How GitOps Can Promote Open Source Security
What Is Open Source Security?
Open source software facilitates rapid software development. It provides ready-made components that you can use as-is or modify for your purposes instead of writing functionality from scratch. Typically open source projects are maintained by a community that helps ensure the software is continuously updated and improved.
Open source software provides many advantages but also introduces security risks and challenges. Once threat actors discover that the open source project is exposed to a publicly known vulnerability, they can attack all applications developed using this code. The Apache Struts and Log4j vulnerabilities, for example, allowed actors to attack numerous applications.
Open source security practices help you protect against open source risks. It involves using open source security tools and best practices to manage open source components and ensure compliance with organizational and regulatory requirements.
There are various open source security tools, each offering different functionality. Here are important features to look for in open source security tools:
- Automated identification of open source dependencies in applications.
Offers versioning and usage information. - Triggers alerts when detecting policy violations and risks across the SDLC.
- Automatically monitors, blocks, and alerts on attacks targeting open source vulnerabilities.
A few examples of tools that can help identify open source security issues are software composition analysis (SCA) and dynamic application security testing (DAST).
The Dangers of Open Source
Open source software is a key driver in rapid software development. It provides operating systems, software, applications, and code libraries at scale and low costs. It introduces flexibility and helps accelerate delivery times. However, open source components also introduce security risks.
Open source projects are publicly available. This means vulnerabilities, flaws, and any security concerns are discovered and reported. As a result, not only affected developers and organizations are made aware of an exploitable vulnerability - threat actors also learn about them and can exploit them before you get the chance to patch the issue.
Tracking vulnerabilities in open source is also a challenge. If you don’t have visibility into all components, you use or an inventory that you keep continuously updated, chances are you’ll miss vulnerabilities. You may also not be aware of newly discovered vulnerabilities. Either way, these issues slip through the cracks and expose you to attacks.
Cybercriminals actively look for attack vectors to help them breach applications and networks. Unpatched and vulnerable open source components offer an abundance of exploitable vulnerabilities. Recent reports reveal that 28,695 flaws were disclosed in 2021, and the number increases each year.
What Is GitOps?
GitOps is a work process that enables developers to treat the infrastructure as code. It involves applying development best practices and tools to operations, including CI/CD tools and version control systems. These tools and practices help facilitate collaboration, compliance, and infrastructure automation.
GitOps helps bring operations into the modern development lifecycle, turning the DevOps pipeline into a truly unified one. It is the next evolution of software development—after automating the software development lifecycle, it is time to automate the infrastructure. Taking automation a step further, GitOps enables declarative automation, ensuring that developers can effectively manage the various resources needed for continuous deployment.
A mature DevOps culture that implements GitOps can deploy code to production numerous times per day using version control, code reviews, and automated CI/CD pipelines that utilize GitOps to automate infrastructure provisioning. GitOps enables DevOps teams to use Infrastructure as Code (IaC)—essentially configuration files stored as code to automatically generate the infrastructure, just as application source code generates application binaries.
How GitOps Can Promote Open Source Security
Policy as Code (PaC)
PaC is a new approach to manage security in software projects. It refers to rules encoded as a human-readable configuration file, which is checked in a source code repository. These rules encapsulate and enforce an organization's policies regarding security, compliance, and coding standards.
PaC can only work if the entire pipeline is automated. With Kubernetes and GitOps, this can be easy to achieve.
How it promotes open source security: Open source security policies can be encoded into PaC. For example, a policy can specify that open source packages in a project must be scanned for vulnerabilities, and only promote a build in the pipeline if these scans passed successfully.
Improved Auditability
The unique ability of GitOps tools to handle everything as code has a direct impact on security. For example, if all configuration and security policies are handled in code, everything can be kept in version control. Any changes can be made, reviewed, and entered into an automated pipeline. The pipeline then validates, deploys, and monitors the changes.
How it promotes open source security: It is critical to know where and by whom open source components were introduced into a project. GitOps provides a full audit trail showing when any open source module was introduced, updated, or modified, making it easy to identify the root cause of security issues.
Faster Response to Incidents
With GitOps, any deviation from desired system configuration, such as errors, can be detected early in the development process. So, when implemented properly, GitOps moves security further to the left and can effectively catch bugs, security flaws, and code quality issues earlier in the process.
Finally, GitOps also speeds up pipeline changes. So, if the pipeline is breached, GitOps enables a quick response to security flaws. For example, is a specific vulnerability was exploited by attackers, you can quickly deploy a fix or roll back to a previous, safe version via GitOps automation.
How it promotes open source security: When zero day vulnerabilities are discovered, the race is on to find the vulnerable component across an organization’s entire portfolio of applications. With GitOps, this can be easy—simply searching the shared Git repository reveals where the component is deployed across multiple applications and Kubernetes clusters.
Improved Visibility
Storing infrastructure as code allows businesses to quickly identify configuration related to a vulnerability or security weakness and understand when and by whom it was implemented. This makes it possible to assess the scale and impact of an attack, quickly remediate affected systems, and recover faster to reduce downtime and disruption.
How it promotes open source security: If an open source component was introduced or modified “ad hoc” outside your regular pipeline, GitOps can detect this immediately and revert the application to its original configuration.
Conclusion
In this article, I explained the basics of GitOps and the growing concern about open source security. I showed how organizations that implement GitOps take a few big steps towards better auditability, visibility, and responsiveness to open source security issues. Instead of flying blind, teams implementing GitOps know exactly what open source components they are running, when they were introduced, and what to do when a vulnerability is discovered.
