Traveling Companions: Continuous Delivery and Security
Security and Continuous Delivery. They are unlikely friends because security has historically taken an approach to do large batch testing, freeze development windows, and do annual compliance testing. These older approaches don’t work in the world of Continuous Delivery. In Continuous Delivery, there is a complete departure from traditional delivery cycles of months and quarters to times in minutes and seconds. One of the oft-quoted mantras of Continuous Delivery is that you should focus not just on speed but on how little can be delivered at a time — security has to move away from infrequent batch testing approaches to more agile approaches.
The Delivery Pipeline and Security’s Role
In the delivery pipeline, I like to think of these five stages.
Design is your intent for application and overall purpose. Inherit embodies the operating system, system dependencies, and libraries your application receives just by existing. Build is the step where everything comes together and is tested (unit, integration, smoke, …) by your CI system. Deploy is everything needed to get consumers of your application able to use it as intended. Lastly, operate is usage of the application in the real world — where rubber meets the road.
Introspective Questions for Security to Add Value
I was able to give a presentation on this topic last week at GOTO Amsterdam and we drilled in on 3 phases in particular for places where security can add value.
At each of these three phases there are introspective questions I like to ask:
- Inherit — What have I bundled into my application (either intentionally or unintentionally) that leaves me vulnerable?
- Build — Can my build acceptance tests catch security flaws and before being released?
- Operate — Am I being attacked right now and if yes, are the attackers having success?
With these three questions, this can be a guide for where to spend time and effort for security in organizations doing continuous delivery. If you are interested in this, you can see the full presentation or comment on twitter @wickett or a comment over at medium.
The Signal Sciences’ Web Protection Platform protects modern applications, microservices and APIs from real attack and threat scenarios, and can be deployed in any infrastructure and technology stack.