Virtualization Technology News and Information
Reimagining Compliance: Using the CI/CD Process to Secure Your Software Supply Chain

Rising Threats Need a New Approach

Congratulations! You've been tasked with securing your organization's software supply chain. This might be due to your business dealings with the U.S. Federal Government, which mandates this. It could also be because your internal audit team raised security concerns, or perhaps your CISO is mindful of past challenges, such as those presented by SolarWinds and Log4j. Whatever the reason, you need an efficient, nondisruptive solution that won't add to the developers' workload.

A common approach is to focus security around the early stages of development. This is helpful but incomplete, and often adds unwanted overhead to the development process. The software supply chain demands a holistic security posture encompassing all stages of the software development lifecycle, from ideation to production. It needs visibility into all components of the software supply chain, including third-party vendors and open-source software.



One of the best and most efficient ways to achieve this is by embedding security and compliance enforcement into the CI/CD process. CI/CD automates the software development and deployment process, which offers a unique control point to identify and mitigate security vulnerabilities before they reach production. By integrating security into CI/CD, enterprises can create a continuous feedback loop that helps to improve the security of their software throughout its lifecycle.

The Double-Edged Sword of "Shift Left"

The "Shift Left" principle in security advocates for integrating security measures earlier into the software development lifecycle (SDLC). This means that developers take over more of the security responsibilities that previously were performed by DevOps engineers and SREs.

While the Shift Left principle has many benefits, it also introduces some challenges. In the traditional approach to security, a dedicated team of security experts would be responsible for reviewing and approving code changes before they were deployed. In a Shift Left environment, security responsibilities are decentralized and distributed across the entire development team, making it difficult to ensure that security is being implemented consistently and effectively. Different teams choose to use different tools and processes, which means security data ends up in silos across the organization. Incomplete data makes it challenging to enforce policies now and fix new security vulnerabilities later.


Figure 1: Shift left can lead to silos of knowledge and expertise

"Shift Left" requires that developers have a good understanding of security best practices, which is challenging for developers who are not security experts. And of course security requirements change over time, so developers also need to stay up to date on the latest security threats and vulnerabilities.

Automating Compliance and Security in the CI/CD Process: The Deployment Firewall

These challenges highlight the need for a consistent point of control in the application lifecycle, both to identify and fix security vulnerabilities and to ensure that application releases comply with all relevant security and compliance requirements. The CI/CD process can offer just such a control point.

It can be helpful to think of the CI/CD process as a "Deployment Firewall" that sits at the edge of the production environment where applications will run. Just as a network firewall blocks bad actors from accessing a production network, a deployment firewall blocks "bad" application releases from production deployment. In this case a bad application release may be one that contains unacceptable security vulnerabilities, has not gone through the required set of security checks, has not been properly approved, or in some other way is out of compliance with the release policies the organization has defined for this application. The deployment firewall operates on these policies as a set of rules that are evaluated at the time of deployment. Deployments that meet the rules proceed to production. Deployments that do not are blocked, with notifications sent back to the application owners and deployment team.

With such an approach, the CI/CD process moves from orchestration to active enforcement. As every application must be deployed at some point, a CI/CD-based deployment firewall directly addresses the challenges of decentralized development. The result is that every piece of software aligns with industry standards, security protocols, and best practices before seeing the light of production.


Figure 2: Deployment firewall acts as a unified control point for compliance and security

Enforcing NIST Controls with a Deployment Firewall

Any enforcement must start with a coherent set of policies to be enforced. The work of the National Institute of Standards and Technology (NIST), particularly Special Publication 800-53, is an excellent guide for organizations working towards more secure and dependable system architectures. Organized into control families, these standards offer a holistic approach to software security. Many of the NIST controls can be automatically evaluated during the CI/CD process using a deployment firewall approach, providing a way to automatically enforce some of the most stringent industry standards.

For example, under NIST guidelines it is necessary to verify the health and readiness of container images when they are deployed. Each container image should incorporate both a process health check and a readiness probe. A deployment firewall approach can evaluate this by checking if a Docker container has the proper source or test annotations. These annotations can be used to determine if the appropriate health checks were part of building the container. Additionally, Docker signing can be checked to verify test results or where the container was built. By enforcing these standards at the deployment firewall, containers are ensured to be optimally prepared for their specific roles. Containers missing these checks can disrupt orchestrated workflows or operate sub-optimally, potentially leading to system vulnerabilities and inefficiencies.
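The rule evaluation described above (policies checked at deployment time, including the probe, annotation and signing checks), sketched as an added example that is not code from the article or from any product. It assumes the pipeline hands the gate a Kubernetes-style pod spec, the image's annotations and the recorded result of an earlier signature check; `example.com/tests-passed` and the `signature_verified` field are hypothetical names.

```python
REQUIRED_ANNOTATIONS = (
    "org.opencontainers.image.source",  # OCI annotation: where the image was built from
    "example.com/tests-passed",         # hypothetical key written by the test stage
)

def rule_probes(release):
    containers = release["pod_spec"].get("containers") or []
    out = [] if containers else ["no containers declared"]
    for c in containers:
        for probe in ("livenessProbe", "readinessProbe"):
            if not c.get(probe):
                out.append(f"{c['name']}: missing {probe}")
    return out

def rule_annotations(release):
    ann = release.get("image_annotations") or {}
    out = [f"missing annotation {k}" for k in REQUIRED_ANNOTATIONS if not ann.get(k)]
    if ann.get("example.com/tests-passed") not in (None, "", "true"):
        out.append("tests-passed annotation is not 'true'")
    return out

def rule_signature(release):
    # Assumed to be recorded by an earlier signature-verification step; no crypto here.
    return [] if release.get("signature_verified") is True else ["image signature not verified"]

RULES = (rule_probes, rule_annotations, rule_signature)

def evaluate(release):
    """Return (allowed, violations). A rule that cannot run counts as a violation."""
    violations = []
    for rule in RULES:
        try:
            violations += rule(release)
        except (KeyError, TypeError, AttributeError) as exc:
            violations.append(f"{rule.__name__}: malformed input ({exc!r})")
    return (not violations, violations)

# Constructed sample releases (not taken from the article).
PROBE = {"httpGet": {"path": "/healthz", "port": 8080}}
GOOD = {
    "pod_spec": {"containers": [{"name": "api", "livenessProbe": PROBE, "readinessProbe": PROBE}]},
    "image_annotations": {"org.opencontainers.image.source": "https://git.example.com/team/api",
                          "example.com/tests-passed": "true"},
    "signature_verified": True,
}
BAD = {  # no readiness probe, no test annotation, signature never verified
    "pod_spec": {"containers": [{"name": "api", "livenessProbe": PROBE}]},
    "image_annotations": {"org.opencontainers.image.source": "https://git.example.com/team/api"},
}
```

`evaluate(GOOD)` allows the release, while `evaluate(BAD)` blocks it and returns the violation list that would be sent back to the application owners; malformed input is blocked rather than waved through.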

In this model, deployment acts as a rigorous control point, rather than merely the end of the software delivery process. Operationalizing controls like those specified by NIST ensures that software consistently aligns with top compliance and security standards.

Trust but Verify: Safeguarding the Software Supply Chain

The principle "trust but verify" aptly applies to software delivery. While giving developers the freedom to innovate is essential, having mechanisms that ensure compliance and security is equally crucial. The CI/CD pipeline can play this role as an integral part of the application software lifecycle, scrutinizing code and artifacts to ensure they align with security and compliance benchmarks before deployment.

This proactive approach mitigates risks and streamlines code delivery, accelerating the pace at which solutions reach the business. Furthermore, this offloads a lot of the security burden from development teams so that they can focus on their core strength: innovating for the business. The result is a dual win: an enhanced security posture coupled with an environment where developers can concentrate on creating value, all while bolstering organizational confidence in a robust and secure software supply chain.

In conclusion, adopting a control point or "deployment firewall" within the CI/CD deployment process is essential for a resilient software supply chain. If your objective is a secure and agile software supply chain, refining and reinforcing your CI/CD process is a logical step forward.





Gopinath Rebala Chief Technology Officer and co-founder, OpsMx


Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures of OpsMx secure software delivery solutions. Gopi also has a strong connection with OpsMx customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and a well-known leader in the continuous delivery and open source community. Previously, Gopi was a co-founder and CTO at N42, which delivered machine learning tools for large operational systems.

Published Friday, October 13, 2023 7:34 AM by David Marshall