Shift Left Inline – Integration with Atlassian Bitbucket CI/CD Pipes

By Amit Agrawal on Apr 14, 2020

Infrastructure-as-a-Service (IaaS) is used by organizations of all sizes as the new default IT environment for building and hosting internal and customer-facing applications. In the rush to leverage the many capabilities IaaS providers offer, many organizations overlook the cloud shared-responsibility model and assume that the cloud provider takes care of security completely. At the end of the day, the security of what customers put in the cloud, most importantly sensitive data, is their own responsibility. According to leading analyst Gartner, “Through 2025, 99% of cloud security failures will be the customer’s fault.”1

Per McAfee’s CARR report, about 99% of misconfigurations go unnoticed by companies using IaaS. On average, companies were aware of about 37 misconfiguration incidents per month, but real-world data shows that they actually experience closer to 3,500 such incidents, roughly 100 times more.

It is likely that the speed of IaaS adoption is leaving many security practitioners behind, in a never-ending game of catch-up. The flexibility IaaS providers offer lets teams change infrastructure rapidly in response to ever-changing demands, and misconfigurations that leave the door open happen all the time, all the more so now that changes are made through Infrastructure as Code (IaC) in a Continuous Integration/Continuous Delivery (CI/CD) fashion. MVISION Cloud’s IaaS config audit reports on deployed infrastructure and helps ensure it is compliant and pristine, but as new resources keep being deployed from DevOps templates, the same compliance issues get reported over and over.

The integration with Atlassian Bitbucket pipes performs ‘inline’ evaluation of DevOps templates: any template pushed to a Bitbucket code repository that is configured to trigger a build is automatically evaluated for vulnerabilities, and any misconfiguration errors are reported right in the developer’s console, highlighting the specific policies in question.

This helps DevOps personnel analyze and remediate misconfiguration issues at the source, so that further deployments from those templates don’t create the same issues in the IaaS environments. The security team enforces the process and sets the guidelines, instead of facing the impossible task of keeping up with an ever-growing list of non-compliance issues. Enforcing these checks earlier in the DevOps cycle lets the security team delegate enforcement for newly deployed resources and stop the deployment of any non-compliant DevOps templates. By adding security earlier in the DevOps process, security professionals can catch risky configurations before they become a threat in production.

The integration setup is simple: the pipeline YAML file is configured to use the McAfee MVISION Cloud Docker image along with a few environment variables, and setup is complete once Pipelines is enabled. The scans support AWS CloudFormation, Azure ARM and Terraform templates.

MVISION Cloud also integrates with Atlassian Code Insights, as shown below.

Code Insights provides APIs for sending detailed information that gives developers context; the reports display this information directly on pull requests inside Bitbucket. McAfee’s MVISION Cloud integration with Code Insights, as part of Bitbucket Pipelines, provides the security scan results to the DevOps team for analysis, indicating why the build failed and listing the specific policies violated per template. This helps the developer rectify the issue at the source so it does not percolate into the IaaS infrastructure.
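To make the inline evaluation and per-template policy reporting described above concrete, here is an added example (not MVISION Cloud’s code or policy set) that scans a constructed CloudFormation template in JSON form against three illustrative policies, returns one finding per violated policy and resource, and shapes a PASSED/FAILED summary of the kind a pull-request report would carry; the policy ids and report field names are this example’s own assumptions, not the Code Insights API schema.

```python
import json

# Constructed sample CloudFormation template (JSON form); not taken from the page.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}})

def bucket_not_public(props):
    return props.get("AccessControl", "Private") not in ("PublicRead", "PublicReadWrite")

def bucket_encrypted(props):
    return "BucketEncryption" in props

def no_world_open_ssh(props):
    for rule in props.get("SecurityGroupIngress", []):
        open_to_world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        if open_to_world and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535):
            return False
    return True

# Illustrative policy catalogue (hypothetical ids): (policy id, resource type, check passes?)
POLICIES = [
    ("S3-001 bucket must not have a public ACL", "AWS::S3::Bucket", bucket_not_public),
    ("S3-002 bucket must enable default encryption", "AWS::S3::Bucket", bucket_encrypted),
    ("EC2-001 SSH must not be open to the world", "AWS::EC2::SecurityGroup", no_world_open_ssh),
]

def evaluate_template(template_text):
    """Return one finding per (resource, violated policy) in the template."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for name, res in resources.items():
        for policy_id, rtype, passes in POLICIES:
            if res.get("Type") == rtype and not passes(res.get("Properties", {})):
                findings.append({"resource": name, "policy": policy_id})
    return findings

def build_report(findings):
    """Summarise findings as a PR report would: PASSED/FAILED plus the violated policies.
    Field names are this example's own, not the Code Insights API schema."""
    return {"result": "FAILED" if findings else "PASSED",
            "violations": len(findings), "details": findings}

if __name__ == "__main__":
    report = build_report(evaluate_template(SAMPLE_TEMPLATE))
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["result"] == "FAILED" else 0)  # non-zero exit fails the build step
```

Run as a build step, the non-zero exit status is what stops a non-compliant template from being deployed, while the report lists the exact policy each resource violated.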

All the issues are also reported as incidents in MVISION Cloud’s dashboard, as shown below.

It is imperative for enterprises to better align developers and security. The end goal is a state where developers no longer see security as just a checkbox or something to throw over the fence to the security team at production time, but as an essential part of their daily development process. As a maker of tools for development teams, Atlassian wants to make it easier for developers to build and operate secure products while responding to security incidents more quickly and effectively. The partnership between Atlassian and McAfee combines their joint strengths to deliver an optimized security solution for customers. Join us to learn more at the Atlassian 2020 Summit.

1 Source: “Smarter With Gartner” blog, “Is the Cloud Secure?”, Kasey Panetta, October 10, 2019

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


About the Author

Amit Agrawal

Amit Agrawal has 20+ years of experience in Product Management and Engineering development. Passionate about identifying underlying end-user problems and use cases and then leading the specification and development of products to solve and provide value. Manage entire product line life cycle from strategic planning to tactical activities. Strong decision-making with imperfect information, knack of ...


Categories: Cloud Security
