By: Derek Handova, Senior Technical Writer at Synopsys Software Integrity Group
With more software developers working remotely every day, development organisations have to make sure that those developers can stay productive while also working securely. Initially, you might think all you need to do is put your CI/CD pipeline, Jira issue tracker, Confluence collaboration tools, and other associated systems on the VPN. An encrypted, end-to-end connection will wrap up everything tight, then voilà, you’re done! In reality, things are not so cut and dried.
Sudden, sustained increases in developer remote activity can bring an enterprise VPN to a crawl. Part of the solution is to rethink how you implement your online resources. But you’ll have to make some decisions about the nature of those resources.
“For applications classified as low risk and which don’t handle data covered by any regulations, the organization can decide to have their Confluence and Jira instances in the cloud,” said Meera Rao, senior principal consultant at Synopsys. “However, once an application is classified as business or mission critical — those that handle highly restricted data — you need to make sure the tools are installed inside a proper VPN/firewall for developers.”
Developers and their associates
Of course, developers are not the only ones working from home these days. The people they need to interact with to do their jobs are also online. When you restructure access to systems that touch the development environment, you must consider these associates and how they’re using these systems.
“In several circumstances, it’s challenging to secure tools if they’re hosted outside the VPN,” said Fawad Ahmad, IT manager at Synopsys. “In our case, Jira and Confluence were not only used by developers but several other non-developer groups such as product development, customer support, application engineering, and the project management office (PMO). We decided to provision Jira and Confluence through Microsoft’s DirectAccess technology, which would help alleviate some load on the VPN and make user life easier while working remote.”
DirectAccess clients are secured with a certificate issued by the organisation's internal public key infrastructure (PKI). In effect, the device certificate is an additional authentication factor for the connecting machine, separate from the user's own credentials, so it works as a form of multifactor authentication (MFA) for the device.
Whether you’re a developer, one of their associates, or another involved party, working online has always been a balancing act of access versus security. But when it comes to developer-centric communities, technology cannot be the only solution. Those solutions have to be examined and architected for a specific use case.
“It’s not about having tons of tools to be in a secure environment; it’s about adapting your preferred tools and integrating these into your ecosystem, people, culture, and processes,” said Alexios Fakos, managing consultant at Synopsys. “In my experience, security is a trade-off; it’s about finding the right balance between risk acceptance/appetite, usability, and time/money. The result is usually the acceptable ‘secure’ solution.”
Just as development organisations make trade-offs between security and access for Jira and Confluence, they might need to do the same for CI/CD environments within their VPN infrastructure. All CI/CD environments are not created equal. And their security may depend on which tools attach to them.
“Based on the risk classification of your applications, you may have to build several different environments for CI/CD,” Rao said, “and also have different layers of security implemented to secure your CI/CD pipeline.”
But beyond the VPN, there are other considerations for securing development workflows online. If developers work with cloud assets, security might be easier to some degree. Depending on company strategy, you could use a cloud CI/CD environment in Azure, AWS, GCP, or other platforms that do not require a VPN, according to Fakos. He refers to this as the "digital nomad environment."
Going beyond the VPN
Working in a CI/CD environment connected to a code repository, cloud service, Kubernetes, or other container platforms can become complicated. It may require a security solution beyond a VPN. Other tools that help maintain security in a CI/CD environment off the VPN include two-factor authentication (2FA), single sign-on, and TLS/SSL.
“Because there are several tools which don’t support single sign-on, having two-factor authentication is the best way to secure your most valuable asset in your organisation,” Rao said. “There are several tools and technologies that are used to build a working functional CI/CD pipeline. For an automation engineer, it becomes a challenge to keep track of all the tools that don’t support single sign-on, individually manage access, and revoke access when someone goes off a project or leaves the company. Having the CI/CD pipeline secured and locked down is the best way to avoid any loss or damage to the organisation’s reputation.”
Monitoring, external threats, risk analysis, and threat modeling
Developers are often heads-down on coding and, depending on the pace of their release cycle, constantly checking in code. They tend to give lower priority to tasks they don’t believe are core to that mission — even when it comes to security. Your software security initiative needs to anticipate and resolve this problem. To keep developers from skipping security steps, you’ll need to log and audit all developer actions and continuously monitor those logs, according to Rao.
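The logging-and-monitoring advice above is easier to act on with a concrete check. The following is an added example, not code from the article or from any Synopsys product: a small monitor that reads a CI server's audit log and flags the events a security team would want to see. It assumes the server writes one JSON object per line with the fields `ts`, `user`, `action` and `target`; the roster of active users, the admin set, the list of privileged actions and the sample log lines are all constructed here for illustration.

```python
"""Audit-log monitor for a CI/CD pipeline (added example, constructed data).

Assumed log format: one JSON object per line with "ts", "user", "action",
"target". The roster, admin set and privileged-action list below are
constructed for the example, not taken from any real CI system.
"""
import json
from datetime import datetime, timezone

# Constructed roster: who is currently on the project, and who may change
# pipeline definitions or read secrets.
ACTIVE_USERS = {"alice", "bob", "carol"}
ADMINS = {"alice"}

# Actions that should only ever be performed by an admin.
PRIVILEGED_ACTIONS = {"pipeline.modify", "secret.read", "credential.create"}

# Constructed sample log (JSON Lines). "dave" has been offboarded; "bob" is a
# developer who should not be editing pipeline definitions; the last line is
# deliberately malformed to show that bad input is counted, not ignored.
SAMPLE_LOG = """\
{"ts": "2020-04-01T09:00:00Z", "user": "alice", "action": "build.start", "target": "app-main"}
{"ts": "2020-04-01T09:05:00Z", "user": "bob", "action": "pipeline.modify", "target": "app-main/Jenkinsfile"}
{"ts": "2020-04-01T09:07:00Z", "user": "dave", "action": "build.start", "target": "app-main"}
{"ts": "2020-04-01T23:30:00Z", "user": "carol", "action": "secret.read", "target": "prod-db-password"}
{"ts": "2020-04-01T09:10:00Z", "user": "alice", "action": "secret.read", "target": "prod-db-password"}
not json at all
"""


def parse_line(line):
    """Return the event dict, or None for a malformed line."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or not all(k in ev for k in ("ts", "user", "action", "target")):
        return None
    return ev


def check_event(ev, active=ACTIVE_USERS, admins=ADMINS):
    """Return a list of finding strings for one event (empty if nothing is wrong)."""
    findings = []
    # 1. Activity by someone who is no longer (or never was) on the roster.
    if ev["user"] not in active:
        findings.append(f"offboarded-or-unknown user {ev['user']!r} performed {ev['action']}")
    # 2. Privileged action by a non-admin.
    if ev["action"] in PRIVILEGED_ACTIONS and ev["user"] not in admins:
        findings.append(f"non-admin {ev['user']!r} performed privileged {ev['action']} on {ev['target']}")
    # 3. Secret reads outside the team's working hours (08:00-20:00 UTC, assumed).
    hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
    if ev["action"] == "secret.read" and not (8 <= hour < 20):
        findings.append(f"secret read by {ev['user']!r} outside working hours ({hour:02d}:00 UTC)")
    return findings


def monitor(log_text):
    """Scan JSON Lines text; return (list of (ts, finding), malformed_line_count)."""
    findings = []
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            malformed += 1
            continue
        for f in check_event(ev):
            findings.append((ev["ts"], f))
    return findings, malformed


if __name__ == "__main__":
    found, bad = monitor(SAMPLE_LOG)
    for ts, msg in found:
        print(ts, msg)
    print(f"{bad} malformed line(s) skipped")
```

On the sample log this reports four findings (bob's pipeline edit, dave's build, and two for carol's late-night secret read) and one skipped malformed line. The three rules are the ones the text implies: revoke and verify access when people leave, keep privileged pipeline changes to a small admin set, and treat secret access as an event worth a second look.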
Of course, the personnel in the CI/CD environment are only one internal point of potential weakness. Development organisations also need to look out for external threats. Top-of-mind issues include social engineering and business email compromise. But you need to know where the hackers find the information that enables them to give their assaults a chance of success, because they will stop at nothing to access your codebase.
“Attackers are on the lookout for CI/CD environments because they have source code, your libraries, secrets, access to your cloud environments, defect reports on your dashboards, and keys for your cloud environments,” Rao said. “Attackers can simply browse through your posted jobs to get access to all the assets listed above. Having proper access control to the pipelines, managing secrets, logging, and auditing are key to keep your pipelines secure and out of the hands of attackers.”
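Rao's point that a posted job can hand over every secret it embeds suggests a pre-publish check. The following is an added example, not code from the article or from any Synopsys product: a weak job definition with credentials pasted straight in, the same job corrected to reference a secret store, and a scanner that tells the two apart. The `key: value` job format, the `${SECRET:name}` reference syntax, and the sample values (which are AWS documentation-style placeholders, not real credentials) are all assumptions made for the example.

```python
"""Flag hard-coded secrets in a CI job definition (added example, constructed data).

Assumed: jobs are written as simple "key: value" lines and a reference into
the pipeline's secret store is spelled "${SECRET:name}". Neither is the
syntax of any particular CI product.
"""
import math
import re

# Constructed "weak" job: credentials live in the job text itself, so anyone
# who can read the job can read the credentials.
WEAK_JOB = """\
name: deploy-prod
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: hunter2
  REGION: us-east-1
steps:
  - run: ./deploy.sh
"""

# Same job, corrected: the job names secrets; the values stay in the store.
FIXED_JOB = """\
name: deploy-prod
env:
  AWS_ACCESS_KEY_ID: ${SECRET:aws_access_key_id}
  AWS_SECRET_ACCESS_KEY: ${SECRET:aws_secret_access_key}
  DB_PASSWORD: ${SECRET:prod_db_password}
  REGION: us-east-1
steps:
  - run: ./deploy.sh
"""

# Key names that should never hold a literal value.
SECRET_KEY_RE = re.compile(r"(secret|password|passwd|token|api_?key|private_?key|access_?key)", re.I)
# The assumed secret-store reference syntax.
SECRET_REF_RE = re.compile(r"^\$\{SECRET:[A-Za-z0-9_]+\}$")
# A "key: value" line; the value group must be non-empty.
KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.+?)\s*$")


def shannon_entropy(s):
    """Bits of entropy per character; long random-looking values score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(job_text, entropy_threshold=4.0):
    """Return a list of (line_no, key, reason) for values that look like pasted secrets.

    Two rules: a secret-named key with a literal value is always flagged; any
    other long, high-entropy literal is flagged as a likely credential.
    """
    findings = []
    for n, line in enumerate(job_text.splitlines(), start=1):
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if SECRET_REF_RE.match(value):
            continue  # a reference into the secret store, not a literal
        if SECRET_KEY_RE.search(key):
            findings.append((n, key, "secret-named key holds a literal value"))
        elif len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
            findings.append((n, key, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for label, job in (("weak", WEAK_JOB), ("fixed", FIXED_JOB)):
        print(label, find_hardcoded_secrets(job) or "clean")
```

Run on the weak job the scanner reports the three credential lines; on the corrected job it reports nothing, because every sensitive key now points at the secret store rather than carrying a value. A check like this belongs in the same place as the rest of the pipeline's access control: before a job definition is accepted, not after it has been posted.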
Find out what you don’t know
Perhaps the greatest threats to any CI/CD environment are the ones you don’t know you don’t know about. If you are forewarned, you can be forearmed. And as CI/CD deployments go further afield, you should plan for contingencies to keep your CI/CD environments secure and effective for remote developers.
“CI/CD environments enable faster deployments to production but also pose a great threat to your organisation if not properly secured,” Rao said. “Treat it as any other asset in your organisation. Perform a risk analysis and threat model to understand all the involved assets, different attack surfaces, and everyone who has access to the environments. Building a threat model effectively arms you with the knowledge to address weaknesses by adding additional security controls to your CI/CD pipeline.”