Security in CI/CD with Tufin: Automating DevSecOps for Kubernetes and Containers

In the era of rapid development and continuous integration/continuous deployment (CI/CD), maintaining robust security is becoming an increasingly complex task. The increase in the number of containers, dynamic Kubernetes environments, and the growing Infrastructure as Code (IaC) necessitate novel strategies for security. Traditional methods of ensuring security often fail to keep pace with the speed and scale of modern CI/CD pipelines, potentially leading to critical vulnerabilities and compliance breaches. For example, misconfigured database access rules or insecure container images can serve as entry points for attackers. This is where Tufin comes to the rescue, offering a powerful solution for automating DevSecOps and providing comprehensive visibility and control over security at every stage of the CI/CD cycle.

Why is CI/CD Security Critical?

The CI/CD pipeline is a complex chain of operations involving application development, testing, integration, and deployment. Vulnerabilities may arise at each stage, and if left unchecked, can be exploited by attackers. A lack of security in the CI/CD can lead to the following consequences:

• Vulnerabilities in code and configurations that make it into production. For example, SQL injection or cross-site scripting (XSS).
• Unauthorized access to critical resources and data. Leakage of API keys, insecure storage of passwords.
• Violation of compliance with regulatory requirements (e.g., PCI DSS, GDPR).
• Downtime and disruptions in service.
• Reputational damage and financial losses.

Modern CI/CD pipelines often involve complex microservices architectures, containers, serverless functions, and dynamically scalable cloud resources. Ensuring security in such an environment requires a comprehensive approach that includes automation, integration with various tools and platforms, and a deep understanding of security policies. Tufin implements this comprehensive approach by providing tools for automatically verifying security policies, analyzing risks, managing changes, and integrating with existing CI/CD tools, providing continuous feedback and “shift-left security”.

Tufin: A Comprehensive Solution for CI/CD Security

Tufin Orchestration Suite provides a platform for automating security in CI/CD pipelines, providing visibility, control, and compliance at every stage of the software development lifecycle. Tufin enables organizations to integrate security into CI/CD processes, reducing risks and accelerating time to market. For example, reducing vulnerability remediation time by 30% and accelerating the development cycle by 15%.

Key Capabilities of Tufin for CI/CD Security

• Automated Security Policy Verification: Tufin automatically verifies compliance of changes in infrastructure and applications against security policies, identifying potential vulnerabilities and violations before they reach production. Tufin can check compliance with PCI DSS, GDPR, internal company policies, using declarative rules defined in Security as Code. Violations are detected by comparing network and application configurations against these rules.
• Risk Analysis and Change Modeling: Tufin provides tools for risk analysis and change modeling, allowing you to assess the impact of changes on security and minimize potential risks. Tufin analyzes risks associated with firewall rule changes, adding new cloud resources, vulnerabilities in code and configurations. Change modeling allows you to conduct “what-if” scenarios, for example, what happens if a new firewall policy allows traffic from an untrusted network.
• Integration with CI/CD Tools: Tufin easily integrates with popular CI/CD tools such as Jenkins (version X and above), GitLab CI (version Y and above), Azure DevOps (version Z and above), as well as with IaC platforms such as Terraform (version 1.0 and above) and Ansible (version 2.9 and above). Integration with Terraform allows Tufin to scan Terraform plans for insecure configurations before they are applied. Integration with Ansible allows you to automate the application of security policies based on Tufin scan results.
• Security as Code: Tufin allows you to describe security policies as code, which simplifies their automation, version control, and audit. Tufin uses its own declarative language to describe security policies, which allows you to define access rules, configuration parameters, and other security attributes.

  policy "allow_ssh_from_trusted_network" {
   description = "Allow SSH access from trusted network"
   source {
   network = "10.0.0.0/24"
   port = 22
   protocol = "tcp"
   }
   destination {
   network = "any"
   }
   action = "allow"
  }

• Kubernetes and Container Security: Tufin provides visibility and control over network traffic in Kubernetes and containerized environments, allowing you to apply granular access rules and segment the network to protect critical applications and data. Tufin allows you to visualize network flows between containers in Kubernetes and create Network Policies for microsegmentation.

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
   name: allow-from-namespace
  spec:
   podSelector:
   matchLabels:
   app: myapp
   ingress:
  
  
  from:
  namespaceSelector:
   matchLabels:
   name: mynamespace
   ports:
  protocol: TCP
   port: 80

Security Change Management: Tufin SecureChange automates the security change management process, ensuring compliance with security policies and minimizing risks. Tufin SecureChange allows you to automate the change approval process with customizable workflows that include security policy compliance checks, risk analysis, and change modeling.

Automated Firewall Rule Testing: Tufin allows you to automatically test firewall rules to ensure that they are correct and effective. Tests are performed for compliance with security policies, verification of resource availability, and modeling of various attack scenarios. Tufin determines that a firewall rule is correct and effective if it complies with security policies, provides access to the necessary resources, and does not create new vulnerabilities.

Compliance: Tufin helps organizations comply with regulatory requirements such as PCI DSS and GDPR by providing tools for auditing, reporting, and compliance management. Tufin provides reports showing compliance of network and application configurations with PCI DSS and GDPR requirements, as well as tools for automatically verifying compliance with security policies.

Integrating Tufin with CI/CD: A Step-by-Step Guide

Integrating Tufin with a CI/CD pipeline can be done in a variety of ways, depending on the tools and platforms used. Let’s consider a general process and provide examples of integration with some popular CI/CD tools.

Step 1: Install and Configure Tufin Orchestration Suite

The first step is to install and configure Tufin Orchestration Suite. Minimum system requirements include: 8 GB RAM, 4 CPU cores, 100 GB disk space. Supported platforms: Red Hat Enterprise Linux, CentOS, Ubuntu. Supported databases: MySQL, PostgreSQL. You must install all the necessary components and configure integration with the firewalls, cloud resources, and other systems you use. The initial configuration process includes configuring network interfaces, installing the license, and configuring the connection to the databases.

Step 2: Integrate with the CI/CD Tool

Tufin provides APIs and CLIs for integration with various CI/CD tools. Consider an example of integration with Jenkins:

Example: Integrating Tufin with Jenkins

1. Install the Tufin plugin for Jenkins: Go to “Manage Jenkins” -> “Manage Plugins” and install the “Tufin Security Policy Enforcement” plugin.
2. Configure the connection to Tufin Orchestration Suite: In “Manage Jenkins” -> “Configure System” find the “Tufin Security Policy Enforcement” section. Specify the Tufin Orchestration Suite URL, username, and password (or API key).
3. Add a Tufin step to the Jenkins pipeline: In your `Jenkinsfile` add a step to call the Tufin API:

   pipeline {
    agent any
    stages {
    stage('Security Scan') {
    steps {
    tufinEnforceSecurityPolicy(
    policyName: 'PCI-DSS Compliance',
    environment: 'Production',
    failBuildOnPolicyViolation: true
    )
    }
    }
    }
   }

4. Configure step parameters:
   • `policyName`: Specify the name of the security policy defined in Tufin Orchestration Suite.
   • `environment`: Specify the environment (e.g., “Production”, “Staging”).
   • `failBuildOnPolicyViolation`: If set to `true`, the Jenkins build will be aborted if the security policy is violated.

Example of Jenkins console output in case of policy violation:

[Tufin] Checking policy 'PCI-DSS Compliance' in environment 'Production'...
[Tufin] Policy violation detected: Firewall rule allows access to database server from untrusted network.
[Tufin] Build failed due to security policy violation.

Similar steps can be performed to integrate with other CI/CD tools such as GitLab CI and Azure DevOps.

Step 3: Configure Security Policies as Code (Security as Code)

Tufin allows you to describe security policies as code using a declarative language. This allows you to automate the process of creating, deploying, and managing security policies. For example, you can use the following code to define a policy that prohibits access to the database from the external network:

policy "deny_external_db_access" {
 description = "Deny access to database from external network"
 source {
 network = "0.0.0.0/0"
 port = 3306
 protocol = "tcp"
 }
 destination {
 network = "10.0.1.0/24" // Database network
 }
 action = "deny"
}

This code can be used to automatically apply the policy using the Tufin API.

Step 4: Automate Risk Analysis and Change Modeling

Tufin provides tools for risk analysis and change modeling that allow you to assess the impact of changes on security and minimize potential risks. These tools can be integrated into the CI/CD pipeline for automatic risk analysis before deploying changes. To configure Tufin to automatically run a risk analysis on every code commit, you need to configure integration with the git repository and configure rules that will trigger the risk analysis on certain events.

Step 5: Monitor and Manage Security Incidents

After deploying changes, it is important to monitor network traffic and event logs for anomalies and vulnerabilities. Tufin integrates with SIEM systems (e.g., Splunk, QRadar, Sentinel) and other incident management tools, allowing you to quickly respond to emerging security issues. Tufin sends security incident notifications to the SIEM system, which contain information about the security policy violation, the affected resources, and recommended actions to resolve the issue.

Benefits of Using Tufin for CI/CD Security

Implementing Tufin to provide security in CI/CD provides the following benefits:

• Enhanced Security: Tufin allows you to identify and eliminate vulnerabilities early in the CI/CD cycle, reducing the risk of attacks and data breaches. For example, automated code and configuration scanning has reduced the number of vulnerabilities found in production by 40%.
• Accelerated Development: Automating security allows developers to focus on writing code without worrying about security policies. New application deployment time has been reduced by 25% due to automatic compliance checks.
• Improved Compliance: Tufin helps organizations comply with regulatory requirements and security standards. PCI DSS audit preparation time has been reduced by 50% due to automatic generation of security policy compliance reports.
• Reduced Operating Costs: Automating security reduces the need for manual labor and reduces the number of errors, resulting in lower operating costs. Reduction in firewall management costs by 30% due to automatic rule optimization.
• Improved Visibility and Control: Tufin provides complete visibility and control over security in the CI/CD pipeline, allowing you to quickly respond to emerging issues. Automatic detection and remediation of security incidents has reduced downtime caused by security incidents by 50%.

Tufin SecureChange: Automating Security Change Management in CI/CD

Tufin SecureChange plays a key role in ensuring the security of CI/CD pipelines by automating the process of security change management. This enables teams to rapidly and efficiently make changes to infrastructure and applications while adhering to strict security policies and compliance requirements.

Benefits of Tufin SecureChange in CI/CD:

• Automated Workflow: Tufin SecureChange provides a workflow for managing security changes, automating the approval, implementation, and verification stages. For example, a workflow may include the following stages: change request, automatic compliance check, risk analysis, change approval, automatic change implementation, change verification.
• Risk Analysis and Modeling: Before making any changes, Tufin SecureChange allows you to conduct risk analysis and change modeling to assess the potential impact on security. Assessing the impact on security includes checking whether the change will lead to a violation of any security policies, as well as assessing the likelihood of new vulnerabilities.
• Integration with CI/CD Tools: Tufin SecureChange integrates with popular CI/CD tools such as Jenkins, GitLab CI, and Azure DevOps, providing a smooth workflow.
• Compliance and Audit: Tufin SecureChange simplifies the audit and compliance process by providing detailed reports on all security changes.

Tufin Orchestration Suite: Centralized Network Security Management

Tufin Orchestration Suite provides centralized network security management, providing a single dashboard to visualize network traffic, security policies, and access rules. This allows organizations to effectively manage the security of firewalls, cloud resources, and Kubernetes environments.

Key Capabilities of Tufin Orchestration Suite:

• Network Visibility: Tufin Orchestration Suite provides complete visibility of network traffic and access rules, allowing you to quickly identify and resolve security issues. The dashboard displays real-time network traffic data, as well as information about current security policies and access rules.
• Security Policy Automation: Tufin Orchestration Suite automates the process of creating, deploying, and managing security policies, reducing the risk of errors and improving security posture.
• Compliance Management: Tufin Orchestration Suite helps organizations comply with regulatory requirements and security standards by providing tools for auditing, reporting, and compliance management.
• Ecosystem Integration: Tufin Orchestration Suite integrates with a wide range of network security tools and cloud platforms to ensure the security of the entire enterprise infrastructure.

In conclusion, Tufin is a powerful solution that enables organizations to effectively manage security in modern CI/CD pipelines. Through automation, integration, and deep visibility, Tufin helps reduce risks, speed up development, and improve compliance. Implementing Tufin enables companies to implement a full-fledged DevSecOps approach and ensure reliable protection of their applications and data.

Interested in learning more about how Tufin can enhance the security of your CI/CD pipeline? Contact us today to request a free trial, personalized consultation, and demo.