Connect with us

Hi, what are you looking for?


Application Security

CISA, NSA Share Guidance on Securing CI/CD Environments

New guidance from CISA and the NSA provides recommendations on securing CI/CD pipelines against malicious attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on how organizations can secure continuous integration and continuous delivery (CI/CD) pipelines against malicious attacks.

The document (PDF) includes recommendations and best practices for hardening CI/CD cloud deployments and improving the defenses of development, security, and operations (DevSecOps).

A development process for creating and testing code changes, CI/CD is seen as a key part of DevSecOps, integrating automation and security in the development lifecycle.

The increasing adoption of cloud has led to CI/CD pipelines being implemented in commercial cloud environments, making them an attractive target to threat actors looking to inject malicious code into CI/CD applications, steal sensitive information, or cause denial-of-service (DoS).

Security threats to CI/CD environments, CISA and the NSA note, include insecure first-party and third-party code, poisoned pipeline execution, insufficient pipeline access controls, insecure system configurations, the use of insecure third-party services, and secrets exposure.

Malicious threat actors may exploit CI/CD vulnerabilities introduced by insecure code, may manipulate the build process by compromising source code management repositories, may exploit the lack of access controls or misconfigurations to pivot in a CI/CD pipeline, and may introduce security weaknesses via the improper usage of third-party services.

To harden environments, organizations are advised to use strong cryptographic algorithms on cloud applications and services, use strong credentials, add signatures to CI/CD configurations, use two-person rules (2PR) for all code updates, implement least-privilege policies, implement network segmentation, and audit and secure secrets and user credentials.

Advertisement. Scroll to continue reading.

Furthermore, the two agencies recommend updating operating systems, software, and CI/CD tools, removing unnecessary applications, using malware detection tools, integrating security scanning as part of the CI/CD pipeline, restricting the use of untrusted code, analyzing committed code, removing temporary resources, and implementing software bill of materials (SBOM) and software composition analysis (SCA).

“NSA and CISA encourage organizations to implement the proposed mitigations to harden their CI/CD environments and bolster organizational DevSecOps. By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the two agencies note.

Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections

Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers

Related: US Government Provides Guidance on Software Security Guarantee Requirements

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.