
Securing Build Systems for DevOps

DevSecOps for .NET Core

Abstract

In our infrastructure, the deployment jobs and CI servers act as the agents that deploy the applications to the servers. Previous chapters laid the foundation for what this chapter covers. The core of this chapter is security, efficiency, and trust in the build systems. Throughout the chapter, I will explore several of the DevOps tools we have covered and build on what you have learned. This chapter is about improving what we built previously so that it becomes a secure and usable infrastructure. A good solution depends on the security practices and test cases that are added to the CI/CD pipeline; manual testing and configuration add a layer of friction to the deployment.


Notes

  1. Most third-party DevOps tools, version control systems, and CI/CD systems are offered by competitors. Some organizations take their code privacy very seriously. When Microsoft bought GitHub, there was a huge trend of projects migrating from GitHub to GitLab. The concerns were primarily about “trust” and “privacy.” Check out a blog post by GitLab at https://about.gitlab.com/blog/2018/06/03/movingtogitlab/.

  2. The hacker was kind enough to offer the student an early-bird discount of 50%. This left him with a payment of USD 450.

  3. You can find more details about the installable version of a GitLab instance on their website at https://about.gitlab.com/install/.

  4. Tagging a Docker image is the process of creating a copy of an existing image under a different name. This lets you upload the image to your own repository by tagging the copy with your name.

  5. It might take longer for you depending on your network speed, machine specification, CPU, and RAM performance. I am using a high-performance machine, so it took only five minutes.

  6. Read more on this at https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/.

  7. A tenant-based software offering is a common concept used by SaaS vendors. In this approach, multiple clients use a software product hosted by the vendor on the same resources. Each client receives its own credentials and uses them to access the underlying service. The resource-sharing model of this subscription option is what makes it a “tenant”-like offering.

  8. Learn more about the product offering at https://cloud.google.com/jenkins/.

  9. Learn more at https://bitnami.com/stack/jenkins/cloud.

  10. Read about Azure Key Vault integration with Azure DevOps at https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops.

  11. Read more about how Azure DevOps asks for location information at https://docs.microsoft.com/en-us/azure/devops/organizations/security/data-location?view=azure-devops.

  12. Yes, there are others too, such as Bitbucket, SourceForge, and AWS CodeCommit.

  13. You can add terms such as “Development” and “Production” to the filename and change the environment variables at runtime.

  14. You can use feature flags in this scenario and store the API keys in your feature-flag database, from which your device can retrieve them. Feature flags can be updated easily without any changes to the code.

  15. Read more about GitLab CI environment variables at https://gitlab.com/help/ci/variables/README#variables.

  16. Serverless infrastructure in this sense means that your virtual machines are created on demand and removed once the build finishes. This infrastructure is disposable in the sense that you do not need to manage the virtual machines; they are provided to you without any management overhead.

  17. Learn more about the schema in the reference at https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema#pool.

  18. Visit the official repository at https://hub.docker.com/_/microsoft-dotnet-core-sdk/.

  19. Docker Enterprise Edition offers vulnerability scanning that you can use to secure your build environment as well as the software packages it produces. Read more at https://docs.docker.com/ee/dtr/user/manage-images/scan-images-for-vulnerabilities/.

  20. Learn more about the most widely used tools for verifying Docker images at https://techbeacon.com/security/10-top-open-source-tools-docker-security.

  21. You can try more commands to test Docker installations, especially remote installations. Explore this GitHub repository for more on the topic: https://github.com/kost/dockscan.

  22. Most of the excerpts are from the open source project by Microsoft, available on GitHub at https://github.com/MicrosoftDocs/pipelines-xamarin.

  23. Firebase Test Lab provides a comprehensive list of virtual and physical devices on which to test your Android and iOS applications; learn more at https://firebase.google.com/docs/test-lab.

  24. You can learn more about how to import the signing keys and connect to the online stores in the Microsoft documentation for App Center. Learn more about Google Play at https://docs.microsoft.com/en-us/appcenter/distribution/stores/googleplay, and about the Apple App Store at https://docs.microsoft.com/en-us/appcenter/distribution/stores/apple.

  25. Learn more about the KeyStore object at https://developer.android.com/reference/java/security/KeyStore.

  26. Learn how the Google Play Store uses the keystore values to validate the uploaded package at https://developer.android.com/studio/publish/app-signing.


Copyright information

© 2020 Afzaal Ahmad Zeeshan

About this chapter


Cite this chapter

Zeeshan, A.A. (2020). Securing Build Systems for DevOps. In: DevSecOps for .NET Core. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-5850-7_5
