Let’s be honest, most companies have either moved or are moving to a continuous integration/continuous delivery (CI/CD) application development model. With that move, integrating security into the process becomes paramount: faster code deployments mean less time for code reviews.
So, how do you perform a public cloud misconfiguration check for an app you’re deploying through a pipeline? Glad you asked.
In this blog, we’ll show how we integrated CloudHealth Secure State with VMware’s Code Stream, our own SaaS CI/CD tool, in order to check for and prevent any potential cloud misconfigurations in your application development pipeline.
Pipeline, App, and Security Checks
For our example, we’re using VMware Cloud Assembly, VMware Code Stream, and CloudHealth Secure State (CHSS) to deploy a simple application to AWS and check for any risky misconfiguration in the deployment. The application design was done using Cloud Assembly. It consists of a front end web server, a backend MySQL server, and a couple of S3 buckets thrown in just for fun.
In order to integrate a security tool like CHSS into a pipeline, it must return findings quickly. This is where the CHSS architecture, which does not rely on a polling interval to get up-to-date information, shines. Depending on the provider, CHSS can return results within two minutes of an object being created in a public cloud, so developers aren’t left waiting to find out whether their application can continue down the pipeline.
Speed matters. As noted in the Atlassian and CITE 2020 DevOps Trends Survey, deployment frequency is the most common measure of success in DevOps. If you’re waiting, you aren’t deploying. Some of VMware’s more advanced customers make hundreds of deployments a week.
Deploying the App
With Cloud Assembly, we can easily design and deploy an application. For this example, the blueprint deploys two medium-sized EC2 instances from an Ubuntu image and places them on an existing network (aws-main).
From there, it runs a few commands on each instance to set up the web front end and the MySQL back end. It also deploys two S3 buckets into the us-east-2 region. You can see that code here.
With the application blueprint created in Cloud Assembly, we created a pipeline in Code Stream to deploy it, adding a few extra steps that call CloudHealth Secure State (CHSS) to check for risks. Within Code Stream, the pipeline first calls Cloud Assembly to deploy our blueprint/template, passing in the variables Cloud Assembly needs.
Once the template was deployed, four tasks were created.
1. The first task obtains an access token from the VMware Cloud Services Portal (CSP) so that we can call the CHSS API.
2. Next, a REST API call to the Finding API checks whether any of the deployed objects have a risk score above 75. The payload below filters on both the deployment tag and the risk score; you can customize the filter to suit your needs. The Swagger page for the Finding API, found here, lists the available filtering options.
The idea here is that you aren’t going to get 100% clean deployments, at least not on day one. So set a bar that both security and dev are comfortable with, and then raise it over time.
3. After the findings are returned, we query the Rules API to get the display names of the rules, since the Finding API results reference only the ruleID. Code Stream passes the ruleID values from the Finding API results into the Rules API query as the filter. See below.
(The pipeline stage that checks CHSS is called Initiate Secure State Scan, and the variable we want is ruleID.)
4. The last step is the approval task. Here we bring back all the results and present them to the user: every finding with a risk score over 75 and the rule associated with each. The user can then approve or reject the build.
If the build is approved, an email notifies the user. If it is rejected, a rollback script destroys all the objects that were deployed. Note that because the check runs against objects that already exist, a flagged misconfiguration is live in the account until the build is rejected and rolled back, so approvals should not be left sitting.
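To make the four tasks concrete, here is an added example (not the Code Stream pipeline or any CHSS code from this post) that applies the same gate logic offline to constructed findings and rules data: filter findings on the deployment tag and a risk score above 75, collect the ruleIDs, resolve them to display names, build the text an approver would see, and turn approve/reject into notify/rollback. The field names (`ruleId`, `riskScore`, `tags`, `resourceId`, `displayName`), the tag, and the rule display names are assumptions for illustration, not the real Finding or Rules API schema; the CSP token step is omitted because it needs a live call.

```python
"""Offline simulation of the CHSS approval gate (steps 2-4 in the post).

Added example, not the post's pipeline. All field names, tags and rule
display names below are ASSUMPTIONS for illustration, not the real CHSS
Finding/Rules API schema. Step 1 (CSP access token) is a live network call
and is deliberately left out so this runs stand-alone.
"""
from typing import Dict, List, Tuple

RISK_THRESHOLD = 75                          # the bar the post settles on
DEPLOYMENT_TAG = ("deployment", "demo-app")  # assumed tag set on our objects

# Constructed sample findings (NOT real CHSS output). f-003 sits exactly on
# the threshold and f-005 belongs to a different deployment; both must be
# ignored by the gate.
SAMPLE_FINDINGS: List[Dict] = [
    {"findingId": "f-001", "ruleId": "r-101", "riskScore": 90,
     "resourceId": "i-0aaa", "tags": {"deployment": "demo-app"}},
    {"findingId": "f-002", "ruleId": "r-102", "riskScore": 80,
     "resourceId": "i-0bbb", "tags": {"deployment": "demo-app"}},
    {"findingId": "f-003", "ruleId": "r-103", "riskScore": 75,
     "resourceId": "bucket-a", "tags": {"deployment": "demo-app"}},
    {"findingId": "f-004", "ruleId": "r-103", "riskScore": 40,
     "resourceId": "bucket-b", "tags": {"deployment": "demo-app"}},
    {"findingId": "f-005", "ruleId": "r-101", "riskScore": 95,
     "resourceId": "i-0ccc", "tags": {"deployment": "other-app"}},
]

# Constructed sample Rules API records (assumed shape and names).
SAMPLE_RULES: List[Dict] = [
    {"ruleId": "r-101", "displayName": "Sample rule: SSH open to the internet"},
    {"ruleId": "r-102", "displayName": "Sample rule: instance has a public IP"},
    {"ruleId": "r-103", "displayName": "Sample rule: bucket encryption disabled"},
]


def high_risk_findings(findings: List[Dict], tag: Tuple[str, str],
                       threshold: int = RISK_THRESHOLD) -> List[Dict]:
    """Step 2: findings on our deployment with a risk score strictly above the bar."""
    key, value = tag
    return [f for f in findings
            if f.get("tags", {}).get(key) == value
            and f.get("riskScore", 0) > threshold]


def rule_ids_for(findings: List[Dict]) -> List[str]:
    """Step 3a: the unique ruleIDs to hand to the Rules API query as a filter."""
    return sorted({f["ruleId"] for f in findings})


def resolve_rule_names(rule_ids: List[str], rules: List[Dict]) -> Dict[str, str]:
    """Step 3b: ruleID -> display name. Unknown IDs are kept visible, not dropped."""
    by_id = {r["ruleId"]: r["displayName"] for r in rules}
    return {rid: by_id.get(rid, f"<unknown rule {rid}>") for rid in rule_ids}


def approval_summary(findings: List[Dict], names: Dict[str, str]) -> str:
    """Step 4: the text shown to the approver, highest risk first."""
    lines = [f"{len(findings)} finding(s) above risk {RISK_THRESHOLD}:"]
    for f in sorted(findings, key=lambda f: -f["riskScore"]):
        lines.append(f"  [{f['riskScore']}] {f['resourceId']}: "
                     f"{names[f['ruleId']]} ({f['ruleId']})")
    return "\n".join(lines)


def gate_decision(findings: List[Dict], approved: bool) -> str:
    """Nothing flagged -> proceed; otherwise approve -> notify, reject -> rollback."""
    if not findings:
        return "proceed"
    return "notify" if approved else "rollback"


def run_gate(findings: List[Dict], rules: List[Dict],
             approved: bool) -> Tuple[str, str]:
    """Chain steps 2-4 and return (summary text, decision)."""
    flagged = high_risk_findings(findings, DEPLOYMENT_TAG)
    names = resolve_rule_names(rule_ids_for(flagged), rules)
    return approval_summary(flagged, names), gate_decision(flagged, approved)


if __name__ == "__main__":
    summary, decision = run_gate(SAMPLE_FINDINGS, SAMPLE_RULES, approved=False)
    print(summary)
    print("decision:", decision)
```

The comparison is strict (`>`), matching "above 75" in the post, which is why the constructed finding scored exactly 75 does not reach the approver; if your team agrees the bar should be inclusive, change one operator rather than the threshold. Unknown ruleIDs are rendered as placeholders instead of being dropped so the approver never sees fewer findings than the Finding API returned.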
Cloud Security: Early and Often
With Code Stream and Cloud Assembly, it’s relatively easy to get your applications and pipeline set up and running, even for non-programmers. This is a simple example of how you can integrate CHSS into your pipeline and protect your deployments from misconfigurations and cloud security risks.
There are tools in the marketplace that scan your code before it’s deployed, but they don’t consider what is already deployed in your cloud. A template might pass that test, yet once deployed, a shared key or an attached gateway could create a high risk in your environment. CHSS catches those risks because its graph data model relates the newly deployed objects to the resources already around them.
Lastly, if you haven’t gone 100% CI/CD, that is OK too. CHSS can remediate findings and misconfigurations for you. For example, our app deployed two S3 buckets. Their risk score was below 75, so they didn’t need approval. You may still want every S3 bucket to have encryption and logging enabled; with CHSS remediation, you can enable automatic or manual remediation for these findings and more. You can see our ever-growing list of remediation jobs in our GitHub repo here.
To learn more, we recommend you check out the below resources, or feel free to reach out to us directly. Our team of cloud security experts will be happy to discuss your unique needs and walk you through the CloudHealth Secure State solution.
[Guide] Navigating the Shift to Public Cloud Security With a DevSecOps Mindset: Learn how to implement a model of continuous security into your deployment processes with a DevSecOps mindset.
[Guide] 7 Best Practices for Cloud Security Posture Management: Learn seven actionable best practices that will improve your organization’s cloud security posture without inhibiting productivity.
[Solution Overview] CloudHealth Secure State: See how CloudHealth Secure State helps cloud teams mitigate security and compliance risk through intelligent, real-time security insight.