The Challenge of Integrating Security Solutions with CI/CD Workflows
Created for UnBound Security
At Mobile World Conference (MWC) 2019, Satya Nadella, the Executive Chairman and CEO of
Microsoft, famously reiterated “Every company is now a software company”. The same message
came from Watts S. Humphrey, the father of software quality and CMMI, about two
decades earlier, when he said “Every business is a software business”.
In today’s digital-native world, we know that a bank is a software company and a car is a
computer – computing is a core part of every industry.
Those of us who have been around the software industry well understand that DevOps and
CI/CD workflows form the bedrock of this software. It is the CI/CD pipelines or workflows
that churn out software faster, better and more securely.
As the role of software becomes more pervasive, the role of security across the software
development lifecycle becomes paramount. Enterprises have been taking security very
seriously, since a breach can lead to loss of repute as well as heavy financial losses.
The Covid-19 pandemic has further accelerated security deployments and investments
across Enterprises.
The 2021 State of Security Operations survey highlights this changing trend:
2021 State of Security Operations Research Report (microfocus.com)
The report states:
• 85% of respondents say their companies increased their security budgets
• The same percentage increased their adoption of cloud-security services and
technologies
• 82% say they have increased the adoption of threat intelligence
With the heavy focus and investment on security, threat intelligence and detection is one
of the key components. Verifying that the deployed code is legitimate, so that threats such
as supply chain attacks can be mitigated, is most critical. It must be possible to establish that the
software really came from the stated vendor, was not tampered with by a malicious
adversary, and does not contain malware or any other unwanted code.
The method for protecting code is using digital signatures and PKI – specifically using code
signing certificates.
There are a number of approaches for securing code signing certificates:
• DIY: A Do It Yourself, custom-built code signing solution integrated with your CI/CD
pipeline. While it’s tempting to build something that fits perfectly into your
ecosystem, it’s a classic build-vs-buy decision.
• Hardware Security Module (HSM): These are FIPS 140 certified, dedicated hardware
devices, requiring special expertise to deploy and maintain. Hyperscalers typically
provide their own HSMs, and that makes an Enterprise solution (on-premise + cloud)
much more difficult to manage.
• 3rd party vendors: Use HSMs as the root of trust for a 3rd party code signing solution.
While this centralises the management of code signing certificates via the 3rd
party, it’s still a hardware-based solution. It also restricts CI/CD integration, due to the limited
availability of “signer utilities” for the HSM.
• SECaaS: This provides centralised management of code signing certificates without
HSMs or any other backend software. In certain cases, SECaaS services require
the code signing certificates to be generated by a certain, specific Certificate
Authority (CA), and do not allow the use of code signing certificates from any other CA.
• Niche solution: There are specialised solutions that centrally manage code signing
certificates without dedicated hardware, support signing of any code, integrate with
CI/CD platforms and include additional security layers, such as scanning the file for
malware before it is signed, in order to mitigate supply chain attacks.
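Whatever approach holds the signing key, the pipeline mechanics are the same: the build or release stage produces a detached signature over the artifact, and the deploy stage refuses anything whose signature does not verify under the pinned release public key. The following Go program is an added illustration of that round trip, not code from the original document or from any vendor it mentions. It generates an in-memory Ed25519 key pair to stand in for a key that would normally live in an HSM, KMS or signing service, signs a constructed artifact, and shows the deploy-stage check rejecting both a tampered copy and a copy signed with a different key. All names (SignArtifact, VerifyArtifact, Demo, the artifact contents) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
)

// SignedArtifact pairs a build output with its detached signature. The layout
// is constructed for this example; real pipelines keep the signature in a
// sidecar file or in the artifact repository's metadata.
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// GenerateReleaseKey stands in for key provisioning, which is normally done
// once, inside the HSM/KMS, with the private half never exported.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtifact produces the detached signature at the build/release stage.
// Ed25519 signs the full message, so no separate pre-hash step is required.
func SignArtifact(priv ed25519.PrivateKey, name string, content []byte) SignedArtifact {
	return SignedArtifact{Name: name, Content: content, Signature: ed25519.Sign(priv, content)}
}

// VerifyArtifact is the deploy-stage gate: the artifact is accepted only if
// its signature verifies under the pinned release public key. Any byte change
// to the content, or a signature made with another key, fails here.
func VerifyArtifact(pub ed25519.PublicKey, a SignedArtifact) error {
	if len(a.Signature) != ed25519.SignatureSize {
		return fmt.Errorf("artifact %q: malformed signature (%d bytes)", a.Name, len(a.Signature))
	}
	if !ed25519.Verify(pub, a.Content, a.Signature) {
		return fmt.Errorf("artifact %q: signature does not verify against release key", a.Name)
	}
	return nil
}

// Digest returns the SHA-256 of the content as hex, the value a build log
// would record next to the signature so the artifact can be cross-checked later.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Demo runs the full round trip on a constructed artifact and reports
// (genuineAccepted, tamperedRejected, wrongKeyRejected).
func Demo() (bool, bool, bool) {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		return false, false, false
	}
	artifact := SignArtifact(priv, "app-1.4.2.tar.gz", []byte("constructed build output v1.4.2"))
	genuine := VerifyArtifact(pub, artifact) == nil

	// Tamper with one bit of a copy of the content; the signature no longer matches.
	tampered := artifact
	tampered.Content = append([]byte{}, artifact.Content...)
	tampered.Content[0] ^= 0x01
	tamperedRejected := VerifyArtifact(pub, tampered) != nil

	// Sign the unmodified content with a key that is not the pinned release key.
	_, otherPriv, err := GenerateReleaseKey()
	if err != nil {
		return genuine, tamperedRejected, false
	}
	forged := SignArtifact(otherPriv, artifact.Name, artifact.Content)
	wrongKeyRejected := VerifyArtifact(pub, forged) != nil

	return genuine, tamperedRejected, wrongKeyRejected
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v wrong key rejected=%v\n", g, t, w)
	fmt.Println("digest of sample content:", Digest([]byte("constructed build output v1.4.2")))
	if !(g && t && w) {
		os.Exit(1)
	}
}
```

The deploy stage only ever needs the public key, which is what makes this fit the "niche" and SECaaS models as well as an HSM: the verifier can be pinned into the deployment tooling, while the signing operation stays behind whichever service holds the private key.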
Let’s now explore how all these aspects are brought together in the CI/CD pipeline.
That is the place where all dimensions of security are embedded.
Illustration of how security is integrated through the CI/CD pipeline
1. Agile backlog: The security NFR (non-functional) requirements are captured in the Agile tool (Jira,
Rally, Azure DevOps etc.), so that they can be implemented at the appropriate layer
(infra/app/db etc.) during the SDLC.
2. Development IDE: Depending on what security tools the Enterprise uses, their
corresponding IDE (Eclipse, IntelliJ IDEA, Visual Studio etc.) plugins are available, so
that developers can “shift left” - detect and fix issues before the code leaves the IDE
itself!
3. Build Tools: Build tools like Maven, Gradle etc. have security checks embedded, such as
OWASP vulnerability checks.
4. CI System: CI systems like Jenkins, TeamCity, Azure DevOps etc. have plugins for
SAST/DAST security tools like SonarQube, Veracode etc. This is where the first stage
gate is typically implemented. If a critical vulnerability is found, the build is
“terminated” and the entire pipeline stalled.
5. Environment Provisioning: While spinning up environments using infra-as-code tools
like Terraform, Chef, Puppet etc., care has to be taken to adhere to Enterprise security
guidelines.
6. Database Deploys: Tools like Liquibase or Datical treat the database as code and enable
code reviews and automated deploys, with stage gate implementation.
7. App Deploys: Whether you use tools like Jenkins, TeamCity, Azure DevOps, cloud
native Argo CD or the more sophisticated IBM UrbanCode Deploy, they have integrations
with various security facets, such as verification of code signatures.
8. Testing: This is where you might have a specific focus on security testing using tools
such as Acunetix, Netsparker and Zed Attack Proxy (ZAP), and pen testing with
Netsparker, Wireshark, Burp Suite etc.
9. Production System: Monitoring of production systems and their security posture
through Argus, Splunk, SolarWinds, Nagios, OSSEC etc.
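Step 4 above describes the first stage gate: the CI system reads the scanner's findings and stops the pipeline when something critical turns up. The Go program below is an added example of that gate, written for this page rather than taken from the original document or from any of the named scanners. It parses a constructed JSON findings report (the field names are an assumption, not any scanner's real schema), applies a severity threshold with an optional tolerance count, treats unknown severities as blocking so a schema change fails closed, and exits non-zero when the policy is violated, which is what makes a CI step "terminate" the build. EvaluateGate, GatePolicy and SampleReport are names invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is one SAST/DAST result. The field names are constructed for this
// example, not the schema of any particular scanner.
type Finding struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
	File     string `json:"file"`
	Rule     string `json:"rule"`
}

// severityRank orders severities so a policy threshold can be compared.
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

// GatePolicy says which severity (and above) blocks the pipeline, and how
// many such findings are tolerated (0 = fail on the first one).
type GatePolicy struct {
	BlockAtOrAbove string
	MaxAllowed     int
}

// GateResult is what the CI step reports back to the pipeline.
type GateResult struct {
	Blocked  bool
	Blocking []Finding
	Total    int
}

// EvaluateGate parses a scanner report and applies the policy. A finding with
// a severity the policy does not know is counted as blocking (fail closed).
func EvaluateGate(report []byte, policy GatePolicy) (GateResult, error) {
	var findings []Finding
	if err := json.Unmarshal(report, &findings); err != nil {
		return GateResult{}, fmt.Errorf("parse scanner report: %w", err)
	}
	threshold, ok := severityRank[strings.ToLower(policy.BlockAtOrAbove)]
	if !ok {
		return GateResult{}, fmt.Errorf("unknown policy severity %q", policy.BlockAtOrAbove)
	}
	res := GateResult{Total: len(findings)}
	for _, f := range findings {
		rank, known := severityRank[strings.ToLower(f.Severity)]
		if !known || rank >= threshold {
			res.Blocking = append(res.Blocking, f)
		}
	}
	res.Blocked = len(res.Blocking) > policy.MaxAllowed
	return res, nil
}

// SampleReport is a constructed report: one critical, one high, one low finding.
const SampleReport = `[
  {"id":"F-1","severity":"critical","file":"src/auth/login.go","rule":"hardcoded-credential"},
  {"id":"F-2","severity":"high","file":"src/api/handler.go","rule":"sql-injection"},
  {"id":"F-3","severity":"low","file":"src/util/log.go","rule":"verbose-logging"}
]`

func main() {
	policy := GatePolicy{BlockAtOrAbove: "critical", MaxAllowed: 0}
	res, err := EvaluateGate([]byte(SampleReport), policy)
	if err != nil {
		fmt.Fprintln(os.Stderr, "gate error:", err)
		os.Exit(2) // a broken report is not a pass
	}
	for _, f := range res.Blocking {
		fmt.Printf("BLOCKING %s [%s] %s (%s)\n", f.ID, f.Severity, f.File, f.Rule)
	}
	if res.Blocked {
		fmt.Printf("gate: FAIL (%d of %d findings block the build)\n", len(res.Blocking), res.Total)
		os.Exit(1) // non-zero exit is what stalls the pipeline
	}
	fmt.Printf("gate: PASS (%d findings, none blocking)\n", res.Total)
}
```

Run as a CI step, the exit code is the whole interface: the pipeline runner only needs to know that a non-zero status means "stop". Keeping the threshold and tolerance in a policy struct rather than hard-coding them is what lets the same gate be reused at the later database and application deploy gates the list mentions, with stricter settings closer to production.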
Given the plethora of tools for each tenet in the CI/CD space, you would imagine that
embedding security into the pipeline would be a pretty standard and mature practice.
However, this is far from the reality of most Enterprises.
Here are the top 5 reasons why it is challenging to integrate security solutions into CI/CD
pipelines:
1. No gold standards for security: With the huge variation in technology and toolset
landscape across Enterprises, there are no gold standards for security. Of course,
there are regulatory and compliance requirements. Some industry guidelines are
available; however, their implementation specifics are often left open to
interpretation.
2. It’s beyond the SAST tools of the world: As a DevOps Consultant, I often hear this –
“Of course we embed security into the SDLC – we use SonarQube”. That’s a great
place to start; however, there’s an entire world out there beyond this one!
3. Loss of control: Traditionally, there was an elusive Security Team, which got invoked
during the pre-release phase and had the all-encompassing power to stop a
release! Now, with “Continuous Release” making the release itself a non-event and
everything-as-code embedding security, Security Teams tend to feel threatened.
4. Developer resistance: With everything-as-code, the boundaries of a developer’s role
are getting blurred. They are increasingly becoming responsible for not just the
application, but also the infrastructure, configuration, deployments etc. And not all
developers like this evolution
5. Complexity of the game: As Enterprises become composable and cloud native, their
complexity grows disproportionately. It’s hard before it becomes simple.
As an example, cryptographic key management is very complex and demands a
niche solution. It needs a unified key management and protection platform which
controls and manages all keys anywhere – on-premise, in the cloud, in any cloud. It must
integrate easily with existing solutions and include native support for all standard interfaces,
including KMIP. That’s a pretty big ask!
Marc Andreessen, the co-author of Mosaic, the first widely used web browser, and co-founder
of Netscape, famously said a decade ago – “Software is eating the world”. As this statement
continues to hold true in this decade and beyond, the importance of integrating security with
CI/CD pipelines is greater now than ever.