The goal of this series is to inform you about all the elements involved in the process of securing a CI/CD pipeline and help you to take the right steps. We will explore the main topic throughout articles every two weeks.
First things first
The golden rule is you can’t protect something that you don’t even know about (it will be the central axis of our next article). So, first of all, let’s recall what CI/CD is so that it is possible to start thinking about how to secure it.
CI/CD stands for Continuous Integration, Continuous Delivery, and/or Continuous Deployment. It basically is a set of techniques or a method intended to improve the software development process so that it can be possible to deliver builds faster and in a more efficient way. CI must ensure that the code input is tested and bugless and then send it to the CD where it will be tested in the hardest way and, if it’s all good, the build will be ready to manually deployment (in a Continuous Delivery scheme) or it will be directly deployed (in a Continuous Deployment scheme)
It’s worth saying that this is a general explanation due we assume that if you are reading how to secure a CI/CD pipeline, you already know what it is.
What a Secure CI/CD includes?
The CI/CD pipelines themselves came about to improve the way the software development process was carried out. In the old days, the development process consisted of sporadic, gigantic commits without as much testing, while a new build was released infrequently. Today, the trend of using CI/CD is to make small changes through more commits per day, which is more manageable allowing bugs and vulnerabilities to be detected and remediated more easily.
While it is true that one of the CI/CD focuses is security in terms of code (preventing and detecting known vulnerabilities when coding), that is just the tip of the iceberg in terms of a secure CI/CD pipeline.
The process of securing a CI/CD pipeline involves many other things besides the code. It involves the whole picture in a transversal way:
Programmer habits and routines
Coding best practices
IDEs and plugins used to code in a secure way
Infrastructure security (servers, workstations, PaaS and SaaS security)
Automations tools used by Continuous Integration and Continuous Delivery/Deployment
Identity Access Management and secure authentication
Security management
Step to production and actively monitoring
The first conclusion is the pipeline must be monitored and secured from end to end. And there is a difference between securing the code through the CI/CD pipeline and securing the CI/CD pipeline itself.
Why should a CI/CD pipeline be secured? When is it important?
This is important if you care about the CIA triad, your long-term business budget, your clients, your reputation, and most of all if you value your time. Now that we've established why it's important, in future articles we'll look at different recommendations to cover these topics, such as Identity Access Management, infrastructure security, repository policies, threat mapping, and even developer best practices.
Exercise for the next article
I would like to give you the first exercise heading to the next article.
You must identify the components of your infrastructure and every step into your CI/CD pipeline, from start to end. Try to break each activity into several smaller ones, down to the atom.
