Security in Continuous Integration/Continuous Delivery (CI/CD) and Microservice Architectures

From the basics to securing systems on an industrial scale

This course provides a comprehensive insight into securing Continuous Integration/Continuous Delivery (CI/CD) systems and enables participants to build secure systems from the outset.

We start with the basics of CI/CD security and gradually explore advanced techniques to secure pipelines against various threats.

Hands-on learning with real applications: Participants will work with microservice-based architectures that mirror real deployment scenarios. Through interactive discussions and hands-on exercises, they will gain experience in securing CI/CD pipelines.

Address vulnerabilities and threats: We will explain the most common security risks in CI/CD pipelines and explore effective strategies to mitigate vulnerabilities and protect applications in production environments.

CI/CD for industrial applications: This course also addresses securing large-scale hardware and software environments in industrial settings, including the particular challenges of securing large codebases and complex deployment architectures.

At the end of this course, participants will have the expertise to design and implement secure CI/CD pipelines that meet industry standards and follow best practices.

Overview of the Training »Security in CI/CD and Microservice Architectures«

Event Type In-person event
Level Basic
Language English, German
Duration/Schedule 2 days (12 hours of instruction), 09:00 to 17:00 each day
Next Dates
  • 4th and 5th November 2025, 9:00 am – 5:00 pm

or

  • 2nd and 3rd December 2025, 9:00 am – 5:00 pm
Prerequisites

No prerequisites.

Helpful: basic knowledge of software development processes, familiarity with container technologies (Docker, etc.) and with version control systems (Git, etc.)

Location Fraunhofer-Institut für Offene Kommunikationssysteme FOKUS
Kaiserin-Augusta-Allee 31
10589 Berlin, Germany
Participation fee EUR 1,400, - per person
Your Advantages at a Glance

After the seminar you will be able to...

... use key technologies and methods to design, build, and secure CI/CD pipelines.

... apply modern testing methodologies and tools, and integrate them into CI/CD processes for application security testing.

... analyze and address the technical and organisational challenges of implementing secure CI/CD in industrial contexts.

Target Groups
  • Developers and process owners in teams using CI/CD and DevOps
  • Software companies
  • IT service providers
  • Operators of IT infrastructure and cloud systems
  • Other companies, authorities, etc. that operate with / use cloud infrastructure
Content

Inhouse Course:

1.     Introduction

  • What is CI/CD and CI/CD security?
  • Which CI/CD platforms exist?
  • What are microservices?

2.     Pipeline Automation

  • Implementing CI/CD with GitLab
  • Jobs, stages, and pipelines
  • GitLab runners
  • Practical implementation

3.     Application security testing in CI/CD

  • Static Application Security Testing (SAST) with SonarQube
  • OWASP Dependency-Check for Software Composition Analysis (SCA)
  • Dynamic Application Security Testing (DAST) using OWASP ZAP

4.     CI/CD pipeline security

  • What is pipeline security?
  • Potential threats to pipeline security
  • Permissions, roles and rights management
  • Virtualization, containerization and container security
  • Identity and access management, secrets management, dependency management

5.     CI/CD for industrial applications

  • General requirements
  • Key challenges
  • Practical case studies and group discussions
  • Summary and perspectives

 

Supplementary online course:

  • The software development process
  • DevOps for an optimised software development process
  • Automation using CI/CD
  • Secure CI/CD
    • Secrets management and credential security (protecting login information)
    • Containerisation
    • Example implementations
  • Best practices
Trainers

Andre Plötze (andre.ploetze@fokus.fraunhofer.de)

  • Studied at FU Berlin with a specialisation in IT security, including a master's thesis on the subject
  • Over 5 years of professional experience in the development of complex software systems
  • Trainer at the Fraunhofer Academy specialising in security testing
     

Abishek Shrestha (abhishek.shrestha@fokus.fraunhofer.de)

  • Over 4 years of professional experience in the field of machine learning
  • Scientific publications on research topics focussing on ML and security
  • Experienced trainer and course developer
  • ML and security expert with industry experience
  • Trainer at the Fraunhofer Academy specialising in ML, security and testing
     

Dorian Knoblauch (dorian.knoblauch@fokus.fraunhofer.de)

  • Over 5 years of professional experience with ML
  • Scientific publications on research topics with a focus on ML, auditing and verification of AI, and security
  • Trainer at the Fraunhofer Academy with a focus on ML, security and testing
FAQ

Frequently Asked Questions

What is CI/CD?

Continuous Integration (CI) refers to frequently merging new code changes into a shared repository, with automated builds and tests ensuring correctness. Continuous Delivery (CD) extends this by automatically staging builds into test or pre-production environments, ensuring the application is always in a release-ready state. Continuous Deployment (CD) goes one step further by automating deployment of every change that passes the pipeline directly into production for end users.

 

How does CI/CD correlate to DevOps, and does it require adopting DevOps or Agile principles to be useful?

CI/CD facilitates smoother DevOps by providing the automation that enables fast and reliable software delivery cycles. While it is closely related to DevOps and Agile principles, it is useful on its own, and adopting CI/CD does not strictly require a full DevOps or Agile process. For instance, a team can use GitLab CI/CD pipelines just to automate builds and tests without adopting a full DevOps culture or Agile practices.

 

What do you mean by a secure CI/CD pipeline?

A secure CI/CD pipeline means that security is built into every stage of the pipeline, ensuring both the applications and the pipeline itself are protected. This is achieved by integrating checks (SAST, DAST, dependency scanning), managing secrets safely, enforcing strong access and identity management, and logging and monitoring for anomalies.

 

Does securing a CI/CD pipeline require full DevSecOps implementation, and what is the difference between the two?

Securing a CI/CD pipeline does not require a full DevSecOps implementation. A secure CI/CD pipeline focuses on embedding security into the build, test, and deployment processes, while DevSecOps is a broader concept that encompasses a cultural and organizational approach to integrating security practices across the entire software development lifecycle.

 

What benefits does a secure CI/CD pipeline bring to software release cycles?

A secure CI/CD pipeline brings reliability and trust to software release cycles. Benefits are clear:

  • Reduced risks of vulnerabilities, leaked secrets, and supply chain attacks.
  • Safer releases with fewer last-minute disruptions.
  • Release cycles can be made compliant with standards.
  • Automated tests improve coding practices and code quality.

 

What are the common hurdles in integrating security into CI/CD?

While CI/CD (and secure CI/CD) has many benefits, there are some challenges teams often face, like:

  • Comprehensive security checks may slow down pipelines; balancing speed with security is essential.
  • Implementation at industrial scale (massive codebases, huge teams) can be challenging.

 

What are the best practices for secure CI/CD?

Below are some of the best practices for securing CI/CD workflows:

  • Treat everything as code, including everything needed to create, run, test, change, monitor, secure, and destroy infrastructure.
  • SAST, DAST, and SCA on every change.
  • Avoid hardcoded secrets; use short-lived, scoped tokens.
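The following GitLab CI/CD configuration is an added illustration, not course material or a Fraunhofer FOKUS artefact. It ties the three practices above and the CI/CD definitions from the first FAQ answer into one `.gitlab-ci.yml`: the pipeline is itself code in the repository, SAST (SonarQube), SCA (OWASP Dependency-Check) and DAST (OWASP ZAP) run on every change, no secret is written into the file (the SonarQube token comes from a masked, protected CI/CD variable, and the deploy jobs use a short-lived OIDC ID token that GitLab mints per job instead of a long-lived deploy credential), and the production deployment is a manual gate, which is the line between continuous delivery and continuous deployment. The application name `demo-service`, the base image, the SonarQube host URL, the internal registry, the OIDC audience and the `deploy.sh` script are assumptions made for the example.

```yaml
# Added example (not part of the course page): a minimal secure GitLab CI/CD pipeline.
# Assumed names: demo-service, the internal hosts/registry, the OIDC audience, deploy.sh.
stages:
  - build
  - test
  - security
  - deploy

default:
  image: python:3.12-slim   # assumed base image; pin by digest in real use

build:
  stage: build
  script:
    - pip install -r requirements.txt
    - python -m build
  artifacts:
    paths: [dist/]

unit-tests:
  stage: test
  script:
    - pytest

# SAST with SonarQube. SONAR_TOKEN is a masked, protected CI/CD variable, never committed.
sast-sonarqube:
  stage: security
  image: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_HOST_URL: "https://sonarqube.example.internal"   # assumption
  script:
    - sonar-scanner -Dsonar.projectKey=demo-service -Dsonar.token="$SONAR_TOKEN"

# SCA with OWASP Dependency-Check; fail the job on any finding with CVSS >= 7.
sca-dependency-check:
  stage: security
  image: owasp/dependency-check:latest
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh
        --project demo-service --scan . --format JSON --out dc-report --failOnCVSS 7
  artifacts:
    when: always
    paths: [dc-report/]

# DAST with OWASP ZAP against the freshly built image running as a service container.
dast-zap:
  stage: security
  image: ghcr.io/zaproxy/zaproxy:stable
  services:
    - name: registry.example.internal/demo-service:$CI_COMMIT_SHA   # assumption
      alias: app
  script:
    - zap-baseline.py -t http://app:8080 -r zap-report.html
  artifacts:
    when: always
    paths: [zap-report.html]

# Continuous delivery: staging deploys automatically from the default branch ...
deploy-staging:
  stage: deploy
  id_tokens:
    DEPLOY_ID_TOKEN:                      # short-lived, job-scoped OIDC token
      aud: https://deploy.example.internal   # assumed audience checked by the target
  script:
    - ./deploy.sh staging "$DEPLOY_ID_TOKEN"
  environment:
    name: staging
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# ... while production waits for a manual approval. Dropping `when: manual`
# would turn this into continuous deployment.
deploy-production:
  stage: deploy
  id_tokens:
    DEPLOY_ID_TOKEN:
      aud: https://deploy.example.internal
  script:
    - ./deploy.sh production "$DEPLOY_ID_TOKEN"
  environment:
    name: production
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
```

Because every security job sits in its own stage and the deploy jobs only run on the default branch, a merge request cannot reach production without the scans having run on the merged commit; the ID token expires with the job, so a leaked runner log does not hand an attacker a reusable deploy credential.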

 

Are there already defined standards/risks relating to securing CI/CD processes?

There are several standards and guidelines that address CI/CD security risks. One directly relevant and widely recognized resource is the OWASP Top 10 CI/CD Security Risks (https://owasp.org/www-project-top-10-ci-cd-security-risks/), which highlights issues such as insecure system configuration, poisoned pipeline execution, and insufficient credential hygiene.

 

What are the unique challenges of implementing secure CI/CD in large-scale industrial environments?

When scaling CI/CD to large, complex environments, teams often face unique challenges, such as:

  • High volume of issues: Makes prioritization and triage difficult.
  • Large and complex codebase: Slow builds, harder dependency management, and higher risk of hidden vulnerabilities.
  • Large development teams: Maintaining strict access control and security measures becomes increasingly challenging.
  • Massive and growing test suites: Slower feedback, which may push developers to make out-of-cycle changes.
  • Redundancy in development: Similar requirements may already be implemented but are not visible, leading to redundant code and development efforts.

 

What unique features does this training offer that can help organizations master secure CI/CD?

Through this course, Fraunhofer FOKUS shares its expertise not only in secure CI/CD processes but also insights from research projects that addressed the challenges of scaling CI/CD pipelines. The course offers:

  • Hands-on learning: From the basics of CI/CD to building secure pipelines, with practical exercises on real-world security challenges.
  • Insights into essential security practices: Including static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), secure cloud deployments, secrets management, and container security.
  • How to scale CI/CD processes: Organizational and technical approaches for supporting industrial-scale software development within the CI/CD process.

Contact

Contact Press / Media

Anne Halbich

Fraunhofer Institute for Open Communication Systems
Kaiserin-Augusta-Allee 31
10589 Berlin, Germany

Phone +493034637346
