CI / CD

What Is It?

Continuous Integration (CI) and Continuous Delivery (CD) are the use of automation to deliver small application changes regularly and reliably. Typically, code flows through a toolchain and undergoes a series of checks, including security verification, before being released into the hosting environment.

Why Assess It?

There are many reasons to conduct a CI / CD security assessment, five of which are below.

Toolchain Vulnerability Management

The pipeline for deploying code can include multiple products from different organisations. Each one needs to be kept up to date and security hardened, and the appropriate hardening can change as features are added in new releases. By assessing all the tooling deployed, you can be assured that your pipeline is secure.

Security Efficacy

As your code progresses through the deployment pipeline, it is the right time to ensure that security-relevant checks are being conducted, whether static code analysis or more dynamic runtime checks. Conducting a CI / CD security assessment allows you to ensure you are using appropriate tooling to your advantage.

Privilege Management

Automation simplifies a lot; however, it also means that there are distinct processes involved, and each of these is a potential attack avenue for threat actors. Ensuring strong authentication into your pipeline, and the integrity of the pipeline itself, protects your security.

Defend Intellectual Property

Your organisation's developers have invested time into the code, and it is unique to your organisation, so it should be protected. Whilst threat actors often try to insert malicious code, amend existing code or alter the flow of the pipeline for their own advantage, a number of threats also exist around code theft.

Align with Best Practices

Modern software development requires adherence to standards and guidelines, as well as having easily accessible information about what makes up your organisation's applications, such as a software bill of materials. A security assessment allows you to demonstrate a robust security posture and understand, with technical accuracy, exactly where your dependencies and risks reside.

The Agility Cyber Approach

Like all our engagements, we want you to get the most out of your CI / CD security assessment and we do this by:

End to End Evaluation

We do not just ensure that every part of your flow is configured securely and protected from the creativity of threat actors. We embed security into every step, ensuring you get the very best out of what you have, and we share our knowledge about any areas that may need to be added.

Map Dependencies

We understand that it is not all about the pipeline: security needs to be embedded into the end application as well. We always take a wider, holistic view to understand where both the application's and your organisation's dependencies are and how they are managed.

Deep Dive the Pipeline

A CI / CD pipeline can be extensive. Every task executed inside a process, and every handover from one process stage to another, is a potential source of vulnerability. We thoroughly evaluate the security impact and identify the rare edge conditions that could give a threat actor a way of achieving their objective.

The Bigger Picture

We believe a CI / CD pipeline security assessment should be a complementary activity for your organisation; our objective is not to stifle development or add complexity. We strive to identify ways that security can be improved while also making the pipeline more efficient, easing the administrative burden and increasing clarity.

Product Expertise

We do not just conduct a configuration review. We simulate threat actors. This means we know exactly what functionality threat actors target in which products. We share this knowledge with you and demonstrate how you can stop threat actors from subverting your pipeline, your end product and your wider organisation.

Benefits of Partnering with Agility Cyber

Mutually Invested

Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid full disclosure with pragmatic suggestions for effective remediation followed by ongoing support.

Clarity and Simplicity

We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to help us understand your organisation's position and risk posture. This enables us to ask better questions, securing you higher value and saving you time.

Full Consultancy

Our team, based in the UK, is technically exceptional, but we pair that with business sense to discover, triage and help you remediate the full range of security issues.

Impartiality

We are impartial: we do not sell you products or the latest buzzword-laden trending solution.

Outstanding Service

We have an industry-leading turnaround; agility is in our name, after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.