Back to

This is an archived copy. View the original at

Build-time security: Block risk and security issues from production rings
March 27, 2019
Sam Bisbee

Build-time security has become a standard part of any security program and continues to grow in popularity with the shift left movement. In its most popular form, it’s a series of checks that take place as code makes its way from a developer’s laptop into production to ensure that the code is free from known vulnerabilities.

While they share some similarities with production environments, it’s important to realize that build servers have a unique threat model and require additional security measures that map to the unique set of risks.

Build-time security is not just about securing code that is pushed through the pipeline; it is about analyzing and monitoring the process and tools that enable that code to be pushed out and implementing sufficient monitoring and controls to ensure that it is done safely.

Build servers for example, not just the code residing on them, can represent a significant risk to organizations because in order to be effective they must be granted a lot of power. This risk is often forgotten by teams, leading them to inadequately account for it in their build time security program.

Why build servers are a popular target

While build servers are not typically a high priority for security teams, they have a number of characteristics that make them a common target for attackers.

The value for an attacker and impact to an organization

Because build servers are largely misunderstood and thus not prioritized in security as noted above, they often represent hidden risk for organizations. The impact of a build system being compromised is meaningful to the organization even if it never becomes public because of the sensitive information that lives on the build systems themselves and how it can be used. For example:


Every team within an organization is playing catch up as environments increasingly overlap with one another. And since there is less-and-less differentiation between corporate and production environments, not all of the overlapping sections and bridges – some of them major transit hubs – are obvious.

The massive hubs that are turned into build systems are among the most impactful and under appreciated links that both attackers and defenders can leverage. Any effective build-time security strategy must account for, and monitor, not just the code to be pushed out, but the tools and processes involved in the development cycle.