CI/CD security is a growing concern as it becomes a point of focus for hackers looking to compromise corporate networks. A new report that studied hundreds of organizations and took input from a number of field experts breaks down the top 10 risks; the common thread running through all of them is the need to eliminate easy paths for pushing code that can make systemic changes.
CI/CD security issues include flow control, access management and code dependency vulnerabilities
The report, prepared by Cider Security and drawing on the experience of security officers from some of tech’s biggest names, identifies flow control as the leading CI/CD security concern. Flow control mechanisms are a serious risk because access to a single relevant account can allow an intruder to single-handedly push malicious code and artifacts to the rest of the system. The report notes that this area is often not properly secured, as engineers prioritize a fast pipeline over one that is locked down against attackers. While engineers may not be happy with this answer, the best remediation is to require secondary verification before any kind of sensitive code is sent out.
The more general category of identity and access management is the second-biggest issue in CI/CD security. With thousands of active accounts across the typical organization, there are always some that are inactive but retain key permissions, or that continue to hold permissions no longer necessary for their current duties. The report advises diligence in scrubbing these accounts and limiting the creation of new accounts as much as possible, as these are exactly what attackers look to compromise as the first step of an attack.
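To make the two remediations above concrete (a second approval before code reaches a sensitive branch, and a sweep for idle accounts that keep write or admin rights), here is an added example audit script. It is not from the report or from Cider Security; the policy fields, account records and the 90-day idle threshold are constructed assumptions standing in for whatever a real source-control or CI platform exports.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class BranchPolicy:
    repo: str
    branch: str
    required_approvals: int    # reviews needed before a merge is allowed
    admins_can_bypass: bool    # admins may merge/push without those reviews
    direct_push_allowed: bool  # write access can push with no pull request
@dataclass
class Account:
    name: str
    role: str                  # "admin", "write" or "read"
    last_active: date

def single_actor_push_risks(policies):
    """Branches where one identity can land code with no second approval."""
    findings = []
    for p in policies:
        if p.direct_push_allowed:
            findings.append((p.repo, p.branch, "direct push allowed"))
        elif p.required_approvals < 1:
            findings.append((p.repo, p.branch, "no review required"))
        elif p.admins_can_bypass:
            findings.append((p.repo, p.branch, "admins can bypass review"))
    return findings
def stale_privileged_accounts(accounts, today, max_idle_days=90):
    """Names of accounts idle past the threshold that still hold write/admin."""
    return sorted(a.name for a in accounts
                  if a.role in ("admin", "write")
                  and (today - a.last_active).days > max_idle_days)

# Constructed sample inventory; not data from the report.
POLICIES = [
    BranchPolicy("payments", "main", 2, False, False),   # compliant
    BranchPolicy("billing", "main", 1, True, False),
    BranchPolicy("infra", "release", 0, False, False),
    BranchPolicy("tools", "main", 1, False, True),
]
ACCOUNTS = [
    Account("alice", "admin", date(2022, 5, 1)),
    Account("bob", "write", date(2021, 11, 3)),
    Account("contractor-7", "write", date(2021, 9, 20)),
    Account("carol", "read", date(2021, 1, 1)),          # read-only, ignored
]
TODAY = date(2022, 6, 1)   # fixed "today" so the run is reproducible

if __name__ == "__main__":
    print(single_actor_push_risks(POLICIES))
    print(stale_privileged_accounts(ACCOUNTS, TODAY))
```

The checks are ordered so each branch is reported once with its most serious gap; in practice the inventory would come from the platform's policy and audit APIs rather than the constructed lists here.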
Other CI/CD security risks that made the top 10 list include vulnerabilities in the systems that fetch code dependencies (often due to misconfigurations), poisoned pipeline execution, issues with pipeline access controls, policies and employee practices leading to poor credential hygiene, poorly secured system configurations, ungoverned use of third-party services, improper artifact integrity validation, and failure to log adequately and maintain system visibility.
Exploiting CI/CD security issues
When attackers are able to insert themselves into the engineering environment via CI/CD security failings, this gives them a direct line to the production environment. Yet this area of security often receives inadequate attention, and it needs more as it becomes a point of focus for hackers: the SolarWinds incident of 2020, linked to state-backed hackers from Russia, is an example of a CI/CD security issue being exploited to gain access to a variety of targets via just one point of compromise. The attackers were able to move through numerous federal agencies as well as the biggest names in tech and some major universities; in total over 33,000 organizations were thought to be compromised, though the attackers stuck to high-value espionage targets when it came to actually exfiltrating information. A ransomware group or a cruder form of profit-driven cybercriminal would certainly not limit themselves in this way.