The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published guidance on how organizations can secure continuous integration and continuous delivery (CI/CD) pipelines against malicious attacks.
The document (PDF) includes recommendations and best practices for hardening CI/CD cloud deployments and improving the defenses of development, security, and operations (DevSecOps).
A development process for creating and testing code changes, CI/CD is seen as a key part of DevSecOps, integrating automation and security in the development lifecycle.
The increasing adoption of cloud has led to CI/CD pipelines being implemented in commercial cloud environments, making them an attractive target to threat actors looking to inject malicious code into CI/CD applications, steal sensitive information, or cause denial-of-service (DoS).
Security threats to CI/CD environments, CISA and the NSA note, include insecure first-party and third-party code, poisoned pipeline execution, insufficient pipeline access controls, insecure system configurations, the use of insecure third-party services, and secrets exposure.
Malicious threat actors may exploit CI/CD vulnerabilities introduced by insecure code, may manipulate the build process by compromising source code management repositories, may exploit the lack of access controls or misconfigurations to pivot in a CI/CD pipeline, and may introduce security weaknesses via the improper usage of third-party services.
To harden environments, organizations are advised to use strong cryptographic algorithms on cloud applications and services, use strong credentials, add signatures to CI/CD configurations, use two-person rules (2PR) for all code updates, implement least-privilege policies, implement network segmentation, and audit and secure secrets and user credentials.
Furthermore, the two agencies recommend updating operating systems, software, and CI/CD tools, removing unnecessary applications, using malware detection tools, integrating security scanning as part of the CI/CD pipeline, restricting the use of untrusted code, analyzing committed code, removing temporary resources, and implementing software bill of materials (SBOM) and software composition analysis (SCA).
“NSA and CISA encourage organizations to implement the proposed mitigations to harden their CI/CD environments and bolster organizational DevSecOps. By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the two agencies note.
Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections
Related: CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
Related: US Government Provides Guidance on Software Security Guarantee Requirements