Best Practices for Embedding Security into CI/CD Pipelines
The term “shift left” has traditionally been applied to the process of testing “early and often” in software development. Today, that concept also extends to security.

Conventional software development focuses on solving a problem, with security tacked on once the application is put into production. However, it’s typically more time-consuming, expensive and complex to embed security into an application after it’s implemented. DevOps teams are often left with the headache of stomping out security fires as they crop up. Shift-left security builds security best practices into the development process to minimize this technical debt.

The same principle applies to the continuous integration / continuous delivery (CI/CD) pipeline. By embedding security in their CI/CD pipelines, DevOps teams can deliver, release and operate systems that are more reliable and secure.

Here are four best practices to follow.

First, secure the CI/CD pipeline itself.

Software supply chain attacks have increased more than 400 percent in recent years, so it’s critically important to ensure that the CI/CD pipeline is secure. Organizations should follow the principle of least-privilege access and ensure that credentials, tokens, API keys and other secrets are secured. Test environments should also be secured because they can give attackers inroads into other environments. CI/CD tools should be kept up to date and temporary resources destroyed when they are no longer needed. Audit logs can provide clues to an attacker’s activities.

Second, build in continuous security testing.

A robust CI/CD pipeline enables a continuous testing strategy that can include the validation of security controls. This includes both static application security testing (SAST), which analyzes source code for security flaws, and dynamic application security testing (DAST), which looks for vulnerabilities in running applications. DAST tools should test for high-risk issues and trigger penetration tests to look for entry-point vulnerabilities. Automated testing should also incorporate notification, remediation and rollback processes.

Third, include data in the security testing process.

Many organizations overlook production data when testing for security and compliance. DevOps teams should familiarize themselves with the security and compliance policies regulating the organization’s data and build an automated framework for applying and testing controls. Common techniques include static data masking to hide sensitive information and using synthetic data where production data is inaccurate, incomplete or cannot be used for testing.
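As an added illustration (not part of the original article or DeSeMa's tooling), a small Python static-masking routine of the kind this paragraph describes: keyed pseudonymization keeps joins between tables consistent in the test copy, e-mail addresses are rewritten onto a reserved test domain, card numbers keep only their last four digits, and a final gate checks that no original sensitive value survived. The sample rows, column names and masking key are constructed; in a real pipeline the key would be injected from the secret store.

```python
import hashlib
import hmac
import re

# Constructed sample of production-like records; every value is fictitious.
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "email": "alice.smith@example.com", "card": "4111111111111111", "city": "Boston"},
    {"customer_id": "C-1002", "email": "bob@example.org", "card": "5500000000000004", "city": "Austin"},
    {"customer_id": "C-1001", "email": "alice.smith@example.com", "card": "4111111111111111", "city": "Boston"},
]

# Assumed per-environment masking key; a real pipeline injects it from the secret store.
MASK_KEY = b"constructed-masking-key-do-not-reuse"


def pseudonymize(value: str, key: bytes = MASK_KEY) -> str:
    """Keyed one-way token: equal inputs map to equal tokens, so joins across
    tables still work in the test copy, but the original cannot be recovered
    without the key (and a different key yields different tokens)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str, key: bytes = MASK_KEY) -> str:
    """Pseudonymize the local part and pin the domain to a reserved test TLD
    so that a misconfigured test run can never mail real customers."""
    local, _, _domain = email.partition("@")
    return f"user-{pseudonymize(local, key)[:10]}@test.invalid"


def mask_card(card: str, key: bytes = MASK_KEY) -> str:
    """Keep only the last four digits; length is preserved so format checks still run."""
    digits = re.sub(r"\D", "", card)
    return "X" * (len(digits) - 4) + digits[-4:]


# Column -> masker. Columns not listed here are copied through unchanged.
MASKERS = {"customer_id": pseudonymize, "email": mask_email, "card": mask_card}


def mask_rows(rows: list[dict], key: bytes = MASK_KEY) -> list[dict]:
    """Apply the per-column maskers to every row, returning a new dataset."""
    return [{col: MASKERS[col](val, key) if col in MASKERS else val
             for col, val in row.items()} for row in rows]


def no_sensitive_leak(masked: list[dict], original: list[dict]) -> bool:
    """Pipeline gate: fail if any original sensitive value survives in the masked output."""
    sensitive = {row[col] for row in original for col in MASKERS if col in row}
    return not any(val in sensitive for row in masked for val in row.values())
```

Run `no_sensitive_leak` as a blocking step before the masked copy is loaded into the test environment, so a newly added sensitive column that nobody mapped in `MASKERS` is caught rather than copied through.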

Fourth, integrate the CI/CD pipelines with security automation and AIOps tools.

Continuous monitoring is critical once applications are moved into production. Many CI/CD tools can be integrated with security automation and AIOps platforms to facilitate operational and security workflows. Security automation tools handle routine tasks such as patching systems, setting permissions, and performing incident detection and response. AIOps platforms combine artificial intelligence techniques, big data analytics and automation to help DevOps teams monitor performance, detect anomalies and rapidly identify the root cause of problems.

Implementing a robust and secure CI/CD pipeline can be difficult for organizations that lack specific expertise in this area. DeSeMa has extensive experience with CI/CD, security testing and automation. Our team can help ensure that these tools are properly tuned and integrated with your environment to provide actionable insights while minimizing noise.

Shift-left principles begin with software development but should extend to DevOps workflows to ensure that systems run securely in the production environment. Because the CI/CD pipeline is an integral part of DevOps practices, organizations should follow best practices for embedding security within the pipeline.