1 Mitigate application dependency risks
The software components used to build your applications can contain vulnerabilities that need to be managed. Software composition analysis (SCA) tools can be used to mitigate software supply chain risks, particularly when using open source software components. Look for SCA tools that can:
- Scan application dependencies to make sure they are free of known vulnerabilities.
- Help to automate software licensing compliance by identifying the components and their licenses, flagging licenses that might not be compatible.
- Confirm that application dependencies are current and that they come from a community that is still active and producing updates.
- Be an automated part of the application build process, as well as part of the development environment. This gives developers a chance to resolve issues before integration, reducing the number of application build failures.
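To make the first three capabilities concrete, here is an added example (not code from any SCA product or from Red Hat) of the core check such a tool performs: it parses a pinned requirements-style manifest, matches each component against an advisory list with affected-version ranges, and flags licenses that are not on an allowlist. The manifest, the advisory ids, the version ranges and the license data are all constructed for illustration.

```python
"""Dependency risk check in the spirit of an SCA scan (added example).

Reads a pinned, requirements.txt-style manifest, matches each component
against a small advisory list with half-open affected-version ranges,
and flags licenses outside an allowlist. Every manifest line, advisory
and license below is constructed for illustration; the advisory ids are
placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass

# Constructed manifest: one pinned dependency per line, with a comment
# and an environment marker to show what the parser has to strip.
MANIFEST = """\
# application dependencies (constructed sample)
requests==2.19.0
pyyaml==5.4.1
leftpad-clone==0.3.0 ; python_version >= "3.8"
"""

# Constructed advisories: package -> [(introduced, fixed, advisory id)].
# A version is affected when introduced <= version < fixed.
ADVISORIES = {
    "requests": [("2.0.0", "2.20.0", "EXAMPLE-ADV-0001")],
    "pyyaml": [("0.0.0", "5.4.0", "EXAMPLE-ADV-0002")],
}
# Constructed license metadata and the organisation's allowlist.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "leftpad-clone": "AGPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(version):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Return {package: version} and reject anything that is not pinned."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "license"
    detail: str


def check_dependencies(manifest=MANIFEST, advisories=ADVISORIES,
                       licenses=LICENSES, allowed=ALLOWED_LICENSES):
    """Return one Finding per affected-range hit or disallowed license."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        current = parse_version(version)
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if parse_version(introduced) <= current < parse_version(fixed):
                findings.append(Finding(name, version, "vulnerability",
                                        f"{advisory_id}: affected >={introduced},<{fixed}; "
                                        f"upgrade to {fixed} or later"))
        license_id = licenses.get(name, "UNKNOWN")
        if license_id not in allowed:
            findings.append(Finding(name, version, "license",
                                    f"license {license_id} is not on the allowlist"))
    return findings


if __name__ == "__main__":
    for finding in check_dependencies():
        print(f"[{finding.kind}] {finding.package}=={finding.version}: {finding.detail}")
```

Refusing unpinned requirements is deliberate: a range such as `requests>=2` cannot be matched against an affected-version range, and it is also what lets a build silently pick up a different component tomorrow. In a real pipeline the advisory and license data would come from a vulnerability database and package metadata rather than the constructed dictionaries above.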
2 Unify code and configuration management
The GitOps paradigm, popular in Kubernetes and containerized environments, includes practices that can greatly improve your security posture, starting in development:
- Apply development best practices for source code management (SCM) to configuration. Using the same controls for check-in, merge, and approval allows infrastructure configuration changes to be tracked to a specific person and time.
- Rather than relying on Ops, developers should consider configuration early in the process and establish a vision for the application's intended production environment. Using the same type of environment and security controls for development, testing, and production makes it easier to manage configuration throughout the life cycle.
- Use an automated build pipeline to build container images and binary artifacts for continuous integration/continuous delivery (CI/CD). No ad hoc changes should be necessary when deploying these images to production.
- Do not store sensitive data in an SCM system. Use tools to scan configuration and container images to make sure they do not contain embedded secrets.
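The last point, scanning configuration for embedded secrets, is shown below as an added example (not from the page or from any scanning product). It combines two checks a practitioner would expect: fixed patterns for recognisable credential formats and for secret-bearing keys assigned a literal value, plus a Shannon entropy heuristic that catches long random-looking tokens no pattern knows about. The sample lines and every value in them are constructed, including the access key id and the bearer token.

```python
"""Scan configuration and Dockerfile lines for embedded secrets (added example).

Two complementary checks: fixed patterns for credential formats and
key=value assignments whose key looks secret-bearing, plus a Shannon
entropy heuristic for long random-looking tokens that no pattern knows
about. The sample lines and every key value in them are constructed.
"""
import math
import re
from collections import Counter

# Constructed sample: lines as they might be committed in config files or
# a Dockerfile. None of the values are real credentials.
SAMPLE_LINES = [
    "db.host = db.internal.example",
    "db.password = hunter2",
    "ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001",
    "api_token = ${API_TOKEN}",
    "RUN curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl' https://example.invalid/",
    "log.level = info",
]

PATTERNS = [
    # AWS access key ids have a fixed, recognisable prefix and length.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A secret-looking key assigned a literal value. Values starting with
    # '$' are variable references, which is the right way to inject secrets.
    ("assigned-secret", re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"$]{4,})")),
]

# Long runs of token characters ('=' excluded so key=value pairs split).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/._-]{24,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning knob, not a universal constant


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for a repeated character)."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_lines(lines):
    """Return [(line_no, kind, matched_text)] for every suspicious line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hit = False
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                # Report the captured value when the pattern has groups, else the whole match.
                findings.append((line_no, kind, match.group(match.lastindex or 0)))
                hit = True
        if hit:
            continue  # do not double-report a line the patterns already caught
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-string", token))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind}: {value}")
```

Line 4 passes because the value is a `${...}` reference resolved at deploy time rather than a literal, which is the pattern the GitOps advice above is steering toward. The entropy threshold is the usual tuning trade-off: lower it and hostnames and paths start to trip it, raise it and short high-entropy tokens slip through, so a real scanner pairs it with an allowlist of known-benign strings.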
3 Protect application secrets
It is important to manage identities and secrets like passwords, tokens, and keys throughout the application life cycle. Access to SCM systems, container registries, and binary repositories needs to be controlled. Credentials used by applications to access databases and services, as well as those needed for automated builds and testing processes, also need to be secured. Secrets can be accidentally disclosed if stored in SCM systems or configuration files. To protect application secrets:
- Establish identity management and access control infrastructure early in the life cycle.
- Consider using a secrets vault or a hardware security module (HSM) to manage and safeguard secrets while at rest and in transit. Secrets vaults are typically software solutions, while HSMs use specialized hardware to provide increased levels of protection. Either should be integrated into the identity management infrastructure.
4 Use trusted base images
Container base images are highly minimized Linux® distributions. Even so, hundreds of packages can be preinstalled, and any of them might contain vulnerabilities. To mitigate container image risk:
- Choose trusted images with reliable, regular, and well-tested updates. Investigate the image sources and the available support options.
- Use image tools to check for known vulnerabilities. Images should also be scanned to verify configurations are secure and there are no embedded secrets.
- Reduce attack vectors by removing unnecessary binaries, including operating system (OS) tools, that could be used during an exploit.
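The first point, choosing trusted images and investigating their sources, is something a pipeline can enforce before a build runs. The following added example (not code from the page or from Red Hat) parses container image references the way runtimes do, where the first path component is a registry only if it contains a dot or a colon or is `localhost`, and otherwise `docker.io` is assumed, and then applies a policy: the registry must be on a trusted list, the image must be pinned by digest, and a missing or `latest` tag is flagged as floating. The trusted-registry list and the sample references are constructed; the digest values are placeholders.

```python
"""Policy check for container image references (added example).

Parses references of the form [registry/]name[:tag][@sha256:digest] and
flags untrusted registries, floating tags and missing digest pins. The
trusted-registry list and the sample references are constructed; the
digest values are placeholders, not real image digests.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy: registries the organisation has vetted.
TRUSTED_REGISTRIES = {"registry.access.redhat.com", "registry.example.internal"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample references; 64 'a's stands in for a real digest.
SAMPLE_REFS = [
    "registry.access.redhat.com/ubi9/ubi-minimal:9.4@sha256:" + "a" * 64,
    "ubi9/ubi-minimal:latest",
    "registry.example.internal/payments/api:1.4.2",
    "localhost:5000/dev/tool",
]


@dataclass
class ImageRef:
    registry: str
    name: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref):
    """Split a reference into registry, name, tag and digest."""
    rest, _, digest = ref.partition("@")
    first, sep, remainder = rest.partition("/")
    # Runtimes treat the first component as a registry only when it looks
    # like a host (contains '.' or ':' or is 'localhost'); otherwise the
    # default registry applies.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, remainder
    else:
        registry, path = "docker.io", rest
    # A tag is whatever follows the last ':' that sits after the last '/'.
    name, tag = path, None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        name, tag = path[:colon], path[colon + 1:]
    return ImageRef(registry, name, tag, digest or None)


def check_image_ref(ref, trusted=TRUSTED_REGISTRIES):
    """Return a list of policy problems; an empty list means the reference passes."""
    img = parse_image_ref(ref)
    problems = []
    if img.registry not in trusted:
        problems.append(f"registry '{img.registry}' is not trusted")
    if img.digest is None:
        problems.append("not pinned by digest, so the tag can later resolve to a different image")
        if img.tag in (None, "latest"):
            problems.append("floating tag (no tag or 'latest')")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest '{img.digest}'")
    return problems


def check_all(refs=SAMPLE_REFS):
    """Map every reference to its list of problems."""
    return {ref: check_image_ref(ref) for ref in refs}


if __name__ == "__main__":
    for ref, problems in check_all().items():
        print(ref, "->", problems or ["ok"])
```

When a digest is present the tag is informational only, which is why the floating-tag check is nested under the missing-digest branch: `name:9.4@sha256:...` always resolves to the same content regardless of where the tag moves. The same check applies equally to `FROM` lines in a Dockerfile and to `image:` fields in deployment manifests.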
5 Address compliance and audit concerns early
To reduce delays when moving to production, it is important to understand early in development which compliance frameworks and technical controls are required. Automated checks to enforce compliance and security requirements can be inserted into the build pipeline.
Start documenting proactively, as documentation for procedures and policies can be at least 50% of an audit. Policy documentation should include access controls, change controls, backups, and data retention. Security checks, like application security testing and SCA, should be included when documenting procedures.
Using the same type of environment in development and production allows automation and documentation to start earlier. Mechanisms required in production for logging, tracing, and auditing can be established sooner. These steps can reduce the effort required to complete audit and compliance checks.
6 Start with a strong platform and ecosystem
As security threats continue to increase, it is vital to use a platform with a comprehensive security ecosystem that offers integrated and supported solutions. Red Hat® OpenShift® is an enterprise-grade Kubernetes platform with extensive features to support development as well as operations. The powerful build and deployment pipelines in Red Hat OpenShift provide an ideal place to implement automated security checks and controls. Security checks can be inserted anywhere in the process, from building source code into images through production deployment.
Red Hat has an ecosystem of security partners that enhance and extend the security capabilities in Red Hat OpenShift. These partners work with Red Hat to provide supported solutions that are integrated with Red Hat OpenShift. You can choose from a range of solutions to match your specific security and organizational requirements.
To accelerate the development of container-based applications, Red Hat CodeReady Workspaces is a Kubernetes-native development environment that runs on Red Hat OpenShift. Red Hat Universal Base Images and Red Hat Runtimes provide a strong foundation from a trusted source for your applications.