Build-time security has become a standard part of any security program and continues to grow in popularity with the shift-left movement. In its most popular form, it’s a series of checks that take place as code makes its way from a developer’s laptop into production to ensure that the code is free from known vulnerabilities.
While they share some similarities with production environments, it’s important to realize that build servers have a unique threat model and require additional security measures that map to the unique set of risks.
Build-time security is not just about securing code that is pushed through the pipeline; it is about analyzing and monitoring the process and tools that enable that code to be pushed out and implementing sufficient monitoring and controls to ensure that it is done safely.
Build servers themselves, for example, and not just the code residing on them, can represent a significant risk to organizations because, in order to be effective, they must be granted a lot of power. This risk is often forgotten by teams, leading them to account for it inadequately in their build-time security program.
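As an added example (not code from the original article), the following Python script audits a CI workflow definition for the kind of over-privileged, loosely controlled build configuration the paragraphs above warn about: a broad token grant, actions not pinned to a commit, remote scripts piped into a shell, and a trigger that exposes repository secrets to untrusted pull requests. It assumes a GitHub Actions-style workflow already parsed into a dict (`permissions`, `on`, `jobs`, `steps`, `uses` and `run` are the real workflow keys); both sample workflows, the action names and the 40-character commit placeholder are constructed for illustration.

```python
"""Audit a CI workflow dict for over-privileged or unpinned build steps.

Added example, not from the original article. The workflow shape follows
GitHub Actions; the sample workflows below are constructed for illustration.
"""
import re

# Constructed "weak" workflow, as it would look after YAML parsing.
WEAK_WORKFLOW = {
    "name": "build",
    "on": ["push", "pull_request_target"],
    "permissions": "write-all",          # token can write to everything
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},            # mutable tag
                {"uses": "some-org/setup-tool@main"},        # mutable branch
                {"run": "curl -sSf https://example.invalid/install.sh | sh"},
                {"run": "make build"},
            ],
        }
    },
}

# Constructed placeholder commit id (not a real commit) used to show SHA pinning.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# The same pipeline with least-privilege settings applied.
HARDENED_WORKFLOW = {
    "name": "build",
    "on": ["push"],
    "permissions": {"contents": "read"},  # read-only token by default
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": f"actions/checkout@{PLACEHOLDER_SHA}"},
                {"uses": f"some-org/setup-tool@{PLACEHOLDER_SHA}"},
                {"run": "make build"},
            ],
        }
    },
}

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")


def _triggers(wf):
    """Normalise the 'on' field (string, list or mapping) to a list of names."""
    on = wf.get("on", [])
    if isinstance(on, str):
        return [on]
    if isinstance(on, dict):
        return list(on.keys())
    return list(on)


def audit_workflow(wf):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []

    perms = wf.get("permissions")
    if perms is None:
        findings.append("workflow: no 'permissions' block; token gets the repository default")
    elif perms == "write-all" or (
        isinstance(perms, dict) and any(v == "write" for v in perms.values())
    ):
        findings.append("workflow: permissions grant write access; prefer read-only with per-job grants")

    if "pull_request_target" in _triggers(wf):
        findings.append("workflow: 'pull_request_target' runs with repository secrets on fork PRs; review its steps")

    for job_name, job in wf.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            uses = step.get("uses")
            if uses and not SHA_PIN.search(uses):
                findings.append(f"{job_name}[{idx}]: action '{uses}' is not pinned to a commit SHA")
            if PIPE_TO_SHELL.search(step.get("run", "")):
                findings.append(f"{job_name}[{idx}]: remote script is piped directly into a shell")

    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for finding in audit_workflow(wf) or ["no findings"]:
            print(" -", finding)
```

Run against the weak workflow the audit reports the write-all token, the `pull_request_target` trigger, the two unpinned actions and the piped installer; the hardened workflow produces no findings. The checks operate on the parsed structure rather than raw text, so the same function works for any loader that yields the standard workflow dict.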