Vulnerability Remediation in the CI/CD Pipeline - Not Just a Coding Issue

Posted by Roy Horev on Apr 4, 2019 7:27:24 AM

Vulnerability remediation was once considered a straightforward process. Scanning software identified potential vulnerabilities and notified the system administrator, who took over from there. “Vulnerability” was seen as a coding issue, so manually checking and patching code became the standard method of remediation despite being slow and not always effective.

Today, new technologies bring new vulnerabilities, originating from coding or configuration issues. Online systems are continuously exposed to advanced and persistent threats. Due to CI/CD practices, new vulnerabilities now enter production much faster than they used to. As Myrna Soto, SVP and former CISO at Comcast, put it, “The evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”

Post-breach manual remediation is no longer enough. A catastrophic security breach resulting from inadequate vulnerability detection and remediation can take weeks to fix. Instead, robust security requires a continuous remediation platform that automatically collects data from multiple sources, enabling you to determine which CI/CD pipeline vulnerabilities are the most dangerous to your network. Once you have identified those key problems, you can remediate them more efficiently, using automation wherever possible.



Recommended Tools for Remediating Vulnerabilities in your Pipeline

The following section lists five open source vulnerability remediation tools that can be easily integrated into a larger continuous remediation system.

OWASP ZAP

An open source DAST tool, OWASP ZAP is intended for testing web applications in the development and testing stages. It is easy to install, fully supported, under active development, and runs on multiple platforms. ZAP is designed to automatically find vulnerabilities in running web applications. Users with minimal knowledge can run automated tests, whereas experienced pen-testers can run customized tests. Functions include an intercepting proxy, automated scanners, dynamic SSL certificates, and smartcard and CDS support. The Jenkins plugin adds functions such as interactive report generation, false positive removal, and customized fail criteria.


Archery

A popular open source DAST tool, Archery is useful to development teams for managing scans and prioritizing vulnerabilities in a CI/CD pipeline. Archery uses multiple open source scanning tools (including ZAP) to implement web and network scans. Scans are correlated and results are clearly displayed on a color-coded dashboard for easy interpretation and vulnerability assessment, which helps in catching and patching vulnerabilities. Like ZAP, Archery is under active development and provides false positive removal, vulnerability prioritization, remediation, and tracking. Archery requires a Selenium Python Firefox Web driver but integrates easily with other systems and CI/CD pipelines for optimal pre-release testing.

Bandit

Unlike ZAP and Archery, Bandit is a static analysis tool that works on the Python AST, designed to help developers find common security issues in Python code. It is available free, under the Apache license. Bandit is managed by PyCQA and distributed via PyPI. It can be used to scan Python code during development, compare the scanned code to a library of known vulnerabilities, and generate a report. Bandit allows users to define custom tests and can be used for gateway testing with full or baseline gates. However, using Bandit requires a thorough knowledge of the system being tested and of the Python code in particular.
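As an added illustration of the "full or baseline gate" idea (this is example code written for this page, not code from the Bandit project), the script below reads two Bandit JSON reports (the format produced by `bandit -f json`) and implements both gates: a full gate that blocks on any finding at or above a severity/confidence threshold, and a baseline gate that blocks only on findings absent from an earlier accepted run. The two reports are constructed sample data, and the fingerprint used for the baseline comparison is this example's own choice.

```python
import json

# Constructed excerpts of two Bandit JSON reports (`bandit -f json`), trimmed to
# the fields the gate reads. They are sample data, not output from a real scan.
BASELINE_REPORT = json.dumps({"results": [
    {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
]})
CURRENT_REPORT = json.dumps({"results": [
    # same finding as the baseline, but it moved down three lines after an edit
    {"filename": "app/db.py", "line_number": 15, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/auth.py", "line_number": 3, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"filename": "app/util.py", "line_number": 40, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
]})

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def load_findings(report):
    return json.loads(report)["results"]

def fingerprint(f):
    # Key on file, test id, severity, confidence and message, not the line number,
    # so a finding that merely shifted after an edit is not reported as new.
    return (f["filename"], f["test_id"], f["issue_severity"],
            f["issue_confidence"], f["issue_text"])

def full_gate(findings, min_sev="HIGH", min_conf="MEDIUM"):
    """Full gate: every finding at or above both thresholds blocks the build."""
    return [f for f in findings
            if RANK[f["issue_severity"]] >= RANK[min_sev]
            and RANK[f["issue_confidence"]] >= RANK[min_conf]]

def baseline_gate(findings, baseline):
    """Baseline gate: only findings absent from the accepted baseline block the build."""
    known = {fingerprint(b) for b in baseline}
    return [f for f in findings if fingerprint(f) not in known]

def gate_exit_code(violations):
    """Non-zero exit code fails the pipeline stage; the listing stays in the job log."""
    for v in violations:
        print(f"{v['test_id']} {v['issue_severity']}/{v['issue_confidence']} "
              f"{v['filename']}:{v['line_number']} {v['issue_text']}")
    return 1 if violations else 0
```

In a pipeline step, `sys.exit(gate_exit_code(...))` on the chosen gate's result is what turns the report into a pass/fail decision.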

Hawkeye

An open source CLI project security/vulnerability/risk scanning tool, Hawkeye scanner is maintained by GitHub. It is designed to be integrated into pre-commit hooks and pipelines. DevOps teams can use Hawkeye modules on projects written in a variety of programming languages (Node.js, Ruby, Python, etc.). Hawkeye includes scan modules for credit card numbers, passwords, and other protected information. It features a Docker build for easy implementation of pipeline scanning. Options such as which modules to run, which writers to use, and failure thresholds can be configured from the CLI.

Clair

Clair is an open source infrastructure scanning tool maintained by the GitHub project. It is designed for developers to perform static analysis of vulnerabilities in apps and Docker containers during the development process. Clair compares the indexed contents of container images with data from a known set of sources to compile a list of potential threats and to ensure that patches or upgrades have been properly applied. Clair can also detect changes to vulnerability metadata and alerts users to those changes. As with all open source tools, Clair is under active development and provides extensive online documentation.

The Importance of Integrating Security in the CI/CD pipeline

New technologies necessitate new security measures and new remediation strategies. More vulnerabilities are being pushed into production, and measures need to be taken to protect the CI/CD pipeline. Safeguarding the pipeline must be a continuous, comprehensive and fully automated process, culminating in quick, thorough remediation.

There are several open source tools designed to protect CI/CD pipelines, some reviewed here and others in a recent whitepaper. These tools can help assess ongoing security needs and integrate well into dedicated vulnerability remediation platforms.

To find out more about protecting your system from advanced, persistent threats using a continuous remediation platform offering smart analytics, simple automation, and closed-loop remediation planning and orchestration, contact us to schedule a consultation.

Topics: vulnerability remediation

Written by Roy Horev