2023 OWASP API Security Top 10 Best Practices
After four long years since the original…
CI/CD stands for Continuous Integration/Continuous Deployment. It’s a software development practice that involves automating the process of integrating code changes from multiple developers into a shared repository, testing those changes, and deploying them to production environments. CI/CD aims to improve collaboration, increase productivity, and reduce the time it takes to deliver new features or bug fixes to end users.
The practice of continuous integration (CI) and continuous delivery (CD) of software code is an area of the technology trade that people tend to discuss without completely understanding. Most of us have a general sense of what CI/CD is about, but if you are an actual stakeholder in software development, it pays to get the details right. That’s the purpose of this article.
One reason that CI/CD can be confusing is that it is at once an idea, a set of practices and processes, and a sprawling toolset. It’s related to, but different from, DevOps and agile software development methodologies. Doing DevOps and agile does not mean you are automatically doing CI/CD.
The purpose of CI/CD is to make software development organizations work more quickly and precisely—rolling out features that users want at a rapid pace. CI/CD crucially allows software experiments with fast feedback loops. At its root, CI/CD is a coding philosophy. The goal is to integrate new, small code changes into applications as they become available and then deliver them into production on a continuous basis. Making this work requires solutions and processes, but those are simply the means of implementing the underlying concept.
To understand CI, and CI/CD in general, it’s worth taking a moment to review earlier software integration practices. The process of integration involves developers “checking in” new code they have written into a central version repository. From there, the new code is integrated into the overall code base of the application.
This was, and still is, a manual, intermittent process in many cases. In the “waterfall” approach to software development, integration may occur once every six months. There is nothing wrong with this mode of integration. It’s just slow and not well suited to a development strategy that calls for frequent feature updates.
With CI, development teams frequently implement small code changes, using automated processes to build, package, and test applications. Working this way, developers can commit to code changes frequently, resulting (hopefully) in better code quality and collaboration between Dev, Ops, and QA teams. This is not a simple matter, given that the code often comes from different platforms. CI provides a consistent mechanism for integrating and validating code changes.
CD is about putting the newly integrated code into production. CI comes first, followed by CD, which pushes the code out onto the infrastructure that hosts the application. Or, often, CD delivers the code to a testing platform before it is released for end users. CD is an automated process that takes care of updating the various databases and web servers and other systems that must be changed or restarted once the new version of the application is deployed.
Like CI, CD is an automated, faster-paced version of an older practice. Code delivery was, and still is in many cases, a labor-intensive process. CD leverages specialized tooling to enable code delivery on a continuous basis, sometimes as often as every hour.
The CI/CD process comprises multiple stages: build, package, test, and deploy. The flow from one stage to the next creates something resembling an assembly line of new code components working their way toward deployment. This is known as the CI/CD pipeline. There may be dozens of code components going through the pipeline, grouped by stage. CI/CD pipelines work using automation software that executes builds, performs quality control tests, and then pushes the builds out to their proper production environments.
The CI/CD pipeline offers a range of benefits to a software-producing organization. The automation inherent in the pipeline speeds up the delivery of code. Reducing the length of the delivery process usually translates into faster time to market for new features.
Done right, an automated CI/CD pipeline should also improve software quality. The pipeline produces a continuous feedback loop from quality stakeholders. Testing is more thorough and occurs earlier in the software lifecycle—the so-called “shift left” phenomenon. Defects get detected and fixed early, before they can go into production and cause user experience problems and costly remediation projects. Overall, the greater speed and efficiency of the CI/CD pipeline almost always translates into reduced costs.
CI/CD is different from DevOps. The two processes can work independently of one another. Yet, they are made for each other. DevOps is the fusion of software development (Dev) and IT operations (Ops). It unifies the previously separate processes, and respective teams, for developing and releasing software. CI/CD is a natural fit for DevOps as a result. The common DevOps and CI/CD toolsets work together. For example, CD tools usually have a dashboard that shows DevOps teams if a build fails, and so forth. In some cases, it’s the same toolset, with DevOps and CI/CD functionality built in.
It’s a little odd that there is no “T” in the terms CI/CD and DevOps. CI/CD should really be CI/CT/CD, including the very important continuous testing that goes on in the process. DevOps should be DevTestOps, but that would be a mouthful.
Automated testing is a critically important part of CI/CD. Tests vary by team, but the testing regimen usually includes static and dynamic testing of the code, along with security tests like software composition analysis (SCA), which looks for vulnerable code in open-source components. Increasingly, automated testing in CI/CD also incorporates the testing of application programming interfaces (APIs). This practice is necessary today because so many apps, especially those that are cloud-native, make extensive use of API calls to other pieces of software. At the end of the day, APIs are essentially software programs themselves so should be naturally incorporated into the pipeline flow.
Going further, APIs expand the attack surface, so it is essential to test them for security gaps. They can potentially allow a malicious actor to directly access data protected by the API, for instance. For this reason, it is a good practice to run tests on APIs that look for defects in API user authentication and configuration errors, along with, but not limited to, the OWASP API Security “Top 10” list of API risks.
CI/CD is an essential element of software development today. It speeds up the deployment of new code, which is useful for businesses that base their competitive advantage on great user experiences. Not only can they get new features to end users more quickly, but they can also save money by working smarter and faster at the same time. CI/CD functions like a pipeline, with new code moving through the build-package-test-deliver workflow in an automated process. Security testing, including the security testing of APIs, is a best practice, given the interconnected nature of modern software.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.