In today’s accelerating digital economy, all organizations feel compelled to release software faster. While agile development is meant to transform businesses for the better, checks and balances need to be in place to ensure user data is always protected. But it’s not just data that’s at risk — cloud-native software infrastructure and DevOps processes themselves can also be subject to abuse if not properly controlled.
Continuous integration and continuous delivery/deployment (CI/CD) is an area where extra security foresight is often needed to avoid risk. Especially in financial services, where valuable data is constantly moving over the wire, CI/CD pipelines should be well equipped to check every code change to ensure it is compliant with regulations.
In this article, we’ll look at how financial services can better secure their CI/CD pipelines. We’ve gathered helpful insights from experts in the cybersecurity field that will help information technology (IT) managers ensure that their automated deployments always have a financial-grade level of protection.
What is CI/CD?
First of all, for those who don’t know, what exactly is CI/CD? CI/CD introduces automation into the software delivery process to streamline the movement of code from the testing and integration stages to a production environment.
A CI/CD pipeline has many stages. Some common actions include:
- Code validation and compilation
- Bug testing, unit testing and integration testing
- Merge with code branches
- Automatic publishing to a code repository
- Automated production deployment
- Continuous monitoring throughout the CI/CD pipeline
Potential problems with CI/CD in finance
As more organizations race to bring digital capabilities to market, more and more are embracing rapid release cycles. CI/CD helps achieve this goal by reducing the friction of releasing code. It helps financial services in particular, which are especially dependent on technology and rely on cutting-edge digital strategies to remain viable. Yet many factors make securing CI/CD pipelines in financial services particularly difficult.
First of all, FinTech often moves highly sensitive personal data, which is a valuable commodity for attackers. Hackers place great importance on credit card details, banking information and login details. As Sydney Coffaro, Senior Product Marketing Manager at ThreatX, explains, “Mining payment information is the fastest way for them to get paid, rather than stealing PII [personally identifiable information] or PHI [protected health information] and then selling it on the black market.”
Given the seriousness of data misuse, teams running rapid release cycles should be especially careful when handling consumer data. Continuous software release strategies must also ensure that they do not conflict with new compliance standards, such as those relating to open banking. “With today’s challenge to seamlessly integrate and deliver application development, developers must work alongside security teams to develop secure code and protect an organization’s application attack surface, especially since the application layer is the most publicly exposed,” Coffaro said.
“Financial services is the perfect storm to have a huge pool of resources, the need to be ultra-competitive and to have a clear mandate to build things safely with senior management due to various risk factors,” said Gil Azaria, Director of APAC Operations, Core Security. Because of these competing priorities, financial organizations can easily find it difficult to manage many separate CI/CD pipelines across teams, he adds.
Tips for Protecting CI/CD in Financial Services
So how can financial services build more security into their CI/CD pipelines? Here are some strategies to consider:
Shift-left: “Modernize your application security program by adopting shift-left technologies,” recommends Coffaro. To add security checks to the CI/CD pipeline, it is recommended to scan infrastructure-as-code templates, Kubernetes application manifests and container images. Such real-time detection of CVEs (Common Vulnerabilities and Exposures) can avoid risk down the line.
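As an added example (not code from the article or from any vendor quoted in it), here is a minimal pre-deployment policy gate for Kubernetes manifests, the kind of shift-left check the tip above says belongs in the pipeline: it fails the build when a workload runs privileged, is not forced to run as non-root, allows privilege escalation, has no resource limits, or ships an image under a mutable tag instead of a digest. Manifests are handled in their JSON form (kubectl accepts JSON as well as YAML), so only the standard library is needed; the rules, the two sample manifests and the name "payments-api" are constructed for this example.

```python
"""Added example, not code from the article or from any vendor quoted in it:
a minimal pre-deployment policy gate for Kubernetes manifests.

Manifests are handled in their JSON form (kubectl accepts JSON as well as
YAML), so only the standard library is needed. The rules, the sample
manifests and the name "payments-api" are constructed for this example."""
import json
import re

# An image reference pinned by digest ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_tag(image: str) -> str:
    """Return the tag of an image reference, or "" when there is none.
    Only the last path segment is inspected so a registry port is not
    mistaken for a tag (registry.example.com:5000/app has no tag)."""
    last = image.split("/")[-1]
    return last.rsplit(":", 1)[1] if ":" in last else ""


def check_container(owner: str, c: dict) -> list:
    """Return policy findings for one container spec."""
    findings = []
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")
    sc = c.get("securityContext") or {}
    # Mutable tags (none or "latest") defeat reproducible, scannable builds.
    if not DIGEST_RE.search(image) and image_tag(image) in ("", "latest"):
        findings.append(f"{owner}/{name}: image '{image}' is not pinned (mutable tag)")
    if sc.get("privileged"):
        findings.append(f"{owner}/{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{owner}/{name}: runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{owner}/{name}: allowPrivilegeEscalation is not false")
    if not (c.get("resources") or {}).get("limits"):
        findings.append(f"{owner}/{name}: no resource limits")
    return findings


def check_manifest(manifest: dict) -> list:
    """Walk a Pod, or a workload that wraps a pod template (Deployment etc.)."""
    findings = []
    owner = f"{manifest.get('kind', '?')}/{manifest.get('metadata', {}).get('name', '?')}"
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    if pod_spec.get("hostNetwork"):
        findings.append(f"{owner}: hostNetwork enabled")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        findings.extend(check_container(owner, c))
    return findings


def check_manifest_json(text: str) -> list:
    """Findings for a manifest given as a JSON string."""
    return check_manifest(json.loads(text))


def gate(text: str) -> bool:
    """CI gate: True means deploy, False means fail the build."""
    return not check_manifest_json(text)


def _deployment(containers: list) -> str:
    """Build a constructed Deployment manifest around the given containers."""
    return json.dumps({
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "payments-api"},
        "spec": {"template": {"spec": {"containers": containers}}},
    })


# Constructed manifest with five deliberate policy violations in "api".
RISKY = _deployment([
    {"name": "api", "image": "registry.example.com/payments/api:latest",
     "securityContext": {"privileged": True}},
])
# The same workload corrected: digest-pinned image, non-root, no privilege
# escalation, resource limits.
HARDENED = _deployment([
    {"name": "api",
     "image": "registry.example.com/payments/api@sha256:" + "a" * 64,
     "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
])

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, "->", "PASS" if gate(text) else "FAIL")
        for finding in check_manifest_json(text):
            print("  ", finding)
```

In a real pipeline this runs as one stage alongside the image and IaC scanners the tip mentions; the point of keeping it a pure function that returns findings is that the same rules can be unit-tested and reused as an admission check.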
Take a tactical approach: “Try to stay away from infrastructure and digitization for the sake of digitization, but instead apply sensible solutions to each development team and engage with them at their level to ensure a good outcome rather than a result that ensures the box is checked but doesn’t actually move the needle,” Azaria said.
Make sure everyone knows the risk: There is a balance to be struck between acceptable risk and carelessly rapid development. IT must carefully toe the line to ensure teammates observe and monitor risks in their CI/CD pipelines. Employees should therefore be made aware of potential threats through training and support. “It is vitally important that all regulatory and security requirements are clear to them,” said Altaz Valani, Director of Insights Research, Security Compass. “This means developers need to understand what code changes are needed and what testing is required to prove completion. Release teams need to understand how regulatory and security metrics translate to go/no-go decisions.”
Think holistically to see platform holes: Coffaro notes that financial services often suffer from credential stuffing attacks and large volumetric attacks. “Financial services applications need both a scalable platform and a solution that can effectively identify and block unwanted bot traffic.”
Reduce your attack surface: Having a clear picture of your attack surface and applying continuous monitoring is key to a strong cybersecurity posture. Equally important is pruning aging infrastructure. “Make it a common process in CI/CD to create migration plans to deprecate old API [application programming interface] endpoints while activating new ones, update legacy applications and shut down servers that are not in use,” Coffaro recommends.
Keep documentation up to date: Up-to-date documentation is important to maintain a quality developer experience and a complete inventory of your CI/CD pipeline and API integrations. “Update documentation once cleanup is complete and inventory APIs using OpenAPI spec files, so developers and security understand what normal traffic looks like versus suspicious traffic,” Coffaro recommends.
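The two tips above (deprecating old endpoints under a migration plan, and using OpenAPI files as the inventory that defines normal traffic) can be served by one small tool. As an added example, not code from the article or from any vendor quoted in it, the script below matches each access-log request against the spec's method and path templates: matches are "known" traffic, matches to operations marked `deprecated` are counted separately so the migration plan can watch remaining usage before an endpoint is shut down, and anything else is "unknown" surface worth investigating. The spec (JSON form of an OpenAPI 3 document, trimmed to the fields used), the endpoint names and the log lines are all constructed.

```python
"""Added example, not code from the article or from any vendor quoted in it:
an OpenAPI spec used as the API inventory against which access-log traffic is
classified as known, deprecated or unknown.

The spec, the endpoint names and the log lines are constructed for this
example; the log format is the common log format's request line."""
import re
from collections import Counter

# Constructed OpenAPI 3 document, trimmed to the fields this script reads.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/v2/accounts/{accountId}": {"get": {}},
        "/v2/accounts/{accountId}/transactions": {"get": {}, "post": {}},
        "/v1/accounts/{accountId}": {"get": {"deprecated": True}},
        "/health": {"get": {}},
    },
}

# Request line as logged: "METHOD /path HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def compile_inventory(spec: dict) -> list:
    """Turn the spec's paths into (METHOD, template, regex, deprecated) rows.
    {param} placeholders match exactly one path segment; literal parts are
    escaped so characters like '.' in a template are not treated as regex."""
    rows = []
    for template, ops in spec["paths"].items():
        literal = re.split(r"\{[^/}]+\}", template)
        pattern = re.compile("^" + "[^/]+".join(re.escape(p) for p in literal) + "$")
        for method, op in ops.items():
            rows.append((method.upper(), template, pattern, bool(op.get("deprecated"))))
    return rows


def classify(line: str, inventory: list) -> tuple:
    """Return (kind, label) where kind is known, deprecated, unknown or unparsed."""
    m = LOG_RE.search(line)
    if not m:
        return ("unparsed", None)
    path = m["path"].split("?", 1)[0]  # the query string is not part of the route
    for method, template, pattern, deprecated in inventory:
        if method == m["method"] and pattern.match(path):
            return ("deprecated" if deprecated else "known", f"{method} {template}")
    return ("unknown", f"{m['method']} {path}")


def summarize(lines: list, spec: dict) -> dict:
    """Aggregate a batch of log lines into per-category counters."""
    inventory = compile_inventory(spec)
    report = {"known": Counter(), "deprecated": Counter(), "unknown": Counter(), "unparsed": 0}
    for line in lines:
        kind, label = classify(line, inventory)
        if kind == "unparsed":
            report["unparsed"] += 1
        else:
            report[kind][label] += 1
    return report


# Constructed access-log lines: normal v2 traffic, two calls to the deprecated
# v1 endpoint, two requests to paths/methods the spec does not know, and one
# line the parser cannot read.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v2/accounts/1234 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /v2/accounts/1234/transactions HTTP/1.1" 201 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /v1/accounts/1234 HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/accounts/5678?expand=all HTTP/1.1" 200 480',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/console HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "DELETE /v2/accounts/1234 HTTP/1.1" 405 0',
    '10.0.0.3 - - [01/Jan/2024:10:00:07 +0000] "GET /health HTTP/1.1" 200 2',
    'truncated line with no request',
]

if __name__ == "__main__":
    for kind, value in summarize(LOG_LINES, SPEC).items():
        print(kind, dict(value) if isinstance(value, Counter) else value)
```

A non-empty "unknown" counter is the signal the quoted advice is after: either the documentation is stale and the spec needs updating, or the traffic is probing surface that was never meant to exist. When the "deprecated" counter reaches zero over a full business cycle, the old endpoint can be retired under the migration plan.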
Practice threat modeling: “One technique that has proven useful is threat modeling to quickly identify regulatory and security requirements,” Valani said. “Developers can learn to code defensively by thinking with an attacker’s mindset.” By applying threat modeling, engineers can help prevent disruption of the CI/CD process.
Tighten DevOps in the financial sector
The imperative to protect financial services is glaring. “Financial services are part of a nation’s critical infrastructure,” Valani said. “So any disruption to financial services can have a chilling effect on businesses and citizens.” Therefore, FinTechs and banks have an obligation to meet not only customer expectations, but also legal obligations.
We’ve only scratched the surface of what it takes to master DevOps and rapid release cycles within financial services. Beyond the tips outlined above, other ways to improve cybersecurity for agile software development include establishing a dialogue between developers and security and compliance teams, sharing common knowledge about infrastructure within an organization, and adopting open standards and cybersecurity frameworks.