What is CI/CD Security?
CI/CD security helps identify and mitigate security risks associated with all phases of the continuous integration / continuous delivery or deployment (CI/CD) pipeline. The goal is to ensure code is always secure and its integrity is maintained as it moves across the pipeline.
Since each CI/CD pipeline is unique, the security measures, processes, and tools you implement depend on the unique characteristics of your pipeline. Most pipelines include core phases like source code management, code build, testing, and deployment. Other pipelines may also incorporate feature branches or target multiple production environments that introduce complexity and security risks into the pipeline.
Related content: Read our guide to CI/CD pipeline
CI/CD Security Risks
1. Insecure Code
The modern development lifecycle is designed for rapid development and delivery. To support this objective, CI/CD pipelines include an increasing amount of open-source components and third-party integrations. However, rapid development without proper security can introduce vulnerabilities and expose the pipeline to critical risks.
Improper integration of third parties and lack of code scanning for source code components can introduce vulnerabilities into your CI/CD pipeline. Failure to adhere properly to code security best practices can significantly increase the attack surface. Common code vulnerabilities include buffer overflows, format string vulnerabilities, and improper error handling.
2. Poisoned Pipeline Execution (PPE)
Poisoned pipeline execution (PPE) is a technique that enables threat actors to poison the CI pipeline. It was demonstrated by Omer Gil, head of research at Cider Security. The technique abuses permissions in source code management (SCM) repositories to manipulate the build process. It involves injecting malicious code or commands into the build pipeline configuration, poisoning the pipeline to run malicious code during the build process.
3. Insufficient PBAC (Pipeline-Based Access Controls)
Pipeline-based access controls (PBAC) grant or deny access to resources and systems inside and outside the execution environment. Pipeline execution nodes use these resources to perform various actions. However, if malicious code enters the pipeline, threat actors can exploit insufficient PBAC risks to abuse these pipeline permission to move laterally in or outside the CI/CD system.
4. Insecure System Configuration
CI/CD systems involve numerous infrastructure, network, and application configurations. These configurations greatly impact the security posture of your CI/CD pipeline and its susceptibility to cyber-attacks. This is why threat actors actively look for potential CI/CD misconfigurations and vulnerabilities they can exploit.
5. Usage of Third Party Services
Modern CI/CD pipelines often utilize many third-party integrations because they facilitate rapid development and delivery. However, improper usage of third parties can introduce security weaknesses into the pipeline. Securing usage of third-party services typically involves implementing controls that achieve governance and visibility, such as role-based access controls (RBAC).
6. Supply Chain Attacks
Software applications often rely on dependencies for core functionality, while CI/CD publishes source code and binaries to various public repositories. This supply chain includes many parties, including organizations, individuals, resources, technologies, and activities involved in creating and selling the software product. Supply chain attacks target weak parties within the supply chain to breach others connected to the chain.
7. Exposure of Secrets
CI/CD tools consume numerous secrets to gain access to many sensitive resources, such as databases and codebases. Secrets are required for authentication between tools and also participate in the build and deployment process to ensure deployed resources have access. However, the increasing consumption of secrets by CI/CD pipelines introduces complexities, making it difficult to store, transmit, and audit secrets securely.
Best Practices to Enhance CI/CD Pipeline Security
Map Threats and Secure Connections
The first step to securing your CI/CD pipeline is determining the threats and vulnerabilities within the build and deployment process that require additional security. Threat modeling can help you map threats to the pipeline. Additionally, you should inventory all connections and treat them as potential points of compromise. Regularly scan and patch all connections on the pipeline and block any devices that do not meet your security policy requirements.
Tighten Access Control
Access control mechanisms can help you tighten security around your CI/CD pipeline and the resources and system it consumes. Here are key practices to consider:
- Set up access control lists and rules—define and enforce lists and rules to control access to your CI/CD pipeline and access granted to the pipeline.
- Log, monitor, and manage access—track all pipeline components and resources to achieve visibility on all levels, including role-based, task-based, time-based, and pipeline-based access.
- Perform regular audits—implement audits to ensure you have closed or revoked permissions to all redundant accounts and users that belonged to ex-employees.
Keep Secrets Safe
Secrets include authentication credentials, like passwords and API tokens that allow access to services and applications. Improperly secured secrets can lead to data breaches and intellectual property theft.
You can employ a key management service to control the location of and access to secrets. Key management services encrypt, store, and inject secrets only at runtime only when these credentials are required. It ensures secrets are never exposed during application build and deployment or appear in the source code.
Secure Code Repository
Threat actors often target code repositories like Git because they store intellectual property and proprietary source code. Common attacks involve ransomware that wipes repositories if the ransom demand is not paid. Here are several ways to help secure code repositories:
- Two-factor authentication—helps prove the identity of the author. You can also implement signed commits.
- Access roles per repository—helps ensure only authorized developers with valid credentials can interact with each repository.
- Secure local backup—helps avoid a complete loss if the repository is held hostage by ransomware or corrupted by malicious parties.
Artifact Repository Security
An artifact repository provides end-to-end management for the entire artifact lifecycle. It provides consistency to CI/CD workflows, supporting different software package management systems. You can use signed code and artifacts within the CI/CD pipeline to confirm the origins of each component. It provides confidence that resources included within CI/CD processes originate from trusted sources.
Software Supply Chain Security
Third-party dependencies, like open source libraries, can introduce vulnerabilities into the CI/CD pipeline. You can mitigate this issue by using source composition analysis (SCA) tools to scan application source code and identify insecure third-party dependencies. You can also use package scanners to check packaged applications and container images for components with known vulnerabilities.
Continuous Monitoring
A CI/CD environment consists of constantly shifting builds and deployments that require continuous monitoring. You can minimize the attack surface by terminating temporary resources like containers and virtual machines (VMs) after tasks are completed, removing unnecessary utilities and tools and utilities, and launching containers in read-only mode whenever possible.
Prepare for Rollbacks
Rollbacks enable you to revert to a previous version of the application known to be secure. It helps to quickly eliminate the risk until you can fix the underlying security issue. This best practice applies to CI/CD pipelines as well. You can ensure that you can quickly roll back each release by keeping artifacts from previous application versions. You can also use release automation tools or deployment scripts to re-deploy a previous application version.
CI/CD Security with Codefresh
Codefresh can help with CI/CD security in a number of ways
- It provides out of the box integrations for several code scanning tools
- It supports running security analysis tools before, during and after each deployment
- It will work with any software supply security solution to monitor and assess risks in any part of the software lifecycle
- It includes a built-in facility for storing secrets but also integrates with popular secret solutions (such as Hashicorp Vault or the secret facilities of major cloud providers)
- It allows organizations to run pipelines and deploy application with a zero trust model where confidential information never leaves the customer premises
Most importantly because GitOps is the central paradigm behind all aspects of the Codefresh platform, with Codefresh organizations get auditing and tracing facilities out of the box using standard Git tools. Every action in Codefresh (even from the UI) is backed by a Git commit. Simply looking at Git history provides an audit log for everything that happened in the platform.
The World’s Most Modern CI/CD Platform
A next generation CI/CD platform designed for cloud-native applications, offering dynamic builds, progressive delivery, and much more.
Check It Out