Regularly assess security properties of the pipelines

PostedNovember 29, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Regular assessment of security properties within development pipelines is essential to maintaining a robust security posture. By continually focusing on the separation of permissions and the overall security of the pipeline infrastructure, organizations can prevent risks while ensuring the integrity of the software being deployed.

Best Practices

Regularly Assess Security Properties of the Pipelines

1. Establish pipeline security reviews: Schedule regular reviews of your CI/CD pipelines to assess configuration and permission settings, ensuring they align with security best practices and the Well-Architected Framework principles.
2. Implement automated security testing: Integrate tools that automatically test for security vulnerabilities in your code during each phase of the development lifecycle. Tools like Snyk, Checkmarx, or OWASP ZAP can help identify issues before deployment.
3. Enforce least privilege access: Ensure that permissions are strictly controlled within your pipelines. Only provide access necessary for specific roles, and regularly review access permissions to eliminate any that are no longer needed.
4. Conduct dependency scanning: Regularly scan for vulnerabilities in third-party libraries and dependencies used in your application. Use tools like DependencyCheck or npm audit to keep track of known vulnerabilities.
5. Utilize logging and monitoring: Enable logging and monitoring for your pipeline activities to detect any unauthorized access or anomalies in real-time. Implement alerts to notify the responsible teams of potential security issues.
6. Document security processes: Create and maintain comprehensive documentation regarding your pipeline’s security configurations and procedures. This will help onboard new team members and maintain security standards across the organization.

Questions to ask your team

How often do you assess the security properties of your pipelines?
What tools and processes do you use to validate the security of your CI/CD pipelines?
How do you ensure separation of permissions within your pipeline tools?
When was the last security assessment conducted on your pipeline infrastructure?
Are there automated tests in place to check for security vulnerabilities during the build process?

Who should be doing this?

DevOps Engineer

Implement security best practices in CI/CD pipelines.
Configure automated security testing tools to assess code vulnerabilities.
Monitor and maintain security configurations of pipeline infrastructure.

Security Engineer

Conduct regular security assessments of pipeline processes.
Define and enforce security policies for pipeline access and permissions.
Review security findings and recommend mitigation strategies.

Software Developer

Write secure code by adhering to security best practices.
Participate in security training and implement learned principles.
Collaborate with DevOps teams to address identified vulnerabilities.

Quality Assurance (QA) Engineer

Design and implement test cases that validate security aspects of applications.
Work with automation tools to integrate security testing into the testing phase.
Document and communicate security testing results to stakeholders.

Compliance Officer

Ensure that all pipeline activities comply with relevant regulations and standards.
Conduct audits of security practices within the pipelines.
Report compliance status to stakeholders and recommend improvements.

What evidence shows this is happening in your organization?

Security Pipeline Assessment Checklist: A checklist that outlines key security considerations and best practices to assess the security properties of CI/CD pipelines regularly.
Pipeline Security Assessment Report Template: A structured template for documenting the results of security assessments conducted on application deployment pipelines, including findings and recommendations.
Separation of Permissions Policy: A policy document that defines the principles of least privilege and separation of duties within deployment pipelines to enhance security.
Automated Security Testing Playbook: A playbook detailing the steps and tools to implement automated security testing within the application development lifecycle, including CI/CD integration.
Security Metrics Dashboard: A real-time dashboard that visualizes security metrics related to application pipelines, such as vulnerability scans, compliance checks, and permission assessments.
DevSecOps Strategy Guide: A comprehensive guide that outlines the integration of security practices within DevOps processes, focusing on continuous security monitoring and validation.

Cloud Services

AWS

AWS CodePipeline: Automates the application’s release process and enables security assessments as part of each pipeline execution.
AWS Config: Provides resource inventory, configuration history, and configuration change notifications to help assess the compliance of security policies.
Amazon Inspector: Automates security assessments of applications deployed on Amazon EC2 and provides a way to validate security properties.

Azure

Azure DevOps: Facilitates CI/CD pipelines that can integrate security scanning and compliance checks as part of the development lifecycle.
Azure Security Center: Provides unified security management and threat protection across Azure services, helping to regularly assess security properties.
Microsoft Defender for Cloud: Enhances security posture by providing recommendations and alerts on vulnerabilities throughout the deployment pipeline.

Google Cloud Platform

Cloud Build: Offers a CI/CD platform that can integrate security testing into your builds, allowing for security properties validation.
Google Cloud Security Command Center: Provides visibility into security and compliance across your Google Cloud resources and helps you assess risks.
Container Analysis: Provides metadata and vulnerability information for Docker images to help ensure the security of containerized applications.

Question: How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals