What is Ansible Lightspeed?

Red Hat Ansible Lightspeed, armed with the formidable watsonx Code Assistant, leverages generative artificial intelligence (AI) to transform user prompts into code recommendations built on Red Hat Ansible Automation Platform best practices. Merging the realms of AI and Information Technology (IT), Red Hat Ansible Lightspeed can be used to enhance the productivity of automation developers and extend trust in the automation codebase.

Leveling up the code with Red Hat’s Secure Development Lifecycle

Red Hat’s Secure Development Lifecycle (RH-SDL) focuses on software development with a security mindset throughout the entire lifecycle of the software. It implements a range of security controls during each phase of software development. This blog talks about how Red Hat’s Secure Development Lifecycle is applied to Red Hat Ansible Automation Platform and its outcomes.

The RH-SDL introduces a robust set of controls:

• Secure Development Training: Equipping all engineering teams with fundamental security knowledge.
• Threat Modeling: Integrating security consultants during the architecture and design phase for proactive security considerations.
• Manifesting: Managing and tracking software dependencies to avoid introducing unknown vulnerabilities.
• Static Application Security Testing (SAST): Upholding secure coding practices during implementation and have the ability to catch flaws related to code during the entire lifecycle.
• Penetration Testing: Proactively identifying vulnerabilities through internal testing before potential external threats.
• Dynamic Application Security Testing (DAST): Automating attacks to catch already introduced weaknesses and/or regressions.
• Malware Detection: Safeguarding against supply chain attacks by scanning artifacts for potential malicious elements.
• Security Architecture Review (SAR): Validating implementation against expected security design principles and implementation practices.
• Vulnerability Management: The final phase of secure development focuses on vulnerability management and the necessary steps Red Hat must take to remediate and respond to vulnerabilities in our products and supported services.

Ansible Lightspeed is one of Red Hat’s software tools that has fully embraced secure development lifecycle concepts from its inception.

Harmony in Collaboration: Engineering and Security teams unite

The integration of a secure development lifecycle into the Ansible Lightspeed development process presented several challenges, with collaboration between the Red Hat Product Security team and the development team emerging as a pivotal factor. Seamless cooperation became imperative for success. First and foremost, the Engineering team had to understand the reasons for a secure development lifecycle and how this would benefit them and the broader business landscape. Meticulous planning was required for the implementation of different controls. Once the controls were in place, the Product Security team collaborated closely with the developers to address different findings uncovered by security controls, such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). This collaborative process not only remedied existing issues but actively involved engineers in discussions, imparting knowledge to prevent similar weaknesses and vulnerabilities in future developments. This is not a once-and-done initiative, the cycle repeats as controls are validated and the teams move on to iteratively improve the security controls and layers of security with every version.

Navigating the RH-SDL integration journey

The integration of a secure development process before Ansible Lightspeed's general availability (GA) was a clear and beneficial process. Direct collaboration with the Product Security team helped navigate uncertainties to keep engineers on the right track to prevent weaknesses and vulnerabilities and adeptly handle any emerging issues.

Throughout the creation of this service, the Ansible Lightspeed team partnered with many internal and external teams which created dependencies and caused many different unanticipated changes to the service from the initial scope. 

Strategies employed by the Ansible Lightspeed team included:

• Secure Development Training: The team prioritized completing training sessions to ensure each member understood how to implement controls accurately. Daily scrum check-ins proved instrumental in advancing this training.
• Threat Model: Engaging in multiple meetings with the Product Security team, the Engineering team meticulously reviewed diagrams, documentation, and development plans to embed security considerations at every stage.
• Manifesting: To maintain a comprehensive overview of our codebase's dependency tree, we automated the generation of manifests and SBOMs, which benefited Engineering teams right from the beginning of the development.
• SAST: Efforts focused on configuring the SAST tool across all repositories, with meticulous documentation of our workflow processes, was a prerequisite for all controls. In our documentation, we outlined procedures for addressing findings to ensure thorough remediation.
• DAST: The team implemented a streamlined workflow utilizing Red Hat Product Security's RapiDAST, and then used the rapidast-results-parser to create a report with all of the relevant information. We also implemented a process for triage and remediation of findings.
• Security Architecture Review: During this critical review, the Product Security team assessed all security implementations, ensuring all findings were promptly addressed before GA. This step is critical to help Red Hat products adhere to security standards. This process demanded robust cooperation with diligent documentation and ongoing updates to streamline control execution.
• Penetration Testing: The timing of a penetration test is critical, as it requires a stable environment but should also be completed early enough to allow Engineering teams to resolve findings before the release date. In the case of Ansible Lightspeed, the Product Security team completed penetration testing before GA and unearthed two critical vulnerabilities in the service:
  • A distributed denial-of-service (DDoS) vulnerability in a 3rd party dependency;
  • Remote command execution through a plugin.

Since we had already worked through the other remaining RH-SDL controls, the team could focus their energy on fixing the vulnerabilities by disabling the setting for configuring a file path and providing a default configuration from within to override any potential for future vulnerabilities.

• Malware Scanning: The team implemented ClamAV and documented our feedback process in our Standard Operating Procedures (SOP) repository. This control was executed as the final step before product release to safeguard against malicious artifacts.

The team's collaborative efforts were instrumental in overcoming these challenges, enabling Ansible Lightspeed to adhere to high security standards throughout its development journey.

Future with Ansible Lightspeed and the RH-SDL

While the initial integration worked towards securing Ansible Lightspeed for GA, the secure development journey does not end here. The RH-SDL remains intertwined with the software throughout its lifecycle, addressing vulnerabilities and keeping engineers informed of new security threats. The future with Ansible Lightspeed and Red Hat’s Secure Development Lifecycle (RH-SDL) promises a continued commitment to excellence in the ever-evolving landscape of DevSecOps.