A new report from Cider Security delves into the top risks in continuous integration/continuous delivery (CI/CD) environments using a combination of scans of hundreds across industries, input from industry experts and recently published security vulnerabilities and incidents. The final verdict is that the greatest present threat to CI/CD security is insufficient flow control, or a lack of mechanisms in place to require additional approval prior to allowing code to be pushed down the pipeline.
There are a number of other substantial threats as well, with two of the top items being poor identity and access management, and abuse of flaws in the mechanisms that fetch code dependencies.
CI/CD security threats headlined by approval & access control
CI/CD is the pipeline directly from engineers to production, and therefore CI/CD security is a key component of any organization’s defense strategy. However, some organizations may be underlooking both the importance of this element and the pace at which sophisticated attackers are shifting focus to it as a quick path to complete compromise of a network.
Some recent examples of high-profile CI/CD security failures include the SolarWinds breach, the publication of a malicious version of PHP, the Codecov breach and the attacks on the ua-parser-js, coa and rc NPM packages. In all of these cases, the compromise of a central and trusted source of updates led in turn to the compromise of thousands of downstream users that did not have adequate checks in place.
Participants in the interviews and network reviews for the CI/CD security report include security heads and C-suite officers from Twitter, Mozilla, Netflix, Mercari and Atlassian among other firms. #1 on the list of security issues are insufficient flow control mechanisms, or the ability of an attacker to autonomously push malicious code or artifacts down the pipe after gaining some level of unauthorized access to an internal system. The report notes that this is a frequent issue because CI/CD flows are designed for speed rather than security.
Examples of flow control abuse include the malicious update to the PHP Github repository, and the demonstration of a flaw in Github Actions that allows bypass of required reviews to push code to an unprotected branch. The central recommended remediation is ensuring that no one single person has the ability to push sensitive code without some secondary verification. Other recommendations include limiting the use of auto-merge rules and the ability of accounts to trigger production build and deployment pipelines, and only allowing artifacts to move through the pipeline if they come from a pre-approved CI service account.
Other major threats to CI/CD security
The second-ranked problem is that of identity and access management, ranging across all of the different systems in the engineering ecosystem. This is another case in which a compromised account is likely to have permissions that allow it to push code and infrastructure changes. CI/CD security remediation includes the continuous mapping and analysis of the potentially thousands of identities across the ecosystem, systematic and timely removal of permissions as they are no longer needed for the job, a firm inactivity period for removing unused accounts, and limiting the creation of local user accounts as much as possible.
Employees are also not recommended to use personal email addresses or any established outside the organization, and ending the use of shared accounts and the ability to self-register.
Another CI/CD security factor that ranks highly is dependency claim abuse, or the exploitation of flaws in how engineering systems fetch code dependencies. This was the method employed in the NPM library breaches as well as attack attempts seen at Amazon, Lyft and Zillow. This is a process that can involve many different systems and is largely regulated by configuration settings, which is where the vulnerabilities tend to crop up. Common attacks include “typosquatting” and other forms of essentially confusing users into downloading a malicious package, or perhaps even swapping out a valid package for a tainted one.
Other serious CI/CD security risks identified in the report tend to follow in this theme of uncontrolled access leading to an attacker having an excessive amount of permission to make changes in the environment: poisoned pipeline execution, insufficient pipeline-based access controls, poor credential hygiene, insecure system configurations, ungoverned usage of third party services, improper artifact integrity validation and insufficient logging/system visibility.
The report includes much more detailed information on defense and mitigation measures for each of these CI/CD security risks. The researchers expect the targeting of business source code to continue to grow in popularity as an attack vector in the coming years. Penetration of the engineering environment is a rising threat given that it can provide an attacker with multiple avenues of long-term access to an organization’s systems, an approach well suited to the most advanced state-backed hacking groups that look to quietly exfiltrate confidential information over extended periods of time.