How to secure your Continuous Integration Pipeline to improve Software Supply Chain Security
As described in the An In-Depth Guide to Software Supply Chain Security article, it is especially important to secure your implemented application against possible threats and hackers. For that, different topics provide security at a specific point during the software development process (for detailed information, please step back to our first article on software supply chain security).
There are distinct reasons why development teams do not implement security features and mechanisms during their software supply chain. For example, there is a lack of time, knowledge and sometimes there is no budge to buy licenses for security tools.
To prevent software teams from actively accepting security vulnerabilities due to missing licenses or money, we would like to present appropriate open-source tools in this article – with a focus on shift-left security (for detailed information, please step back to our first article on software supply chain security). With these tools, it is possible to make the software supply chain more secure and to make a large part of manual development work superfluous by means of automated processes and tasks within the framework of the CI pipeline.
As described before, we focus on the shift-left security in the supply chain and present one recommendation open-source favorite per topic, if possible. If there are several similarly good tools, they have also been considered in the open-source blueprint.
Before we investigate in detail how you can use the following tools to secure each of the identified topics, we will start with a brief introduction to each tool.
Since each of these tools has a very specific scope, it is necessary to implement a CI pipeline using several tools to take all topics into account. We map the mentioned tools on our identified, necessary topics:
In software development, it is essential to secure your CI pipeline against multiple threats. We can see that it is quite possible to implement a well-secured CI pipeline without buying software licenses and having recurring monetary expenditures. Only for open-source dependency quality was there no fitting tools in our exploration. All these tools provide specific security features and good documentation. But there are also some downsides that should be considered.
A disadvantage of the tools presented, which should not be neglected, is that they must be configured and set up individually for their explicit use in one pipeline. This becomes apparent as we observe that the presented CI pipeline, along with its identified security concerns, requires configuration alignment. This alignment is achieved not merely through one or two tools, but rather by employing a quartet of tools to attain the intended outcome. Furthermore, if you want to monitor multiple pipelines/applications, these tools do not offer a solution out of the box.
Another drawback is that all these tools are easy to configure for developers, but they don’t provide oversight for less technically involved team members. If it is necessary to provide appropriate functionality in the team, it requires implementing a custom solution or the using of paid tools.
As we can see, it is possible to secure the software security chain accordingly with open-source tools to minimize potential dangers. To point out, one of the highest threads mentioned by the OWASP Top 10 risks “Vulnerable and Outdated Components” can easily be defused by the implementation of Renovate Bot in your CI pipeline. This is already a major improvement in software supply chain security for most projects and should therefore be more than adequate. Furthermore, we got a blueprint with state-of-the-art open-source tools to achieve good security in CI pipelines. In our next blog article, we will describe how we analyzed and compared those tools to each other and the key indicators for each topic.