Secure CI/CD: Building CI/CD Pipelines with Continuous Security in Application Development

by Jürgen Großmann, Andre Plötze, Abhishek Shrestha, 01.09.2025

Three people coding and discussing their work in an office setting.
© BalanceFormcreative / iStock

Software development practices have evolved throughout the years, from the more sequential and rigid waterfall model to more flexible methodologies like Agile. This evolution has been driven by the need to deliver value faster and make the development and delivery process smoother and more efficient, not only for end customers but also for the teams themselves. A cornerstone of this evolution is DevOps, facilitated by automated Continuous Integration (CI) and Continuous Deployment (CD).

CI/CD streamlines DevOps workflows by automating the building, testing, and deployment of applications (https://arxiv.org/abs/2401.17606). In today’s development landscape, companies increasingly rely on automation platforms like GitLab CI/CD to integrate code and deploy seamlessly, often across cloud environments such as AWS. However, without robust security measures, the applications deployed within these pipelines and the pipelines themselves can become high-value attack targets. From leaked credentials to compromised dependencies, the risks are real and growing (https://cheatsheetseries.owasp.org/cheatsheets/CI_CD_Security_Cheat_Sheet.html).

The Shortcomings of Current CI/CD Implementations

Although many organizations have been practicing DevOps for years, security still often remains an afterthought (https://learn.fastly.com/rs/025-XKO-469/images/Fastly_eBook-DevOps-Roadmap_2023.pdf). While CI/CD offers a natural opportunity to embed security within these workflows, tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are frequently introduced too late in the process rather than from the start (https://arxiv.org/abs/2310.00205). These challenges are further amplified in large-scale projects, where governance and scalability issues make integration even more difficult.

Towards Secure Application Development and Deployment and Scalable Pipelines

Automated security testing, when integrated across the stages of the pipeline, enables continuous security and provides fast and reliable assessments of vulnerabilities (https://ieeexplore.ieee.org/document/10957011). Furthermore, the pipelines themselves must be treated as critical infrastructure, since they hold or can reach highly sensitive assets: source code repositories, production and test environments, secrets, and configuration files.
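To make both points concrete (security testing at several stages, and a pipeline that holds no long-lived secret worth stealing), here is an added example of a GitLab CI/CD configuration. It is not from the original article or from Fraunhofer FOKUS. It assumes a Python project with a hash-pinned requirements file, a staging URL for DAST, a GitLab instance URL registered as an OIDC identity provider in AWS, and an IAM role that trusts it; the role ARN, URLs and bucket name are placeholders.

```yaml
# Added example (not from the original page): a .gitlab-ci.yml that embeds
# security scanning in several stages and deploys to AWS via OIDC instead of
# a stored access key. All ARNs, URLs and bucket names are placeholders.

stages:
  - build
  - test
  - dast
  - deploy

variables:
  GIT_DEPTH: "50"
  # The DAST template scans this target (staging, placeholder); never point
  # an active scan at production.
  DAST_WEBSITE: https://staging.example.internal

# GitLab-maintained scanner templates. SAST/Secret Detection/Dependency
# Scanning run in the "test" stage, DAST in the "dast" stage. Dependency
# Scanning and DAST require GitLab Ultimate.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

build:
  stage: build
  image: python:3.12-slim   # in production pin by digest (image@sha256:...)
  script:
    # --require-hashes refuses any dependency whose hash is not in the
    # lockfile, which blocks a silently replaced package.
    - pip install --require-hashes -r requirements.txt
    - pip install build
    - python -m build
  artifacts:
    paths: [dist/]

# The included job is called secret_detection and defaults to
# allow_failure: true. Overriding it here makes a committed credential
# fail the pipeline instead of only producing a report.
secret_detection:
  allow_failure: false

deploy_production:
  stage: deploy
  image: amazon/aws-cli:2.15.0   # pin by digest in practice
  # GitLab mints a short-lived OIDC JWT for this job only.
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.example.com   # must equal the audience on the IAM OIDC provider
  variables:
    ROLE_ARN: arn:aws:iam::123456789012:role/gitlab-deploy   # placeholder
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  environment: production    # make this a protected environment in GitLab
  resource_group: production # one production deploy at a time
  needs: [build, dast]
  script:
    # Exchange the job token for one-hour AWS credentials. Nothing is stored
    # as a CI/CD variable, so there is no long-lived key to leak.
    - >
      read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$(aws sts assume-role-with-web-identity
      --role-arn "$ROLE_ARN"
      --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token "$GITLAB_OIDC_TOKEN"
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text)"
    - export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    - aws s3 sync dist/ "s3://example-release-bucket/${CI_COMMIT_SHA}/"  # placeholder bucket
```

Two points matter for the "pipeline as critical infrastructure" argument: the IAM role's trust policy should restrict the `sub` claim to this project and branch (for example `project_path:group/app:ref_type:branch:ref:main`) so a job in any other repository cannot assume it, and the deploy job should only run in a protected environment so that the OIDC token is never issued to an unreviewed merge request pipeline.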

Moreover, in large-scale industrial deployments, secure CI/CD cannot be achieved with textbook knowledge alone. The requirements for scalability often clash with strict security measures, especially given the sheer size of code bases, distributed organizational structures, and the complexity of integration processes. This frequently leads to trade-offs that are far from trivial and demand nuanced, experience-driven solutions.

Fraunhofer FOKUS, with its long history of transferring research into industrial practice, can draw extensively on its expertise from major software development projects and applied research. This dual perspective allows FOKUS to address real-world challenges in reconciling security, scalability, and practicality, equipping teams not only with the basics of GitLab, AWS deployments, and SAST/DAST integration, but also with the advanced strategies and case-driven insights needed to master secure CI/CD at industrial scale.

Links:

1. https://www.fokus-akademie.de/en/courses/free-on-demand-ci-cd.html
2. https://www.fokus-akademie.de/en/courses/ci-cd.html