This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Phase 2: Build and Deploy
Security Compliance for Build and Deploy
Introduction
As software moves from development to production, the build and deploy stages play a pivotal role in maintaining the integrity, security, and provenance of your application. These phases involve compiling, packaging, and preparing your application for its live environment, making them prime targets for supply chain attacks, unauthorized modifications, and hidden vulnerabilities.
Integrating security into these phases ensures that your code is not only functional but also safeguarded against threats. From dynamic analysis during builds to automated scans for container security and misconfigurations, the right tools can help identify risks before deployment. Moreover, secure deployment pipelines prevent unauthorized changes, enforce compliance, and enable safe rollouts. Compliance for Build and Deploy steps include:
|
|
| Reproducible and Deterministic Builds |
Ensure that software artifacts can be independently verified and reproduced to prevent tampering. |
| Automated Threat Detection and Compliance Enforcement |
Integrate continuous security analysis to detect misconfigurations, vulnerabilities, and unauthorized dependencies before deployment. |
| Policy-Enforced Deployments |
Enforce verifiable security policies ensuring only compliant, attested software reaches production. |
| Trusted Execution Environments (TEEs) |
Secure build environments against tampering using hardware-backed execution environments. |
| Cryptographic Attestation |
Use digital signatures and cryptographic proofs to verify the authenticity and integrity of builds and deployments. |
Following are guidelines from industry frameworks with suggested open source tooling needed to achieve the compliance goals.
1 - Secure Software Development Framework
Secure Software Development Framework and Build/Deploy CI/CD Steps
Achieving Build and Deploy Tasks of the Secure Software Development Framework
The Secure Software Development Framework, developed by the National Institute of Standards and Technology (NIST), provides a comprehensive approach to ensuring security across the software development process, from initial design through deployment and maintenance. The framework outlines key practices and guidelines that organizations can implement to secure their software development lifecycle (SDLC), with a particular emphasis on integrating security into automated processes. This chapter focuses specifically on DevSecOps tooling and practices related to Build and Deploy actions of the CI/CD pipeline to achieve:
|
|
| Prepare the Organization (PO) |
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects. |
| Protect the Software (PS) |
Organizations should protect all components of their software from tampering and unauthorized access. |
| Produce Well-Secured Software (PW) |
Organizations should produce well-secured software with minimal security vulnerabilities in its releases. |
| Respond to Vulnerabilities (RV) |
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future. |
1.1 - Protect the Organization (PO)
Protect the Organization (PO) CI/CD Steps
Protect the Organization (PO)
PO.3 Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
1.2 - Protect the Software (PS)
Protect the Software (PS) CI/CD Steps
Protect the Software (PS)
1.3 - Produce Well-Secured Software (PW)
Produce Well-Secured Software (PW) CI/CD Steps
Produce Well-Secured Software (PW)
A Software Bill of Materials (SBOM) provides visibility into software components, dependencies, and security risks**. When combined with attestation mechanisms, SBOMs enhance trust and traceability across the software supply chain.
Open Source Build Signing and Verification
Ensuring software artifacts remain authentic and unmodified** is essential for a trusted software supply chain**. The following tools provide cryptographic verification** to protect against supply chain attacks**.
Beyond open-source tools, a secure build and deploy pipeline relies on trusted execution environments, deterministic build systems, cryptographic verification, and policy-enforced deployment mechanisms. These technologies provide tamper-proof guarantees, verifiable attestations, and automated security policies to strengthen the software supply chain.
1. Reproducible and Deterministic Build Systems
Ensuring that software builds are reproducible enhances security by allowing independent verification of artifacts. These systems minimize non-determinism and ensure that a given input always produces the same output.
2. Trusted Execution Environments (TEEs) and Confidential Computing
Trusted Execution Environments (TEEs) provide hardware-backed isolation to secure the build process, key management, and code execution. These environments ensure confidentiality and integrity in the build and deploy process and can be found in major cloud providers.
3. Cryptographic Signing and Verification ensures authenticity, integrity, and provenance in the software supply chain.
4. Secure Build and Deployment Policies
Automated security policy enforcement in CI/CD pipelines ensures only verifiably secure software is built and deployed.
.
1.4 - Respond to Vulnerabilities (RV)
Respond to Vulnerabilities (RV) CI/CD Steps
Respond to Vulnerabilities (RV)