Technology has advanced to a state where clients now expect a constant stream of updates for their software and applications. To fulfill this demand, developers commonly turn to what’s known as a CI/CD pipeline. As noted by Synopsys, this practice embraces two important software development concepts of today’s streamlined world:
- Continuous Integration (CI): The effort of software engineers to assimilate their work together as much as possible. They oftentimes use automation tools that support building and testing with the purpose of creating a software-defined lifecycle.
- Continuous Delivery (CD): The orchestration of software’s construction, configuration and packaging to allow a product’s release at any moment. CD relies on a balance of low cost and high automation to deliver software packages on a timely basis.
CI and CD coalesce to create a number of advantages for software developers. According to Code Dx, the CI/CD union injects agility into the software development process by enabling developers to build components, integrate their work and address errors incrementally, thereby avoiding lengthy delays at the end of the development process. This translates into faster deployment of the software. Additionally, by allowing developers to fix errors on an ongoing basis, CI/CD allows developers to create better apps by freeing up their time to focus on more important tasks like usability testing.
Security and the CI/CD Pipeline
A CI/CD pipeline constitutes a crucial bridge between the development organization and those consumers who use its products. This significance isn’t lost on digital attackers. They know that by gaining access to the CI/CD pipeline, they can corrupt the software delivery process and potentially pull off something resembling what happened to MeDoc in the case of NotPetya.
Such threats highlight the importance of applying security to the CI/CD pipeline. But that’s not exactly a straightforward process. Per data engineer Matt Boegner, organizations must coordinate their efforts to secure the CI/CD pipeline within the scope of three separate yet complementary frames:
- Security of the pipeline: This concept deal with protecting the CI/CD pipeline overall including who has access to it and what authentication they need to push changes.
- Security in the pipeline: Organizations need to protect what flows through their CI/CD pipeline by analyzing their code for potential security vulnerabilities and other flaws.
- Security automation: The notion of security automation streamlines an organization’s defense against and response to potential security incidents.
Let’s now look at each of these considerations in greater detail and identify how exactly organizations can fulfill them in protecting their CI/CD pipelines.
Security of the Pipeline
Per CodeDx, organizations can ensure the security of their CI/CD pipeline with relative ease so long as they’ve followed the best practices for DevSecOps. They should specifically require authentication for anyone to push changes to the CI/CD pipeline, implement login tracking and confirm that builds reside on secure servers only.
Security in the Pipeline
In contrast to security of the pipeline, security in the pipeline is a bit more involved. Organizations should focus on several best practices in particular:
Static Analysis Tools
Static analysis tools are important as they can check an application’s code for software vulnerabilities and coding errors. When implementing these utilities, organizations should enforce the usage of IDE plugins and linters by entire teams of developers to standardize their incorporation of security into their efforts. They should also employ code quality tools that can specifically analyze open-source components on which their applications depend for known vulnerabilities. Ideally, organizations will be able to integrate these tools with Jenkins, Travis CI or CircleCI and schedule their analysis windows appropriately to not affect the build process.
Peer Code Reviews
Organizations can improve the quality of their code with informal walkthroughs or formal inspections. That being said, they can’t analyze every line of code. Teams should therefore follow Boegner’s recommendation and come up with a security checklist such as OWASP’s “Cheat Sheet Series” to guide their reviews. They can perform these checks manually while keeping common vulnerabilities in mind during the development process.
It’s important for developers to test if their classes and methods behave as expected. To achieve this end, they can conduct unit tests that specifically use scripts to analyze misuse/abuse cases and search for common vulnerabilities. Developers should make sure these tests run quickly so as to not affect the build process.
Functional Security Testing
Functional security testing is useful for ensuring that software fulfills authentication, session management and other requirements. Organizations should design these tests whether users can do what they should be able to do as well as evaluate whether they can do something that’s not allowed. They can oftentimes design these tests using their unit testing tools.
The last piece of the CI/CD pipeline security puzzle is automation. According to DevOps.com, organizations can use automation tools, for instance, to ensure that developers follow CI/CD pipeline security policies with a minimal chance of error, as these utilities can automate any changes and make them available to all developers. Additionally, they can use configuration management tools to automate the task of provisioning secure infrastructure repeatedly and at scale while making few mistakes.
A Robust Solution for DevOps Security
The recommendations discussed above can help organizations ensure security of the CI/CD pipeline. Fortunately for them, there are solutions available through which security professionals can harden configurations, remediate vulnerabilities, monitor for suspicious events and automate their security. They just need the right solution.
Learn how Tripwire DevOps could be the ideal security platform for your organization.
You can also check out a DevOps survival guide that Tripwire created for security professionals by clicking here.