I’m sure there is a metric somewhere on the internet that shows how many times a day people talk about the importance of having a CI/CD pipeline and how it is a key part (and it is) of an Agile/DevOps approach to doing things faster. I’m sure the gap between mentions is short. You’ll see it described as a conveyor belt, a pipe, or one of a dozen other picturesque phrases.
Once it’s all working, you drop your code in at one end, add some tests, sit back and see what happens.
It does the job you set it up for, and you stop paying attention to it; as long as nothing goes wrong, it tends to get left alone.
There might be one person in the team who occasionally patches things, helps add that new batch of tests, or clears out a directory. But once it’s running you can leave it alone.
Isn’t life good?
Let’s rewind to December last year, when it was discovered that SolarWinds had been hacked. Criminals had not only breached the network but had used the build server for their Orion product (with ~33,000 customers) to inject custom code into the build process. That allowed the Sunburst malware to be bundled into the patches for the product and pushed to the official product servers, where customers downloaded it and installed it on their own infrastructure.
This was a major attack, possibly years in the planning and preparation.
Now we can hope this is an unusual occurrence and sit back, confident that we wouldn’t be a target. Are we too small, not worth the effort, or is our security better than SolarWinds’ (or Microsoft’s or Malwarebytes’, to name a few other recent targets)?
Perhaps it is time to take a look at your pipeline and show it a little attention. Here are some starter questions.
- Is the build system part of your strategy?
- Is it documented?
- Is there an owner? Are they accountable?
- Who has access to the box?
- Does it have the appropriate accesses and no more?
- When did you last change your passwords? Are you following good practice?
- Is it running on a fully patched and protected server?
- How often is the build software checked and validated?
- Does it need internet access?
- If there’s a problem, who do you reach out to?
- Does it have any self-checks?
- Have you incorporated any security checks into the build process?
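One concrete answer to the last two questions (self-checks and security checks in the build process), as an added example that is not from the original post: a small script that pins SHA-256 hashes of the files that define the build (scripts, pipeline config, Makefile) and compares them before each run, so that an unauthorised edit to the build process itself, the kind of change that turned the Orion build into a malware delivery channel, fails the job instead of being built and shipped. The file names, contents, and the `demo()` workspace are constructed for this example; the pinned manifest is assumed to be stored somewhere the build agent cannot rewrite.

```python
"""Build-process self-check: detect drift in the files that define the build.

Added example, not code from the original post. It pins a manifest of SHA-256
hashes for build-defining files and verifies the workspace against it before
the build runs. File names and contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large build scripts don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, files) -> dict:
    """Pin the current hashes of the named files (run once, store out-of-band)."""
    return {name: sha256_file(root / name) for name in files}


def save_manifest(manifest: dict, dest: Path) -> None:
    """Serialise the manifest; the real store should be write-protected from the build agent."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def check_manifest(root: Path, expected: dict) -> dict:
    """Compare the workspace with the pinned manifest.

    Returns {'missing': [...], 'modified': [...], 'ok': [...]} so the caller
    can log exactly which build-defining file drifted.
    """
    result = {"missing": [], "modified": [], "ok": []}
    for name, digest in expected.items():
        p = root / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_file(p) != digest:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    return result


def verify_or_fail(root: Path, expected: dict) -> None:
    """Gate for the start of a build step: raise if anything drifted."""
    r = check_manifest(root, expected)
    if r["missing"] or r["modified"]:
        raise RuntimeError(f"build definition drift: {r}")


def demo() -> dict:
    """Constructed workspace: pin a manifest, then simulate unauthorised changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = ["build.sh", "pipeline.yml", "Makefile"]  # constructed names
        (root / "build.sh").write_text("#!/bin/sh\nmake release\n")
        (root / "pipeline.yml").write_text("stages: [build, test]\n")
        (root / "Makefile").write_text("release:\n\tgo build ./...\n")

        pinned_path = root / "pinned-manifest.json"  # stands in for an out-of-band store
        save_manifest(build_manifest(root, files), pinned_path)

        # Simulate drift: an unauthorised extra step in build.sh and a deleted Makefile.
        with (root / "build.sh").open("a") as f:
            f.write("echo unexpected extra step\n")
        (root / "Makefile").unlink()

        return check_manifest(root, load_manifest(pinned_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `verify_or_fail` as the first step of the job, with the manifest read from a location the build agent can only read (a secrets store, a signed file in a separate repository, or a protected branch), and re-pin it through the same review process you use for code changes; a manifest the build box can rewrite proves nothing.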