Continuous Integration and Continuous Deployment (CI/CD) environments are integral to the modern software development lifecycle. While pivotal in ensuring a streamlined and efficient development process, these environments can contain several security vulnerabilities. Because of this, The Cybersecurity & Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recognized the importance of defending CI/CD environments and have released a cybersecurity information sheet (CSI) titled “Defending CI/CD Environments.”
In this post, we will examine the contents of this document, outline the attack surfaces listed therein, and discuss strategies for mitigation. Furthermore, this article will highlight the comprehensive measures implemented by Cycode to ensure the utmost protection for our valued customers.
What’s in the CISA and NSA CSI?
The document provides an in-depth examination of CI/CD environments, their inherent security risks, and best practices for defense. Some key areas covered in the document are:
- An introduction to CI/CD environments.
- A list of the primary CI/CD attack surfaces, including security risks and threats.
- Scenarios that demonstrate the risks while explaining recommended mitigations.
- A guide to defense, including guides to active hardening, developer environment mitigations, and development process mitigations.
6 CI/CD Threats and Mitigation Strategies
Threat actors are increasingly targeting software supply chains and CI/CD environments. On top of this, the general amount of compromises in CI/CD pipelines is on the rise. The CSI states 6 types of security threats that can impact CI/CD operations and the necessary measures to safeguard the environment or supply chain.
1. Insecure Code
Insecure code is often a result of rapid development practices that overlook security. It can include code defects, vulnerable open-source components, or third-party integrations that haven’t been properly vetted.
The mitigation for this threat involves implementing secure coding practices, conducting regular code reviews, and utilizing automated security scanning tools to identify and fix vulnerabilities in source code.
2. Poisoned Pipeline Execution (PPE)
PPE is a method malicious actors use to manipulate the build process. They inject harmful code or commands into the build pipeline configuration, allowing them to run malicious code during the build. This technique abuses permissions and compromises the integrity of the pipeline.
Mitigation means securing build configuration, limiting permissions in source code repositories, and hardening the build pipeline.
3. Insufficient Pipeline Access Controls
Malicious actors can exploit weak access control permissions in a CI/CD pipeline to inject harmful code into an application. These controls determine access to resources and systems within and outside the execution environment of pipeline nodes.
The mitigation for this threat includes strictly controlling configuration access and hardening the pipeline execution.
4. Insecure System Configuration
System misconfigurations in CI/CD environments, such as infrastructure, network, and application configurations, can be exploited by malicious cyber actors (MCAs).
The mitigation for this threat involves reviewing and hardening system configurations, ensuring permissions to the pipeline are least privileged, and that the build pipeline is correctly hardened.
5. Usage of Third-Party Services
Third-party services, such as GitLab, GitHub, and Travis CI, are often integrated into CI/CD pipelines. These systems could introduce new security weaknesses into the pipeline. Explore further how we found that thousands of open-source projects were vulnerable due to third-party integration.
The mitigation for this threat includes monitoring all used third-party services, keeping the tools up-to-date, implementing strong authentication, and hardening your pipeline.
6. Exposure of Secrets
Secrets, like private keys, passwords, and tokens, play a vital role in authentication between tools in the build and deployment processes to provide access to resources. Malicious actors could exploit exposed secrets to gain unauthorized entry.
The mitigation for this threat includes using secret management solutions to store and manage secrets securely. Regularly rotate secrets and use service accounts with minimal privileges where possible. Additionally, use automated scanning tools to continuously scan for exposed secrets across the software development lifecycle (SDLC) and in code repositories or configurations. Another mitigation strategy is using a build-hardening solution to prevent malicious actors from secret exposure.
3 Ways Cycode Mitigates These Threats
At Cycode, we are aware of these threats and have developed solutions that are security first and developer friendly:
1. CI/CD Posture Management & Software Supply Chain Security
Ensuring a robust security posture throughout the development process is of utmost importance in today’s landscape, where developers often employ numerous tools with varying configurations, sometimes without a complete understanding of their implications. By adhering to the following guidelines, Cycode effectively performs configuration scanning, offering invaluable security enhancements to address #3. Insufficient Pipeline Access Controls, #4. Insecure System Configuration:
- Source control access management.
- Branch protection rules and code review compliance. E.g., two-person review.
- CI/CD system configuration issues. For instance:
- Detecting scenarios where builds are being executed on the Jenkins controller server.
- Identifying where default write permissions are granted within GitHub Actions pipelines.
And finally, Cycode’s platform includes the leading secrets scanner that works across your entire CI/CD—not just on your code. This will help keep the keys to your pipeline and operation from being exposed and mitigates the risk of #6 Exposure of Secrets that can lead to your tools and infrastructure being compromised.
2. Code Security Scanning
By conducting a thorough code scan, you can uncover potential threats, including the presence of hard coded secrets. Additionally, a code scan can identify vulnerabilities in your first-party code that can be exploited (SAST), exposes weaknesses in third-party open-source components (SCA), detects misconfigured infrastructure-as-code, and finds malicious packages or other risks. In addition, the role of code scanning has evolved over the years, and will often include hard coded secrets, infrastructure as code, and CI/CD as code scanning.
Cycode provides an extensive scanning feature set that enables you to actively monitor, detect, receive alerts, and proactively prevent all of these issues from entering your codebase. These capabilities are crucial in mitigating the risks associated with #1 Insecure Code, #5 Usage of Third-Party Services, and #6 Exposure of Secrets, as described above.
3. CI/MON, Cycode’s Build Hardening Solution
Cimon by Cycode is a cutting-edge runtime security agent designed to safeguard your CI/CD pipelines against sophisticated cyberattacks. It leverages the revolutionary eBPF (extended Berkeley Packet Filter) technology to monitor and mitigate attacks within the kernel, providing real-time protection and preventing unauthorized access to your valuable assets.
Cimon is a force multiplier, enabling another layer of defense for CI/CD pipelines, one that focuses on the build environment—which is the core of the entire process. By monitoring the execution of the build, Cimon brings both security and integrity to the build process.
Organizations that utilize Cimon are safeguarding their pipelines against the mentioned threats:
– Poisoned Pipeline Execution: Cimon analyzes the pipeline, identifies normal operations, detects breaches, performs remediation, and provides recommendations for further strengthening. Because of this, poisoned pipelines have limited capabilities and are unable to perform malicious activity.
– Insufficient Pipeline Access Controls: Similar to PPE, malicious actors that exploit misconfigured access controls will be limited in their ability to perform malicious activities.
– Insecure System Configuration: Malicious actors who manage to infiltrate CI systems due to insecure system configuration will be detected and prevented from their malicious actions.
– Exposure of Secrets: Malicious actors that try to perform abnormal connections for secret exfiltration or access unknown hosts will be terminated.
Best of all? We are committed to CI/CD pipeline security so much that we offer it for free. To get started, visit https://cimon.build.
Summing Up
The CSI released by the CISA and NSA is an invaluable resource on securing one of the most sensitive assets in the SDLC pipeline—the CI/CD processes. It is imperative for companies to understand the various attack surfaces, implement robust security measures, and constantly monitor for new findings and methods to improve their security defenses. As CI/CD environments continue to evolve, so should the security practices that protect them.
Because of this, we provide the only AppSec platform that provides visibility, context, & remediation for Sec, Dev, & Ops teams to secure development together—faster. Visit our website or book a demo to learn more.
Originally published: July 12, 2023