The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on how organizations can secure continuous integration and continuous delivery (CI/CD) pipelines against malicious attacks.
The document (PDF) includes recommendations and best practices for hardening CI/CD cloud deployments and improving the defenses of development, security, and operations (DevSecOps).
A development process for creating and testing code changes, CI/CD is seen as a key part of DevSecOps, integrating automation and security in the development lifecycle.
The increasing adoption of cloud has led to CI/CD pipelines being implemented in commercial cloud environments, making them an attractive target to threat actors looking to inject malicious code into CI/CD applications, steal sensitive information, or cause denial-of-service (DoS).
Security threats to CI/CD environments, CISA and the NSA note, include insecure first-party and third-party code, poisoned pipeline execution, insufficient pipeline access controls, insecure system configurations, the use of insecure third-party services, and secrets exposure.
Malicious threat actors may exploit CI/CD vulnerabilities introduced by insecure code, may manipulate the build process by compromising source code management repositories, may exploit the lack of access controls or misconfigurations to pivot in a CI/CD pipeline, and may introduce security weaknesses via the improper usage of third-party services.
To harden environments, organizations are advised to use strong cryptographic algorithms on cloud applications and services, use strong credentials, add signatures to CI/CD configurations, use two-person rules (2PR) for all code updates, implement least-privilege policies, implement network segmentation, and audit and secure secrets and user credentials.
Furthermore, the two agencies recommend updating operating systems, software, and CI/CD tools, removing unnecessary applications, using malware detection tools, integrating security scanning as part of the CI/CD pipeline, restricting the use of untrusted code, analyzing committed code, removing temporary resources, and implementing software bill of materials (SBOM) and software composition analysis (SCA).
“NSA and CISA encourage organizations to implement the proposed mitigations to harden their CI/CD environments and bolster organizational DevSecOps. By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the two agencies note.
Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections
Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
Related: US Government Provides Guidance on Software Security Guarantee Requirements
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
