DevOps.com

  • Latest
    • Articles
    • Features
    • Most Read
    • News
    • News Releases
  • Topics
    • AI
    • Continuous Delivery
    • Continuous Testing
    • Cloud
    • Culture
    • DataOps
    • DevSecOps
    • Enterprise DevOps
    • Leadership Suite
    • DevOps Practice
    • ROELBOB
    • DevOps Toolbox
    • IT as Code
  • Videos/Podcasts
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • DevOps Unbound
  • Webinars
    • Upcoming
    • On-Demand Webinars
  • Library
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Content
  • Related Sites
    • Techstrong Group
    • Container Journal
    • Security Boulevard
    • Techstrong Research
    • DevOps Chat
    • DevOps Dozen
    • DevOps TV
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
  • Media Kit
  • About
  • Sponsor
  • AI
  • Cloud
  • Continuous Delivery
  • Continuous Testing
  • DataOps
  • DevSecOps
  • DevOps Onramp
  • Platform Engineering
  • Low-Code/No-Code
  • IT as Code
  • More
    • Application Performance Management/Monitoring
    • Culture
    • Enterprise DevOps
    • ROELBOB
Hot Topics
  • Survey Surfaces Application Modernization Challenges
  • Dylibso Releases Tool for Tracking and Validating Wasm Modules
  • Data APIs: Realizing the Future of Data Warehousing
  • GraphQL Documentation Generators: How They Work and Why They Matter
  • Perceptions of Reality

Home » Blogs » 7 (More) Security Considerations for CI/CD

7 (More) Security Considerations for CI/CD

Avatar photoBy: Jayne Groll on July 8, 2021 Leave a Comment

CI/CD orchestration has become increasingly popular in DevOps practices. It facilitates faster deployment of software and product delivery. Through the use of automation when building, testing and deploying applications, CI/CD bridges the gap between development, operation activities and teams. 

However, there are many security considerations to keep in mind with frequent deployment. From quality automation to code history analysis, security must be baked into your CI/CD pipeline to ensure your product and processes remain safe from hackers.

To gain insights on the top security considerations for CI/CD, I asked the speakers and sponsors for the upcoming SKILup Day as well as several DevOps Institute Ambassadors for their thoughts. In this two-part series, I will be sharing their insights. Did you miss part one? You can read it here. Here’s what they had to say in part two of this series:

Speaker, Ravi Lachhman, Evangelist, Harness

“CI/CD platforms are core to an organization’s engineering efficiency and typically have elevated privileges to sensitive environments such as production. Since CI/CD platforms typically will be deploying, this makes sense. Delving into the SolarWinds hack with binary artifact signing, etc., can separate security concerns into two parts. One concern would be the security around the actual CI/CD platform and one around the DevSecOps goals inside a CI/CD pipeline. With so many items shifting left, having proper role-based access control (RBAC) is crucial. With the separation of duties for regulated environments and the need for engineers to be efficient, controls that ensure only certain entities can deploy and certain entities can view pipelines is important. Around the DevSecOps movement, container/OSS scanning is still top of mind for many firms.”

Sponsor, Basis Technologies, Eran Kriegshauser, Basis Technologies’ SAP DevOps Architect

“The question you should be asking is ‘How do I maintain quality with the frequent deployment tempo demanded by business today?’ We need automation of quality and guaranteed rigor. For example, take promoting security configuration changes in systems, applications and products (SAP). Today, this is done by SAP transports where the change is created in an SAP development system, then imported into QA and, ultimately, into production. How do you ensure that a developer can’t give themselves extra security access through a role modification? Automated analysis and approval workflows must support segregation of duties requirements. Users can’t approve changes they create–the appropriate CI/CD process will not allow it.

Another area is automatic peer review notification on changes to sensitive enterprise resource planning (ERP) objects. Once identified, the promotion of those object changes are halted until approved by a team lead or change and release manager.”

Savinder Puri, DevOps Evangelist, Zensar Technologies

“Infuse as many aspects of security as possible into your CI pipeline. CD is already too late for security—you’ve already deployed the application into an environment.

Start from the basic static code analysis, security scanners, etc., and then keep maturing. Whatever tools you integrate into CI Server, ensure the corresponding integrated development environment (IDE) plugins are made available to developers. That way, devs can do the first-level validation within their IDE itself, and do it as they code, even before compiling. That’s the practical implementation of the often overused term ‘shift left.'”

Vishnu Vasudevan, Head of Product Engineering and Development, Opsera

“Now with cloud migration, emerging technologies and open source technology, companies will have to make sure they have the right tooling to measure and take action based on the security challenges born out of different development activities. 

The focus will need to be on managing the risk that is tied to the business criticality. Each industry, domain, technology, etc., all have their own independent security goals, and you cannot have one security goal across the enterprise for different technologies and different domains. It is important to evaluate the technology being used and weigh the security requirements accordingly.”

Stephen Walters, Sales Engineer, Everbridge

“Inclusion! This is why the term DevSecOps came to be—because, erroneously, security was not included as part of a DevOps transformation, and the same is true for transformation of an SDLC to incorporate security.

Security has still been treated as a non-functional requirement; an afterthought. If there is one thing we should learn, there is no such thing as a non-functional requirement. Security needs must be considered on an equal footing with all other requirements and built into the design, test, deployment and delivery of any feature.”

Mark Peters, Technical Lead, Novetta

“CI/CD pipelines should implement security at every step.  Tests can be automated in tooling to conduct tests of various functions at multiple levels for code accuracy, unit tests through fuzzing and integration or vulnerability testing. Most vulnerability testing in a pipeline is actually patch management, ensuring all commercial and proprietary holes are filled for release software. The first step should be using coding checks to make sure there are not any common problems with the code. While this may seem easy, if you are not managing that basic step, you cannot move ahead to the more complicated areas.”

Pawel Piwosz, Lead Systems Engineer, EPAM Systems

“At a high level, I would say that security is still outside the main scope of CI/CD. We should consider a few areas and different angles, here. Security should be not only implemented by CI/CD; CI/CD should be implemented in a secure way. Everything-as-code is a solution here: policy-as-code, security-as-code, drift-as-code, and if we talk about infrastructure, remediation-as-code.”

If you’d like to learn more about the latest in CI/CD and similar topics, check out the upcoming SKILup Day schedule. Or, learn more about the benefits of becoming a DevOps Institute Member. 

Recent Posts By Jayne Groll
  • 4 Container Orchestration Security Concerns
  • The Key Benefits of Observability for SREs
  • 12 Ways to Bake Security Into a DevOps Transformation
Avatar photo More from Jayne Groll
Related Posts
  • 7 (More) Security Considerations for CI/CD
  • Continuous Integration vs. Continuous Delivery: There’s an Important Difference
  • Optimizing an Effective CI/CD Pipeline
    Related Categories
  • Blogs
  • Business of DevOps
  • Continuous Delivery
  • Continuous Delivery
  • Continuous Testing
  • DevOps Institute
  • DevOps Practice
  • Editorial Calendar
  • Features
    Related Topics
  • CI/CD
  • continuous delivery
  • continuous integration/continuous delivery
  • devops institute
  • SKILup Day
Show more
Show less

Filed Under: Blogs, Business of DevOps, Continuous Delivery, Continuous Delivery, Continuous Testing, DevOps Institute, DevOps Practice, Editorial Calendar, Features Tagged With: CI/CD, continuous delivery, continuous integration/continuous delivery, devops institute, SKILup Day

« A New DevOps Database Platform is Needed
Shhhh! It’s a Secret »

Techstrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Upcoming Webinars

Build Securely by Default With Harness And AWS
Tuesday, March 28, 2023 - 1:00 pm EDT
Accelerate Software Development Flow with Value Stream Management
Wednesday, March 29, 2023 - 1:00 pm EDT
Cloud-Native Developer Tools: What's on the Horizon?
Thursday, March 30, 2023 - 1:00 pm EDT

Sponsored Content

The Google Cloud DevOps Awards: Apply Now!

January 10, 2023 | Brenna Washington

Codenotary Extends Dynamic SBOM Reach to Serverless Computing Platforms

December 9, 2022 | Mike Vizard

Why a Low-Code Platform Should Have Pro-Code Capabilities

March 24, 2021 | Andrew Manby

AWS Well-Architected Framework Elevates Agility

December 17, 2020 | JT Giri

Practical Approaches to Long-Term Cloud-Native Security

December 5, 2019 | Chris Tozzi

Latest from DevOps.com

Survey Surfaces Application Modernization Challenges
March 23, 2023 | Mike Vizard
Dylibso Releases Tool for Tracking and Validating Wasm Modules
March 23, 2023 | Mike Vizard
Data APIs: Realizing the Future of Data Warehousing
March 23, 2023 | Tanmai Gopal
GraphQL Documentation Generators: How They Work and Why They Matter
March 23, 2023 | Gilad David Maayan
Postman Releases Tool for Building Apps Using APIs
March 22, 2023 | Mike Vizard

TSTV Podcast

On-Demand Webinars

DevOps.com Webinar ReplaysDevOps.com Webinar Replays

GET THE TOP STORIES OF THE WEEK

Most Read on DevOps.com

Grafana Labs Acquires Pyroscope to Add Code Profiling Capability
March 17, 2023 | Mike Vizard
Four Technologies Transforming Data and Driving Change
March 17, 2023 | Thomas Kunnumpurath
How Database DevOps Fuels Digital Transformation
March 17, 2023 | Bill Doerrfeld
5 Unusual Ways to Improve Code Quality
March 20, 2023 | Gilad David Maayan
Neural Hashing: The Future of AI-Powered Search
March 17, 2023 | Bharat Guruprakash
  • Home
  • About DevOps.com
  • Meet our Authors
  • Write for DevOps.com
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • Privacy Policy

Powered by Techstrong Group, Inc.

© 2023 ·Techstrong Group, Inc.All rights reserved.