Software research and development is a complex undertaking. It requires not only software design, development, testing, operation and maintenance, but also the management of a great deal of human and material resources. The subject of today's discussion, "security", is easily overlooked in software research and development. Yet compared with code bugs, security problems are more destructive and can even be fatal once they appear. A few examples give a feel for this.

On May 7, Colonial Pipeline, which supplies 45 per cent of the petrol, diesel and jet fuel used on the US East Coast, was hit by the largest ransomware attack in history. It was forced to shut down on May 8 local time and did not resume "normal operations" until May 16.

On June 30, Didi quietly went public in the United States. On July 9, CNCN reported that "some 25 apps have serious problems in collecting personal information in violation of laws and regulations". On July 10, the Cyberspace Administration of China (CAC) issued a notice soliciting public comments on the revised draft of the Measures for Cybersecurity Review. The draft includes the provision that "operators with personal information of more than one million users who wish to list in foreign countries must apply to the Cybersecurity Review Office for cybersecurity review."

Why security is difficult

Security problems, like code bugs, exist throughout the whole software life cycle. The Computer Security Institute (CSI) has surveyed businesses, government agencies, financial institutions, medical institutions, universities and more to find out how they are affected by security threats. Across the 522 professional responses it received, the answer was surprisingly consistent: the threat comes "from within", in up to 80% of cases. So don't be upset; most of the time you are simply part of that 80%.

CSI Computer Crime & Security Survey: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf

Software security problems take many forms and have many solutions. The common security issues are very scattered:

  1. How to allocate permissions reasonably and manage them efficiently
  2. How to guarantee code permissions and quality
  3. How to expose an open API to the public network securely
  4. How to use HTTPS
  5. How to keep private data safe
  6. How to quickly find and fix security vulnerabilities

For a software development platform, the security challenges are more complex:

  1. Multi-tenant isolation: how can resources hosted by multiple projects and enterprises on the platform be effectively isolated and efficiently shared?
  2. Dependency management: now that everything is connected, how should external dependencies (such as cloud databases and third-party system login information) be managed to avoid disclosing key authentication information and to prevent paid services from being abused and causing financial loss?
  3. Microservice Management: How do thousands of microservices scan for security vulnerabilities? How can hundreds of domains be managed to keep the door open?

In many projects, security is the responsibility of an independent team that often gets involved only after software development is complete. This way of working exposes security problems late, makes them expensive to repair, and creates cross-team gaps that raise collaboration costs and can even cause culture conflicts. In today's agile R&D projects, this organizational structure needs to be upgraded. For enterprise customers security comes first, bar none; it is the lifeline of the enterprise and cannot be overemphasized. Fixing any security issue is a top priority for every customer we serve. All in all, in an era of DevOps, microservices, and cloud native, conventional security that sits at the margins will limit the speed and quality of the software being produced. Where is the solution?

DevSecOps

Back in 2012, Gartner proposed DevSecOps as a new model combining development, security, and operations. In 2016, Gartner further published DevSecOps: How to Seamlessly Integrate Security into DevOps, highlighting the need to seamlessly integrate security into DevOps while maintaining agile development. The RSA Conference has been offering DevSecOps workshops since 2017 on topics ranging from technology practices to cultural integration.

– DevOpsSec: Creating the Agile Triangle: https://www.gartner.com/en/documents/1896617/devopssec-creating-the-agile-triangle

– DevSecOps: Seamlessly Integrate Security into DevOps: https://cdn2.hubspot.net/hubfs/1958393/White_Papers/devsecops_how_to_seamlessly__315283.pdf

The path to DevSecOps

First of all, DevSecOps has established "shift left" security as a basic consensus. Security should be embedded in the entire existing software R&D and operations process, which requires the joint efforts of the development, testing, operations, and security teams to deliver software value.

The second is technology. It requires a sophisticated tool chain so that every security check point linked into the DevOps process is highly automated, stable, and secure. Embedding should be efficient and smooth, and should not slow down software development by adding process.

The third is the integration of teams. DevSecOps advocates not only technology construction and innovation, but also integrating security personnel into every R&D organization, and building security awareness and quick resolution of security problems into the software delivery process.

Finally, there is people-oriented culture and organization building. Human behavior is interwoven with data, threats, risks, privacy, management and other factors from beginning to end. Building or transforming a DevSecOps organization needs a new security technology culture that can balance the technical framework and the management strategy. Next, let's take a look at Erda's DevSecOps practices.

DevSecOps practices for Erda

As an enterprise-level software development platform, Erda takes into account the high security requirements of enterprises at the beginning of its design, and pays full attention to DevSecOps from both technical and management perspectives.

Technical side

First, we provide a lot of technical capabilities from the technical side of the Erda platform to help development teams quickly make software secure.

1) Continuous integration pipeline

Sonar Action is built into Erda Pipeline to perform quality checks on code. A "defect" can be created for each quality problem found and entered into the project collaboration process so that its repair status is tracked. Pipeline Actions can also be extended flexibly to integrate paid services from third-party security companies that check for code quality, security vulnerabilities, and configuration leaks.

2) Deployment resource restrictions

Building on cloud native technology, Erda lets applications configure CPU and memory quotas, limiting the amount of resources a single microservice can use. Erda also supports allocating resource quotas per project. This keeps projects from crowding each other out when several of them share a cluster, and it pushes each project team to estimate resources realistically and to clean up promptly when the quota runs short, which avoids abuse.

3) API gateway

The API gateway provided by Erda implements rich API protection policies, as shown below:

  1. IP interception: configure black/white lists of API caller source IPs to deny or allow requests from certain source IP addresses. CC protection is also supported, with rate limiting applied to requests per source IP address.
  2. Service load protection (traffic limiting): based on the configured maximum throughput of a service, the system shaves traffic peaks so that the rate of requests reaching the back-end service stays within the throughput limit. When incoming requests exceed that rate, the system calculates a penalty delay according to the degree of the excess. If the penalty delay is smaller than the maximum additional delay, the system holds the request for the penalty delay before sending it to the service. If the penalty delay exceeds the maximum additional delay, the request is rejected immediately.
  3. Cross-site defense: if cross-site defense is enabled, a CSRF token is issued after the user logs in successfully, and, with matching front-end changes, the CSRF token is added to all requests. After receiving a request, the gateway verifies that the CSRF token belongs to the current user and then forwards the request to the back end.
  4. Open authentication: provides various AuthN plug-ins for authentication, including OAuth2, Key Auth, and HMAC Auth, for scenarios where APIs are opened to partners. You can manage each caller's authorization and configure the authorization scope.
  5. Caller audit: monitor caller traffic, analyze hot APIs, and track error rates.
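The service load protection rule in item 2 can be made concrete with a small scheduler. The following Go code is an added example, not Erda's gateway code; the `Shaper` type, its field names and the sample arrival times are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Shaper holds requests above the configured rate for a penalty delay and
// rejects them once that delay would exceed MaxExtraDelay. Field names are
// assumptions for this example, not Erda configuration keys.
type Shaper struct {
	Interval      time.Duration // 1s / max throughput (100ms = 10 req/s)
	MaxExtraDelay time.Duration // largest penalty delay the gateway may add
	next          time.Time     // earliest time the next request may be sent
}

// Admit returns the penalty delay for a request arriving at now, or ok=false
// if it must be rejected. Not goroutine-safe: guard with a mutex in a server.
func (s *Shaper) Admit(now time.Time) (delay time.Duration, ok bool) {
	if now.After(s.next) {
		s.next = now // backend is idle, no backlog to wait behind
	}
	delay = s.next.Sub(now)
	if delay > s.MaxExtraDelay {
		return 0, false // rejected requests do not reserve a slot
	}
	s.next = s.next.Add(s.Interval)
	return delay, true
}

// ReplayMs runs constructed arrival times (ms since start) through a shaper.
func ReplayMs(intervalMs, maxExtraMs int, arrivalsMs []int) []string {
	ms := time.Millisecond
	s := &Shaper{Interval: time.Duration(intervalMs) * ms, MaxExtraDelay: time.Duration(maxExtraMs) * ms}
	var out []string
	for _, a := range arrivalsMs {
		d, ok := s.Admit(time.Unix(0, 0).Add(time.Duration(a) * ms))
		switch {
		case !ok:
			out = append(out, "reject")
		case d == 0:
			out = append(out, "forward")
		default:
			out = append(out, "delay "+d.String())
		}
	}
	return out
}

func main() {
	// Burst of five at t=0, then one request a second later (constructed input).
	fmt.Println(ReplayMs(100, 250, []int{0, 0, 0, 0, 0, 1000}))
}
```

Because rejected requests do not reserve a slot, a sustained flood cannot push the backlog past the maximum additional delay, and the service accepts traffic again as soon as the queue drains.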

4) Domain name governance

  1. Erda's API gateway provides domain name forwarding, which consolidates the many microservice domains within a project.
  2. Erda provides enterprise-wide domain name management, which lets you quickly look up a domain name and jump to the corresponding microservice application to manage it.
  3. Erda provides site-wide HTTPS and enables forced HTTP-to-HTTPS redirection by default. Custom domain names and certificate configurations are also supported.

5) Connect to cloud security products

Erda has been integrated with a large number of cloud vendor security products, such as DDoS protection, cloud firewall, web application firewall, bastion host, and key management services.

Leveraging the capabilities of cloud vendors, Erda places business systems under a strong protective shield without any intrusion into the business systems themselves.

6) Private deployment security

Erda has carried out dozens of successful private deployments. Erda provides VPN, JumperServer, operating system hardening and other security solutions to secure the private environment. It can also reuse the security products already present in the customer's environment, including firewall, bastion host, F5, WAF, security log audit, MFA authentication, encrypted storage, etc.

Management side

Secondly, from the management side, Erda also provides many management methods to help the R&D team to govern the R&D process and avoid security problems.

1) Permission management

Erda uses role-based access control (RBAC) to implement enterprise-level user permission management and establishes a three-tier organizational structure of enterprise, project, and application. The application is the center: multiple applications make up a project, and an enterprise can create multiple projects and staff them with different roles that take part in enterprise software development.

Erda has a variety of R&D roles, including project manager, R&D lead, and so on. Each role has permissions that are pre-defined by the platform and strictly define what it can do. A newly registered Erda user does not belong to any enterprise. The enterprise administrator adds the user to the enterprise and assigns roles. Similarly, the project manager adds members to the project and sets their roles. Depending on their function in the project, project members take on different roles (that is, they have different functional permissions) and cooperate to complete the project's research and development. Erda records all user modifications and supports security compliance audits. The platform also rejects weak passwords, stores passwords encrypted with a salt, and freezes accounts after multiple login failures to prevent password brute forcing.

2) Resource management

Each enterprise can use Erda to host multiple clusters that are physically isolated from each other. Multiple enterprises can also share a cluster and be isolated by grouping machines. Each project in an enterprise has four built-in R&D environments, and a deployment cluster can be chosen for each of them. As shown in the figure above, enterprise A manages two clusters, and the R&D environments of projects 1, 2 and 3 are spread across those two clusters. Enterprise B manages two clusters, with projects 4 and 5 each using one of them. Enterprises C and D share cluster three, but they use two sets of machines that are isolated from each other. With these different isolation policies, Erda supports flexible security isolation requirements while still accommodating business scenarios that call for sharing.

3) Configuration management

A common security risk is hard-coded configuration that gets copied everywhere. In extreme cases, your password appears on GitHub, or enterprise A's tracking data is sent to enterprise B's Umeng account. Once configuration leaks, the enterprise is in serious trouble. Erda's best practice is to keep the configuration on the platform, so that tools and code can only use it by configuration name in the corresponding environment. The R&D lead configures the rds-prod plug-in in the production environment, and the development engineer references rds-prod through erda.yaml to get the database configuration. The configuration values are known only to the R&D lead and not to the development engineer, which minimizes exposure.

Similarly, the R&D lead configures test parameters such as clusterName, and test engineers reference them by parameter name, ${{config. This. ClusterName}}, in interface tests. Test engineers are not exposed to the actual configuration parameter values.

In particular, platform-managed configuration also binds configuration parameters to the R&D environment, avoiding misuse caused by a mismatch between parameter and environment.
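The reference-by-name model with environment binding can be sketched as follows. This Go code is an added example, not Erda's implementation; the `${{ configs.NAME }}` reference syntax, the `Store` type, the environment names and all values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// refPattern matches ${{ configs.NAME }}; this syntax is an assumption for the example.
var refPattern = regexp.MustCompile(`\$\{\{\s*configs\.([A-Za-z0-9_]+)\s*\}\}`)

// Store maps environment -> configuration name -> value held by the platform.
type Store map[string]map[string]string

// sample holds constructed data; none of these values come from a real system.
var sample = Store{
	"test":       {"clusterName": "test-cluster-1"},
	"production": {"clusterName": "prod-cluster-1", "dbPassword": "constructed-secret"},
}

// Resolve substitutes references with the values bound to env only. A name
// missing in env is an error even when another environment defines it.
func (s Store) Resolve(env, text string) (string, error) {
	var missing []string
	out := refPattern.ReplaceAllStringFunc(text, func(m string) string {
		name := refPattern.FindStringSubmatch(m)[1]
		v, ok := s[env][name]
		if !ok {
			missing = append(missing, name)
			return m
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("not bound to %s: %s", env, strings.Join(missing, ", "))
	}
	return out, nil
}

// Redact masks every value of env that appears in a log line before storage.
func (s Store) Redact(env, line string) string {
	for _, v := range s[env] {
		if v != "" {
			line = strings.ReplaceAll(line, v, "******")
		}
	}
	return line
}

func main() {
	fmt.Println(sample.Resolve("test", "cluster=${{ configs.clusterName }}"))
	fmt.Println(sample.Resolve("test", "pw=${{ configs.dbPassword }}"))
	fmt.Println(sample.Redact("production", "connect failed, password=constructed-secret"))
}
```

Failing closed on a name that exists only in another environment is what prevents a test job from silently picking up production credentials, and redacting resolved values keeps them out of pipeline logs that engineers can read.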

In closing

Erda's approach to security lies in its commitment to DevSecOps as a platform for companies to build high-quality software. We will continue to improve the automated tool chain and to shift security left, while making sure security is adopted in a lightweight, low-intrusion way. As a DevSecOps advocate, Erda Cloud continues to focus on people, balancing technical frameworks and management strategies from a people-centered perspective, and building a safe and agile organizational culture.

If you have any questions, you are welcome to add our assistant on WeChat (Erda202106) to join the discussion group and take part in the exchange!

  • Erda Github: github.com/erda-projec…
  • Erda Cloud website: www.erda.cloud/