The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Live webinar, Oct 13: Attend to learn how you can deduplicate vulnerability and deliver a smarter approach to cyber risk management  | Register  >>

New report: Mapping MITRE ATT&CK framework to CVEs |  Read more  >>

How-to guides

CI/CD security - 5 best practices

Learn the basics of CI/CD security and the various ways to integrate risk-based vulnerability management into your CI/CD pipeline.

Tal Morgenstern | August 30, 2022

Alongside the rapid adoption of CI/CD (continuous integration and continuous delivery or deployment) over the past decade has been a surge in security threats. The need for a robust security policy is essential to thwarting potential threats. In this article, we’ll cover the basics of CI/CD security, and the various ways to integrate risk-based vulnerability management into your CI/CD pipeline to ensure that vulnerabilities are detected early on and remediated before they pose a threat. 

What is risk-based security and why does it matter?

Risk-based security identifies and mitigates the most severe threats to an organization. While this approach can be applied to various contexts, it is particularly well suited to the fast-paced world of software development.

Implementing risk-based security measures reduces the likelihood of security vulnerabilities and prevents data breaches. Risk-based security should be an integral part of your CI/CD pipeline to ensure the safety and security of your applications. It can also help you meet compliance requirements and improve your overall security posture.

By adopting a risk-based approach, organizations can maximize return on investment (ROI) and improve performance while maintaining quality standards. It enables businesses to develop strategies best suited to their operating and threat environments as well as to their business objectives.

Why do you need security for your CI/CD pipeline?

Securing your CI/CD pipeline is critical to ensuring business continuity and preventing any security vulnerabilities.

A brief introduction to CI/CD pipeline

A CI/CD pipeline is a component of a broader toolchain that entails continuous integration, delivery, deployment, automated testing, and version control. It automates the integration and delivery of applications and enables enterprises to deploy applications quickly and efficiently.

ci/cd pipeline security

 

Figure 1: Illustrating security in a typical CI/CD pipeline

Understanding the CI/CD security threats

Your CI/CD pipeline is the backbone of your software development process, so it's critical to ensure security. Incorporating security into your pipeline is a must for a number of reasons:

  • Protect code from attack: Your code is your most valuable asset, so it's essential to protect it from malicious actors.
  • Prevent data leaks: A breach in your pipeline could leak sensitive data, with devastating consequences for your business.
  • Comply with policies: Helps to ensure your CI/CD pipeline meets security policies.
  • Ensure quality assurance: A secure pipeline will ensure high-quality code that is free of security vulnerabilities.

How to ensure CI/CD security

As you set up your CI/CD pipeline, it's important to include security checks at various stages to ensure that your code is secure and compliant with security standards. There are a number of measures you can take to secure your CI/CD pipeline.

1. Planning phase

This stage involves gathering requirements and consumer input to develop a product roadmap. It also encompasses the best practices and policies for a successful DevOps strategy.

You should also take advantage of threat modeling to help identify potential areas of attack and take steps to secure your pipeline. In threat modeling, security vulnerabilities are identified, and countermeasures are determined to mitigate them. By applying threat modeling to CI/CD pipelines, you can identify potential attack areas and take measures to secure them.

Supply-chain Levels for Software Artifacts (SLSA) is also useful during the planning phase. This security framework comprises a checklist of standards and controls to prevent supply-chain attacks, safeguard against integrity challenges, and safeguard software packages and infrastructure in your organization.

2. Coding phase

In the coding phase, the developers write the necessary code to build the software. The code must be written in accordance with predefined standards and design guidelines.

You should use source code scanners such as CAST Application Intelligence Platform (AIP) or CodeSecure to detect pieces of code that might be vulnerable to security threats.

3. Build phase

During the build phase, the developers are responsible for committing their source code to a shared repository. Once the code changes are checked into the repository, builds are triggered, and automated tests are executed to verify if the builds comply with the requirements.

Here are some tips for setting up security checks in your CI/CD pipeline:

  • Include a static code analysis tool in your build stage to check the code for common security vulnerabilities and compliance issues.
    • Use static application security testing (SAST) tools like SonarQube, Veracode, AppScan, or Codacy.
    • Use software composition analysis (SCA) tools such as Veracode, Sonatype Nexus Platform, etc.
  • Set up security-related test cases based on organization policies. These tests can check for things like cross-site scripting (XSS) and SQL injection flaws.
  • Use a code-signing service to sign your code ahead of deploying the code to the production environment. This will help ensure that the code has not been tampered with and that it comes from a trusted source.

4. Testing phase

Once a build is successful, the software is tested to detect any potential bugs. If new features are added, a new build is generated and regression testing is performed on the new build to verify if the functional tests succeed.

At this stage, you should run container scanning tools (e.g., Datadog, Clair, Anchore, and Qualys) or dynamic analysis security testing (DAST) tools (e.g., Netsparker and Acunetix).

5. Deployment phase

In this phase, the build is deployed to the production environment.

6. Monitoring Phase

This is the last stage in a typical DevOps CI/CD pipeline. During this phase, the build is monitored to ensure that it works as expected. The application deployed in the production environment is observed to evaluate performance and other aspects.

Best practices for CI/CD security

Here are some of the other best practices you should follow to secure your application and the environment where your application is deployed.

1. Have complete visibility into the CI/CD pipeline

To properly secure a CI/CD pipeline, it is important to have complete visibility into all aspects of it. This includes understanding the components of the pipeline and how they interact with each other, as well as identifying and monitoring all points of entry into the pipeline.

A software bill of materials (SBOM) plays an integral role in the software development lifecycle (SDLC) and in DevSecOps by helping you keep track of all third-party and open-source components in your codebase. But it must be managed appropriately to ensure security and compliance.

2. Analyze the committed code

Securing your CI/CD pipeline first involves analyzing the code that is being committed, which can be achieved manually or using automated tools. Automated tools can identify potential security vulnerabilities in the code and track changes over time. Analyzing the code ensures that only approved changes are made to the code base and that any potential security vulnerabilities are addressed before they can be exploited.

3. Check for security vulnerabilities

There are several ways to check for security vulnerabilities in your CI/CD pipelines. The following tools should be employed to detect security flaws in your CI/CD pipelines:

  • Static application security testing (SAST)
  • Software composition analysis (SCA)
  • Dynamic analysis security testing (DAST)

Of course, no automated tool is perfect, so it's also important to do manual reviews of your code and your CI/CD pipeline. By understanding how your pipeline works and what could potentially go wrong, you can ensure that your pipeline is as secure as possible.

4. Perform security acceptance testing

Security acceptance testing is the process of verifying that the security controls in place are adequate to protect the system. This can be done manually or automatically. Either way, it's essential to have some form of security testing in place before allowing code changes to be deployed to production. If there are significant changes in the code, it is recommended that a security expert conduct a manual review.

Some common security acceptance tests include checking for vulnerabilities in dependencies, testing for insecure configuration settings, and verifying that authentication and authorization controls are working properly.

Organizations should also consider integrating an automated security testing tool into the CI/CD pipeline. Incorporating security acceptance testing into your pipeline can help ensure systems are secure.

5. Embrace continuous monitoring

You must take preventive steps to enforce the security of your CI/CD pipeline, such as: 

  • Tightening access control
  • Keeping secrets safe
  • Separation of duties
  • Enforcing permissions
  • Securing connections

You can also take advantage of security scanning tools capable of automatically detecting and reporting potential vulnerabilities. Another option is to manually review your pipeline logs for any suspicious activity.

An overview of static application security testing (SAST)

Static application security testing (SAST) is a security testing approach that can be integrated into CI/CD pipelines. SAST identifies potential vulnerabilities in the code using static analysis and automated tools. Developers can then address the vulnerabilities before the application is deployed to production.

SAST tools analyze source code or compiled binaries to look for security vulnerabilities. They can be used early in the software development lifecycle to find and fix issues before they become part of the code base. They can also be used later in the process to ensure your codebase is secure.

Leverage SAST tools

SAST encompasses a set of tools used to examine application source code, assembly code, bytecode, and binary files for possible security flaws. To identify security flaws in your application source code, you can leverage the SonarQube, Veracode, and Fortify Static Code Analyzer tools.

Adopt a risk-based approach to communicating security issues

The risk-based approach to security is a systematic strategy for identifying, assessing, and prioritizing potential threats to the company. It determines your organization's top compliance risks while prioritizing controls, rules, and processes to address those security vulnerabilities. Once your compliance program has reduced the most severe risks to acceptable levels, lower-priority risks can be addressed.

Take advantage of SLSA

Supply-Chain Levels for Software Artifacts (SLSA) is a framework that focuses on securing software from the development to the deployment stages. It offers security benefits at every step of the development lifecycle, while being incremental and actionable. SLSA encompasses a set of requirements widely accepted as best practices in the industry.

Automating security in CI/CD pipelines with policy as code

A policy-as-code approach automates security within CI/CD pipelines. Organizations define and enforce security policies as part of their build process to deploy only compliant code. Thus, security is woven into the software at the beginning instead of being incorporated later on.

Security policies can be enforced in your CI/CD pipeline using policy-as-code tools like Cloud Custodian, which are integrated into your build process to ensure that only compliant code is deployed. This will allow you to maintain high levels of security in your software development cycle.

Conclusion

As CI/CD pipelines are critical to an organization's product and service offerings, they must be secure. Businesses must integrate security into the CI/CD pipeline to prevent supply-chain attacks and other disruptions that can hinder production and delivery.

With so many interconnected components and services—often supplied or controlled by third parties—there is no such thing as a "set-it-and-forget-it" approach to pipeline security.

Using the right strategies (e.g., access control, secret management, registry scanning, and more) and tools will allow you to manage security risks in every stage of the pipeline.

Own your risk across your attack surfaces and across the full cyber-risk management lifecycle. Get your demo of Vulcan Cyber today.