Introduction to Security Deployment

When implementing security in the DevOps process, there are various ways to apply it at different stages of the product lifecycle.

1. User Management and Access Control

  • Use Two-Factor Authentication (2FA): Require users to enable 2FA to enhance account security.
  • Access Control Management: Strictly manage permissions based on roles (Owner, Maintainer, Developer, etc.) to ensure users only have access to what they need.
  • Use Private Groups and Projects: Set projects and groups to private mode to prevent unauthorized external access.

2. Source Code Protection

  • Encrypt the Repository: Ensure that the source code in repositories is encrypted, especially when stored on external storage systems.
  • Use Git Hooks: Set up Git hooks to perform security checks, such as preventing the push of passwords or sensitive information into the repository.

3. CI/CD Pipeline Security

  • Use Self-Hosted Runners: This helps to better control the execution environment and avoid risks when using public runners.
  • Set Up Secure Environment Variables: Use environment variables in the CI/CD pipeline and protect them by marking them as “protected” or “masked.”
  • Automated Security Testing: Integrate security testing tools (such as SAST, DAST, Dependency Scanning) into the pipeline to automatically detect security vulnerabilities in the source code.

4. Monitoring and Auditing

  • Enable Logging and Auditing: Record all important actions in GitLab so that they can be tracked and audited when necessary.
  • Set Up Security Alerts: Use monitoring tools to receive alerts when there is unusual activity or when security vulnerabilities are detected.

5. Secure GitLab Configuration

  • Regular Updates: Ensure that GitLab is always updated to the latest version to patch known security vulnerabilities.
  • Use HTTPS and SSL/TLS: Ensure that all connections to GitLab are encrypted via HTTPS.
  • Configure Firewall and IP Whitelisting: Limit GitLab access only to trusted IP addresses.

In this lab, we will delve into CI/CD Pipeline Security, specifically focusing on Automated Security Testing using GitLab Templates or open-source tools.

GitLab Templates:

  • Convenience and Ease of Use: GitLab templates are pre-configured settings provided by GitLab, making it easy to integrate security tools into the CI/CD pipeline. These templates are optimized and tested to work seamlessly with GitLab, reducing configuration and deployment time.
  • Built-in Integration: GitLab templates often come with security features such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Dependency Scanning, and Secret Detection. These can be added to the pipeline simply by referencing these templates in the .gitlab-ci.yml file.
  • Support and Updates: As an official GitLab product, these templates often receive timely technical support and security updates from GitLab, ensuring that you are always using the latest and most secure version of the security tools.
  • Limited Customization: While GitLab templates are convenient, the ability to customize them may be limited if you need a very specific configuration or need to integrate security tools that are not directly supported by GitLab.

Open-Source Security Tools:

  • High Flexibility and Customization: Open-source tools allow you to fully customize according to the specific needs of the project. You can choose, configure, and integrate security tools in detail according to your requirements.
  • Diversity and Scalability: There are many open-source tools available for software security, such as SonarQube for code analysis, OWASP ZAP for web application security testing, Trivy for container vulnerability scanning, etc. You can choose the most suitable tool for each specific use case.
  • Cost: Open-source tools often do not require licensing fees, reducing deployment costs, which is particularly useful for small projects or non-profit organizations.
  • Complex Integration: Integrating open-source security tools requires a deeper understanding of how they work, as well as technical skills to configure them in GitLab CI/CD. This may take more time and require support from the development team.
  • Updates and Maintenance: With open-source tools, you need to monitor and apply updates yourself, as well as be responsible for maintenance and bug fixes if necessary. This may require additional resources and time.