Chapter 6. Continuous Delivery, Continuous Insecurity

An army marches on its stomach.

Napoleon Bonaparte (or Frederick the Great)

You get out what you put in.

Jeanette Jenkins

In the previous chapter, you used a CNAPP to secure your dependencies. This meant the pre-packed boxes of code, libraries, frameworks, and containers that your applications depend upon, packaged and supplied by third parties, were all scanned and free from any known vulnerabilities. While you can’t claim to be vulnerability-free,1 you’ve got a grip on your supply chain and some strong OODA loops back to your developers so they can be aware of and fix problems as they arise across all those dependencies.

You’ve secured the packages, but what about your own packager? What about the processes that you run, whose sole responsibilities are to process and package your own code and then collate your third-party dependencies into the artifacts that can then be deployed and released at runtime? There’s many a slip ’twixt the cup and the lip or, in our case, there’s many a vulnerability between commit and deploy. Something has to do the building, the packaging, the deploying and releasing. And all that activity contains a myriad of possibilities for a malicious actor to seize control.

It’s time to secure a new realm of your cloud native application. It’s time to secure the continuous integration and delivery (CI/CD) pipeline.

CI/CD Pipelines: The Arteries of Production

In many respects, we’d done our best. ...
