Setting Up a Security Pipeline from Development to Production
Most security tools cover a single stage of the application lifecycle. A SAST scanner checks your code, an obfuscator protects your build, a WAF sits in front of your server. But they operate in isolation, with no shared context and no way to connect what happens in development to what happens in production. This guide shows how to build a connected security pipeline that covers every stage.
The Four Stages
Application security breaks down into four stages. Each one has different risks and requires different tools.
Develop is where vulnerabilities are introduced. Insecure coding patterns, vulnerable dependencies, and hardcoded secrets enter the codebase through commits and pull requests.
Build is where the application is compiled and packaged. This is the last opportunity to apply code protection before the binary is distributed.
Release is where the protected application is deployed to servers or published to app stores. Configuration, environment secrets, and infrastructure settings must be secure.
Runtime is where the application faces real attacks. Injection attempts, tampering, debugging, and exploitation happen here, against the running application.
A complete security pipeline addresses all four.
Stage 1: Develop - Static Analysis and Secret Scanning
Code Scanning with Radar (SAST)
ByteHide Radar performs Static Application Security Testing on every commit and pull request. It identifies vulnerabilities in your source code before they reach production.
Radar covers the OWASP Top 10 (2021 and 2025) and maps findings to CWE identifiers so you can understand the exact nature of each vulnerability.
When Radar finds a vulnerability, AI AutoFix can generate a validated pull request with the fix. This removes the manual triage step and lets developers review and merge the fix directly.
Dependency Scanning (SCA)
Radar also scans your dependency tree for known vulnerabilities. It checks your package.json, *.csproj, requirements.txt, go.mod, or pom.xml against the CVE database and flags packages with known security issues.
See SCA Documentation for supported ecosystems and configuration.
Secret Scanning
Every commit is scanned for hardcoded credentials, API keys, tokens, and private keys. Radar detects over 200 secret types and alerts before the secret reaches the main branch.
See Securing API Keys and Secrets for a detailed guide on this topic.
Centralized Secret Management
ByteHide Secrets replaces hardcoded credentials with encrypted, centrally managed values. Developers reference secret names in code, and the SDK retrieves the actual values at runtime from the vault.
Available for .NET, JavaScript, Java, Go, Python, and PHP.
Stage 2: Build - Code Protection
Once your code passes static analysis, it needs to be protected before distribution. This is where ByteHide Shield comes in.
Shield runs as a post-build step. It takes your compiled binary and applies obfuscation, string encryption, control flow transformation, and anti-tamper checks. The result is a functionally identical application that is significantly harder to reverse engineer.
What Shield Covers
| Protection | .NET | JavaScript | Android | iOS |
|---|---|---|---|---|
| Name obfuscation | Renamer | Name Protection | Name Obfuscation | Symbol Renaming |
| String encryption | Constant Encryption | String Array | String Encryption | String Encryption |
| Control flow | Control Flow | Control Flow Flattening | Control Flow | Control Flow |
| Anti-debug | Anti-Debugger | Debug Protection | Anti-Debug | Anti-Debug |
Shield integrates into your existing build process:
- .NET: NuGet package that runs during MSBuild. See MSBuild Integration.
- JavaScript: Webpack, Vite, or Next.js plugin. See JavaScript Shield.
- Android: Gradle plugin. See Gradle Setup.
- iOS: Xcode Run Script phase or CLI. See Xcode Integration.
Stage 3: Release - Secure Distribution
At the release stage, the focus is on ensuring the protected application reaches its destination without modification, and that the infrastructure it runs on is properly configured.
For mobile applications, submit the Shield-protected binary to the App Store or Google Play. Shield's anti-tamper checks ensure the binary cannot be modified and redistributed. See Protecting a Mobile App Before Publishing for a complete checklist.
For server applications, ensure that production secrets are managed through ByteHide Secrets with separate environments for staging and production. Never deploy configuration files that contain credentials.
For all applications, archive the mapping files that Shield generates with each protected build. These are essential for debugging production stack traces. Shield uploads them automatically to the Cloud Panel.
Stage 4: Runtime - Active Defense
Static protection hardens the binary, but it cannot prevent all attacks against a running application. ByteHide Monitor adds a RASP layer that defends from inside the application.
For Server Applications (.NET)
Monitor detects and blocks injection attacks (SQL injection, XSS, command injection, path traversal), unauthorized access attempts, and anomalous behavior patterns. It runs inside your ASP.NET pipeline with zero infrastructure changes.
See .NET Monitor Documentation.
For Mobile Applications (Android and iOS)
Monitor detects rooted/jailbroken devices, debugger attachment, hooking frameworks, emulators, and binary tampering. It can block compromised sessions, notify your backend, and log all incidents.
See Android Monitor and iOS Monitor.
Automated Response
Monitor supports Workflow Automation with configurable actions. When a threat is detected, the response can be automatic: block the user, terminate the session, wipe local data, or send a webhook notification to your backend.
Correlation with Radar
This is where the connected pipeline pays off. When Radar identifies a vulnerability in your code and Monitor detects exploitation of that same vulnerability in production, the Runtime Correlation feature connects the two events. This gives you direct evidence of which vulnerabilities are being actively exploited, so you can prioritize fixes based on real attack data instead of theoretical severity scores.
Observability with Logs
ByteHide Logs provides centralized, structured logging across all your services. Every security event from Monitor, every scan result from Radar, and every secret access from Secrets feeds into the same logging infrastructure.
This gives your team a unified audit trail for compliance, forensics, and real-time visibility into what is happening across the platform.
Available for .NET, JavaScript, Java, Go, and Python.
The Connected Pipeline
The key advantage of this approach is context. Radar knows what vulnerabilities exist in your code. Monitor knows which ones are being attacked. Shield protects the code in between. And Logs gives you the complete record. When all four layers share the same platform, the information flows between them automatically.
Next Steps
- Integrating Security Into Your CI/CD Pipeline - Practical setup with GitHub Actions, Azure DevOps, and GitLab CI
- Detecting and Responding to Runtime Attacks - Deep dive into Monitor's RASP capabilities
- What OWASP Top 10 Means for Your Application - Understanding the vulnerabilities Radar detects