Deployment Firewall

What is a deployment firewall and how does it work?

OpsMx Deployment Firewall is a feature that enforces application security at the point of deployment, across all environments such as staging and production. The firewall adds a gating mechanism to your existing CI/CD tools to ensure compliance and to prevent releases with known vulnerabilities from being deployed into the application.

The deployment firewall can be integrated with the Continuous Deployment (CD) system or installed directly within the Kubernetes cluster. When a deployment occurs, the firewall is triggered automatically. It leverages Secure Software Delivery intelligence to analyze data collected throughout the development cycle and evaluates this data against predefined policies. Based on this evaluation and any detected vulnerabilities or alerts, the firewall either allows or denies the deployment, preventing insecure code from reaching production. This approach ensures that your application remains secure and resilient.

Predefined deployment firewall policies with examples

The deployment firewall policies can be predefined based on your needs and on how you want them enforced for deployments. Some of the policies that can be defined are mandatory code scanning, no critical CVEs, an approved change request ticket, or a security review. When triggered, the deployment firewall runs in the background and automatically verifies at the time of deployment that the defined policies have been followed. Deployment of application releases that are out of compliance is blocked.
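As an added illustration, not OpsMx's own code or policy format, the gate below evaluates the four example policies named above against a deployment record. The record's fields, the CVE severity labels and the split between blocking ("critical") and alert-only ("warning") policies are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Deployment:
    """Assumed shape of the data the firewall collects for one deployment."""
    service: str
    version: str
    image: str
    code_scan_completed: bool
    cves: List[Tuple[str, str]]        # (cve_id, severity) pairs from the scan
    change_ticket_approved: bool
    security_review_done: bool

@dataclass
class Policy:
    name: str
    severity: str                      # "critical" blocks, "warning" only alerts (assumed)
    check: Callable[[Deployment], bool]  # True when the deployment complies

# The four example policies from the text, as predicates over the record.
POLICIES = [
    Policy("mandatory code scanning", "critical", lambda d: d.code_scan_completed),
    Policy("no critical CVEs", "critical",
           lambda d: not any(sev == "CRITICAL" for _, sev in d.cves)),
    Policy("approved change request ticket", "critical",
           lambda d: d.change_ticket_approved),
    Policy("security review", "warning", lambda d: d.security_review_done),
]

def evaluate(deployment: Deployment, policies=POLICIES):
    """Return (allowed, violations). Any failed critical policy denies the
    deployment; failed warning policies are reported but do not block."""
    violations = [(p.name, p.severity) for p in policies if not p.check(deployment)]
    allowed = not any(sev == "critical" for _, sev in violations)
    return allowed, violations

if __name__ == "__main__":
    # Constructed sample record; the CVE id is a placeholder, not a real CVE.
    release = Deployment("payments", "1.4.3", "registry.example/payments:1.4.3",
                         code_scan_completed=True,
                         cves=[("CVE-XXXX-0002", "CRITICAL")],
                         change_ticket_approved=True, security_review_done=False)
    allowed, violations = evaluate(release)
    print("ALLOWED" if allowed else "BLOCKED", violations)
```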

The following table lists examples of a few deployment firewall policies along with their description and severity level:

Viewing Allowed and Blocked Deployments

The deployment firewall page gives a statistical representation of all the deployments for a given application. The graph displays the blocked or allowed deployments of the application.

Select the environment type (staging, production or dev) from the top panel. The graph is then displayed with the data for the selected environment.

You can also select the services and the time range for which you want the deployments to be displayed from the Show Data For drop-down. The available time ranges are as follows:

  • Last 1 Day - Displays the list of deployments that were deployed in the last 1 day.

  • Last 7 Days - Displays the deployments that were deployed in the last 7 days.

  • Last 1 Month - Displays the deployments that were deployed in the last 1 month.

  • Last 6 Months - Displays the deployments that were deployed in the last 6 months.

  • Since Last Successful Deployment - Displays all the deployments that happened since the last successful deployment.

  • All - Displays the entire list of deployments that took place for the selected application.

The Most Frequent Security Issues panel displays the list of the frequently occurring alerts along with the count of occurrence. Click View More to view the complete list of all the frequent alerts based on the category and occurrence ratio.

On clicking the individual alerts, the View Open Security Issues page is displayed which gives a detailed summary of the alert.

To View Allowed / Blocked Deployments

Select the Allowed tab or Blocked tab to view the complete details of the deployments. On clicking the required tab, the following details of the deployments are displayed:

  • Service: Displays the name of the service related to the deployment.

  • Version: Displays the version of the deployment.

  • Image: Displays the name of the image deployed.

  • Risk Status: Displays the risk status of the deployment, in order of criticality:

    • Scanning - When a deployment is triggered, Delivery Shield is scanning your application for risks; it then groups them as high, medium or low.

    • High - The risk status of the deployment is high.

    • Medium - The risk status of the deployment is medium.

    • Low - The risk status of the deployment is low.

  • Open Security Issues: Displays the count of alerts identified for the given deployment. On clicking the alerts, the View Open Security Issues page is displayed, which gives a detailed summary of the alert.

  • Deployed At: Displays the date and time of the deployment.

  • Status: Displays the status of the deployment; Active or Overridden.

  • Actions: Click View DBOM to view the detailed report of the deployment. Refer to Delivery Bill of Materials for more details.

  • Cluster: Displays the cluster name of the deployment.
