Introduction
Skyscanner’s Continuous Integration and Delivery (CI/CD) pipeline is built to support tens of thousands of deployments per day. The frequency of production deployments cannot come at the expense of security. In fact, security processes need to be integrated within the CI/CD pipeline. That’s why we added continuous security validation at each step of the pipeline, from development to production, to help ensure our applications stay secure.
We’ve previously discussed Skyscanner initiatives for improving code security:
As part of the pipeline, we began using SonarQube™ for code quality purposes. This validation happens before the developer commits their code as SonarQube™ is integrated in the developer’s IDE. We decided we could leverage SonarQube™ further by also checking for vulnerable coding patterns. During this process we identified great existing plugins like Findsecbugs for Java, but we also noticed the lack of static code analysis plugins for Python and Node.js. We decided to write the missing plugins in order to achieve full coverage of our standard main languages (Python, Java and Node.js). We started with Sonar Secrets to provide early feedback to developers, alerting them of security risks associated with using hardcoded credentials. Providing developers with feedback early on allowed us to shift our security controls to the left, enabling developers to meet our internally-defined Security Standards before production code goes live. …
This post describes how we improved the query performance for our OpenTSDB cluster and enabled queries that previously were impossible by reducing the resolution of historic data.
Skyscanner’s focus is to drive every decision in Skyscanner by complete, timely and accurate data. As part of this, we’re operating a large metrics and logging platform that enables all engineers in Skyscanner to monitor their service 24 hours a day. We provide application logs and any metrics that our engineers would like to record; for instance, business and operational metrics for their services. …
Introduction
Skyscanner’s products are powered by hundreds of services hosted on AWS. In order to deploy changes and new services to production with zero clicks, we have an automated pipeline that´s responsible for building, testing and deploying new code, and provisioning and configuring new infrastructure. Developers perform these changes by writing CloudFormation templates that model their service’s Infrastructure as Code (IaC).
CloudFormation is an AWS service that essentially allows developers to programmatically provision AWS resources. CloudFormation templates could have security issues similar to regular source code, such as hardcoded secrets, overly permissive permissions, and many more.
Our goal at the Security Automation team is to inject security into the pipeline as early as possible, and to make sure that the relevant security scans and audits are performed at every step, minimising the risk of any vulnerable code getting into production. …
About
