November 1, 2022
In today’s accelerating digital economy, all organizations feel pressured to release software more quickly. Although agile development is set to transform businesses for the better, checks and balances must be in place to ensure user data is always protected. But it’s not just data under threat — cloud-native software infrastructure and the DevOps processes themselves can be prone to abuse, too, if not adequately controlled.
Continuous integration and continuous delivery/deployment (CI/CD) is one area where additional security forethought is often required to avoid risk. Especially in financial services, where valuable data is consistently exchanged over the wire, CI/CD pipelines must be well-equipped to vet every code change to ensure it complies with regulations.
In this article, we’ll consider ways financial services can better secure their CI/CD pipelines. We’ve gathered helpful viewpoints from experts from across the cybersecurity field that will help information technology (IT) leaders ensure their automated deploys always have a level of financial-grade protection.
What is CI/CD?
First, for those unfamiliar, what exactly is CI/CD? CI/CD is when automation is introduced into the software delivery process to streamline moving code from the testing and integration stages into a production environment.
There are many steps involved within a CI/CD pipeline. Some common actions include:
- Code validation and compiling
- Bug testing, unit testing, and integration testing
- Merging with code branches
- Automatic release to a code repository
- Automated production deployment
- Continuous monitoring throughout the CI/CD pipeline
Potential Issues With CI/CD in Finance
As more organizations rush to bring more digital features to market, more are adopting rapid release cycles. CI/CD helps meet this goal by reducing the friction of releasing code. This greatly aids financial services, which are especially technology-dependent and rely on cutting-edge digital strategies to stay viable. Yet, many factors make securing CI/CD in financial services particularly difficult.
First off, FinTech often moves about very sensitive personal data, which is a precious commodity for attackers. Hackers highly prize credit card details, bank information, and login details. As Sydney Coffaro, Senior Product Marketing Manager of ThreatX, explains, “Exploiting payment information is the fastest way for them to get paid vs. stealing PII [personally identifiable information] or PHI [protected health information] to then sell on the black market.”
Due to the severity of data misuse, rapid release cycles must be particularly careful when handling consumer data. Continuous software release strategies must also ensure they are not breaking new compliance standards, such as those around open banking. “With the existing challenge to continuously integrate and deliver application development, developers need to work alongside security teams to develop secure code and protect an organization’s application attack surface, especially since the application layer is the most publicly facing,” said Coffaro.
“Financial services are the perfect storm of having a huge resource pool, the need to be ultra-competitive, and have a clear mandate to build things securely from senior leadership due to various risk factors,” said Gil Azaria, Director, APAC Operations, Nucleus Security. Due to these competing priorities, financial services can easily find it challenging to manage many distinct CI/CD pipelines between teams, he adds.
Tips to Protect CI/CD in Financial Services
So, how can financial services embed more security into their CI/CD pipelines? Here are some strategies to consider:
Shift-left: “Modernize your application security program by adopting shift-left technologies,” recommends Coffaro. To add security checks to the CI/CD pipeline, it’s recommended scan infrastructure-as-code templates, Kubernetes application manifests, and container images. Such real-time detection of CVEs (common vulnerabilities and exposures) can avoid risks down the line.
Take a tactical approach: “Try to stay away from infrastructure and scanning for scanning’s sake, but rather apply sensible solutions to each development team and engage with them on their level to ensure a good outcome rather than an outcome that ensures that the box is ticked but doesn’t actually move the needle,” said Azaria.
Ensure everyone knows the risk: There is a balance to strike between acceptable risk and carelessly rapid development. IT must carefully walk the line to ensure teammates observe and monitor risk within their CI/CD pipelines — therefore, employees should thus be made aware of potential threats with training and support. “It is vitally important that any regulatory and security requirements are clear for them,” said Altaz Valani, Director of Insights Research, Security Compass. “This means developers need to understand what code changes are needed and the tests required to prove completion. Release teams need to understand how regulatory and security metrics translate into go/no-go decisions.”
Think holistically to see platform holes: Coffaro notes that financial services often suffer from credential stuffing attacks and large volumetric attacks. “Financial services applications need both a platform that can scale and a solution that can effectively identify and block unwanted bot traffic.”
Reduce your attack surface: Having a clear picture of your attack surface, and applying ongoing monitoring, is key to a strong cybersecurity posture. Just as important is pruning aging IT. “Make it a common process in CI/CD to create migration plans to deprecate old API [application programming interface] endpoints while activating new ones, update legacy applications, and turn off servers that aren’t being used,” recommends Coffaro.
Keep documentation updated: Updated documentation is important to retain quality developer experience and upkeep a full inventory of your CI/CD pipeline and API integrations. “Update documentation after the clean-up is complete, and inventory APIs using OpenAPI specification files, so both developers and security understand what normal vs. suspicious traffic looks like,” recommends Coffaro.
Practice threat modeling: One technique that has proven useful is threat modeling to identify regulatory and security requirements early,” said Valani. “Developers can be shown how to code defensively by thinking with an attacker’s mindset.” By applying threat modeling, engineers could prevent disruption to the CI/CD process.
Tightening DevOps In the Financial Sector
The imperative to protect financial services is dire. “Financial services are part of a nation’s critical infrastructure,” said Valani. “As such, any disruption to financial services can have a crippling effect on businesses and citizens.” Therefore, FinTechs and banks have an obligation to meet not only customer expectations but also legal obligations.
Above, we’ve only scratched the surface of what it takes to hunker down DevOps and rapid release cycles within financial services. In addition to the tips outlined above, other ways to improve cybersecurity for agile software development include establishing a dialogue between developers and security and compliance teams, sharing common infrastructure knowledge across an organization, and adopting open standards and cybersecurity frameworks.