AWS Public Sector Blog

Episode 4: Code is Not Static – App Care

Created in conjunction with a five-part Twitch mini series (March 28 – April 25), these weekly blog posts provide resources and guidance to support the 60-minute live videos. To sign up and learn more about the series, click here.

A post by Yuriko Horvath, Sr. Solutions Architect; Justin Stanley, Sr. Solutions Architect; Mike Colson, Solutions Architect Manager; and Sai Madineni, Consultant, at Amazon Web Services

DevOps isn’t just a buzz word. Ok, it’s a little buzzwordy, but the movement is real.

The purpose of DevOps is to provide a framework through which organizations can approach application development and operational excellence. It’s part of a strategy to help align culture, people, and processes for success with digital transformation.

From a business perspective, DevOps accelerates time to market, new customer capture, larger revenue gains, and increased user adoption. These metrics are important to leadership and help drive IT modernization. In this post, we outline the DevOps value chain, how it helps with continuous integration and continuous deployment (CI/CD), and the critical role of security.

Below are some important concepts to know for the purpose of this post:

CI/CD: Continuous integration and continuous deployment covers all things related to the automation of application development and the deployment pipeline. This includes a developer’s changes to a central repository so that code winds up in production.

DevSecOps: If you have ever developed applications in a traditional waterfall environment, then you know that security is one of the last gates of an already cumbersome process. It’s in this vein that we introduce DevSecOps, which integrates security as part of the development process. DevSecOps covers security of and in the CI/CD pipeline, including automating security operations and auditing.

DevSecOps is a combination of cultural philosophies, practices, and tools that emphasizes collaboration and communication between software developers, IT infrastructure, and security teams. It helps organizations deliver applications and services rapidly, frequently, reliably, and securely.

Security in and of the pipeline

The following details how to prepare security requirements before you begin building your pipeline, what to think about during the build stage, how to test it, and what comes next. Our previous blog posts (Episode 1, Episode 2, and Episode 3) offer foundational information to consider before you begin to build.

Building Pre-Requisites

The easiest way to start is to break things down into requirements. For example, work with your security team to understand your compliance needs – a Security Requirements Traceability Matrix (SRTM) can help. The matrix should be comprehensive and it should document security requirements for all aspects of the pipeline. A sample template is shown below.

Watch your access roles
Make certain that the IAM roles attached to your build server, Jenkins or AWS CodePipeline, have only fine-grained access based on the minimum privilege policy.

Harden your build servers and nodes
Check that the underlying OS used for building your code is always patched and hardened. Managed services like AWS CodeBuild can handle this for you.

Build Stage

In a typical CI/CD pipeline, after code commit build tests are executed, it is important to implement static application security testing (SAST). This is in addition to security tests in the build stage that help identify vulnerabilities early and alert developers. One of the popular tools to implement SAST is Checkmarx.

Library scanning and vulnerability analysis should also be implemented in the build stage. The idea is to automatically execute all of the steps right after a code commit. Releasing code in small and frequent batches is recommended to find any vulnerabilities. These issues are easier to fix in the early stages.

As we’ve also discussed in a previous blog post, secret-keeping is key. This entails using the AWS Secrets Manager to safely store details about your application. To keep your keys concealed, use AWS Key Management Service.

Test Stage

Post build, it’s testing time. Deploying the artifact into a testing environment and running integration tests are another important part of the CI/CD pipeline. During this phase, you can implement a dynamic application security testing and vulnerability scanning.

Following a successful test stage, the process is repeated to deploy the application to the staging and production environment. In this phase, it is important to continuously monitor the infrastructure for any vulnerabilities.

Post-Release Stage

Once you’ve released your code into production, you should have a strategy set up for incident response. For example, what is your patching strategy? What happens if you introduce a vulnerability? Can you easily roll back your application?

Embracing a continuous integration and deployment system ensures that security is always situated between development and operation, or DevSecOps. This keeps security at the forefront and helps you get ready for operating secure applications.

Our next post in our five-part series, “Episode 5: Audit-tastic,” will discuss steps to take when your app is ready for a compliance audit, including building your security documentation.