DEMICON Insights

Securing Success: DEMICON's Journey with GitLab's DevSecOps Integration

Written by DEMICON | Jul 9, 2024 9:28:28 AM

 

A good example of this is the birth of the DevOps methodology. DevOps emerged to bridge the significant gap between teams working on different aspects of the same project. Previously, discovering bugs, incorporating feedback, and releasing updates took longer, with no new work starting until the previous phase was complete. DevOps methodologies transformed this by cultivating better collaboration between teams, enhancing communication, improving resource management, and accelerating time to market. DevOps became a game changer, making numerous advancements possible.


However, it is a well known fact that every new solution brings its own set of problems. Even with the better practices of DevOps, there was still an aspect of application development that was not being fulfilled properly. That aspect was security. Security testing involves thorough inspections to identify vulnerabilities or issues that could leave the application open to attacks. Traditionally, security testing occurred in the final phases of the SDLC, after development and other testing phases were completed. By then, it was often too late to eliminate all vulnerabilities. We caught some, we lost some. This raised a need in the software community to make security testing a bigger priority. So why not prioritise it from the start? Why not implement it earlier? From this moment onwards, the concept of DevSecOps was born.

DevSecOps integrates security into every stage of the software development process, from inception to production. This approach makes security a shared responsibility across all teams, ensuring that everyone, regardless of their role, is running proper security checks on their end of the work. This makes for good collaboration among different teams. It also shifts security testing, of development and deployment pipelines, to the left - conducting checks after each development phase before progressing to the next. By automating these security tests, vulnerabilities can be caught early on, reducing the overhead of late feedback loops and ensuring that security issues are identified and addressed early in the development process without us having to start over from the beginning. By making security testing a priority, running it after each phase of the development process, we ensure the least amount of vulnerabilities into our final product.

 

DevSecOps with GitLab

 

GitLab stands out as a complete-in-itself DevSecOps platform, seamlessly weaving security into every aspect of the DevOps lifecycle. By integrating security measures directly into the CI/CD pipeline, GitLab ensures that vulnerabilities are caught and addressed early, thus reducing the risk of security breaches. It offers automated security tests, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and dependency scanning, that provide continuous insights into how secure the code truly is. These tools run alongside regular development processes, catching issues before they can become significant problems.

Furthermore, GitLab’s security dashboards offer a detailed view of potential risks, making it easier for teams to prioritise and manage security tasks. The platform's built-in vulnerability management system not only detects but also helps in understanding, tracking and remediating security issues. Depending on an organisation’s hierarchy and structure, approval rules as well as roles can be set up to look into, verify and approve security findings. This comprehensive approach allows for better collaboration among development, security, and operations teams thus fostering a culture of shared responsibility. By integrating security deeply into the development process, GitLab not only speeds up the time to market but also ensures that the software delivered is secure and reliable from the get go.

 

Demicon GmbH & GitLab:  A Story of Success

Next up, let’s discuss GitLab’s Partner Program which is designed to empower businesses with tools and resources to integrate and enhance GitLab’s platform. It offers various partnership tiers with a multitude of benefits. The program aims to foster collaboration, drive innovation, and support partners in growing their business with GitLab's solutions.

DEMICON is proud to present itself as a GitLab Partner. By entering this partnership with GitLab, we commit to provide streamlined development workflows for our clients. By leveraging GitLab’s capabilities, DEMICON addresses challenges such as complex pipelines, scalability, and high operating costs. This partnership enhances software development quality, efficiency, and collaboration, while also offering cost savings and competitive advantages. Through this collaboration, DEMICON integrates GitLab's automation and standardisation features to optimise clients’ development processes.
To learn more about DEMICON’s partnership with GitLab, please check this announcement.

As a GitLab partner, we are committed to embodying the same best practices that we recommend to our clients. Today, we're excited to share how we've leveraged GitLab's DevSecOps capabilities to integrate robust security measures across our projects.

 

Implementing DevSecOps: A Case Study

Our main story for today is one of our internal projects which focuses on vehicle validation, simulation, and testing of automotive components. This project benefited from the implementation of DevSecOps using GitLab.

So let’s talk about what we did. 

A good DevSecOps pipeline should, in principle, implement the following stages:

 

Keeping in mind that use cases can vary across different applications, we implemented most of the stages of the DevSecOps pipeline in our project.

In the first step of our pipeline, code quality checks are performed using GitLab's Code Quality feature. Using this feature we have been able to do automated analysis of code to assess adherence to coding standards, identify potential bugs, and improve maintainability. It helped us integrate static code analysis tools to review code syntax, complexity, and style consistency, offering insights and actionable feedback to developers. This helped us ensure higher quality code and facilitated collaboration within development teams by promoting best practices.

Unit tests are run as part of the CI/CD pipeline which has helped us to detect bugs earlier as well as debug code faster. You can easily view the test cases run in the GitLab UI. On top of that, we have code coverage reported for how much code is actually covered by the unit tests. This enabled us to identify parts of code which remained untested and how we can improve them.

During the build stage, artefacts are generated which enable efficient distribution of build outputs, such as compiled binaries, packages, container images, or documentation. GitLab also provides a centralised location where these artefacts are stored and can be easily accessed by team members or deployment processes.

With SAST, we run multiple jobs that cover different areas of SAST testing. We perform SAST on our infrastructure configuration files (like Terraform or CloudFormation scripts) to analyse security vulnerabilities and implement best practices. It has helped us identify any potential issues such as insecure configurations, hardcoded credentials, and misconfigurations in the code that could lead to security breaches or operational risks. This scanning process helps ensure that IaC scripts adhere to security standards and mitigate potential security threats before deployment.

The second SAST job runs a scanner which checks the code for security issues without actually running it. This scanner looks through the code files and finds patterns that might indicate vulnerabilities or bugs that could be exploited by attackers. This way we are able to catch potential problems early in the development process, allowing us to fix issues before they become bigger problems in production.

Next we perform Secret Detection. It is integrated into our CI/CD pipeline to automatically scan for sensitive information, such as API keys and passwords, using predefined and custom patterns. It runs as part of our pipeline, analysing the entire codebase and repository history. Detected secrets are reported in the pipeline job logs and the security dashboard, with notifications sent to our team. Along with this, GitLab also provides recommendations for remediation, such as revoking and rotating keys and removing secrets from the codebase.

Next up, we decided to include the feature of dependency scanning offered by GitLab. By using it we are able to automatically identify and flag known vulnerabilities in third-party dependencies used within our project. It checks libraries, frameworks, and other external components used by our project for security issues by comparing them against a database of known vulnerabilities. This has helped us mitigate risks associated with using outdated or insecure dependencies, ensuring our applications are built and deployed with fewer security vulnerabilities.

Last but not least, we use the release feature offered by GitLab to release our application code. This feature simplifies the management and delivery of our product releases by allowing us to define, track, and coordinate releases directly within the platform. It automates the generation of release notes based on included merge requests, supports versioning for different releases, and facilitates the upload and attachment of release assets such as binaries and documentation. Integrated with CI/CD pipelines, it provides visibility into deployment status and changelogs, streamlining the release process while ensuring transparency and traceability of changes across versions.

One of the biggest advantages of using these features is that they come built right out of the box. With only a few customisations, we can use pre-built templates to run SAST, DAST testing and all types of scanners. This has been certainly advantageous for us, here at DEMICON, and we have enjoyed the usage of these tools without the complexity of integrating and managing standalone tools. By using these features, our project has come a long way when it comes to following security best practices.

 

Conclusion

In summary, GitLab's DevSecOps features offer a smooth approach to integrating security within the software development lifecycle. These built-in tools promote effective collaboration between development, security, and operations teams, fostering a unified and efficient workflow. This all-in-one platform reduces the need for multiple tools, simplifying the process of identifying security issues earlier in the development cycle, reducing time and saving rework. Ultimately, adopting GitLab's DevSecOps features has enhanced our ability to deliver secure, reliable software to our clients while also allowing us to concentrate on innovation and productivity. 

Here’s to good collaborations and following of best practices in the future! 

CONTACT US!