
Game Warden Platform

Game Warden is a Department of Defense (DoD)-authorized DevSecOps platform that quickly, securely, and cost-effectively deploys SaaS solutions into government networks – streamlining the software delivery process. Game Warden provides all tooling required to secure, harden, and run your applications.

GitLab

Game Warden tooling includes GitLab, which is a DevSecOps platform used to store code, track issues, and develop and deploy Continuous Integration and Continuous Delivery (CI/CD) pipelines. These pipelines move your applications through Game Warden's scanning, hardening, and deployment processes.

Within these pipelines, the Game Warden team uses Anchore Enterprise and Prisma Cloud to perform primary image security scans which produce a manifest of Common Vulnerabilities and Exposures (CVEs). As the name implies, this report identifies application image issues that require your attention. You can view and address CVEs in Scan Lab, accessible via the Game Warden Web App and, more specifically, App Central.

Harbor Registry

An open source and feature-rich registry, Harbor manages the images you push into this environment. As your images navigate the scanning and hardening processes, tags are appended to the end of your image names to designate the status of each. For additional information, read Harbor Registry.

Our Continuous Integration/Continuous Deployment (CI/CD) pipelines move your images through the scanning and hardening processes. The Game Warden team uses Anchore Enterprise and Prisma Cloud to both scan/harden images and identify vulnerabilities. The team also uses ClamAV for malware detection.

Clarification on Images and Containers

Docker, at its core, is a Platform as a Service (PaaS) that enables developers to build and deploy containers, which store applications and their dependencies. Because a container stores an application together with every component it needs to run, containerized applications function as designed regardless of where you deploy them.

A Dockerfile is a text file that includes instructions on how to build an image. A Docker image can have several layers. The first layer is the base image and represents the foundation upon which you build other images. You must not modify the base image.

Multiple images combine to form a single application, with each image providing a specific function. For example, you might use rhel, commonly known as ubi, as your base image; ubi is a universal base image that functions as an operating system. On top of this unmodified ubi base image, you might add nginx (pronounced “engine-x”). nginx, which has many uses, might function as your web server. You might add other images as well; each provides additional functionality that aligns with a specific application need. Again, all images combine to form a single application that includes the functionality designated by each.

Pipelines, Processes

A pipeline is a set of automated tasks, and the vehicle the Game Warden team uses to move your applications through the scanning, hardening, and deployment processes. Our engineers establish Game Warden infrastructure, tooling, and access controls for your application. They also establish pipelines along with bootstrap scripts. Pipelines determine the CI/CD path for coding, testing, and deploying your applications. Bootstrap scripts automate image or container movement, promoting both efficiency and speed. You can view some of the pipelines in Scan Lab, which provides insight into your images' progression through our processes.

Your application must undergo a rigorous process of image scanning and hardening coupled with mandatory approval by our Security team prior to any deployments.

Our Security team examines three layers of security controls:

  • IaC Infrastructure (AWS)
  • Platform (Kubernetes)
  • Applications

Game Warden generates a body of evidence, the Deployment Passport, that allows the government to make a security determination and grant a Certificate to Field (CtF). A memo which annotates customer expectations, the CtF also serves as the cover letter for the Deployment Passport and includes the signature of the government Information Systems Security Manager (ISSM). The Security team along with a government official must review your architecture, diagrams, and other information before approving this Deployment Passport. The Deployment Passport document includes the System Security Plan (SSP), vulnerability scan results, any required external approvals, and proof of a government contract for your company. This ISSM signature-approved document serves as your ticket into the DoD, as you inherit our Authority to Operate (ATO).

You must have a signature-approved Deployment Passport for each Impact Level containing applications you want to deploy into STG and PRD. Our engineers do not require a signature-approved Deployment Passport to deploy applications into DEV.

ATO is a designation a government official provides on behalf of a Federal agency that authorizes companies or organizations to operate their IT systems on a government network. Government officials grant ATOs to companies who have proven that their IT systems are secure and pose limited (if any) risks to their environments. Similar to an admissions ticket, an ATO is the government’s official approval and acceptance that allows you to run your applications in this government space.

For your first deployment, which is into DEV, you require neither a signature-approved Deployment Passport nor an ATO. Clients must obtain Government Access Cards to access the DEV environment. In GovCloud, DEV is an Impact Level 2 (IL2) space. DEV IL2 houses non-classified data with generally open access policies. Our engineers commonly access DEV IL2 to configure the environment and ensure your application functions as designed.

After functional testing is complete in DEV, you have addressed any security concerns, and you have received a signed Deployment Passport (and inherited our ATO), Game Warden engineers deploy your application into the Staging (STG) environment. In GovCloud, STG is commonly IL4 and can house Controlled Unclassified Information (CUI). Only a limited number of people have access to this environment. Here, engineers usually perform application-level tasks and, again, must ensure your application functions properly. Extensive testing is performed at this juncture.

Upon testing completion, Game Warden engineers deploy your application into PRD. This is a live environment, accessible to your users. The Game Warden team can deploy applications to IL4+, using additional security controls for higher levels of access.

After Game Warden engineers deploy your application into PRD, our Site Reliability Engineers (SREs) perform Day 2 activities, including monitoring your site to ensure stability. There are also Day 2 customer interactions. SREs use tooling to capture logs, monitor your applications, and send alerts. As a customer, you get our 24-hour incident response and help desk support with continuous monitoring and alerting.

Platform Security

To ensure the Game Warden platform remains secure, our team uses third parties to validate the security built into this environment. In addition, the government examines our platform from an accreditation standpoint, and we also have a third-party company that performs routine penetration testing of our Game Warden environment.

FAQ

Why does 2F ask for Dockerfiles when containers are pushed?

We ask for Dockerfiles to aid in our container hardening process. We use a set of scripts that strip out most commands, users, and files that are not needed from the base image. Providing us with the Dockerfiles gives us insight into which users, files, and commands your container needs in order to run properly once hardened. This allows us to get your containers to a secure yet still functional state much more quickly.

Does an image go through the entire pipeline each time?

Each run through the pipeline after the first should be much easier. It will go from providing justifications for each vulnerability to verifying that the vulnerabilities match what has already been approved and only providing justifications for anything new.

What does the Game Warden custom hardening process entail/include?

Custom hardening will vary depending on what each container contains (databases, for example). In general, we use hardening scripts to remove all unnecessary files, users, and commands to reduce the attack surface of your application and ensure it successfully passes our pipeline checks (for example, Anchore Enterprise, Prisma Cloud, security validations, and linking).
The hardening scripts are built on image hardening best practices. If your image has no dedicated non-root user, we create one and adjust permissions so that it can run the specific scripts or commands your container requires. We then:

  • remove unnecessary user accounts;
  • remove interactive login shells for every account except that specific user;
  • remove temporary files left behind by sed commands;
  • ensure system directories are owned by root and are not writable by other users;
  • remove existing crontabs;
  • remove kernel tunables;
  • remove fstab, since a container does not need it;
  • remove all but a handful of administrative commands, keeping only the executables the container needs (cat, bash, sh, ls, cd, etc.);
  • remove broken symlinks.
After hardening, we work with you to ensure this process did not break any app functionality, and everything still works as intended.
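The hardening steps described above, applied to an unpacked root filesystem, as an added example (this is not Game Warden's own hardening script). It assumes the image has already been exported to a directory (for instance with `docker export`) and takes the name of the one account that keeps an interactive shell; the account name `appuser`, the command allowlist, and the fixture built by `make_fixture()` are constructed for this illustration.

```python
"""Image hardening on an exported rootfs. Added example, not Game Warden's scripts.
Assumes the image is unpacked under a directory; `appuser` and the fixture are constructed."""
import shutil
import stat
import tempfile
from pathlib import Path

NOLOGIN = "/sbin/nologin"
# Executables kept after pruning (the FAQ names cat, bash, sh, ls, cd; cd is a
# shell builtin, so there is no binary to keep for it). Constructed allowlist.
KEEP_COMMANDS = {"cat", "bash", "sh", "ls"}
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")
# Files a running container does not need: fstab, kernel tunables, crontabs.
UNNEEDED = ("etc/fstab", "etc/sysctl.conf", "etc/sysctl.d",
            "etc/crontab", "etc/cron.d", "var/spool/cron")
SYSTEM_DIRS = ("etc", "usr", "usr/bin", "usr/lib", "usr/local", "var")


def _remove(path):
    """Delete a file, symlink or directory tree without following symlinks."""
    if path.is_symlink() or path.is_file():
        path.unlink()
    elif path.is_dir():
        shutil.rmtree(path)


def harden_rootfs(rootfs, app_user):
    root = Path(rootfs)
    report = {"shells_disabled": [], "removed": [], "pruned": [],
              "perms_fixed": [], "not_root_owned": [], "broken_symlinks": []}

    # Interactive login shells: only app_user keeps one, everyone else gets nologin.
    passwd = root / "etc/passwd"
    entries = []
    for line in passwd.read_text().splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] != app_user and fields[6] != NOLOGIN:
            report["shells_disabled"].append(fields[0])
            fields[6] = NOLOGIN
        entries.append(":".join(fields))
    passwd.write_text("\n".join(entries) + "\n")

    # fstab, kernel tunables and crontabs, plus temp files left by `sed -i`.
    for rel in UNNEEDED:
        if (root / rel).is_symlink() or (root / rel).exists():
            _remove(root / rel)
            report["removed"].append(rel)
    for leftover in list(root.rglob("sed??????")):
        if leftover.is_file():
            leftover.unlink()
            report["removed"].append(str(leftover.relative_to(root)))

    # System directories: strip group/other write bits. Ownership is only
    # reported here because chown needs root; a real build runs this as root.
    for rel in SYSTEM_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            d.chmod(mode & ~(stat.S_IWGRP | stat.S_IWOTH))
            report["perms_fixed"].append(rel)
        if d.stat().st_uid != 0:
            report["not_root_owned"].append(rel)

    # Executables: remove everything not on the allowlist.
    for rel in BIN_DIRS:
        d = root / rel
        if d.is_dir() and not d.is_symlink():
            for exe in list(d.iterdir()):
                if exe.name not in KEEP_COMMANDS:
                    _remove(exe)
                    report["pruned"].append(exe.name)

    # Broken symlinks, including any that the pruning above just created.
    for p in list(root.rglob("*")):
        if p.is_symlink() and not p.exists():
            p.unlink()
            report["broken_symlinks"].append(str(p.relative_to(root)))
    return report


def list_commands(rootfs, bindir="usr/bin"):
    """Sorted names of the executables left in a bin directory."""
    return sorted(p.name for p in (Path(rootfs) / bindir).iterdir())


def login_shells(rootfs):
    """Account name -> login shell, read back from etc/passwd."""
    lines = (Path(rootfs) / "etc/passwd").read_text().splitlines()
    return {l.split(":")[0]: l.split(":")[6] for l in lines if l.count(":") == 6}


def make_fixture():
    """Constructed sample rootfs containing the things the hardening removes."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    for rel in ("etc/cron.d", "var/spool/cron", "usr/bin", "usr/lib", "usr/local"):
        (root / rel).mkdir(parents=True)
    (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                      "bin:x:1:1:bin:/bin:/sbin/nologin\n"
                                      "games:x:12:100:games:/usr/games:/bin/sh\n"
                                      "appuser:x:1001:1001::/app:/bin/bash\n")
    (root / "etc/fstab").write_text("/dev/sda1 / ext4 defaults 0 1\n")
    (root / "etc/sysctl.conf").write_text("net.ipv4.ip_forward = 1\n")
    (root / "var/spool/cron/root").write_text("0 * * * * /usr/bin/true\n")
    (root / "etc/sedA1b2C3").write_text("")  # leftover from an interrupted sed -i
    for name in ("cat", "bash", "sh", "ls", "curl", "wget", "python3.11"):
        (root / "usr/bin" / name).write_text("#!/bin/sh\n")
    (root / "usr/bin/python3").symlink_to("python3.11")
    (root / "usr/lib/python-launcher").symlink_to("../bin/python3.11")  # breaks once pruned
    (root / "usr/lib/libold.so").symlink_to("libold.so.1")              # already broken
    (root / "usr/local").chmod(0o777)                                    # world-writable
    return root


if __name__ == "__main__":
    fixture = make_fixture()
    for key, items in harden_rootfs(fixture, "appuser").items():
        print(f"{key}: {items}")
    print("commands left:", list_commands(fixture))
```

Run as-is it hardens the constructed fixture and prints what it changed. The report is the useful artifact: it is the list of users, files and commands you would compare against your Dockerfile to confirm nothing the application needs was stripped, which is the check the FAQ describes doing with you after hardening.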

What tool does Game Warden use to generate the Software Bill of Materials (SBOM)?

We utilize Anchore for the Software Bill of Materials (SBOM).

What security scan tools does Game Warden use, and which ones should I use?

The security scanners that Game Warden uses are Trivy and Anchore Enterprise for CVEs (Anchore Enterprise uses Grype and Syft for part of its scanning), Anchore Compliance for compliance checks, and ClamAV for malware detection. These tools deliver all security findings on your pushed images to Scan Lab in the Game Warden web application.
We highly encourage you to test your images before pushing them to Game Warden, so that you can work to resolve security findings and have a better idea of what findings to expect when they run through the Game Warden pipeline. We recommend the free, open source tools Trivy and Grype for your own scanning. They surface most of the findings that Game Warden’s tools do, except for some DoD-specific findings. We recommend these free tools because the versions we use are typically not cost-effective for Game Warden customers to purchase, considering the small delta in security findings surfaced.
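An added example (not Game Warden's tooling) that ties the two FAQ answers above together: it normalizes Trivy and Grype JSON output into one set of findings keyed by (CVE id, package, installed version) and compares it against the findings approved on a previous run, so that a repeat run only needs justifications for what is new. The JSON excerpts are constructed in the shape of `trivy image -f json` and `grype -o json` output (field names are assumed from those formats; check them against your tool versions), the CVE identifiers are placeholders rather than real vulnerabilities, and the approved set is constructed.

```python
"""Scan-finding triage against an approved baseline. Added example, not Game Warden's
tooling. JSON shapes assumed from `trivy image -f json` and `grype -o json`; the CVE
identifiers below are placeholders, not real vulnerabilities."""
import json

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed Trivy excerpt (placeholder CVE ids).
TRIVY_JSON = json.dumps({"Results": [{
    "Target": "app:1.1 (redhat 9.3)", "Type": "redhat",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-1001", "PkgName": "openssl-libs",
         "InstalledVersion": "1:3.0.7-1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-1002", "PkgName": "curl",
         "InstalledVersion": "7.76.1-19", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-1003", "PkgName": "glibc",
         "InstalledVersion": "2.34-60", "Severity": "CRITICAL"},
    ]}]})

# Constructed Grype excerpt (placeholder CVE ids); one finding overlaps with Trivy.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-1001", "severity": "High"},
     "artifact": {"name": "openssl-libs", "version": "1:3.0.7-1"}},
    {"vulnerability": {"id": "CVE-0000-1004", "severity": "Low"},
     "artifact": {"name": "libxml2", "version": "2.9.13-3"}},
]})

# Findings justified and approved on the previous pipeline run (constructed).
APPROVED = {
    ("CVE-0000-1001", "openssl-libs", "1:3.0.7-1"),
    ("CVE-0000-1002", "curl", "7.76.1-19"),
}


def parse_trivy(text):
    """Yield (id, package, version, SEVERITY, tool) tuples from Trivy JSON."""
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                   v.get("Severity", "UNKNOWN").upper(), "trivy")


def parse_grype(text):
    """Yield (id, package, version, SEVERITY, tool) tuples from Grype JSON."""
    for m in json.loads(text).get("matches", []):
        yield (m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"],
               m["vulnerability"].get("severity", "Unknown").upper(), "grype")


def merge_findings(*streams):
    """Combine per-tool findings; the same (id, package, version) reported by two
    tools becomes one finding carrying both sources and the higher severity."""
    merged = {}
    for stream in streams:
        for vuln_id, pkg, ver, sev, tool in stream:
            f = merged.setdefault((vuln_id, pkg, ver),
                                  {"id": vuln_id, "package": pkg, "version": ver,
                                   "severity": sev, "sources": set()})
            f["sources"].add(tool)
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(f["severity"], 0):
                f["severity"] = sev
    for f in merged.values():
        f["sources"] = sorted(f["sources"])
    return merged


def triage(findings, approved):
    """Split findings into already-approved and new (needs a justification), worst first.
    The key includes the installed version, so a package upgrade that keeps the same
    CVE id shows up as new and gets re-justified rather than silently inheriting approval."""
    def order(f):
        return (-SEVERITY_RANK.get(f["severity"], 0), f["id"])
    out = {"approved": [], "new": []}
    for key, f in findings.items():
        out["approved" if key in approved else "new"].append(f)
    for bucket in out.values():
        bucket.sort(key=order)
    return out


def needs_justification(result):
    """True when the scan surfaced anything not already covered by the baseline."""
    return len(result["new"]) > 0


if __name__ == "__main__":
    findings = merge_findings(parse_trivy(TRIVY_JSON), parse_grype(GRYPE_JSON))
    result = triage(findings, APPROVED)
    for f in result["new"]:
        print(f"NEW {f['severity']:<8} {f['id']} {f['package']} {f['version']} "
              f"({','.join(f['sources'])})")
    for f in result["approved"]:
        print(f"OK  {f['severity']:<8} {f['id']} {f['package']} {f['version']}")
```

Running the two scanners locally and feeding their JSON into this kind of comparison before a push gives you roughly the view Scan Lab will give you afterwards: the overlap between tools collapses to single findings, and the "new" list is the set of justifications you will be asked to write.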


Last Updated: 06/20/2024
