This blog is for teams that have already implemented security best practices and are looking for further information on how to continue to monitor security. If you’re looking for information on how to implement automated security practices read our ebook, Vulnerability Management and DevSecOps with CI/CD.
DevSecOps continued in production
If your team has implemented security practices as part of your default development process, it’s vitally important to keep monitoring. Code that is perfectly safe today may contain known security vulnerabilities tomorrow. Monitor the software that’s already running, as well as code that’s actively being developed.
You can do this with tools like Splunk or Prisma Cloud. Generate your reports automatically and in a format that all interested parties understand. Monitoring and logging tools like Honeybadger, Honeycomb, or LogDNA can help significantly — and there are CircleCI orbs that let you quickly integrate them with your pipeline.
When you’re hosting in a cloud environment, make sure to check the monitoring tools of that environment. Azure has Application Insights, and AWS has CloudWatch Application Insights. Put them to good use. They can track malicious login attempts, unauthorized access, and errors coming from your application.
Third-party tools often add value by making it easier to get started, making monitoring accessible for other teams, generating reports, and monitoring additional metrics.
It’s important to patch your software as soon as possible when your tools report a vulnerability. Updates may break software, and that includes updates from open source projects and third-party vendors.
To limit any risks from patching, be sure to follow sound development practices in your patching process, including DevOps principles such as automated unit testing and integration testing. Integration tests, especially, allow you to patch software with confidence that the fix is not causing additional problems.
Automating integration tests will also significantly reduce human efforts on releasing a patch. If you’re sharing standardized assets between teams, you’ll be sure that all teams get the update.
The next level: CircleCI orbs
If you’re using CircleCI for your CI/CD pipelines, you should consider using CircleCI orbs. Orbs are reusable, shareable, open source packages of CircleCI configuration that enable the immediate integration of many third-party services, including valuable security tools such as scanner services.
CircleCI offers many vulnerability scanning orbs that make it easy to integrate vulnerability scanning into your pipeline with minimal time spent on setup. With orbs, you get an out-of-the-box solution for securing your pipeline.
You’ll find scanners for the tools we already mentioned like Alcide, Snyk, and Stackhawk, and more scanners, such as:
- Anchore (for images)
- AWS Parameter Store (for managing and loading environment secrets)
- Checkmarx (for static and interactive application security testing)
- Probely (for scanning your web application for vulnerabilities)
- Secret Hub (to provision passwords and keys to applications)
- SonarCloud(for continuous code quality scans)
If you’d like to use a security scanner that doesn’t yet have an orb, you can create one and push it to the open source CircleCI Orb Registry to contribute to the community.
Moving forward with DevSecOps
The DevSecOps approach to incorporating security awareness into DevOps practices offers a strategic way to leverage CI/CD to add vulnerability scanning and management to your existing deployment pipelines.
You can build this up over time by first introducing basic scanning to get development teams used to DevSecOps, then increasing the number and type of vulnerabilities you scan for over time.
Vulnerability management is just one area where CI/CD acts as a force multiplier for development teams. Building resilient systems allows teams to ship high-quality code in less time with lower risk. By putting your CI pipeline to work for you, you’ve got access to a key differentiator and leverage point for your company. If you’re ready to give it a try, you can create a complete DevSecOps pipeline on CircleCI.
Just looking for more information on security? Read our ebook, Vulnerability Management and DevSecOps with CI/CD.