One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2293217
Publication date 2021-02-04 11:00:00 (viewed: 2021-02-04 12:05:18)
Title Rooting out the cybersecurity risk in your CI/CD pipeline
Text This blog was written by an independent guest blogger.

When it comes to productivity, agility, and efficiency, continuous integration/continuous delivery (CI/CD) pipelines are great. When it comes to ensuring cybersecurity, they leave a lot to be desired. In fact, especially given the popularity of CI/CD pipelines now, securing continuous environments might turn into the most important security challenge of the next decade.

Some of the managerial and legal tools that will be used to meet this challenge are already available. Advanced vulnerability management programs are now able to deal with continuous environments by default, and the IoT cybersecurity act that has just been signed into law contains provisions that specify the liability of developers in the event of an embedded device getting hacked. On the technical side, however, cybersecurity has yet to catch up with the flexibility and complexity of CI/CD pipelines. In this article, therefore, I want to sketch a holistic way forward: a roadmap for how these environments can begin to be secured in the years to come. This roadmap contains five main pillars:

1. Leadership

First, and arguably most importantly, finding security vulnerabilities in your CI/CD pipeline requires brave, involved, and forward-thinking leadership. The central challenge of CI/CD pipelines, from a cybersecurity perspective, is that they are constantly evolving: security solutions that were developed for the environment of three years ago no longer offer adequate protection. In response, leaders need to inspire every member of an organization to adopt the DevSecOps mindset, in which every individual who interacts with a piece of software takes responsibility for its security. This means that managers need to put in place systems and processes through which developers can work with operations staff, and through which software can be designed so that all key stakeholders know the risks it is exposed to.

In addition, leaders should take a long-term view of security in their organizations. CI/CD pipelines provide a great deal of flexibility when it comes to software design and development, but they also require (at least) a three-year, horizon-scanning approach to security flaw identification.

2. Design for DevOps

A related point is that developers must ensure that the code they write and ship via their CI/CD pipelines is designed for the DevOps approach. This means that all source code should be pre-checked with static analysis tools prior to committing to the integration branch, which verifies that it does not introduce critical code vulnerabilities into real-world software. This is particularly important today because of the range of devices on which the average piece of software is deployed. One of the main promises, and advantages, of CI/CD pipelines is that they allow developers to work in a way that is platform-agnostic. However, this can sometimes blind them to the sheer range of places in which their code will eventually be deployed and potentially exposed to attack. Of particular concern here is the (sometimes unauthorized and often unexpected) deployment of code on smartphones. In 2020, we passed a notable watershed – for the first time in history, the majority of internet traffic originates from cell phones. Given this, it seems absurd that the majority of software is still written, by default, for desktop environments. Making sure that code is thor
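The "Design for DevOps" pillar calls for static analysis before code reaches the integration branch. As an added example (not from the article or AlienVault), the gate below consumes a SARIF 2.1.0 report, the standard output format of tools such as Semgrep and CodeQL, and refuses the commit when any finding on a staged file meets a severity threshold; the tool name, file paths and findings in the sample report are constructed for illustration.

```python
"""Pre-commit / CI gate: block a change when the static-analysis SARIF report
holds findings at or above a severity threshold on the files being committed.
Assumed workflow: a SAST tool writes results.sarif; this script decides whether
the integration branch may receive the change."""
import json
import sys

# SARIF "level" values, ordered from least to most severe (SARIF 2.1.0 spec).
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}

def findings_for(sarif: dict, changed_files: set) -> list:
    """Flatten SARIF runs into {file, line, rule, level} dicts, changed files only."""
    out = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default level is "warning"
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if uri in changed_files:
                    out.append({"file": uri, "line": phys.get("region", {}).get("startLine"),
                                "rule": res.get("ruleId"), "level": level})
    return out

def gate(sarif: dict, changed_files: set, threshold: str = "error") -> tuple:
    """Return (ok, blocking_findings); ok is False when any finding on a changed
    file is at least as severe as the threshold."""
    blocking = [f for f in findings_for(sarif, changed_files)
                if LEVELS.get(f["level"], 2) >= LEVELS[threshold]]
    return (not blocking, blocking)

# Constructed sample SARIF (not real tool output): two error-level and one note-level finding.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "hardcoded-secret", "level": "error", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 12}}}]},
        {"ruleId": "unused-import", "level": "note", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 1}}}]},
        {"ruleId": "sql-injection", "level": "error", "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "src/legacy.py"}, "region": {"startLine": 40}}}]},
    ]}]}

if __name__ == "__main__":
    # Hook usage (assumed): git diff --cached --name-only | python gate.py results.sarif
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    staged = set(sys.stdin.read().split()) if not sys.stdin.isatty() else {"src/db.py"}
    ok, blocking = gate(report, staged)
    for f in blocking:
        print(f"{f['file']}:{f['line']}: {f['rule']} [{f['level']}]")
    sys.exit(0 if ok else 1)
```

Because only staged files are considered, pre-existing findings elsewhere in the tree do not block a developer's unrelated change, which keeps the gate enforceable rather than routinely bypassed.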
Sent Yes
Tags Tool Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.