In the last couple of months we participated in an increasing number of customer projects following current trends in agile software development and the corresponding tool stacks. In particular, the terms Continuous Integration and Continuous Delivery kept (and still keep) popping up around every corner. The frameworks and processes behind these two hyped terms help develop software of higher quality in shorter release cycles. This is especially relevant since end consumers nowadays expect fast releases that include the newest features. If companies neglect this demand, competitors might take advantage of their better time-to-market, which might result in increased market share and dominance. A lot is changing in the CI/CD space: existing tools are maturing and gaining attention, and new ones appear every month, together with better ways of integrating them into existing or new processes. Companies benefit from more choices, increased flexibility, and faster integration into existing company policies.
In terms of security, companies are starting to recognize the substantial benefits of integrating CI/CD pipelines into their software development lifecycle (SDLC). Among these benefits are:
* Automation
* Standardization
* Documentation
* Integration of Continuous Security
* Integration of Controls (Policy- & Compliance-checks)
Automating processes like building, testing, and deploying software artifacts supports standardization and proper documentation of processes within the company, and it increases code quality through regular scans for problems (e.g., code smells or bugs). Additionally, security can be integrated as a standardized quality gate within the pipeline. Important security rules can then be enforced simply by canceling the pipeline run whenever something is not compliant or deviates from existing security policies. With this approach, artifacts that are not compliant or that constitute a baseline security risk can be identified and held back from being deployed to the production environment.
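As an added illustration of such a quality gate (example code written for this post's explanation, not taken from the original article or from any particular scanner or pipeline tool): a POSIX shell gate that reads scanner findings in a constructed tab-separated format and makes the pipeline step fail, i.e. exit non-zero, as soon as any finding reaches the policy's severity threshold.

```shell
#!/bin/sh
# Added example: a minimal security quality gate for a CI/CD pipeline step.
# The scanner output format is constructed for this example: one finding per
# line, "SEVERITY<TAB>ID<TAB>DESCRIPTION". Lines starting with '#' are comments.

# severity_rank LABEL: print a numeric rank so severities can be compared.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # unknown labels never block the pipeline
  esac
}

# security_gate FILE THRESHOLD: return 0 when no finding reaches THRESHOLD,
# 1 otherwise. Blocking findings are logged so a cancelled run is explainable.
security_gate() {
  file="$1"
  threshold=$(severity_rank "$2")
  blocked=0
  tab=$(printf '\t')
  while IFS="$tab" read -r sev id desc; do
    case "$sev" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      echo "GATE: blocking finding $id ($sev): $desc" >&2
      blocked=$((blocked + 1))
    fi
  done < "$file"
  [ "$blocked" -eq 0 ]
}

# write_sample_findings FILE: constructed scanner output used for the demo.
write_sample_findings() {
  printf '# constructed sample, not real scanner output\n' > "$1"
  printf 'LOW\tCS-1\tunused import\n' >> "$1"
  printf 'MEDIUM\tCS-2\thard-coded test credential\n' >> "$1"
  printf 'HIGH\tCS-3\tunsafe deserialization of untrusted input\n' >> "$1"
}

# Demo: with the policy threshold set to HIGH, finding CS-3 cancels the run.
sample=$(mktemp)
write_sample_findings "$sample"
if security_gate "$sample" HIGH; then
  echo "gate passed: artifact may proceed to deployment"
else
  echo "gate failed: pipeline cancelled (policy threshold HIGH)"
fi
rm -f "$sample"
```

In a real pipeline the gate runs as its own stage after the scanner, and its non-zero exit status is what stops the deploy stage from being reached.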
But these paradigms also bring a lot of challenges with them. A very prominent example is the build server software Jenkins. It is written in Java and has been affected by most of the common Java vulnerability classes of the last few years, such as deserialization vulnerabilities. Multiple vulnerabilities with a critical CVSS score of 9 and above (see here) have been found that allow unauthenticated attackers to gain full control over the pipelines and access to the complete source code. Yet those are only the known vulnerabilities. In the worst case, after compromising a Jenkins instance, lateral movement to a production environment is possible, which would lead to full leakage of sensitive customer data. A small spoiler here: you want to isolate Jenkins from other environments as much as possible 😉
The training “Secure CI/CD Pipelines” at Troopers ’19 (Link) will look at both the benefits and the challenges of CI/CD pipelines. It will shed light on relevant tools and buzzwords, e.g., by explaining Docker and microservices as well as their role and placement within CI/CD pipelines. The training will be held by Kevin Kelpen and Simon Lipke, both experts with experience from multiple projects in this area.
We are looking forward to seeing you at Troopers 2019!
Cheers!
Simon Lipke & Kevin Kelpen