I’m sure there is a metric somewhere on the internet that shows the number of times per day people talk about the importance of having a CI/CD pipeline and how it is a key (and it is ) part of an Agile/DevOps approach to doing things faster. I’m sure the gap between mentions is low. You’ll see it described as a conveyer belt or a pipe or one of a dozen other picturesque phrases.
Once it’s all working, you drop your code in at one end, add some tests, sit back and see what happens.
It does its job, and you stop paying attention to it. It does the job you set it up for, and as long as nothing goes wrong, it tends to get left alone.
There might be one person in the team who occasionally patches things, helps add that new batch of tests, or clears out a directory. But one it’s running you can leave it alone.
Isn’t life good?
Let’s rewind to December last year when it was discovered that SolarWinds had been hacked. Criminals had not only breached the network but used the build server which built their Orion product (with ~33,000 customers) to inject custom code into that process that allowed the Sunburst malware to become bundled within the patches for their product and onto the official product servers where they could be downloaded by customers and installed on their own infrastructure.
This was a major attack, possibly years in the planning and preparation.
Now we can hope this is an unusual occurrence and sit back confident that we wouldn’t be a target. We might be too small, not worth the effort or our security is better than SolarWinds (or Microsoft’s or Malawarebytes’ to name a few other recent targets)?
Perhaps it is time to take a look at your pipeline. Show it a little attention, and here are some starter questions.
- Is the build system part of your strategy?
- Is it documented?
- Is there an owner? Are they accountable?
- Who has access to the box?
- Does it have the appropriate accesses and no more?
- When did you last change your passwords? Are you following good practice?
- Is it running on a fully patched and protected server?
- How often is the build software checked and validated?
- Does it need internet access?
- If there’s a problem, who do you reach out to?
- Does it have any self-checks?
- Have you incorporated any security checks into the build process?
About Andrew Fullen
Andrew has been a managing consultant with Sogeti since 2009. In this role, he has worked on a number of major clients across government and private sectors covering tasks such as security test manager for a major government pan-agency project, helping with restructuring a bank rescued by the UK government during the financial crash, re-planning a major welfare project and architecting a performance policy and approach to address significant shortfalls in the delivered solution.
More on Andrew Fullen.