This  new  way  of  crafting  software  improves  delivery  by  using  automation  and  removing  human
            interactions  as  much  as  possible.  Platforms  and  tools  like  Jenkins,  Docker,  Vagrant,  Puppet,  Chef,
            Platform as a service (PaaS), ServiceNow, Bitbucket, Git, Selenium, and many others have enabled
            development teams to create a continuous integration and continuous delivery pipeline (CI/CD).  The use
            of these tools have allowed some organizations to delivery software multiple times per day. Public cloud
            providers like Amazon provide their own CI/CD pipelines to their customers.
































            Figure 1: Example of a DevOps CI/CD pipeline



            Cyber Defenders must become very familiar with the tools and applications used in a CI/CD pipeline. A
            compromise of one or more of these tools could adversely impact an organization’s ability to deliver
            software. Furthermore, these applications become a new attack vector for threat actors. Vulnerabilities
            found in these applications should be remediated immediately.



            Many of the tools being used in creating a CI/CD pipeline are open source. Although more eyes are
            looking at the code for potential vulnerabilities, there are those that are also looking for ways to comprise
            these applications.


            Cybersecurity professionals, especially those involved in defense operations, might be wondering how
            organizations are able to deploy code that is secure multiple times per day. How does one conduct
            penetration testing on an application that is constantly changing and using temporary infrastructure? For
            example, Jenkins, a very popular continuous integration tool, has over 260 CVEs identified.










                                 69