1. Localize components

Studies agree that 80-90% of your app is made up of third-party components. Too often these components are loaded at run-time from external sites and excluded from existing source code analysis scans. One of the ways in which the runc vulnerability could be exploited is by poisoning a container that is subsequently pulled and used in an application. The same is true for UX components loaded from third-party sources. Whenever possible, host third-party components on your own site to reduce the risk of tampering. If you think this isn't really a risk, may I suggest reading about the compromised ESLint packages discovered in 2018?
2. Scan components

Third-party components can – and do – contain vulnerabilities. If it's part of your app, it should be part of your security process. And now that you've followed step one, you can easily include scanning those components in your CI/CD pipeline. When scanning components for vulnerabilities, don't forget this important point: all code – no matter where it executes – should be scanned for potential risks.
3. Lock the door

This is a simple but effective means of deterring attackers from easily gaining control over your environment. Whether it's a web, app, database or middleware server or a container orchestration environment, do not forget to require credentials to access administrative consoles. This includes any public repositories you might be using. This isn't just important for the containers that tend to grab headlines these days. Plenty of compromises are thanks to the failure to secure cloud consoles and storage buckets.
4. Hide the key

Now that you've locked the door, don't leave the key on top of the doormat. Secret management is hard when done right, but it's essential to secure applications and operations from unauthorized access. Don't hardcode credentials and other secrets (like keys and certs) into files you commit to a repository. And don't use your repository as a key management store. Again, if you need a public example of what happens when you aren't careful with your secrets, read up on the Uber breach.
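One way to enforce this step in the pipeline, as an added example that is not part of the original post: a pre-commit style check that refuses to commit files carrying hardcoded secrets. The detection patterns, the entropy threshold and the sample staged files are assumptions made for illustration; dedicated tools do this more thoroughly.

```python
"""Pre-commit style check that refuses to commit files carrying hardcoded secrets."""
import math
import re
import sys
from collections import Counter

# Things that should never be committed; patterns are illustrative, not exhaustive.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # name = 'literal' assignments; group 2 captures the quoted value
    "credential_literal": re.compile(
        r"(?i)\b\w*(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per char; placeholders like 'changeme' fall below this

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secret material scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_for_secrets(files: dict) -> list:
    """Return (path, line number, finding kind) for every suspected secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS.items():
                m = pattern.search(line)
                if m is None:
                    continue
                # Skip low-entropy placeholder values in generic assignments
                if kind == "credential_literal" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                    continue
                findings.append((path, lineno, kind))
    return findings

# Constructed sample of staged files; no real key material.
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = False\n"
                          "DB_PASSWORD = os.environ['DB_PASSWORD']\n"  # read at runtime: fine
                          "API_KEY = 'sk-9f8G2hQ7vL0xR4tWbN6mZ1cY'\n",  # hardcoded: blocked
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, truncated)\n",
    "README.md": "Set password = 'changeme' in .env before running\n",
}

if __name__ == "__main__":
    hits = scan_for_secrets(SAMPLE_FILES)
    print("\n".join(f"{p}:{n}: {k}" for p, n, k in hits))
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Wire it up as a git pre-commit hook or a CI job over the changed files; the non-zero exit stops the commit or build before the secret reaches the repository.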
5. Include APIs

APIs – even façades – take user input. That means they fall under Security Rule Zero: thou shalt never trust user input. Make sure you aren't using APIs to simply pass data on to internal applications or microservices. Scan and secure APIs with the same zealousness as your applications. For a list of high-profile breaches involving APIs, give this Forbes article a read.

Now it's true that there's a lot more you can – and should – be doing to secure applications and the environments in which they are running. But many of those measures are rendered ineffective by failing to follow these five simple steps. Because they span the breadth of the CI/CD pipeline, it's important to get DevOps on board and adding these steps to their security checklist.