/IPsec is also regarded as very secure, but certain mobile phones lack support for it.

Needless to say, as with every other aspect of CI/CD and container security, VPNs are a powerful tool for automated protection but require thought and planning to successfully implement and integrate. However, doing so can save a lot of time and trouble in the long run.

Leading DevOps Teams to the Path of Secure Success

CI/CD pipelines present a wide field for potential attacks and have a large area that requires defending. Automation presents a solution that can lead DevOps teams to the true path to having optimum container security. Full integration that has been implemented cleverly along with strategic planning can shorten the time it takes to make a security scan and empower teams to be truly agile and efficient in the high-speed and high-pressure environment of the digital age.

Gary Stevens

Gary Stevens is a technical copywriter and a front-end developer focused on the open-source/software community.
