How do you implement security requirements in CI/CD while taking care of security requirements? What are best practices here?

Security requirements may differ, let's assume this simple level of security:

  • Direct administrative access to the target system shouldn't be given to the CI/CD system
  • The CI/CD system needs to be able to initiate a deployment and show its success/fail status (this could be determined by a white-box test routine, i.e. without admin access rights placed on the CI/CD side)
Ta Mu
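One way to meet both requirements above is to put a small deployment broker between the CI/CD system and the target: the broker holds the admin-capable deployer, and the CI/CD runner holds only a scoped token that lets it trigger a pinned artifact and read back a pass/fail result produced by an unprivileged smoke test. The example below is added here and is not code from the original post; the broker, the HMAC token format, the scope names and the stand-in target and smoke test are all assumptions for illustration.

```python
"""Least-privilege deployment broker (added example; all names are assumptions).

CI/CD never receives admin rights: it calls trigger() and status() with a token
scoped to exactly those two actions. The broker verifies the token, runs the
privileged deployer, then derives success/failure from a white-box smoke test
that needs no admin access, and records every call in an audit log.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: this signing key lives only on the broker, never on a CI/CD runner.
BROKER_KEY = b"constructed-broker-signing-key"


def issue_token(subject: str, scopes: list[str], key: bytes = BROKER_KEY) -> str:
    """Broker side: mint a token carrying exactly the listed scopes (HMAC-SHA256)."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, key: bytes = BROKER_KEY) -> dict:
    """Broker side: reject forged or tampered tokens before looking at scopes."""
    try:
        b64_payload, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
    except (ValueError, binascii.Error):
        raise PermissionError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad token signature")
    return json.loads(payload)


class DeployBroker:
    """Sits between CI/CD and the target; only the broker holds admin rights."""

    def __init__(self, deployer, smoke_test):
        self._deployer = deployer      # privileged: installs the artifact on the target
        self._smoke_test = smoke_test  # unprivileged white-box check of the result
        self.jobs: dict[str, dict] = {}
        self.audit: list[tuple] = []

    def _authorize(self, token: str, scope: str) -> dict:
        claims = verify_token(token)
        allowed = scope in claims["scopes"]
        self.audit.append((time.time(), claims["sub"], scope, allowed))
        if not allowed:
            raise PermissionError(f"{claims['sub']} lacks scope {scope}")
        return claims

    def trigger(self, token: str, artifact_digest: str) -> str:
        """CI/CD entry point: start a deployment of one pinned artifact."""
        claims = self._authorize(token, "deploy:trigger")
        job_id = hashlib.sha256(artifact_digest.encode()).hexdigest()[:12]
        try:
            self._deployer(artifact_digest)
            state = "succeeded" if self._smoke_test(artifact_digest) else "failed"
        except Exception as exc:  # deployer errors are surfaced as a failed job, never hidden
            state = f"failed: {exc}"
        self.jobs[job_id] = {"artifact": artifact_digest, "by": claims["sub"], "state": state}
        return job_id

    def status(self, token: str, job_id: str) -> str:
        """CI/CD entry point: read back pass/fail without touching the target."""
        self._authorize(token, "deploy:status")
        return self.jobs[job_id]["state"]

    def admin_exec(self, token: str, command: str) -> str:
        """Operator-only action; a CI/CD token is never issued with admin:exec."""
        self._authorize(token, "admin:exec")
        return f"would run {command!r} on the target"


# Constructed stand-in for the target system: a single "installed version" slot.
TARGET = {"installed": None}


def fake_deployer(artifact_digest: str) -> None:
    TARGET["installed"] = artifact_digest


def fake_smoke_test(artifact_digest: str) -> bool:
    # In practice this would query a /health or /version endpoint; no admin rights needed.
    return TARGET["installed"] == artifact_digest


def run_demo() -> dict:
    broker = DeployBroker(fake_deployer, fake_smoke_test)
    ci_token = issue_token("ci-runner", ["deploy:trigger", "deploy:status"])
    job = broker.trigger(ci_token, "sha256:constructed-artifact-1")
    result = {"status": broker.status(ci_token, job)}
    try:  # the CI token cannot escalate to an admin action
        broker.admin_exec(ci_token, "rm -rf /")
        result["admin_blocked"] = False
    except PermissionError:
        result["admin_blocked"] = True
    # A compromised runner that edits its own token to add a scope still fails:
    # the HMAC no longer matches the modified payload.
    b64_payload, sig = ci_token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64_payload))
    claims["scopes"].append("admin:exec")
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode() + "." + sig
    try:
        broker.admin_exec(forged, "id")
        result["forgery_blocked"] = False
    except PermissionError:
        result["forgery_blocked"] = True
    result["audit_entries"] = len(broker.audit)  # forged call is rejected before it is logged
    return result
```

The broker is the only component that needs credentials on the target, so the CI/CD system's compromise surface is limited to "deploy this exact digest" and "tell me how it went"; the audit list gives you the deployment record that reviewers and auditors ask for.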

1 Answer


As you stated, requirements will differ based on company and industry policy; for us, the adjustment from "separation of duties" to automated deployments has been rough. As interim steps, we've started:

  1. Requiring multiple "sign-offs" before deployment; this is accomplished by both reviews for the PR in Azure DevOps and an audit log in Octopus.

  2. Monthly review of deployments by higher-ups. This is mostly a rubber-stamp activity, but it satisfies auditors.

Stuart Ainsworth