It’s one thing to create a platform to support software development. But it requires special expertise to build out one that specifically employs AWS best practices and meets rigorous compliance requirements.

The challenge is further intensified when the software development process relies on open-source libraries to accelerate time-to-market. With open-source libraries come open-source vulnerabilities.

The Assignment – New AWS Environment

When a life sciences organization requested ClearScale’s assistance in creating infrastructure for a new software project, the ClearScale team knew a multi-faceted approach would be required. In addition to being built to AWS best-practice standards, the infrastructure the client wanted had to comply with HIPAA regulations and standards. Security processes and technologies would be essential for meeting the compliance requirements, as well as for mitigating potential vulnerabilities arising from the open-source libraries. The solution also needed to encompass continuous integration and continuous deployments.

The ClearScale Solution

As an AWS Premier Consulting Partner, ClearScale drew upon its AWS expertise to select the services that best met the client’s needs while keeping the solution cost-effective and efficient. The solution also incorporates various open-source components, further reducing overall costs and helping to speed up the software development process.

At the application tier, key services include Amazon Elastic Container Service (Amazon ECS), a highly scalable, fast container management service that makes it easy to run, stop, and manage Docker containers running on AWS infrastructure.

Amazon Fargate, a compute engine for Amazon ECS, enables running containers without having to manage servers or clusters. This allows for focusing on designing and building applications instead of managing the infrastructure that runs them.

At the database tier, Amazon Relational Database Service (Amazon RDS) provides cost-efficient, resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, and backups. It’s used with the MySQL engine, an open-source relational database management system (RDBMS).

At the storage tier, S3 buckets store AngularJS site content, private repositories, ALB access logs, and AWS Config trail logs.

Among the many other services is AWS CloudFormation, with CloudFormation stacks configured to allow for deploying multiple applications in the same VPC and subnets. Amazon CloudWatch serves as a monitoring service for the AWS Cloud resources and applications. AWS Key Management Service (KMS) provides an easy way to create and control the encryption keys used for data encryption. It’s integrated with other AWS services to help protect the data stored with them. AWS CloudTrail provides logs of all AWS usage to help meet regulatory and compliance needs.

Architecture Diagram

The Snyk Component

To address the issue of vulnerabilities arising from the open-source libraries, ClearScale selected Snyk, a security platform for open-source dependencies. The commercial service focuses on JavaScript (software library) dependencies. This helps ensure that third-party libraries in the client’s software are secure.

In the ClearScale solution, Snyk scans the software every time it’s committed to the GitHub repository. It also allows for scanning Docker containers during the build process.

All code and software are scanned against Snyk’s vulnerability database, which gets its data from the National Institute of Standards and Technology National Vulnerability Database (NIST NVD) and Node Security Project (NSP). Notification of any issues is sent in near real-time. This gives the client a full report so it can make immediate fixes to meet and maintain compliance requirements.
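One way to wire the two scans described above (a dependency scan on every commit and a container scan during the build) into a GitHub-based CI pipeline, as an added example that is not ClearScale’s or the client’s own configuration: the workflow assumes a Node.js project with a Dockerfile at the repository root and a SNYK_TOKEN repository secret; the image tag and report file names are placeholders.

```yaml
name: snyk-dependency-and-container-scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}    # assumption: API token stored as a repo secret
      IMAGE: app-under-test:${{ github.sha }}   # assumption: local tag only, never pushed by this job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install Snyk CLI
        run: npm install -g snyk
      - name: Install app dependencies so the lockfile resolves
        run: npm ci
      # 1. Scan the JavaScript dependency tree on every commit.
      #    snyk test exits non-zero when findings reach the threshold, so the job fails
      #    and the change cannot merge until the dependency is upgraded or patched.
      - name: Snyk open-source dependency test
        run: snyk test --severity-threshold=high --json-file-output=snyk-deps.json
      # 2. Build the container image the same way the deploy pipeline does ...
      - name: Build image
        run: docker build -t "$IMAGE" .
      # 3. ... and scan the image layers plus the Dockerfile before it can reach ECS.
      - name: Snyk container test
        run: >
          snyk container test "$IMAGE" --file=Dockerfile
          --severity-threshold=high --json-file-output=snyk-image.json
      # Keep the raw findings as a build artifact for the compliance record,
      # even when a scan step fails.
      - name: Upload scan reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: snyk-reports
          path: snyk-*.json
```

Raising or lowering --severity-threshold sets the policy line for what blocks a build; the JSON reports give auditors the evidence that every commit was scanned.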

Results

Thanks to the comprehensive solution developed by ClearScale, the client now has a robust, reliable infrastructure to support software development. Mechanisms are in place to mitigate vulnerabilities arising from the open-source libraries the company uses in its software development process. Cost-effective and efficient, the solution also helps the client meet a variety of compliance requirements — and maintain compliance — without interrupting or delaying any aspect of its software development process.

What Can We Do for You?

Whether you need specially designed infrastructure or customized security solutions, ClearScale can help. Tell us what your security and compliance challenges are. We can devise a solution to meet them.