Why and How to Introduce DevSecOps Into CI/CD Pipelines

DevSecOps is an increasingly popular framework for integrating security into every phase of the software development lifecycle. A key phase that organizations should be targeting as soon as possible is their Continuous Integration and Continuous Deployment (CI/CD) pipeline. Doing so can accomplish more than increasing security and decreasing risk. It can also increase productivity and morale.

In 2020, the devastating attack on managed software provider SolarWinds brought software supply chain vulnerabilities into public consciousness. Attackers inserted malicious code into the company platform, which was then distributed via standard updates to around 18,000 customers, including several U.S. government agencies and Fortune 500 companies, leading to data theft and possible espionage. A similar attack against Kaseya VSA in 2021 impacted around 1,500 businesses, causing disruption and financial loss, including forcing a Swedish supermarket chain to close temporarily. These attacks demonstrate how a single vulnerability can impact thousands of companies and potentially millions of people.

However, despite the increased awareness of the threat, which even led to the 2021 Executive Order on Improving the Nation’s Cybersecurity in the U.S., software supply chain vulnerabilities remain a major problem. Increased reliance on open-source dependencies and third-party integrations continues to expand attack surfaces, making it easier for attackers to infiltrate the systems, while the competitive demand to deliver software within ever shorter timeframes often distracts teams from their security mission. As a result, every company that isn’t actively seeking to improve its software supply chain defenses is vulnerable.

DevSecOps and the CI/CD Pipeline

A critical component of the software delivery supply chain is the CI/CD pipeline, which is a set of practices development teams use to deliver code changes more frequently and reliably. CI/CD pipelines have become the foundation of fast and efficient software delivery processes that allow for the frequent addition of new features and bug fixes. However, an insecure CI/CD pipeline opens multiple entry points for attacks, including malicious code, compromised source controls, vulnerable dependencies, a compromised build system, the injection of bad artifacts, compromised package management and artifact signing, abuse of privileges, and more. These vulnerabilities introduce a significant security gap in the software supply chain.

To secure CI/CD pipelines, many organizations are now integrating DevSecOps best practices into it. A DevSecOps approach ensures that security gets embedded into every phase of the pipeline. There are two main aspects of this:

• Incorporating application security testing strategies to establish a strong application security posture. These include static code analysis, dynamic application testing, open source and third-party package management, secrets scanning, and vulnerability management. 
• Instituting deployment security measures, including image and container security, infrastructure as code (IaC) and environment security, secrets management, cloud security, and network security.

DevSecOps processes and tools enable automated security checks and continuous monitoring that make securing the development process possible. By doing so, they also foster better collaboration among the development, operations, and security teams. This promotes a more secure development environment and more secure and resilient software.

The DevSecOps CI/CD Pipeline

The DevSecOps CI/CD pipeline uses automation to add key measures and strategies to each of its five stages: code, build, test, deploy, and monitor.

1. Code

DevSecOps secures the coding stage of the CI/CD pipeline by automatically evaluating source code to detect vulnerable or faulty code that may have been checked in by developers. These automated evaluations include:

• Software Composition Analysis (SCA) to detect known vulnerabilities and license issues in open-source dependencies
• Static Application Security Testing (SAST) to automate scanning and analysis of code for early detection of vulnerabilities
• Secrets Scanning and Management to make sure sensitive information, including passwords, API keys, tokens, encryption keys, and more, are not added to the codebase

2. Build

This DevSecOps best practice automatically scans binaries and packages after the source code is committed, compiled into executable artifacts, and stored in an artifact repository. Automated scanning of binaries and packages should be continuous until the code is sent to the testing stage, where the code, still in the form of artifacts, is scanned in its entirety.

3. Test 

At this stage, real-time testing of the application is conducted through attack simulations using PenTesting, SQL injections, cross-site scripting, and more. Artifact scanning and Dynamic Application Security Testing (DAST) are also integrated into the CI/CD pipeline during this stage.

4. Deploy

The deployment stage can be leveraged as a key control point to automate security checks and enforce application security measures. Key practices include:

1. Policy checks
2. Compliance verification
3. Digital scanning
4. Infrastructure as Code (IaC) security
5. Cloud security

5. Monitor

Continuous and automated monitoring must be implemented to ensure applications continue to operate as expected. A DevSecOps best practice is to add continuous scanning for Common Vulnerabilities and Exposures (CVEs) and integrate these scans with audit tools that can track and report on compliance with industry and organization rules.

The Benefits of Taking a Best Practices DevSecOps CI/CD Approach

The most important DevSecOps best practices for CI/CD pipelines are:

• Shift Left: Integrate security tests and impose security checks as early as possible in the development process to make identifying and addressing vulnerabilities faster and easier.
• Automate Security Testing: Automatically conduct security tests and scans throughout the pipeline.
• Monitor Continuously: Identify and mitigate security incidents in real time through continuous monitoring.
• Collaborate Across Teams: Nurture collaboration among development, operations, and security teams to ensure security remains a top priority for everyone and increase productivity.
• Utilize Regular Training and Awareness Programs: These programs are essential for ensuring that security best practices remain a priority for everyone with a stake in the CI/CD pipeline.

Companies that implement and maintain these DevSecOps best practices for CI/CD pipelines will enjoy several key benefits:

• Enhanced Security: Early identification and mitigation of vulnerabilities, leading to safer software, increased developer productivity, and cost savings.
• Accelerated Time-to-Market: Faster delivery of secure software that does not require time-consuming and expensive fixes.
• Happier and More Productive Teams: The ability to satisfy the needs of the development, operations, and security teams without compromising productivity or security standards.
• Reduced Security Risks: A dramatically lower risk of security breaches and data loss that can result in fines or damage to the brand.
• Proactive Compliance: Identification of regulatory and organizational compliance issues before violations occur.

Conclusion

As part of securing a company’s software supply chain, every software organization should embrace DevSecOps for CI/CD pipelines. However, it’s about more than just security. With DevSecOps for  CI/CD pipelines, companies can accelerate software production and, equally important, improve the morale of everyone involved in the software development process, as well as those who track user satisfaction with that software.