As software development environments adopt cloud-native technologies, container-based architectures, and microservices, distributing software manually becomes less practical. But the need for speed often ignores or minimizes necessary security testing. Vulnerabilities found in the production version of an application can lead to compromised systems and data. To reduce the risk of vulnerabilities going undetected during the software development lifecycle, organizations should add continuous security validation to the CI/CD (continuous integration continuous delivery) pipeline. This makes developers more productive, reducing time-to-market despite the added layer of security checks, and more secure apps will eventually gain consumer trust over other apps that put users and their data at risk.
What is continuous delivery?
Continuous Delivery is the ability to get software changes of all types, including new features, configuration changes, and bug fixes, into production safely and quickly in a sustainable way. Continuous Delivery is critical towards successfully achieving the DevOps potential across your organization.
Continuous Delivery aims to reduce the time between when code is written and when it's deployed while maintaining high quality and reducing risk. It is a crucial part of the software development process as it allows teams to continuously release new features, making it possible to test them, and make changes quickly.
According to research conducted by the Continuous Delivery Foundation, adopting a Continuous Delivery approach to software development offers many benefits. For example, at the organization level, it accelerates the delivery of new features, increases the responsiveness to external events and helps build deeper relationships with the product customers. At the process level, the approach helps decrease deployment pain while improving quality.
Security is a key challenge of continuous delivery at scale
Although CD brings many advantages in the software development industry, 75% of organizations still can improve their processes in terms of deployment frequency and lead time for changes. The key challenges of CD at scale are the following:
Pipeline sprawl has created many management inconsistencies. For example, pipelines are not declared as code or they are patched and extended over multiple generations. In addition, pipeline sprawl across many development teams results in inconsistent CI/CD processes that create vulnerabilities.
The 12 Factor App is a set of principles that describes a way of making software that, when followed, enables companies to create code that can be released reliably, scaled quickly, and maintained in a consistent and predictable manner. However, many developers fail to apply these 12 factors, resulting in overly complicated apps and giant monoliths that slow down build and deployment times.
Furthermore, an immature development lifecycle will greatly harm CD at scale. Improper use of version control, inefficient repository structure and lack of code reviews will result in poor quality products and lack of scalable pipelines.
Security and visibility
Managing secrets and access to the environments is a critical factor for building trust across your CI/CD pipelines. Lack of best practices and security governance hurt your ability to audit and trace changes to your software and greatly reduces visibility into your environment.
Closely related to the lack of visibility and security is having poor testing coverage and lack of quality testing to measure all indicators of development performance.
Failure to address these challenges not only affects the time-to-market of your apps, but also impacts your software supply chain, leaving your organization (and your customers) open to attacks looking to exploit vulnerabilities in your applications. As demonstrated by the SolarWinds supply chain attack, the disruption can be devastating.
How to enable security in continuous delivery
When we discuss about CD, we need to understand that there are pipelines running in the environment and to secure CD we need to secure these pipelines. The foundation of security in CD is to have version controlled pipelines as code. A pipeline as code file specifies the stages, jobs, and actions for a pipeline to perform. Because the file is versioned, changes in pipeline code can be tested in branches with the corresponding application release.
Pipelines as code is the first step to handle fast, secure continuous delivery at scale. When you have pipelines as code you can parameterize them, reuse them and extend them to meet your business needs. Most importantly, you can embed security and compliance policies to simplify access to approved, secured, and reliable pipelines for your development teams.
Since your CI/CD is a critical component in your software supply chain, you want to be sure that your CI/CD is as secure as possible through static or dynamic testing so that your artifacts can be trusted. To achieve that, you need to consider the following important aspects:
- Use secure credential storage and rotate your keys frequently
- Inspect your build output and make sure you are not leaking secrets or any other sensitive information
- Code-sign all your artifacts and incorporate runtime checks to guarantee integrity
As a system gets more complex, it is critical to have checks and best practices in place to guarantee artifact integrity, that the source code you are relying on is the code you are actually using. If you want to develop and deliver software that is as resilient as possible, you could leverage a security framework like SLSA (Supply chain Levels for Software Artifacts, pronounced as salsa), that includes a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your business.
Venafi can help
Cloud-native machine identity automation gives developers a high-grade consistent deployment process with built-in workload security. With Venafi Jetstack Secure you can automate security best practices and improve the developer experience. Jetstack Secure provides vital visibility and control of X.509 certificates and their configuration status across Kubernetes and OpenShift clusters.
To learn how your organization can securely automate cloud native workloads, speak to an expert.