DevOps and CI/CD Security Assessment
Most organizations use continuous integration and continuous delivery to build, test and deliver applications. In many cases the same pipeline infrastructure is also used to deploy the application into the target environment, either triggered manually or through continuous deployment. This gives high productivity and also offers natural points at which to add review steps and security tooling. But such setups are complex and contain many steps and components, each of which can potentially be leveraged to attack the organization or even its customers (a supply-chain attack).
Truesec has general expertise in the area of secure development processes as well as specific experience in many CI/CD and cloud environments.
This assignment is mainly performed through workshops, threat modeling and documentation review. The scope is flexible: in some cases it is best to focus on specific parts of the development pipeline, and in others more of the production environment and operations are included.
The assignment can be augmented with additional tasks, such as:
- Detailed review of pipeline structure in the repository.
- Health check/penetration test of installed systems.
- Tool suggestions for improving security (SAST, DAST, etc.).
DevOps and CI/CD Security Assessments can be performed on-site or remotely.