close search bar

Sorry, not available in this language yet

close language selection
«
»
 

How to build security into the DevOps life cycle

Posted by on Friday, June 2, 2017

How to build security into the DevOps life cycle

As a kid, I often traveled by train in India. I always wondered what would happen if I pulled the chain under the sign that read, “To Stop Train, Pull Chain.” My parents warned me that it would cost them a fortune to pay the fine and that I’d be taken away by the police. Even though it scared me as a child, I was still tempted by the thrill of pulling that chain.

Fast forward 25 years, and I find myself pushing my clients to pull a similar, metaphorical chain. The chain in this case exists in their fast-tracked continuous integration/continuous delivery (CI/CD) pipeline where the procedural train moves at lightning speed.

Key software security activities

Before digging into why pulling the proverbial CI/CD pipeline chain is important, let’s first examine some key software security activities. We’ll explore activities that take place in-line with the pipeline, in addition to those performed out-of-band.

What’s the difference between in-line and out-of-band activities, you may ask? Activities that can be completely automated and run in a CI/CD pipeline without any human intervention are categorized as in-line activities. Examples include SAST, DAST, and open source management.

Activities that cannot be completely automated are categorized as out-of-band. Examples include architecture risk analysis, threat modeling, and manual code review.

Most in-line activities can also be performed out-of-band. However, out-of-band activities can’t be performed inline. As an example, there is currently no way to automate architecture risk analysis or manual code review.

To stop the train, simply pull the chain

The primary goal when breaking the build in the CI/CD DevOps life cycle is to treat security issues with the same level of importance as quality and business requirements. If quality or security tests fail, the continuous integration server breaks the build.

When the build breaks, the CI/CD pipeline also breaks. Based on the reason for the broken build, appropriate activities such as architecture risk analysis (ARA), threat modeling, or a manual code review are triggered.

This eBook provides actionable insight into:

  • Building security into your DevOps SDLC
  • Understanding the relationship between security and quality in the CI/CD pipeline
  • Coordinating various teams to ensure that the process is well defined, tools are properly configured, and developers are ready to resolve issues when the build breaks
Ensure that your DevOps security strategy is on the right track

Download eBook

This post is filed under Building secure software.
 
Meera Rao
Posted by

Meera Rao

Meera Rao

Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.

SEE AUTHOR ARCHIVE

More from Building secure software

Subscribe
Related Tags