Old-fashioned, one-directional security approaches in the past have opened organizations to nefarious attacks. It’s not just the attackers that deserve the credit for finding the tiniest chink in the armor at the least trouble. We’ve played our part too. Truth is, it’s not so much the solutions that are installed to guard the gates that are the weak links as those that provide fortification from within, as well as the security stance on the whole.
At KubeCon North America 2022, we had the chance to catch up with Fortinet to talk about this, and CI/CD security in particular, that was their subject of focus in KubeCon. Ali Bidabadi, Director of Global Cloud Architecture at Fortinet talked to us about what Fortinet is doing in the DevOps world and how they’re thinking ahead of other vendors in cyber security.
Fortifying the Software Pipeline
Stephen Foskett dispelled the ambiguity about Fortinet’s appearance at KubeCon with the opening question which set the scene for Fortinet – what does Fortinet bring to the DevOps crowd?
Fortinet presents to the K8s community a suite of highly effective and integrated CI/CD security solutions for software development lifecycle that furthers the model that is DevSecOps. That maybe surprising to some who only know Fortinet with respect to network security. It’s remarkable, and in fact pleasantly surprising that Fortinet’s portfolio also encompasses security tools that work inside the CI/CD pipelines.
“We really acknowledge the fact that security for software development lifecycle needs to be comprehensive. It needs to cover the entire CI/CD pipeline from the time that developers start writing code to the time they check in their code into common repositories like GitHub, and further towards the right side of the CI/CD pipeline where they build it into container image and deploy that into orchestration and runtime environments. A comprehensive security for CI/CD needs to cover all of that,” said Bidabadi.
Fortinet Tightens Security from Inside the Pipeline
Fortinet offers a full spectrum of security solutions covering the pipeline start to end. “For each stage of the CI/CD pipeline, we have a product that alleviates customers’ pain points,” said Bidabadi.
A big part of the focus is applications security testing because as Bidabadi pointed out, app security testing is “a key aspect of any comprehensive CI/CD security solution”. That includes continuous static and dynamic testing with things like software composition analysis so as to scan not just the application source code but also libraries and packages.
A Prevention-First Approach
Fortinet embraces a prevention-first strategy when it comes to CI/CD security. The sooner a threat is spotted and quarantined in the pipeline, the better it is, vis-à-vis discovering it at the final stages where it has proliferated into something much worse and has wrecked a lot more on its way to that point.
In the face of rising cases of cyber-attacks, lately the industry has been feeling “the need for an integrated approach to cyber security”, and Fortinet’s position on this is aligned with that of Gartner. According to Gartner, a comprehensive cyber security solution needs to be “distributed, integrated and collaborative”, says Bidabadi, and that’s what Fortinet seeks to deliver.
So while on one hand, organizations need to hire professionals with deep familiarity with not just the tools of the trade but also knowledge of the threat landscape at large, what completes the picture is an intelligent solution that protects the environment and the components equally. Fortinet taps into this by bringing to the market solutions that elevate the level of awareness of anomalies in the environment.
Bidabadi said, to Fortinet “an integrated, collaborative, composable and distributed solution” means one that can “continuously leverage the intelligence that different components of the overall solution can share”. Only then can engineers have total visibility of the environment and its assets.
Fabric of Security
About a decade ago, Fortinet put together the Fortinet Security Fabric – a holistic security platform to fight off threats – long before the newer concepts around cyber security took hold. The idea was to create a fabric of solutions that work together collaboratively by sharing intelligence among themselves not just in cloud but also in hybrid multi-cloud environments. The platform was designed to provide that unified single pane of glass policy management control across infrastructures.
Fortinet’s suite of products for CI/CD security integrates tightly with this fabric. A couple of solutions that Bidabadi named especially in the context of CI/CD security are FortiGate 80C firewall and FortiGate-VM. While FortiGate 80C offers broad protection from the latest strains of threats, FortiGate-VM offers context-rich data about applications on Kubernetes. Fortinet has a team of consultants that helps customers examine their security situation and choose solutions from the Fortinet catalogue based on where they are and what they need, so that they can avail the best set of products that work for them.
An integrated CI/CD security solution has two key advantages – first, it adds security checks at every stage of the pipeline so that all elements in it are protected at all times, and secondly, it responds to threats dynamically, effectively and speedily, thus minimizing damage. Fortinet’s solutions deliver these outcomes by locking down the CI/CD workflow pipeline from the first stage of coding to the final stages of deployment in the runtime environment, thus delivering a blanket protection to the applications, end to end.