
Security Best Practices

Learn how to build and maintain secure DevSecOps pipelines using CXRay and industry best practices.

Shift Left Security

Integrate security early in the development lifecycle:

1. Developer Workstations

Enable pre-commit scanning to catch issues before code is committed:

#!/bin/bash
# .git/hooks/pre-commit (the shebang must be the first line; chmod +x the file)
cxray scan --type cve,cce --severity high,critical --fail-fast .

Hooks under .git/hooks are not versioned and can be skipped with git commit --no-verify, so treat this as early feedback for the developer and rely on the PR and pipeline checks for enforcement.

2. Pull Request Checks

Automate security scanning in PR workflows:

# .github/workflows/pr-check.yml
# Assumes the cxray CLI is already available on the runner.
name: Security Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run CXRay Scan
        run: cxray scan --fail-on critical .

3. CI/CD Pipeline

Integrate comprehensive scanning in your pipeline:

stage('Security Scan') {
  steps {
    cxrayScan(
      scanTypes: ['cve', 'cce', 'sbom'],
      failOnSeverity: 'high'
    )
  }
}

Vulnerability Management

Define Clear Policies

Establish and enforce vulnerability thresholds:

# .cxray.yml
policies:
  critical:
    action: fail
    sla: 24h    # Must fix within 24 hours

  high:
    action: warn
    sla: 7d     # Must fix within 7 days

  medium:
    action: monitor
    sla: 30d

  low:
    action: monitor
    sla: 90d

Prioritize Remediation

Focus on:

  1. Exploitability: Is the vulnerability actively exploited?
  2. Exposure: Is the vulnerable component exposed to untrusted input?
  3. Impact: What's the potential damage?
  4. Fix Availability: Is a patch available?
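
The policy file and the four prioritization questions combine naturally into one gate. The script below is an added example in Python, not CXRay code or output: it assumes a hypothetical findings list with the fields severity, first_seen, actively_exploited, exposed and fix_version (real scanner output will use its own schema), applies the same thresholds as the .cxray.yml above, reports findings that have outlived their SLA, and orders remediation so that an actively exploited medium outranks an unexploited high.

```python
"""Policy gate over scan findings (added example; the finding schema and the
sample findings are constructed, not CXRay's own format)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Same thresholds as the .cxray.yml policies block above.
POLICY = {
    "critical": {"action": "fail", "sla": "24h"},
    "high": {"action": "warn", "sla": "7d"},
    "medium": {"action": "monitor", "sla": "30d"},
    "low": {"action": "monitor", "sla": "90d"},
}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
_SLA_UNITS = {"h": "hours", "d": "days"}


def parse_sla(text: str) -> timedelta:
    """'24h' -> 24 hours, '7d' -> 7 days; anything else is a config error."""
    m = re.fullmatch(r"(\d+)([hd])", text)
    if not m:
        raise ValueError(f"unsupported SLA format: {text!r}")
    return timedelta(**{_SLA_UNITS[m.group(2)]: int(m.group(1))})


def priority_score(finding: dict) -> int:
    """Weights chosen so the four questions are decided in order:
    exploited (16) > exposed to untrusted input (8) > impact (0..6) > fix available (1)."""
    return (
        (16 if finding.get("actively_exploited") else 0)
        + (8 if finding.get("exposed") else 0)
        + 2 * SEVERITY_RANK[finding["severity"]]
        + (1 if finding.get("fix_version") else 0)
    )


def evaluate(findings: list[dict], policy: dict, now: datetime) -> dict:
    """Return the gate verdict, findings past their SLA, and the remediation order.

    fail beats warn beats pass. SLA breaches are reported separately so a team
    can fail the build on stale highs even though 'high' alone only warns."""
    verdict = "pass"
    breaches = []
    for f in findings:
        rule = policy[f["severity"]]
        if rule["action"] == "fail":
            verdict = "fail"
        elif rule["action"] == "warn" and verdict == "pass":
            verdict = "warn"
        if now > f["first_seen"] + parse_sla(rule["sla"]):
            breaches.append(f["id"])
    ordered = sorted(findings, key=priority_score, reverse=True)
    return {
        "verdict": verdict,
        "sla_breaches": breaches,
        "remediation_order": [f["id"] for f in ordered],
    }


# Constructed sample: component names are placeholders, not real advisories.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
FINDINGS = [
    {"id": "F-1", "severity": "high", "component": "example-web@1.0.0",
     "first_seen": NOW - timedelta(days=10), "actively_exploited": False,
     "exposed": True, "fix_version": "1.0.1"},
    {"id": "F-2", "severity": "medium", "component": "example-parser@2.3.0",
     "first_seen": NOW - timedelta(days=2), "actively_exploited": True,
     "exposed": True, "fix_version": "2.3.1"},
    {"id": "F-3", "severity": "low", "component": "example-log@0.9.0",
     "first_seen": NOW - timedelta(days=1), "actively_exploited": False,
     "exposed": False, "fix_version": None},
]

if __name__ == "__main__":
    print(evaluate(FINDINGS, POLICY, NOW))
```

With the sample data the verdict is warn (no critical, one high), F-1 is flagged as past its 7-day SLA, and the remediation order is F-2, F-1, F-3: the exploited medium comes first even though the high has a higher CVSS-style severity.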

Track and Monitor

# Generate trending reports
cxray report --type trend --period 30d

# Compare scans
cxray diff scan-v1.json scan-v2.json

Dependency Management

Keep Dependencies Updated

# Check for outdated dependencies
cxray scan --type cve --check-updates .

# Generate update recommendations
cxray recommend --priority security .

Pin Dependency Versions

{
  "dependencies": {
    "express": "4.18.2",   // ✅ Exact version
    "lodash": "^4.17.0"    // ❌ Range: any 4.x at or above 4.17.0 may be installed
  }
}
// (the // annotations are for illustration; package.json itself does not allow comments)

Use Lock Files

Always commit lock files, and install from them in CI (npm ci, yarn install --frozen-lockfile) rather than re-resolving ranges: a committed lock file that the pipeline ignores pins nothing. Lock files also pin transitive dependencies, which version pins in the manifest alone cannot reach.

  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • Pipfile.lock (Python)
  • Gemfile.lock (Ruby)
  • go.sum (Go)

Minimize Dependencies

# Analyze dependency tree
cxray sbom tree --depth all .

# Identify unused dependencies
cxray analyze --unused .

Configuration Security

Never Hardcode Secrets

# ❌ Bad
database:
  password: "admin123"
  api_key: "sk_live_abc123"

# ✅ Good
database:
  password: ${DB_PASSWORD}
  api_key: ${API_KEY}

Use Secret Management

  • Cloud provider: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
  • Self-hosted: HashiCorp Vault
  • Hosted, provider-neutral: Doppler
  • CI/CD: GitHub Secrets, GitLab CI Variables

Scan for Exposed Secrets

# Detect secrets in code
cxray scan --type cce --rules secrets .

# Scan git history
cxray scan --type secrets --git-history .
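
To make the two sections above concrete, here is how a secrets scanner typically layers its rules: high-signal vendor prefixes first, then credential-like keys assigned a quoted literal (with ${VAR} placeholders, the approved form above, exempted), and finally a generic entropy check for long bare tokens that no named rule caught. This is an added example in Python, not CXRay's secrets rules; every sample line is constructed, and AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation.

```python
"""Secret detection over configuration and source lines (added example, not
CXRay's secrets rules; every sample line below is constructed)."""
import math
import re

# Vendor prefixes are the highest-signal rules. AKIA... is the AWS access key ID
# format; sk_live_ is the prefix used in the page's bad example above.
PREFIX_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "live_secret_key_prefix": re.compile(r"\bsk_live_[0-9A-Za-z]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# A credential-like key assigned a quoted literal of 8+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
# ${VAR} / $VAR placeholders are the approved pattern above, never a finding.
PLACEHOLDER = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# Any bare token long enough to be a key; judged by entropy, not by its name.
GENERIC_TOKEN = re.compile(r"\b[A-Za-z0-9+/_-]{32,}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random 32-char keys land near 5; words and 'admin123' stay below 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_lines(lines, entropy_threshold: float = 4.0):
    """Return (line_number, rule) pairs. Rules run in decreasing specificity;
    the generic entropy rule only fires on lines nothing else matched."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        before = len(findings)
        for rule, pat in PREFIX_RULES.items():
            if pat.search(line):
                findings.append((lineno, rule))
        m = ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((lineno, "hardcoded_credential"))
        if len(findings) == before:
            for tok in GENERIC_TOKEN.findall(line):
                if shannon_entropy(tok) >= entropy_threshold:
                    findings.append((lineno, "high_entropy_string"))
                    break
    return findings


# Constructed sample lines; none of these values is a real credential.
SAMPLE = [
    "database:",
    '  password: "admin123"',
    '  api_key: "sk_live_EXAMPLE0000000000000000"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    '  password: "${DB_PASSWORD}"',
    'description: "a long but ordinary sentence that should not be flagged"',
    'signing_salt: "k3Xm9QpL2vR7tW0aB5cD8eF1gH4iJ6nY"',
]

if __name__ == "__main__":
    for lineno, rule in scan_lines(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Note that "admin123" is caught by the assignment rule, not by entropy (its entropy is only 3.0 bits per character), which is why a name-based rule is needed alongside the entropy heuristic, and why the placeholder exemption matters: without it the ${DB_PASSWORD} line would be a false positive.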

Supply Chain Security

Verify Package Integrity

# Generate checksums
cxray sbom generate --checksums sha256,sha512 .

# Verify package authenticity
cxray verify --sbom sbom.json .
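
Lock files record package integrity as a Subresource Integrity (SRI) string such as sha512-<base64>, and verification is simply recomputing the digest of the downloaded artifact and comparing it. The script below is an added example in Python, not CXRay's verify command; the artifact bytes and the lock-file entry are constructed, and sri_for and verify are this example's own helpers.

```python
"""Subresource Integrity (SRI) verification of a package artifact, the same
"sha512-<base64>" form npm records in package-lock.json (added example, not
CXRay's verify command; the artifact bytes and lock entry are constructed)."""
import base64
import hashlib
import hmac

ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def parse_sri(sri: str):
    """Split an SRI value into [(algorithm, digest bytes)].

    SRI allows several space-separated hashes; unknown algorithms (md5, sha1)
    are rejected rather than silently skipped."""
    parsed = []
    for item in sri.split():
        algo, sep, b64 = item.partition("-")
        if not sep or algo not in ALGORITHMS:
            raise ValueError(f"unsupported SRI hash: {item!r}")
        parsed.append((algo, base64.b64decode(b64, validate=True)))
    if not parsed:
        raise ValueError("empty SRI value")
    return parsed


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """The SRI string a lock file should record for this artifact."""
    return f"{algo}-{base64.b64encode(ALGORITHMS[algo](data).digest()).decode()}"


def verify(data: bytes, expected_sri: str) -> bool:
    """Check the artifact against the strongest digest in the SRI value.

    Using the strongest hash mirrors what the SRI spec asks of browsers and
    stops an attacker who can only collide the weaker one. compare_digest is
    constant-time; not critical for a local check, but a good habit."""
    algo, expected = max(parse_sri(expected_sri), key=lambda p: STRENGTH[p[0]])
    return hmac.compare_digest(ALGORITHMS[algo](data).digest(), expected)


# Constructed artifact plus the lock-file entry that would pin it.
ARTIFACT = b"constructed tarball bytes standing in for pkg-1.2.3.tgz\n"
LOCK_ENTRY = {
    "version": "1.2.3",
    "resolved": "https://registry.example.com/pkg/-/pkg-1.2.3.tgz",
    "integrity": sri_for(ARTIFACT),
}
TAMPERED = ARTIFACT + b"#"

if __name__ == "__main__":
    print(LOCK_ENTRY["integrity"])
    print("original ok:", verify(ARTIFACT, LOCK_ENTRY["integrity"]))
    print("tampered ok:", verify(TAMPERED, LOCK_ENTRY["integrity"]))
```

A single appended byte changes the digest and fails verification. The integrity value only protects you if it came from a trusted lock file: an attacker who can rewrite the lock file can rewrite the hash too, which is why lock-file changes deserve review in PRs.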

Monitor for Typosquatting

# Check for suspicious package names
cxray analyze --typosquat .
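
The pinning rule from the Dependency Management section and the typosquat check above both operate on the same manifest, so one script covers both. It is an added example in Python, not CXRay's analyzer: the package.json and the short list of "popular" names are constructed, and the edit-distance threshold of 2 is this example's choice. Names that are one or two edits away from a well-known package (lodahs, chlak) are reported for review; an allowlist is needed in practice, since legitimate short names can also sit close to popular ones.

```python
"""Manifest checks for exact pinning and typosquatting (added example, not
CXRay's analyzer; the manifest and the 'popular' list are constructed)."""
import json
import re

# Exact: MAJOR.MINOR.PATCH with an optional pre-release tag. Anything else
# (^, ~, >=, *, 'latest', a git URL) can resolve to a different build later.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

# Stand-in for a feed of high-download names (constructed, deliberately short).
POPULAR = {"express", "lodash", "react", "request", "moment", "chalk"}

PACKAGE_JSON = """
{
  "dependencies": {
    "express": "4.18.2",
    "lodash": "^4.17.0",
    "lodahs": "1.0.0",
    "react": "latest",
    "chlak": "~2.4.0"
  }
}
"""


def unpinned(deps: dict) -> list:
    """Names whose spec is a range or dist-tag rather than one exact version."""
    return sorted(name for name, spec in deps.items() if not EXACT_VERSION.match(spec))


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence.
    A transposition (lodahs/lodash) costs 2 here; Damerau's variant counts it as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(deps: dict, popular=POPULAR, max_distance: int = 2) -> dict:
    """Names that are not popular themselves but sit within max_distance edits of
    a popular name: {suspicious_name: look-alike}. A heuristic for review, not proof."""
    hits = {}
    for name in deps:
        if name in popular:
            continue
        closest = min(popular, key=lambda p: levenshtein(name, p))
        if levenshtein(name, closest) <= max_distance:
            hits[name] = closest
    return hits


def check_manifest(package_json: str) -> dict:
    deps = json.loads(package_json).get("dependencies", {})
    return {"unpinned": unpinned(deps), "typosquat": typosquat_candidates(deps)}


if __name__ == "__main__":
    print(json.dumps(check_manifest(PACKAGE_JSON), indent=2))
```

On the sample manifest the unpinned set is chlak, lodash and react (the last because "latest" is a dist-tag, not a version), and lodahs and chlak are reported as look-alikes of lodash and chalk.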

Use Private Registries

Configure trusted sources, and claim your internal scope so that @mycompany packages are only ever resolved from your own registry. An unscoped internal name that does not exist on the public registry can be registered there by anyone and then be picked up by installs that fall back to it (dependency confusion); the scoped mapping below closes that path:

# .npmrc
registry=https://registry.npmjs.org/
@mycompany:registry=https://npm.mycompany.com/

Generate and Track SBOMs

# Generate SBOM for each release
cxray scan --type sbom --output sbom-v1.2.3.json .

# Compare SBOMs between releases
cxray sbom diff sbom-v1.2.2.json sbom-v1.2.3.json
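
What an SBOM diff actually computes is a component-level set difference keyed on a version-independent identity. The following is an added example in Python, not cxray sbom diff: two CycloneDX documents are constructed and trimmed to the fields the diff uses, and the identity key is derived from the package URL (purl) with its version stripped, falling back to group/name when no purl is present.

```python
"""Component-level diff of two CycloneDX SBOMs (added example, not
`cxray sbom diff`; both documents are constructed and trimmed to the fields used)."""
import json

# Release N (constructed). Versions are arbitrary, not advisories.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
# Release N+1: lodash bumped, left-pad dropped, helmet added.
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "helmet", "version": "7.1.0", "purl": "pkg:npm/helmet@7.1.0"},
    ],
})


def component_identity(component: dict) -> str:
    """Stable key for a component across versions.

    A purl is 'pkg:type/namespace/name@version?qualifiers#subpath'; strip the
    qualifiers, subpath and version. npm scopes are percent-encoded (%40) in
    purls, so the last '@' is always the version separator."""
    purl = component.get("purl")
    if purl:
        return purl.split("?")[0].split("#")[0].rsplit("@", 1)[0]
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def components(sbom_json: str) -> dict:
    """{identity: version} for every component in a CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return {component_identity(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(old_json: str, new_json: str) -> dict:
    """Added / removed / version-changed components between two SBOMs."""
    old, new = components(old_json), components(new_json)
    return {
        "added": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "removed": {k: old[k] for k in sorted(old.keys() - new.keys())},
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
    }


if __name__ == "__main__":
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=2))
```

Each entry in "added" and "changed" is a component that deserves a fresh vulnerability and license look before the release ships; extending the identity map to carry the component's hashes would additionally catch a same-version artifact whose contents changed.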

Container Security

Use Minimal Base Images

# ❌ Full OS image on a mutable tag: large attack surface, and "latest" can change under you
FROM ubuntu:latest

# ✅ Minimal distroless image: no shell or package manager; pin the tag (or a digest) in practice
FROM gcr.io/distroless/nodejs:18

Scan Container Images

# Scan Dockerfile
cxray scan --type cce Dockerfile

# Scan built image
cxray scan --type cve docker://myapp:latest

# Scan during build
docker build -t myapp . && cxray scan docker://myapp:latest

Don't Run as Root

# Create non-root user
RUN useradd -m -u 1000 appuser
USER appuser
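
The three container rules above (minimal base, pinned tag, non-root user) are the kind of thing a Dockerfile linter checks statically, and the subtlety is that only the last stage of a multi-stage build ships, so that is the stage to judge. The checker below is an added example in Python, not CXRay's cce rules: the two Dockerfiles are constructed, and the list of "full OS" base names is a short heuristic of this example's own.

```python
"""Static checks over a Dockerfile's final stage for the habits above: a
pinned, minimal base image and a non-root runtime user (added example, not
CXRay's cce rules; both Dockerfiles below are constructed)."""
import re

# Heuristic list of full-OS bases; -slim variants and distroless never match.
FULL_OS_BASES = ("ubuntu", "debian", "centos", "fedora", "amazonlinux", "rockylinux")


def parse_stages(dockerfile: str) -> list:
    """One dict per build stage: its base image and the last USER set in it.
    Backslash continuations and FROM flags such as --platform are handled."""
    text = re.sub(r"\\\n", " ", dockerfile)
    stages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]
            stages.append({"from": tokens[0], "user": None})
        elif instr == "USER" and stages:
            stages[-1]["user"] = args.strip()
    return stages


def check_dockerfile(dockerfile: str) -> list:
    """Return (rule_id, message) pairs for the stage that actually ships.

    Builder stages may run as root on a fat image; only the last FROM becomes
    the runtime image, so that is the one judged."""
    stages = parse_stages(dockerfile)
    if not stages:
        return [("no-from", "Dockerfile has no FROM instruction")]
    final = stages[-1]
    image = final["from"]
    findings = []
    if image != "scratch":
        last = image.rsplit("/", 1)[-1]        # drop registry/namespace, which may carry ':port'
        ref, _, digest = last.partition("@")   # name[:tag][@sha256:...]
        name, _, tag = ref.partition(":")
        if not digest and (not tag or tag == "latest"):
            findings.append(("mutable-tag", f"base image {image!r} is not pinned to a version or digest"))
        if name in FULL_OS_BASES and "slim" not in tag:
            findings.append(("full-os-base", f"{name!r} is a full OS image; prefer -slim or distroless"))
    if final["user"] in (None, "root", "0"):
        findings.append(("runs-as-root", "final stage sets no non-root USER"))
    return findings


# Constructed: the anti-pattern from the section above.
BAD = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y nodejs
COPY . /app
CMD ["node", "/app/index.js"]
"""

# Constructed: builder stage is root on a full image, which is fine since it never ships.
GOOD = """\
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:18-slim
WORKDIR /app
COPY --from=builder /app/dist ./dist
USER node
CMD ["node", "dist/index.js"]
"""

if __name__ == "__main__":
    for rule, msg in check_dockerfile(BAD):
        print(f"{rule}: {msg}")
    print("GOOD findings:", check_dockerfile(GOOD))
```

A digest-pinned image (name@sha256:...) satisfies the mutability check even without a tag, and a numeric USER such as 65532 counts as non-root; USER root or USER 0 does not.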

Multi-stage Builds

# Build stage
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Drop dev dependencies so only runtime packages are copied forward
RUN npm prune --omit=dev

# Production stage: no compiler, no dev tooling, no source tree
FROM node:18-slim
WORKDIR /app
COPY --from=builder /app/dist ./dist
# If the build bundles its dependencies into dist, the next two lines can be dropped
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package.json ./
USER node
CMD ["node", "dist/index.js"]

Cloud Security

Infrastructure as Code Scanning

# Scan Terraform
cxray scan --type cce terraform/

# Scan CloudFormation
cxray scan --type cce --cloud aws cloudformation.yml

# Scan Kubernetes manifests
cxray scan --type cce k8s/

Follow Least Privilege Principle

# ❌ Overly permissive
iam_policy:
  effect: Allow
  actions: ["*"]
  resources: ["*"]

# ✅ Minimal permissions
iam_policy:
  effect: Allow
  actions: ["s3:GetObject"]
  resources: ["arn:aws:s3:::my-bucket/*"]
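
The sketch above is what an IaC scanner looks for in a policy document, and the cases that slip past a naive "*" grep are Allow statements that use NotAction or NotResource, which grant everything except what is listed. The audit below is an added example in Python, not CXRay's cce rules: it reproduces the two policies above in the real AWS IAM JSON format (the documents are constructed) and reports over-broad Allow statements by rule id.

```python
"""Wildcard audit of AWS IAM policy documents (added example, not CXRay's cce
rules; the policy documents are constructed)."""
import json

# The page's two examples, in IAM JSON form.
PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
MINIMAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
})
# Looks narrow, but NotAction under Allow grants every action except iam:*.
NOT_ACTION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
})
# A Deny with wildcards only narrows access and is not a finding.
DENY_ALL = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
})


def _as_list(value):
    """IAM accepts a single string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list:
    """Return (statement_index, rule_id) for each over-broad Allow statement.

    Deny statements are skipped. A Resource of '*' is reported for review
    rather than as a hard failure: some actions (most Describe*/List* calls)
    genuinely accept no resource ARN. Only whole-service wildcards (s3:*) are
    flagged as actions; partial ones such as s3:Get* need a per-service table."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "allow-not-action"))
        if "NotResource" in stmt:
            findings.append((idx, "allow-not-resource"))
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard-action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "wildcard-resource"))
    return findings


if __name__ == "__main__":
    for name, doc in [("PERMISSIVE", PERMISSIVE), ("MINIMAL", MINIMAL),
                      ("NOT_ACTION", NOT_ACTION), ("DENY_ALL", DENY_ALL)]:
        print(name, audit_policy(doc))
```

Run as a pre-apply check, "wildcard-action" and "allow-not-action" are safe to fail on outright; "wildcard-resource" is best routed to review, since scoping it down requires knowing which of the granted actions are resource-level.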

Enable Security Monitoring

  • AWS: CloudTrail
  • Azure: Microsoft Defender for Cloud (formerly Azure Security Center)
  • GCP: Security Command Center

Compliance and Governance

Automate Compliance Checks

# Check CIS compliance
cxray scan --type cce --standard cis .

# Check PCI-DSS requirements
cxray scan --type cce --standard pci-dss .

# Generate compliance report
cxray report --compliance sox,hipaa .

Maintain Audit Trail

# Export scan history
cxray export --scans --from 2023-01-01 --to 2023-12-31

# Generate audit report
cxray audit --project myapp --output audit-2023.pdf

Regular Security Reviews

Schedule periodic reviews:

  • Weekly: Review new vulnerabilities
  • Monthly: Audit dependencies and configurations
  • Quarterly: Comprehensive security assessment
  • Annually: Third-party security audit

Continuous Improvement

Measure Security Metrics

Track key indicators:

  • Mean time to remediate (MTTR)
  • Vulnerability density
  • Scan coverage percentage
  • Policy violation trends

# Generate metrics dashboard
cxray metrics --dashboard --output metrics.html

Stay Informed

  • Subscribe to security advisories
  • Monitor CVE databases
  • Follow security researchers
  • Attend security conferences

Team Training

  • Conduct security awareness training
  • Share vulnerability findings and learnings
  • Practice incident response scenarios
  • Encourage security champions

Next Steps