DevSecOps: Securing Your Continuous Delivery Pipeline

In today’s world, DevOps practices have become the norm – but are companies implementing appropriate security processes throughout their software delivery life cycles?

Scott Willson
Scott Willson, August 17, 2017 2:30 pm
Blog > DevSecOps | ARA | DevOps > DevSecOps: Securing Your Continuous Delivery Pipeline

Today, DevOps is mainstream and as a result, there is plenty of information readily available concerned with how to achieve it. Lately, however, there's been an increase in the messaging and concern surrounding security within DevOps practices. This is a good thing, of course – because who wants to deploy vulnerable code to a production environment? Security concerns within DevOps are collectively known as ‘DevSecOps’. The thing is, DevSecOps is typically focused on the safety of application code and its ecosystem.

I submit to you, however, that DevSecOp concerns primarily concentrated on the application and its ecosystem are not the final destination. I propose there is another layer of concern which need to be considered and addressed. What is this additional layer? It's the actual Continuous Delivery pipeline itself that needs to be secured, and not just the deliverable artifacts and resources.

The automation mechanics used by CD pipelines are designed to make aggressive changes to environments. They execute commands, change files and access dependent app resources. What's more is that over time, as problems arise deploying newer versions of an app, privileges are increased in an ad-hoc fashion to solve or address these challenges. A kind of ‘privilege-creep’ occurs. Can you imagine if a hacker were able to compromise one of your automation mechanics? If they gained control of an automation bot, agent or daemon?

Securing the Pipeline

This is where CA Privilege User Governance comes in. By combining the CA Identity Suite with CA Automic Release Automation, you can ensure the tried and true practice of ‘least privilege’ applies to your CD pipelines. CA Automic Release Automation and CA Privileged Access Manager (CA PAM) provides privileges that are granted just-in-time to agents and only for the duration required to complete the necessary deployment tasks. Additionally, passwords can be randomized and changed with each request.

Adding identity governance and administration to CA PAM and CA Automic Release Automation provides organizations with even more visibility, control and auditability of their CD pipelines.  The credentials and privileges used by automation bots, agents or daemons is no longer a black box, but a reconcilable component of your CD pipeline.

Gone are the days of using static passwords for little-known credentials and a growing set of ‘permanent’ privileges. Combining CA Automic Release Automation and the CA Identity Suite will give your organization peace of mind and an auditable trail of the credentials and privileges used along every step of your CD pipeline, making that goal of DevSecOps practices more achievable.

This combined solution by CA reminds me of the door to ‘The Source’ in the movie, The Matrix Reloaded. The door is only open for a very small window. With CA, your CD pipeline is only granted JIT privileges. Ad-hoc privilege-creep is replaced by auditable requests requiring approval. You will always know and be able to show the who, what and where for your CD pipeline.

New Call-to-action

DevSecOps
ARA
DevOps
Back to the blog
Scott Willson

Scott Willson

Scott Willson is Product Marketing Director, Release Automation at Automic Software. He has over 20 years of technology experience that spans software development, pre-sales, post sales, and marketing. Scott is passionate about technology and helping business achieve value through technology and was leading DevOps at organizations before it was coined DevOps