The foundation of the modern software delivery process is Continuous Integration/Continuous Delivery (CI/CD) and all its supporting procedures and systems. These processes compile the code from a developer’s workspace to the test environment and then to production. The emergence of the DevOps discipline, together with CI/CD systems and methods, has changed the engineering ecosystem. But with the gaining popularity of CI/CD, it has become an attractive attack surface for cyber-attacks.
Here are some of the more popular incidents:
- The Codecov breach led to the exfiltration of secrets stored within environment variables in thousands of build pipelines across numerous enterprises. [Codecov breach impacted ‘hundreds’ of customer networks: report | ZDNET]
- The Dependency Confusion flaw, which affected dozens of giant enterprises, abuses flaws in the way external dependencies are fetched to run malicious code on developer workstations and build environments.
List of the top 10 CI/CD security risks:
- CICD-SEC-1: Insufficient Flow Control Mechanisms
- CICD-SEC-2: Inadequate Identity and Access Management
- CICD-SEC-3: Dependency Chain Abuse
- CICD-SEC-4: Poisoned Pipeline Execution (PPE)
- CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
- CICD-SEC-6: Insufficient Credential Hygiene
- CICD-SEC-7: Insecure System Configuration
- CICD-SEC-8: Ungoverned Usage of 3rd Party Services
- CICD-SEC-9: Improper Artifact Integrity Validation
- CICD-SEC-10: Insufficient Logging and Visibility
