Continuous Development

Together, continuous integration (CI) and continuous delivery/deployment (sometimes called CD2) form a development process known as continuous software development (CSD). TechTarget points out that CSD shares many traits with agile software development, including being iterative, automated, and quick to deliver. CSD focuses on the idea of continuous improvement, which TechTarget describes as “a cycle of planning, delivering to a customer, gathering feedback and acting on that feedback” to continually improve a product.

• Automation is key to securing continuous development. Automate wherever you can automate. In addition, Jim Bird, author of “DevOpsSec: Securing Software Through Continuous Delivery,” recommends these activities:
• Do a threat model on the CI/CD pipeline. Look for weaknesses in the setup and controls, and gaps in auditing or logging.
• Harden the systems that host the source and build artifact repositories, the CI/CD servers, and the systems that host the configuration management, build, deployment, and release tools.
• Ensure that keys, credentials, and other secrets are protected. Get secrets out of scripts and source code and plaintext files, and use an audited, secure secrets manager.
• Secure access to the source and binary repos, and audit access to them.
• Implement access control across the entire toolchain.
• Change the build steps to sign binaries and other build artifacts to prevent tampering.
• Ensure that all systems are monitored as part of the production environment.