Deployment Firewall
Last updated
Last updated
OpsMx Deployment firewall is a feature to enforce application security at the point of deployment, across all environments such as staging and production. The firewall adds a gating mechanism to your existing CI/CD tools to ensure compliance and prevent any vulnerabilities from breaching the application.
The deployment firewall can be seamlessly integrated with the Continuous Deployment (CD) system or installed directly within the Kubernetes cluster. When a deployment occurs, the firewall is automatically triggered. It leverages Secure Software Delivery intelligence to analyze data collected throughout the development cycle. The firewall then evaluates this data against predefined policies. Based on this evaluation and any detected vulnerabilities or alerts, the firewall either allows or denies the deployment, effectively preventing insecure code from merging into production. This robust approach ensures that your application remains secure and resilient.
The deployment firewall policies can be predefined based on your need and how you want them to be enforced for the deployments. Some of the polices that can be defined are mandatory code scanning, no critical CVEs, approved change request ticket, or security review. The deployment firewall when triggered runs in the background to automatically verify at the time of deployment that the defined policies have been followed. The deployment of application releases that are out of compliance is blocked.
The following table lists examples of few deployment firewalls policies along with their description and severity level:
Category
Policy
Description
Severity
GIT
Branch Protection policy
Repositories should have branch protection enabled requiring all code
Critical
Build Server
Use tokens with minimum permissions in workflows.
Use minimal-permission tokens in workflows to prevent unauthorized access. GitHub Workflows use temporary tokens that can be stolen by attackers and used to access the repository and bypass restrictions such as requiring a reviewer. Reducing the permissions of the workflow would limit the actions of a potential attacker.
High
Container Security
Avoid critical security issues in containers.
Critical Container Security issues should not be present based on the container security scan
Critical
Artifact Integrity
Cloud Artifact should match the artifact in the artifact repo by hash.
An image running in your cloud that does not match an artifact in your repo may signal a cloud account compromise. Someone may be running an unauthorized app in your cloud, such as a crypto miner.
Critical
Cloud Security
Use the latest image for cloud services
A service running in your cloud should always have the latest version available in the registry.
Medium
The deployment firewall page gives a statistical representation of all the deployments for a given application. The graph displays the blocked or allowed deployments of the application.
Select the environment type from the top panel; staging, production or dev. The graph is displayed with the appropriate data as per the selected environment.
You can also select the services and frequency for which you want the deployments to be displayed from the Show Data For drop down. The time frequency ranges to display the deployments are as follows:
Last 1 Day - Displays the list of deployments that were deployed in the last 1 day.
Last 7 Days - Displays the deployments that were deployed in the last 7 days.
Last 1 Month - Displays the deployments that were deployed in the last 1 month.
Last 6 Months - Displays the deployments that were deployed in the last 6 months.
Since Last Successful Deployment - Displays all the deployments that happened since the last successful deployment.
All - Displays the entire list of deployments that took place for the selected application.
The Most Frequent Security Issues panel displays the list of the frequently occurring alerts along with the count of occurrence. Click View More to view the complete list of all the frequent alerts based on the category and occurrence ratio.
On clicking the individual alerts, the View Open Security Issues page is displayed which gives a detailed summary of the alert.
Select the Allowed tab or Blocked tab to view the complete details of the deployments. On clicking the required tab, the following details of the deployments are displayed:
Service : Displays the name of the service related to the deployment.
Version : Displays the version of the deployment.
Image : Displays the name of the image deployed.
Risk Status : Displays the risk status of the deployment in the order of criticality namely
Scanning - When a deployment is triggered, Delivery Shield is scanning your application for any risks and then groups it as high, medium or low.
High - The risk status of the deployment is high.
Medium - The risk status of the deployment is medium.
Low - The risk status of the deployment is low.
Open Security Issues : Displays the count of alerts identified for the given deployment. On clicking the alerts, the View Open Security Issues page is displayed which gives a detailed summary of the alert.
Deployed At : Displays the date and time of when it was deployed.
Status : Displays the status of the deployment; Active or Overridden.
Actions : Click View DBOM to view the detailed report of the deployment. Refer Delivery Bill of Materials for more details.
Cluster : Displays the cluster name of the deployment.