What Is the CI/CD Pipeline and CI/CD Security?
The CI/CD pipeline is a foundational part of DevOps.
The CI/CD pipeline is a foundational part of DevOps. In addition to laying the foundation for the processes that DevOps teams use to deliver software, the pipeline also forms the basis for DevOps culture by unifying development work with IT work.
Given the centrality of the CI/CD pipeline to DevOps, it’s critical to secure the CI/CD pipeline.
What Is CI/CD?
CI/CD is the set of processes that DevOps teams use to produce software and software updates. Typically, those processes include:
- Planning: Developers plan changes to existing code (or plan a new application, if they are developing one from scratch).
- Coding: Developers write new code to implement their changes.
- Continuous Integration: New code is integrated into the main codebase as the new code is written.
- Building: Source code is compiled to build a new application version.
- Testing: Performance tests verify that the application build runs as required.
- Deployment: If testing is successful, the new release is deployed into production.
- Management: IT engineers monitor and manage the application in the production environment.
- Feedback: Feedback from the production environment is used to help shape the next round of application updates.
What Does CI/CD Stand For?
The acronym CI/CD stands for Continuous Integration/Continuous Delivery. That term can be a little misleading because Continuous Integration and Continuous Delivery are not the only processes in a CI/CD pipeline; indeed, Continuous Delivery isn't even a single process as much as it is the broad set of processes by which software is produced. (Continuous Integration, for its part, is a distinct process.)
Nonetheless, CI/CD is the term DevOps teams typically use to refer to the set of processes they use to create and update applications
What Is a CI/CD Pipeline?
A CI/CD pipeline, sometimes also called a DevOps pipeline, is what you get when you integrate all of the processes that go into delivering software.
In other words, when code flows smoothly and automatically from one CI/CD process into another, you have a CI/CD pipeline.
The pipeline is sometimes represented as a loop because teams can use feedback from the management stage to plan their next set of code changes. This practice helps achieve the DevOps goal of continuous improvement.
Figure 1: Stages and DevOps workflow of the CI/CD pipeline
What is CI/CD Security?
The core stages of the CI/CD pipeline typically don't extend to security. You can write, test, deploy, and monitor applications without securing them at each stage in the CI/CD process.
But failing to bake security into CI/CD leaves you at risk either of failing to secure your application at all, or of trying to manage security as a separate process that is not integrated into the application delivery workflow. In the latter case, it becomes difficult to ensure that security problems are detected and resolved quickly and efficiently.
That's why DevOps teams typically embrace the concept known as DevSecOps, which encourages the integration of security into core DevOps practices (as well as close collaboration between security engineers, developers, and IT engineers).
The integration of security into CI/CD typically involves adding security checks or safeguards to each key stage of the CI/CD pipeline:
- Source code scanning and analysis: You can scan source code for potential vulnerabilities as developers write it. You can also perform Source Composition Analysis (SCA) to identify security issues that may be introduced by third-party code or libraries that your own application uses.
- Security testing: Security tests can be run alongside the performance tests that teams run on new application builds prior to deploying them. At this stage, security tests can check for issues like vulnerability to injection attacks or insecure application configurations.
- Runtime security: Security monitoring and testing can continue after application deployment by identifying and responding to threats that arise in production. In addition, infrastructure as code (IaC) templates and IAM rules can be scanned continuously to detect vulnerable configurations within the application hosting environment that could enable breaches.
The goal of CI/CD security is not just to detect and address vulnerabilities, but to do so in a way that keeps pace with the rest of the CI/CD operation. With strong CI/CD security in place, teams can find and fix security issues without significantly slowing down the flow of the CI/CD pipeline or having to delay or roll back application releases.