The growing threat to CI/CD pipelines

Before the pandemic, most modern organizations had recognized the need to innovate to support developers’ evolving workflows.

Today, rapid digitalization has placed a significant burden on software developers supporting remote business operations. Developers are facing continuous pressure to push out software at high velocity. As a result, security is continuously overlooked, as it doesn’t fit into existing development workflows.

The way we build software is increasingly automated and integrated. CI/CD pipelines have become the backbone of modern DevOps environments and a crucial component of most software companies’ operations. CI/CD has the ability to automate secure software development with scheduled updates and built-in security checks.

Developers can build code, run tests, and deploy new versions of software swiftly and securely. While this approach is efficient, major data breaches have demonstrated a significant and growing risk to the CI/CD pipeline in recent months.

Theoretical threats are becoming reality

Despite increasing awareness around the need for securing code, securing the software build processes is often an afterthought. But high-profile supply chain attacks over the past year and a 430% surge in such attacks overall have underscored just how vulnerable software supply chains can be. Just recently, the UK’s National Cyber Security Center (NCSC) issued a warning about software build pipelines.

Organizations must be mindful of insider actors with access to source code. Verizon’s 2020 Data Breach Investigations Report found that one-third of data breaches originate from insider actors. These insider actors can include privileged IT administrators, disgruntled former employees, and managerial employees with the ability to commit code without review.

Malicious or not, insider threat is a tremendous risk to organizations’ overall security. 79% of security leaders worry that now, with remote work, users are more likely than ever to ignore security policies, thus making the organization more vulnerable to threats.

Another significant threat to the software supply chain is unpatched vulnerabilities in code. Attackers search for vulnerabilities in open-source code that they can use to attack any application that relies on that code. This is a considerable concern, as 99% of organizations use some open-source code in their software, and 91% of codebases contain components that were out of date or that had not seen developer attention in years.

Taking steps to CI/CD security

Supply chain attacks are growing in scale and frequency at an alarming rate. Organizations must consider the security of their CI/CD pipelines in addition to the security of their code. By hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely.

It is crucial to maintain builds’ independence from one another to ensure that in the case of a compromise, uncompromised builds are not impacted by the affected ones. Organizations must conduct security checks frequently and make sure that the software shipped is the software developed. By inserting insider attack detection into the software supply chain, organizations can establish non-repudiation of the software shipped at every stage, eliminating the blind spot around the risk of software consumption that exists today.

Developers must secure pipelines by locking repository host systems, configuration managers, and build servers. Additionally, organizations should audit pipeline tools and repository access at random and make regular updates to limit potential internal or external threats. Builds should be scanned while the code is still fresh in the developer’s mind to guarantee any vulnerabilities found are quickly remediated before an application is off to production.

Organizations must maintain comprehensive visibility across various services to accurately identify anomalies and determine if an insider attack has occurred. This ensures they know what and where to monitor within their unique application architecture moving forward.