Security monitoring for software build pipelines

First steps to increase confidence in your build environment's integrity


Security operations monitoring in the traditional sense is a well-trodden path for most large organizations. What is new for many, however, is applying the same concepts of automated, real-time alerting and streamlined response to the fast-paced, rapidly changing world of DevOps.

Why is this important?

In the winter of 2020, the SUNSPOT malware demonstrated how sophisticated attackers may target software vendors. SUNSPOT ran on the vendor's build server and swapped a source file during compilation, so the product that customers downloaded and installed carried a backdoor while still bearing the vendor's legitimate signature. After achieving a foothold inside an organization, attackers can compromise a build pipeline so that customers of the affected company's software are compromised as well. So how can an organization monitor the integrity of its software build process to improve detection of malicious activity?

Where do I start?

What would you need to know to trust your software development infrastructure itself, in addition to its contributors and processes? Can you write down a list of questions you would like answered at each major step of the build process?

Figure: artifact repository flow graphic

Here are a few examples of security monitoring questions that may help identify potentially malicious behavior in software development:

Build process stage, with example security monitoring questions for each:

Source Code Repository
  1. Was a brand new, unexpected contributor added to the source code repository?
  2. Did a commit come from a user who did not authenticate via multi-factor authentication?
Dependency Management
  1. Did we generate a valid software bill of materials (SBOM) for this build?
  2. Did the number or makeup of open source libraries used in this codebase change significantly?
Build
  1. Did anything change on the build server from its last known-good state?
  2. Was the certificate or signing key used by the build process modified?
Artifact Repository
  1. Does the hash recorded in the artifact repository differ from the hash of the pipeline's output?
  2. Did an account that has never accessed the artifact repository before access it?
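As an added example that is not part of the original article, the Python below turns the questions in the table above into one detection rule each and runs them over constructed pipeline events. The event field names, the baseline values and the 25% dependency-change threshold are assumptions, not the schema of any particular CI system. The baseline records the last known-good state that the Build and Artifact Repository questions compare against, which is the piece most teams forget to capture before they can alert on drift.

```python
"""Rules for the build-pipeline monitoring questions above, evaluated over
constructed sample events. Added example, not code from the article; event
field names, baseline values and the 25% threshold are assumptions."""
from __future__ import annotations

import hashlib
import json
from typing import Iterator

# Constructed baseline: the pipeline's last known-good state as an operator
# might record it. Fingerprints and hashes here are made up.
BASELINE = {
    "contributors": {"alice", "bob"},
    "build_server_config_sha256": hashlib.sha256(
        b"image=builder:1.4\nagent=v2.1\n").hexdigest(),
    "signing_key_fingerprint": "SHA256:3f1a9c0d",
    "artifact_repo_accounts": {"ci-bot", "alice"},
}

# Constructed sample events (JSON lines), roughly one per question in the table.
SAMPLE_EVENTS = """
{"stage": "source", "type": "contributor_added", "user": "mallory"}
{"stage": "source", "type": "commit", "user": "bob", "mfa": true, "sha": "a1b2c3"}
{"stage": "source", "type": "commit", "user": "mallory", "mfa": false, "sha": "d4e5f6"}
{"stage": "dependencies", "type": "sbom", "valid": true, "packages": 212, "baseline_packages": 140}
{"stage": "build", "type": "server_state", "config": "image=builder:1.4\\nagent=v2.1\\n"}
{"stage": "build", "type": "server_state", "config": "image=builder:1.4\\nagent=v2.1\\npre_build=sh /tmp/patch.sh\\n"}
{"stage": "build", "type": "signing", "key_fingerprint": "SHA256:9b7c02ee"}
{"stage": "artifact", "type": "upload", "user": "ci-bot", "pipeline_sha256": "aaaa1111", "repo_sha256": "bbbb2222"}
{"stage": "artifact", "type": "access", "user": "carol"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def alert(stage: str, rule: str, subject: str, detail: str = "") -> dict:
    """Shape of one alert; a real deployment would route this to SIEM/chat."""
    return {"stage": stage, "rule": rule, "subject": subject, "detail": detail}


def evaluate(events_text: str, baseline: dict,
             dep_change_threshold: float = 0.25) -> list[dict]:
    """Apply one rule per monitoring question; return alerts in event order."""
    alerts: list[dict] = []
    known_contributors = set(baseline["contributors"])
    known_repo_accounts = set(baseline["artifact_repo_accounts"])
    for ev in parse_events(events_text):
        kind = ev["type"]
        # Source code repository: unexpected contributor, commit without MFA.
        if kind == "contributor_added" and ev["user"] not in known_contributors:
            alerts.append(alert("source", "new_contributor", ev["user"]))
            known_contributors.add(ev["user"])  # alert once per new account
        elif kind == "commit" and not ev.get("mfa", False):
            alerts.append(alert("source", "commit_without_mfa", ev["user"], ev["sha"]))
        # Dependency management: missing/invalid SBOM, or a large swing in package count.
        elif kind == "sbom":
            if not ev.get("valid"):
                alerts.append(alert("dependencies", "invalid_sbom", ev.get("build_id", "")))
            elif ev["baseline_packages"] > 0:
                change = abs(ev["packages"] - ev["baseline_packages"]) / ev["baseline_packages"]
                if change > dep_change_threshold:
                    alerts.append(alert("dependencies", "dependency_count_shift",
                                        f"{ev['packages']} vs {ev['baseline_packages']}"))
        # Build: server config drifted from its known-good hash, or signing key changed.
        elif kind == "server_state":
            digest = hashlib.sha256(ev["config"].encode()).hexdigest()
            if digest != baseline["build_server_config_sha256"]:
                alerts.append(alert("build", "build_server_drift", digest[:12]))
        elif kind == "signing" and ev["key_fingerprint"] != baseline["signing_key_fingerprint"]:
            alerts.append(alert("build", "signing_key_changed", ev["key_fingerprint"]))
        # Artifact repository: stored hash differs from pipeline output, or first-time access.
        elif kind == "upload" and ev["pipeline_sha256"] != ev["repo_sha256"]:
            alerts.append(alert("artifact", "artifact_hash_mismatch", ev["user"],
                                f"{ev['pipeline_sha256']} != {ev['repo_sha256']}"))
        elif kind == "access" and ev["user"] not in known_repo_accounts:
            alerts.append(alert("artifact", "first_time_repo_access", ev["user"]))
            known_repo_accounts.add(ev["user"])
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, BASELINE):
        print(f"[{a['stage']}] {a['rule']}: {a['subject']} {a['detail']}".rstrip())
```

Run against the sample events, the rules raise seven alerts, one per question except the valid SBOM; the matching server_state event raises nothing, which is the point of hashing a baseline rather than diffing free text. The same structure works whether the events come from a CI webhook, a Git audit log or an artifact repository access log, as long as the producer normalizes them into a stage and type first.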


In this approach, which some refer to as automated governance, not all use cases are equally attractive. What makes one better than another? Scoring each candidate on attributes such as "ability to reduce risk" and "level of effort to implement" will surface a first set of higher-value use cases. A second round of prioritization can come from questions about the monitoring use cases themselves, such as:

  • "Is the responsibility of this monitoring use case already addressed, or made moot, by a cloud-based Software as a Service offering already in use?" If the answer is "yes", the use case can be deprioritized relative to others.
  • "Is this monitoring use case something we would actually alert on, or something we only want to capture as an attestation (a declaration of evidence) for later use, such as in an audit?" If the answer is "just capture it as an attestation for later use", the use case can be deprioritized relative to others.

The goal of putting your first few build pipeline security monitoring use cases into production should be to learn the process of implementing them, not to achieve complete assurance of the build pipeline. You may even include the buildout of such use cases in your organization's regular security champion dialog or hackathons. If you crowdsourced the buildout to engaged security champion developers, is one new use case per month realistic? And consider sending alerts from this monitoring beyond the classical security operations team to the developer teams' real-time messaging and collaboration tools. Done well, this raises security awareness among development teams who may not yet consciously prioritize security and minimizes unnecessary handoffs, a core tenet of the "First Way" of DevOps and key to increasing process flow.

The suggestions above provide a framework for what to monitor in your developers' build activity, how to implement that monitoring, and who gets alerted when something potentially malicious is identified. As more build pipeline monitoring use cases are implemented, confidence that your build pipeline and software development process are trustworthy increases, the likelihood that a serious security event goes unnoticed decreases, and you can focus on innovation and delivering value to your customers.

Meet our team

Charles A. Jacco
Principal, Cyber Security, KPMG US
Caleb Queern
Managing Director, Cyber Security, KPMG US
