Discover how a leading healthcare platform, staffed by a team of 700 engineers, harnesses StepSecurity's solutions in their enterprise GitHub Actions environment. This initiative fortifies against CI/CD security threats without compromising developer productivity.
Runners: Self-Hosted & GitHub-Hosted
A pioneer in cloud technology for the healthcare sector, this company caters to numerous top-tier healthcare enterprises. Their platform, crucial for processing and storing sensitive healthcare data, demands unparalleled security. Due to their industry regulatory requirements, any data breach can have severe consequences. Therefore, maintaining the highest level of security is not just a matter of company policy, but a critical necessity in safeguarding patient trust and complying with stringent industry regulations. This company has a security conscious culture where everyone in engineering understands that security is everyone’s responsibility.
Transitioning from Jenkins, the company was looking for a robust security framework for its new GitHub Actions environment. These were the key security challenges:
1. As most of the code in a typical GitHub Actions workflow comes from third-party components, the DevSecOps team was worried about supply chain attacks and other security risks due to the use of untrusted third-party code.
2. The company uses GitHub Actions to continuously deploy to their cloud environment which substantially increased their CI/CD risk.
3. Given the company wanted to use self-hosted and GitHub-hosted runners, they wanted to secure their runner environments.
4. The team had performed risk assessment of a few third-party GitHub Actions, they realized that the review process was time consuming. In addition, they were also concerned about the third-party review process causing developer friction due to delays. They were looking for a holistic solution to secure the use of third-party GitHub Actions in their pipelines without impacting developer productivity.
The DevSecOps team was looking for an effective solution that could provide static as well as runtime security, specifically tailored to address GitHub Actions-related. They tried to use their existing application and cloud security services in their GitHub Actions environment, but these solutions failed to meet their requirements.
The company selected StepSecurity as a solution to:
1. Setup a third-party GitHub Actions review process.
2. Implement network and runtime security across GitHub-hosted and self-hosted runners.
3. Setup consistent and standard set of workflows across repositories.
4. Comply with GitHub Actions security best practices
The journey began with a lead DevSecOps engineer discovering StepSecurity due to its wide-spread open-source adoption. They did the initial evaluation of StepSecurity in their private GitHub account using StepSecurity’s self-signup capabilities.
The lead engineer then reached out to StepSecurity to begin a PoC with their enterprise GitHub account. They worked with their DevOps team to install the StepSecurity App in their enterprise GitHub account and deployed the first StepSecurity control within minutes after that. The StepSecurity GitHub App only needs access to GitHub Actions build logs and Actions & secrets metadata, it does not require access to source code or any other proprietary data. This made it easier for the DevSecOps engineer to get buy-ins from other internal stakeholders. After trying out StepSecurity for 30-days, the team decided to acquire a StepSecurity license.
In under two months, StepSecurity's security controls were implemented across all workflows. The company uses reusable workflows extensively and StepSecurity controls natively integrates with reusable workflows, extending control coverage across a large number of workflows with the least amount of code changes.
The company employs StepSecurity harden-runner across hundreds of their enterprise private code repositories and thousands of GitHub Actions workflows. Using Harden-Runner, the team restricted network traffic for all sensitive workflows such as the ones for deployment and building container images. In addition, the team has setup a security response process for real-time Harden-Runner alerts.
They use StepSecurity’s automated remediation platform to implement GitHub Actions security best practices in all their GitHub Actions workflows. It protects thousands of CI/CD pipeline runs every day. The StepSecurity platform helps them discover deviations from their GitHub Actions security baseline and remediates them with ease through StepSecurity automation.
With StepSecurity Maintained Actions and Action Advisor, the company has implemented a proactive process for managing new third-party actions being introduced in their pipelines. They use StepSecurity Actions Advisor for analyzing risks associated with the GitHub Actions their developers are requesting to be introduced. For risky third-party actions being requested, they use StepSecurity Maintained Actions instead.
The DevSecOps team has created internal engineering documentation so that developers can use StepSecurity services and troubleshoot occasional issues on their own without any assistance from the DevSecOps team.
With StepSecurity, the company could implement:
1. Paved path for developers to use safe and reliable StepSecurity Maintained actions which reduces risk and improves developer productivity.
2. Real-time network and runtime security to actively block CI/CD supply chain attacks.
3. Standardization of GitHub Actions workflows across repositories.
4. Continuous monitoring of compliance with GitHub Actions best practices and auto-mated remediation.
StepSecurity provides security observability and preventative security controls for GitHub Actions that the company was lacking earlier. The company secures approximately 3,000 GitHub Actions workflows across more than 800 different repositories using StepSecurity. In addition, the company is projecting to save 200 developer hours/year on third-party actions security review and maintenance of forked Actions. StepSecurity was pivotal in encouraging the company transition to GitHub Actions from their legacy CI/CD platform as they could accelerate developer velocity while having better security controls compared to their legacy CI/CD provider.
Google Automates GitHub Actions Security for their Open-Source Projects with StepSecurity
This case study talks about how Google leverages StepSecurity’s GitHub Actions security platform to harden their GitHub-hosted runners and automate various GitHub Actions security best practices in several of their open-source projects.
CISA Enforces Network Egress Control and CI/CD Infrastructure Security to Harden their GitHub-hosted Runners
CISA’s case study talks about how it leverages StepSecurity Harden-Runner 's network egress control and runtime security in over 175 GitHub repositories to prevent Codecov and SolarWinds-style attacks.