Published Oct 9, 2023

The Strategy and Execution Behind Enhanced Product Security

Rama Rao Kuppanadi

Rama Rao Kuppanadi

At Celigo, we’ve always been committed to staying ahead of the curve regarding security. In an era of ever-evolving cyber threats, our belief in integrating security into every facet of our development processes has never been stronger.

In this post, we’ll share our journey about how we implement strong security principles across our development process, adopt DevSecOps practices, and how we built a robust product security program.

Security first and shifting left are at the core of our values. This means that security is always a top priority in every decision we make and that we integrate security activities into the software development lifecycle from the beginning. Security is embedded in our design, development, and continuous integration processes.

Our commitment to DevSecOps is a testament to our committed focus on security.

Laying the Foundation – SonarLint and SonarQube

Our security story starts with proactive security measures. We’ve equipped our developers with the SonarLint IDE plugin, which empowers them to identify and fix security issues right during the coding process. It’s like having a real-time security assistant.

But we didn’t stop there. We use SonarQube for code quality in our DevSecOps pipeline. It is an integral part of our pre-commit and post-commit processes and acts as a gatekeeper. This tool allows us to continuously inspect our codebase, unearthing bugs, vulnerabilities, and coding practice improvements. With SonarLint and SonarQube, we’re not just being reactive but proactive. That’s how we ensure our code is consistently secure.

Guarding Against Unseen Threats – npm Audit for Third-party Libraries

We know the lurking dangers in third-party libraries (TPLs). To combat these, we’ve employed npm Audit, a tool that scans these libraries, spotting potential vulnerabilities before they cause issues. But it’s not just about spotting; we also act. With the guidance provided by npm Audit, developers fix identified vulnerabilities, cementing the security of our software ecosystem.

To take it a step further, we’ve embraced npm Audit into our Continuous Integration (CI) pipeline, where it acts as a crucial gate. High or critical vulnerabilities aren’t just detected and promptly addressed before code advances. It’s all part of our commitment to strict security standards.

The Container Saga – ECR and Qualys for Ultimate Security

Container security is essential in our DevSecOps journey. We’ve harnessed the power of Amazon Elastic Container Registry (ECR) and Qualys to scan our Docker images for software vulnerabilities, ensuring our containers are rock-solid.

Base Image Hardening: We’ve introduced a base image hardening pipeline to guarantee secure containers. We scrutinize base images for high or critical vulnerabilities using the Qualys plugin. When these issues are resolved, they earn a spot in our ECR repositories, ready for use by our applications.

ECR Scanning and Qualys Integration: By bringing ECR scanning and Qualys into our CI pipeline, we proactively identify and address security issues before they reach production. This not only ensures our containers are secure but also safeguards our applications.

Runtime Container Vulnerability Detection: With Qualys, we detect runtime container vulnerabilities in our staging environments, which are replicas of our production setup. This agile approach helps us patch the latest vulnerabilities quickly.

Unmasking Hidden Vulnerabilities – ZAP for Application Penetration Testing

We go beyond automated security checks by using OWASP ZAP (Zed Attack Proxy) for active penetration testing of our applications. Integrating ZAP with our UI automation enables us to simulate real-world attacks and find vulnerabilities that automated scans might miss.

Trust No One – The Zero Trust Architecture

Our infrastructure security strategy is built on the foundation of the Zero Trust approach. We trust no one, whether they are inside or outside our network. We check every request carefully as if it came from an open network. This applies to all traffic, both north-south and east-west. This approach gives us tight control over who can access what, making it harder for attackers to spread within our network if they do get in.

Guardians of the Digital Realm – AWS WAF and Qualys

To safeguard our application and AWS infrastructure, we’ve enlisted the help of the AWS Web Application Firewall (WAF) and Qualys, respectively. AWS WAF is our guardian, shielding our applications against common web exploits. Qualys provides us with continuous visibility into our AWS infrastructure security and compliance posture by identifying and helping remediate vulnerabilities, enforcing security policies, and maintaining compliance.

Building Community Strength – HackerOne Bug Bounty Programs

We’re firm believers in the power of transparency regarding security. That’s why we’ve initiated bug bounty programs through HackerOne, inviting white-hat hackers to test our application. This openness gives us a fresh perspective and allows us to learn from the global security community, continuously reinforcing our defenses.

Partners in Security – Third-party Vendor Assessments

In addition to our extensive toolset and procedures, we actively collaborate with third-party security assessment vendors. Annually, they perform application penetration testing internally and externally, ensuring our staging and production environments remain watertight. In addition, we are annually audited for meeting SOC 2 type 2 requirements for security and availability.

Our Journey to Holistic Security

At Celigo, DevSecOps is more than just a cultural shift; it’s a holistic practice woven into every step of our software delivery process. We take immense pride in our robust product security, ensuring we deliver reliable and secure software solutions to our valued customers.

As cyber threats continue to evolve, so do our strategies and tools. We’re committed to staying at the forefront of security practices, ensuring that Celigo remains a beacon of safety in the ever-changing digital landscape.

About the Author

Rama Rao Kuppanadi is a Senior Director of Engineering at Celigo, where he is leading the cloud-native transformation of the company’s iPaaS platform. He has a proven track record of developing and transitioning cloud-native SaaS products.

With deep expertise in platform engineering, infrastructure, product security, and DevSecOps/SRE, he is also skilled in building and nurturing engineering teams, forging collaborations, and crafting unified visions and roadmaps. A strong advocate for quality and security, Rama emphasizes shift-left and security-first practices to embed these priorities early in the development process.