380 BROUGHT TO YOU IN PARTNERSHIP WITH

CONTENTS

Continuous Delivery
•  Overview of CD Pipeline Security

•  Essentials of Continuous Delivery

Pipeline Security
−  Testing

Pipeline Security −  IaC Automation

−  Runtime Security
−  Role-Based Access Control

Essentials
−  Threat Modeling
−  Source Control
−  Continuous Monitoring
−  Incident Response Plans
−  Secure Secrets
−  Vulnerability Scanning
SUDIP SENGUPTA •  Summary
TECHNICAL WRITER, JAVELYNN

A DevOps model follows a non-traditional approach to application
delivery that relies on continuous automation and wider collaboration
among distributed teams. While automation and collaboration are
fundamental features of a DevOps framework, securing deployment
pipelines requires diligent planning, efficient threat modeling, and
comprehensive testing.
security into a delivery pipeline allows software teams to automatically
run stress, acceptance, and performance tests, documenting early
warnings of security risks before they make it into production. While
CD helps to deliver advanced features and bug patches rapidly,
organizations remain mostly apprehensive toward various challenges
in securing a continuous delivery pipeline.

In this Refcard, we delve into various challenges and key considerations
for administering robust security into continuous delivery pipelines.
OVERVIEW OF CD PIPELINE SECURITY
Continuous delivery supports accelerated application deployment and
delivery cycles by leveraging sustainable, frequent updates. In a typical
DevOps framework, continuous delivery is extended upon continuous
integration (CI) to collectively help in automatic deployment of
infrastructure and code changes into a production environment.
CHALLENGES OF MAINTAINING SECURITY IN A
CONTINUOUS DELIVERY PIPELINE
CD pipelines are built to shorten delivery times, which fundamentally
remains the prime concern of organizations that are looking to perform
extensive security and QA analyses. Some common challenges of
implementing security within CD pipelines include: an inconsistent
approach to services, resistance from developers, reduced delivery
velocity, compliance requirements, and inadequate integration of
security automation tools.

Figure 1: Administering security in a typical DevOps workflow

Interactive App
Continuous Security Testing
Penetration Testing
Integration Event Monitoring
}

Infrastructure Scanning
Dynamic Scanning

Code Commit Build Test Review Deploy

Production
}

Threat Modeling
Pre-Commit Review
IDE Scanning
Continuous
Static Code Deployment &
Analysis Testing
Delivery

Enforcing CD security is crucial for enterprises as it enables developers,

operators, and security teams to make informed decisions on the
deployment pipeline's architecture and workflow pattern. Integrating

REFCARD | JULY 2022 1


INCONSISTENT APPROACH TO SERVICES
While containers offer a lightweight, portable, and platform-
independent deployment option, they require a non-traditional
approach to protect workloads that is considerably more complex than
securing monolithic frameworks.
Security profiling tools in such instances often need more memory and
processing power than a container image can be allocated. Due to the
distributed nature of multiple loosely coupled services, the framework
requires security controls to be broken down and deployed at the
service level while ensuring minimal impact to orchestration patterns.
As each service relies on independent platform configuration and
threat control, any inconsistency may lead to additional complexity of
securing CD pipelines.
DEVELOPER RESISTANCE
Securing a CD pipeline relies on successful collaboration between
developers, security experts, QA, and operations teams. Developers
usually restrain from implementing CD security practices, as dealing
with infrastructure engineering and production troubleshooting
adds to their workload. Most developers are accustomed to a specific
technology stack that helps build functional code quickly without
factoring in cyber threats and security best practices.
Administering robust security throughout the CD pipeline also implies
more time spent testing the code. This essentially requires developers
to adopt incremental security checks throughout their programming
process, and hence, is one of the most common reasons for developer
resistance toward a security-first approach.
SECURITY REDUCES DELIVERY VELOCITY
The core objective of DevOps CD pipelines is to automate frequent
deployments and updates. While attributing more importance to
automation and collaboration as the fundamental benefits of a DevOps
model, security is often viewed as an afterthought, where security tests
are performed at the end of the SDLC.
Traditional approaches of static and dynamic application security
testing rely on scanning the entire codebase, even with a few committed
changes. As CD pipelines undergo frequent code changes, such testing
mechanisms eventually reduce the velocity at which newer features
make it to production.
Besides this, modern applications operate on a loosely coupled service
architecture, with each service requiring its own stack of application
security solutions. Aggregating data from these disparate sources
introduces bottlenecks in security decision-making processes, further
slowing down the CD pipeline.
COMPLIANCE REQUIREMENTS
Industry standards and security frameworks offer guidance on the way
data should be transmitted between different systems in a continuous
delivery toolchain. Although these guidelines help adopt industry
best practices, implementing them adds to effort overhead toward
REFCARD | JULY 2022
REFCARD | CONTINUOUS DELIVERY PIPELINE SECURIT Y ESSENTIALS
monitoring, testing, and documentation. As CD pipelines leverage
distributed environments for deploying different components of
the workload, comprehensive observability of infrastructure and
compliance risks is often a complex undertaking.
Security compliance monitoring and audits require the proper
alignment between architecture principles, coding practices, and
safety controls, which further add to the complexity of modern
deployment pipelines.
INADEQUATELY INTEGRATED SECURITY
AUTOMATION TOOLS
Although most security solutions offer a web UI or CLI tool for
integrating and interacting with the continuous delivery pipeline,
lack of comprehensive automation is often considered insufficient
for holistic security. In the absence of appropriately administered
automation, a CD pipeline relies on human intervention to perform
security management functions at predefined checkpoints. A pipeline
should also be configured to move seamlessly from one stage of the
application security testing process to the next.
Besides this, once a vulnerability is identified, developers are
responsible for taking down the affected service and making sure
the application stays available while they build security patches.
Lack of automation in administering security not only raises manual
overheads but is also considered an inefficient approach of mitigating
attacks in real time.
ESSENTIALS OF CONTINUOUS
DELIVERY PIPELINE SECURITY
Securing CD pipelines requires a multi-faceted approach that
involves alignment between different frameworks, technologies, and
operational cultures. As a result, the security of a typical CD pipeline
can be subdivided into a number of different aspects, including testing,
IaC automation, runtime security, role-based access controls, threat
modeling, source control, continuous monitoring, incident response
plans, secure secrets, and vulnerability scanning.
TESTING
Software security testing aims to identify threats and system
weaknesses before they can be exploited in production. Used by QA
teams and security experts alike, comprehensive testing helps to
determine a system's vulnerability score and provides guidance for
hardening security measures.
Security testing is often considered to be a broad term that includes
a number of security mechanisms focused on different components
of a workflow, including application security testing (AST), runtime
application self-protection (RASP), software composition analysis
(SCA), vulnerability scanning and penetration testing, and quality
analysis (QA) testing.
3 BROUGHT TO YOU IN PARTNERSHIP WITH

Figure 2: Essentials of security within the CD pipeline
Aspects of
CD Security
Source Control & Version Management
Software Composition Analysis, Vulnerability Scanning, Threat Modeling Penetration Testing
CD Pipeline
Source
Stages
APPLICATION SECURITY TESTING
Application security tools scan, analyze, and report the security
posture of an application across different phases of the CI/CD pipeline.
An AST mechanism is primarily categorized into the groups shown in
the table below:
CATEGORY PURPOSE
Static •  Follows a white-box
application approach.
security •  Requires thorough
testing
understanding of
(SAST)
underlying technology.
•  Helps analyze the app for
inherent security gaps
within the source code,
libraries, frameworks,
and various software
components used.
Dynamic •  Follows a black-box
application approach.
security •  Helps security teams write
testing
tests without learning the
(DAST) fundamentals of the app's
source code.
•  Scans exposed external
interfaces of an app
to uncover runtime
vulnerabilities.
Interactive •  Combines SAST and DAST
application to widen the range of
security effectiveness.
testing
•  Although purpose-built
(IAST)
to run and scan apps
during runtime, IAST also
compiles source code
similar to SAST tools.
REFCARD | JULY 2022
Auditing and Continuous Monitoring
SAST
Access Control, Secrets Management
Build
BENEFITS
Identifies vulnerabilities
such as:
•  Code/command
injection
•  Directory indexing
•  Insufficient transport
layer protection
•  Credential leakage
Identifies vulnerabilities
such as:
•  App misconfiguration
•  Improper input
handling
•  HTTP request
smuggling
•  Content spoofing
•  Cross-site scripting
Remediates CD security
flaws much quicker by
identifying root cause
of runtime issues and
pinpointing specific
code segments causing
an error.
4 BROUGHT TO YOU IN PARTNERSHIP WITH
REFCARD | CONTINUOUS DELIVERY PIPELINE SECURIT Y ESSENTIALS
Runtime
Security
Application Security Testing
DAST
QA Testing
Test Deploy
RUNTIME APPLICATION SELF-PROTECTION
RASP is an advanced technology that has evolved over time to respond
to security vulnerabilities and attacks in real time. The tool runs on an
application server to help obtain collective visibility of the application's
source code and underlying runtime components. RASP protection
tools are primarily used to detect active threats while sniffing out and
isolating malicious actors.
While RASP can be customized differently for prevention tactics, the
most common approaches are to either issue an alert, terminate the
session, or both.
SOFTWARE COMPOSITION ANALYSIS
SCA automates the identification of open-source software
vulnerabilities used within the application stack. A typical software
composition analysis involves scanning the container images, manifest
files, source code, and binary files to come up with a Software Bill of
Materials (SBOM), which is compared against a database of known
vulnerabilities for security posture evaluation.
SCA tools also enable security teams to evaluate the code quality,
license limitations, and compliance of open-source software used
within an existing workflow.
VULNERABILITY SCANNING AND PENETRATION TESTING
Vulnerability scanning and penetration testing are active threat
identification processes that involve inspecting the application from
an attacker's point of view. Though the processes are mostly used as
two separate approaches, they can also be used as concurrent steps to
identify application flaws.
As the first step, vulnerability scanning helps proactively identify
weaknesses within the enterprise network. Once these vulnerabilities
are identified, security professionals perform penetration tests to see
how the attacker can exploit them to orchestrate attacks.

Beyond identifying system weaknesses, threat hunting functionalities
also help determine the effectiveness of security controls in place and
flag enhancement opportunities.
QUALITY ANALYSIS TESTING
QA testing is the process of evaluating whether the software performs
to customer expectations and the required standards of the user
experience. Beyond testing the functional and technical performance
of software, QA tests assess the product's usability, compatibility, and
known vulnerabilities.
IAC AUTOMATION
Infrastructure as Code (IaC) enables the provisioning and management
of infrastructure resources across multiple deployment environments
using declarative text files. Developers can leverage dedicated CD and
DevOps processes for security testing, version control, application
updates, and security fixes. With automated IaC tools, organizations
can proactively enhance the security posture of an application's
infrastructure while fostering collaboration between security,
development, and operation teams.
RUNTIME SECURITY
Runtime security encompasses various activities focused on identifying
and remediating security flaws of a production environment. Securing
a runtime primarily involves analyzing the application's source code
and server activity — as well as monitoring network activity — for any
defects and potential threats. On account of its multiple underlying
components and sub-processes, securing a runtime often involves
leveraging various tools and a collection of security controls, including:
•  Runtime application self-protection (RASP)
•  Web application firewall (WAF)
•  Log analysis
•  Vulnerability scanning
•  Container security
ROLE-BASED ACCESS CONTROL
Role-based access control (RBAC) is one of the most widely adopted
mechanisms for governing permissions and actions of a CD pipeline
at the component/sub-workflow level. The mechanism forms the
foundation of CD security by relating data privacy, confidentiality,
compliance, and access to specified resources and processes.
RBAC helps developers implement resource access as a function of the
firm's organizational structure, helping to group users efficiently based
on seniority or functions performed. To achieve this, RBAC systems
implement an innate separation of duties, breaking down sensitive
functionalities into smaller units, thereby reducing the attack surface
in the event of an account breach.
THREAT MODELING
Threat modeling involves an elaborate analysis of how a system
operates while examining the combination of user behavior with
data flows across network components. Ethical hackers and security
REFCARD | JULY 2022
REFCARD | CONTINUOUS DELIVERY PIPELINE SECURIT Y ESSENTIALS
researchers commonly use threat modeling to identify potential
security gaps and attack mechanisms of a tech stack to help mitigate
known and unknown vulnerabilities.
Though the process involves integrating security checks throughout
the development lifecycle to identify and remediate security issues,
the approach is considered one of the most critical security practices
during the initial phases of system design.
SOURCE CONTROL
Version/source control management (SCM) enables cross-functional
teams to collaborate liberally without the apprehension of unwanted
changes and updates. Leveraging a centralized branch as a single
source of truth for all interlinked systems of the workflow, SCM tools
retain committed changes in an organized and well-structured format.
SCM tools also maintain comprehensive version history that allows CD
security teams to roll back or undo erroneous updates.
CONTINUOUS MONITORING
Continuous monitoring is one of the core processes that automates
the identification of security flaws and compliance errors throughout
the software development lifecycle. The mechanism essentially
blends observability into the continuous change processes that
characterize a typical CD pipeline. Continuous monitoring covers
multiple facets, including:
•  Comparison of deployments over time
•  Daily trend analysis
•  Vulnerability scanning, reporting, and remediation
•  Security incident alerting
•  Retrospective analysis of security incidents
Besides helping to identify error sources and security vulnerabilities,
continuous monitoring also aids enterprises in measuring the user
experience and KPIs. Adoption of such monitoring tools allows QA
teams to receive prompt feedback on how a recent security update
affects users, subsequently helping to refine the security strategy.
INCIDENT RESPONSE PLANS
An incident response plan allows organizations to maintain clarity
and an escalation matrix during a security crisis. The plan outlines the
systematic handling of security attacks to ensure such incidents cause
minimal impact to the organization's assets, financials, and reputation.
Diligently designed incident response plans help CD security teams
protect crucial data, maintain trust, and safeguard the firm's revenue
while resolving a security crisis.
SECURE SECRETS
Secrets such as user credentials, configuration files, API keys, tokens,
and other sensitive information exist throughout the lifecycle of a CD
pipeline. These secrets are considered one of the primary sources of
data leakage and hence, should be consistently hidden, protected,
5 BROUGHT TO YOU IN PARTNERSHIP WITH

and governed. While seamless delivery of code through different phases
of the SDLC is crucial, it is equally important to maintain robust security
of secrets across all stages of the workflow.
The adoption of secret management systems that streamline the
storage and management of access management components is often
considered a key factor that prevents unauthorized access of system
resources without impacting delivery.
Some of these solutions also offer encryption, key management, and
identity management services, further simplifying the secure access to
organizational data and resources.
OPEN SOURCE VULNERABILITY SCANNING
Organizations that rely on third-party-developed open-source software
often tend to overlook certain features and vulnerabilities of their
source code. On account of the open source nature of such software,
hackers typically possess detailed intricacies of the code along with the
list of known vulnerabilities.
Unsurprisingly, mitigating attacks in such workflows requires focused
vulnerability scans of open-source components to identify weaknesses
before they are exploited. Vulnerabilities in open-source software
commonly arise due to a number of factors, including:
•  Inexperienced developers and maintainers
of the open-source code
•  Lack of coding best practices
•  Outdated/unpatched code
SUMMARY
Continuous delivery enables rapid builds by provisioning test
environments that match production as closely as possible. Although
integrating security across all stages of a CD pipeline has its own
challenges, with automation and programmable infrastructure, it is
possible to secure continuous delivery components and underlying
processes. As the threat landscape continuously evolves, it is also
critical for organizations to adopt a shift left for security mindset — the
approach that essentially prioritizes security at par with automation
and collaboration.
REFCARD | JULY 2022
REFCARD | CONTINUOUS DELIVERY PIPELINE SECURIT Y ESSENTIALS
Additional Resources:
•  "Continuous Delivery Patterns and Anti-Patterns" Refcard –
https://dzone.com/refcardz/continuous-delivery-patterns
•  "Continuous Integration Patterns and Anti-Patterns" Refcard –
https://dzone.com/refcardz/continuous-integration
•  "Introduction to DevSecOps" Refcard – https://dzone.com/
refcardz/introduction-to-devsecops
•  OWASP DevSecOps Maturity Model – https://owasp.org/www-
project-devsecops-maturity-model/
•  Web Security Learning Materials and Labs – https://portswigger.
net/web-security
•  Overview of Cloud-Native Security – https://kubernetes.io/docs/
concepts/security/overview/
•  How to Exploit a Microservice Architecture – https://www.javelynn.
com/devops/how-to-exploit-a-microservice-architecture/
WRITTEN BY SUDIP SENGUPTA,
TECHNICAL WRITER, JAVELYNN
Sudip Sengupta is a TOGAF Certified Solutions
Architect with more than 15 years of experience
working for global majors such as CSC, Hewlett
Packard Enterprise, and DXC Technology. Sudip now works as
a full-time tech writer, focusing on Cloud, DevOps, SaaS, and
cybersecurity. When not writing or reading, he's likely on the
squash court or playing chess.
600 Park Offices Drive, Suite 300
Research Triangle Park, NC 27709
888.678.0399 | 919.678.0300
At DZone, we foster a collaborative environment that empowers developers and
tech professionals to share knowledge, build skills, and solve problems through
content, code, and community. We thoughtfully — and with intention — challenge
the status quo and value diverse perspectives so that, as one, we can inspire
positive change through technology.
Copyright © 2022 DZone, Inc. All rights reserved. No part of this publication
may be reproduced, stored in a retrieval system, or transmitted, in any form or
by means of electronic, mechanical, photocopying, or otherwise, without prior
written permission of the publisher.
6 BROUGHT TO YOU IN PARTNERSHIP WITH