5 Must-Haves When Integrating DevSecOps Into Your CI/CD Pipelines

  • July 23, 2021

Continuous Integration and Continuous Delivery, or CI/CD as it is more commonly known, is one of the best ways to develop and update applications. Continuous Integration asks development teams to adopt a coding philosophy and a set of practices in which small changes are implemented and code is checked in to version control repositories frequently. When you are ready to deliver your applications to selected environments in your infrastructure, you use Continuous Delivery, or CD. It automates the delivery of your applications, making it faster and easier to roll out changes to your code.

As you integrate CI/CD into your development pipeline, you will want to ensure its security every step of the way. DevSecOps, which requires you to think about the security of your application from the very start, helps you do this. Integrating DevSecOps into your CI/CD pipeline means adding several steps, and tools are routinely being developed for exactly this purpose: they keep your CI/CD pipeline secure and uncover vulnerabilities as early as possible in the development process. Below are five must-have DevSecOps steps and the tools that implement them in your CI/CD pipeline.


1. SAST (Static Application Security Testing)

SAST is a white-box testing method: it scans the source code before it is compiled. You will want to analyze your source code for vulnerabilities, and SAST gives you real-time feedback while you code. SAST tools like SonarQube can scan millions of lines of code in minutes and confidently catch critical security vulnerabilities.


2. SCA (Software Composition Analysis)

Many developers use open-source libraries and other dependencies when building an application. It is just as important to scan these dependencies as it is to scan your own source code: security, license compliance, and code quality all need to be evaluated early and often. OWASP Dependency-Check attempts to detect publicly disclosed vulnerabilities contained in your project's dependencies.


3. DAST (Dynamic Application Security Testing)

It is also crucial to detect vulnerabilities while your application is running. DAST tools do not need access to your source code to scan for vulnerabilities; instead they perform black-box tests, sending attack-style requests to exercise your application. You will want to do this before you deploy to production. OWASP ZAP automatically finds security vulnerabilities while you are developing and testing your web applications, and it can also detect issues in applications that are already up and running in certain environments.
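What separates DAST from SAST is that it judges only what the running application sends back. The following Go example is added here; it is not code from the post or from OWASP ZAP. It serves a constructed web application on a local test server and runs a passive check of the kind ZAP's passive rules perform: one black-box GET, then a verdict based on the response headers and cookie flags alone. The required-header list and the sample application are assumptions for the illustration; the hardened=true build is the same application with the findings fixed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"sort"
	"strings"
)

// NewApp returns a tiny constructed web application. With hardened=false it
// reproduces the findings a DAST passive scan reports; hardened=true is the fixed build.
func NewApp(hardened bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		cookie := &http.Cookie{Name: "session", Value: "constructed-session-id", Path: "/"}
		if hardened {
			cookie.HttpOnly, cookie.Secure = true, true
			w.Header().Set("Content-Security-Policy", "default-src 'self'")
			w.Header().Set("X-Content-Type-Options", "nosniff")
			w.Header().Set("X-Frame-Options", "DENY")
		}
		http.SetCookie(w, cookie)
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>hello</body></html>")
	})
	return mux
}

// requiredHeaders lists headers every HTML response should carry (an assumed
// policy). An empty expected value means any value is fine; absence is the finding.
var requiredHeaders = map[string]string{
	"Content-Security-Policy": "",
	"X-Content-Type-Options":  "nosniff",
	"X-Frame-Options":         "",
}

// PassiveScan performs one black-box GET and reports what can be judged from
// the response alone, the way a DAST passive rule set does: no source needed.
func PassiveScan(client *http.Client, url string) ([]string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var findings []string
	for name, want := range requiredHeaders {
		got := resp.Header.Get(name)
		switch {
		case got == "":
			findings = append(findings, "missing header "+name)
		case want != "" && !strings.EqualFold(got, want):
			findings = append(findings, fmt.Sprintf("header %s is %q, want %q", name, got, want))
		}
	}
	for _, c := range resp.Cookies() {
		if !c.HttpOnly {
			findings = append(findings, "cookie "+c.Name+" lacks HttpOnly")
		}
		if !c.Secure {
			findings = append(findings, "cookie "+c.Name+" lacks Secure")
		}
	}
	sort.Strings(findings) // map iteration order is random; keep the report stable
	return findings, nil
}

// ScanHandler serves the app on a local test server and scans it, the way a
// pipeline stage scans a freshly deployed staging instance before production.
func ScanHandler(h http.Handler) ([]string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	return PassiveScan(srv.Client(), srv.URL+"/")
}

func main() {
	for _, hardened := range []bool{false, true} {
		findings, err := ScanHandler(NewApp(hardened))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("hardened=%v: %d finding(s)\n", hardened, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The unhardened build yields five findings (three missing headers, a session cookie without HttpOnly and without Secure); the hardened build yields none. A pipeline stage would fail on a non-empty list, exactly as with the SAST step, and ZAP's active scan goes further by sending crafted inputs, which is why it belongs in a staging environment rather than production.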


4. Container Scanning

Docker images are your stand-alone software packages, or containers. If there are bugs or security vulnerabilities in these packages, you will want to identify them early, before pushing the image to a registry such as Docker Hub. Container scanning checks the packages and dependencies inside the image for known vulnerabilities; Docker image security scanning is the process that uncovers these issues.
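Dependency scanning (step 2) and container scanning (step 4) are the same operation applied to two inventories: match each installed package and version against a vulnerability feed. The Go example below is added here; it is not code from OWASP Dependency-Check or from any image scanner, and it uses a constructed advisory feed with placeholder IDs rather than real CVE data. It parses a pip requirements file and a dpkg package listing as taken from inside an image, both constructed for the example, and reports every package whose version falls inside an advisory's affected range. The version comparison is a simplified numeric one, as noted in the code.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Advisory is one entry of a constructed vulnerability feed. The IDs are
// placeholders, not real CVEs; a real scanner pulls NVD or OSV data instead.
type Advisory struct {
	ID         string
	Ecosystem  string // "pypi" (application dependencies) or "debian" (image packages)
	Package    string
	Introduced string // first affected version, inclusive
	Fixed      string // first fixed version, exclusive
}

var feed = []Advisory{
	{"ADV-EXAMPLE-0001", "pypi", "requests", "0", "2.20.0"},
	{"ADV-EXAMPLE-0002", "pypi", "pyyaml", "0", "5.4"},
	{"ADV-EXAMPLE-0003", "debian", "curl", "7.0.0", "7.79.1"},
	{"ADV-EXAMPLE-0004", "debian", "openssl", "3.0.0", "3.0.5"},
}

// Constructed inputs: a pip requirements file, and the output of
// dpkg-query -W -f '${Package} ${Version}\n' run inside a container image.
const requirements = "requests==2.19.0\nurllib3==1.26.5\npyyaml==5.4\n"
const imagePackages = "curl 7.74.0-1.3+deb11u1\nopenssl 3.0.7-1\nlibc6 2.31-13\n"

// versionKey reduces a version to its numeric runs: "7.74.0-1.3+deb11u1" becomes
// [7 74 0 1 3 11 1]. Enough for the sample data; real Debian and PEP 440 ordering
// add epochs, pre-release tags and letter suffixes that this ignores.
func versionKey(v string) []int {
	var key []int
	for _, run := range strings.FieldsFunc(v, func(r rune) bool { return r < '0' || r > '9' }) {
		n, _ := strconv.Atoi(run)
		key = append(key, n)
	}
	return key
}

// CompareVersions returns -1, 0 or 1 as a sorts before, equal to or after b.
func CompareVersions(a, b string) int {
	ka, kb := versionKey(a), versionKey(b)
	for len(ka) < len(kb) {
		ka = append(ka, 0) // pad so that 5.4 == 5.4.0
	}
	for len(kb) < len(ka) {
		kb = append(kb, 0)
	}
	for i := range ka {
		if ka[i] < kb[i] {
			return -1
		}
		if ka[i] > kb[i] {
			return 1
		}
	}
	return 0
}

// ParseInventory reads "name<sep>version" lines: sep "==" for pip pins,
// sep " " for the dpkg-query listing. Lines without the separator are skipped.
func ParseInventory(text, sep string) map[string]string {
	pkgs := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if parts := strings.SplitN(strings.TrimSpace(line), sep, 2); len(parts) == 2 {
			pkgs[strings.ToLower(parts[0])] = parts[1]
		}
	}
	return pkgs
}

// Match reports each installed package whose version lies in an advisory's
// [Introduced, Fixed) range for the ecosystem, sorted for a stable report.
func Match(ecosystem string, pkgs map[string]string, feed []Advisory) []string {
	var hits []string
	for _, adv := range feed {
		ver, installed := pkgs[adv.Package]
		if adv.Ecosystem != ecosystem || !installed {
			continue
		}
		if CompareVersions(ver, adv.Introduced) >= 0 && CompareVersions(ver, adv.Fixed) < 0 {
			hits = append(hits, fmt.Sprintf("%s %s %s (fixed in %s)", adv.ID, adv.Package, ver, adv.Fixed))
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	hits := append(Match("pypi", ParseInventory(requirements, "=="), feed),
		Match("debian", ParseInventory(imagePackages, " "), feed)...)
	for _, h := range hits {
		fmt.Println(h)
	}
	if len(hits) > 0 {
		os.Exit(1) // block the build, or the image push, until the upgrades land
	}
}
```

Two hits come back: requests 2.19.0 (below the fixed 2.20.0) and curl 7.74.0-1.3+deb11u1 (below 7.79.1), while pyyaml 5.4 sits exactly at its fixed version and openssl 3.0.7-1 is above its fix. The same gate runs on both inventories, which is the practical point: the base image's packages need the check just as much as your own lock file.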


5. Image Signature

Trusting images is critical to the security of your application. Image signatures let you verify the publisher and the integrity of the data you receive and send. You will want to sign container images when you build them and verify them when you deploy them in Kubernetes or any other orchestration tool. Docker Content Trust, driven by the docker trust command, can help you do this.
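As an added example, not part of the post and not how Docker Content Trust is implemented internally, here is the sign-at-build, verify-at-deploy flow in Go using an Ed25519 key from the standard library. The trust store, repository name and manifest bytes are constructed for the illustration; Docker Content Trust keeps this metadata in Notary with TUF key roles on top, but the check a deploy step must make is the same: resolve the tag to a digest, verify the signature under the publisher's public key, and deploy by digest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedRef is what the build step publishes alongside an image: the manifest
// digest the tag pointed to when it was built, and a signature over that digest.
type SignedRef struct {
	Digest    string // "sha256:<hex>"
	Signature []byte
}

// TrustStore stands in for the signature metadata a Notary server or registry
// would hold, keyed by "repo:tag". (Real Docker Content Trust adds TUF roles.)
type TrustStore map[string]SignedRef

// NewSigningKey creates the publisher's Ed25519 key pair; only the public
// key is distributed to the deploy side.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ManifestDigest is the content address of an image: the hash of its manifest bytes.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignImage is the build step: sign the digest and record it under repo:tag.
func SignImage(store TrustStore, repo, tag string, manifest []byte, priv ed25519.PrivateKey) SignedRef {
	digest := ManifestDigest(manifest)
	ref := SignedRef{Digest: digest, Signature: ed25519.Sign(priv, []byte(digest))}
	store[repo+":"+tag] = ref
	return ref
}

// ResolveAndVerify is the deploy step: given the manifest the registry serves
// for repo:tag right now, refuse to deploy unless it matches the signed digest
// and the signature checks out under the trusted public key. On success it
// returns a digest-pinned reference so the deployment cannot drift later.
func ResolveAndVerify(store TrustStore, repo, tag string, manifest []byte, pub ed25519.PublicKey) (string, error) {
	ref, ok := store[repo+":"+tag]
	if !ok {
		return "", errors.New("no signature published for " + repo + ":" + tag)
	}
	if ManifestDigest(manifest) != ref.Digest {
		return "", errors.New("registry content for " + tag + " does not match the signed digest")
	}
	if !ed25519.Verify(pub, []byte(ref.Digest), ref.Signature) {
		return "", errors.New("signature on " + repo + ":" + tag + " is not from the trusted publisher")
	}
	return repo + "@" + ref.Digest, nil
}

func main() {
	pub, priv := NewSigningKey()
	store := TrustStore{}
	manifest := []byte(`{"schemaVersion":2,"layers":["constructed-layer"]}`) // constructed manifest
	ref := SignImage(store, "registry.example/app", "1.0", manifest, priv)
	fmt.Println("build: signed", ref.Digest)

	pinned, err := ResolveAndVerify(store, "registry.example/app", "1.0", manifest, pub)
	fmt.Println("deploy:", pinned, err)

	// The registry now serves different bytes under the same tag (re-pushed or tampered with).
	tampered := []byte(`{"schemaVersion":2,"layers":["something-else"]}`)
	_, err = ResolveAndVerify(store, "registry.example/app", "1.0", tampered, pub)
	fmt.Println("deploy after tag drift:", err)
}
```

Three failure cases matter in practice and all three are rejected here: a tag nobody signed, a tag whose content changed after signing, and a signature made with a key other than the publisher's. Deploying the returned digest-pinned reference rather than the mutable tag is what keeps the verified image and the running image identical.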


At Flugel.it, we highly recommend including all five of these steps in your CI/CD pipeline. The security tools available will help you implement them and ensure the security and safety of your applications. Remember, it is never too early to integrate security practices into your development pipeline.


Credits
Written by: Gaston Valdes
General corrections and editing: Diego Woitasen