CI/CD: Necessary for modern software development, yet it carries a lot of risk


SCSW CI/CD over the past decade has become the cornerstone of modern software development.

The term – for continuous integration and continuous delivery (sometimes the "D" can also mean "deployment") – emerged in the late 2000s with the rise of DevOps, defining a way to more quickly create and update applications by leaning heavily on automation for everything from building to testing to deploying systems, pulling together contributions from myriad contributors into a pipeline, and speeding up release cycles.

Software is no longer built by a single developer on a single machine; instead, developers using disparate tools can contribute to the build within the pipeline without causing conflict. Organizations don't have to wait for software updates to be gathered together into a single large batch to be released at a set time, and updates and improvements can be pushed out as soon as they are ready.

Builds are standardized, security shifts from shared to increasingly isolated resources, checks can be run on every change, and value is more quickly delivered, it's claimed. With CI/CD came a greater reliance on automation and infrastructure-as-code (IaC), more third parties being involved, and new frameworks and languages being quickly adopted.

With velocity comes risk

That said, the same speed that comes from a streamlined and automated shared CI/CD pipeline can also make it highly attractive to online miscreants.

"Today, CI/CD is where application code, build tools, third-party components, secrets, identities and even cloud resources come together," Adrian Diglio, principal program manager of secure software supply chain (S3C) at Microsoft, told The Register.

"CI/CD adoption grows at feature velocity, and these interconnected pipelines outpace organizational maturity and their ability to keep them secure. This makes CI/CD a prime target for attackers."

CI/CD expands the attack surface, and intruders have become good at exploiting such systems to attack the software supply chain, as proven by the high-profile SolarWinds fiasco in 2020. In that case the Russia-linked Nobelium group compromised the IT software suite maker's build process and inserted malicious code into applications that subsequently went upstream to users.

Palo Alto Networks wrote in December 2022 that the number of supply chain attacks in the previous year jumped 51 percent. CI/CD pipelines are particularly vulnerable to such problems as misconfigurations (which can expose sensitive information and become entry points for malicious code) and permissive credentials (which can lead to lateral movement and CI poisoning).

Multiple threats to pipelines

Microsoft's Diglio added that the most prevalent initial access techniques are misconfiguration of software development lifecycle (SDLC) resources, malicious dependencies, and targeted developer attacks.

"In practice, this means attackers gain an initial foothold by manipulating CI/CD pipeline inputs, including code and configuration," he said.

"Then attackers seek lateral movement. By abusing broadly scoped tokens and other misconfigurations granting resource access, often based on positional privilege, attackers can move deeper through their target's system and manipulate subsequent stages of software delivery."

From there, attackers can abuse production resources and compromise products distributed to third parties to spread attacks.

"CI/CD infrastructure compromises enable attackers to manipulate the software being built, making CI/CD infrastructure an attack surface for exploiting end users' trust," Diglio said.

CI/CD becomes an easier target

The pipelines are an easier target than more hardened and well-monitored production environments, according to John Steven, CTO at ThreatModeler. CI/CD pipelines tend to get less security attention and have little if any logging for what developers execute as part of the build, package, or deploy phases.

Essentially, we're told, injecting malware or exploiting a vulnerability via an organization's CI/CD pipeline actions – or even into open source software or containers and images downloaded from external sources – is easier than successfully attacking a production environment without drawing notice. The invaders know this well.

"Attackers within an organization can add configuration to build phases that injects vulnerable or malicious dependencies," Steven told The Register.

"Build processes typically don't create – let alone retain – detailed logs of how code is constructed or transformed, so these injections would be 'invisible' compared to a nefarious configuration or source commit.

"Unless a later stage conducts detailed scanning of the produced binaries, those injections will remain undiscovered as they're orchestrated into production."

The Open Worldwide Application Security Project (OWASP) wrote about the recent surge in the number of incidents aimed at abusing the CI/CD ecosystem, with the frequency and magnitude of attacks also on the rise.

Defenses are in the early stages

Criminals are quickly adapting techniques to target CI/CD, while many defenders are in the early stages of figuring out how to detect, understand and manage the risks.

"Seeking the right balance between optimal security and engineering velocity, security teams are in search of the most effective security controls that will allow engineering to remain agile without compromising on security," OWASP wrote.

Diglio said the large number of components that come with modern software delivery, and the increasing complexity of CI/CD, complicate software supply chain security considerations.

"Organizations must lead with a defense-in-depth approach spanning source integrity, build integrity, release integrity, dependencies, and access controls," he said.

The Microsoft executive outlined a number of steps enterprises can take to harden CI/CD pipelines, including performing an assessment using the Secure Supply Chain Consumption Framework (S2C2F), a tool developed and used by the software giant since 2019 to secure its own development processes.

In November 2022 Microsoft contributed the S2C2F to the OpenSSF (Open Source Security Foundation). The framework is designed to address real-world supply chain threats that are specific to open source software. An assessment using it will help organizations understand how to improve the security of their open source consumption practices, Diglio said.

Security steps to take

Enterprises also need to address CI/CD misconfigurations, limit access to the CI/CD infrastructure and related services, and extend detection to the CI/CD infrastructure. They also need to harden IaC against tampering.

DevOps teams should "start addressing third-party dependency risk today by taking inventory and understanding dependencies, reducing them where practical, and monitoring them," Diglio said, pointing to testing and debugging tools like Dependabot in Microsoft-owned GitHub. "Work incrementally on pinning, proxying and rebuilding those dependencies in-house as your organizational maturity and confidence increases."

In addition, developers need to be included in their companies' security programs. This includes enabling multi-factor authentication (MFA) and conditional access, and reviewing existing permissions across the CI/CD infrastructure as part of the principle of least privilege in a zero-trust strategy.
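Two of the controls discussed above, pinning third-party dependencies and scoping pipeline tokens to least privilege, can be checked mechanically. The following is an added example, not code from the article, from Microsoft or from OWASP: a small line-based audit of a GitHub Actions workflow that flags actions referenced by a mutable tag or branch instead of a commit SHA, and a workflow with no `permissions:` block, which leaves the job's GITHUB_TOKEN at the repository default. Both workflow texts are constructed samples, and the 40-zero SHA is a placeholder for a real pinned commit.

```python
import re

# Constructed sample workflow (not from the article) showing the weak settings:
# actions referenced by a mutable branch/tag and no explicit token permissions.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: some-org/build-tool@v1
      - run: make
"""

# Constructed hardened counterpart: read-only token, action pinned to a full SHA.
# The all-zero SHA is a placeholder; pin to the real commit in practice.
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: make
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings for a GitHub Actions workflow.
    Deliberately line-based so it needs no YAML library; assumes one `uses:` per line
    and treats a `permissions:` key at any level as an explicit token scope."""
    lines = text.splitlines()
    findings = []
    if not any(line.strip().startswith("permissions:") for line in lines):
        findings.append("no 'permissions:' block; GITHUB_TOKEN falls back to the repository default scope")
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope for this check
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {n}: '{action}' uses mutable ref '{version or '(none)'}', not a commit SHA")
    return findings
```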

"Educate your developers about security risks and how security threats can put their enterprise at risk," Diglio said.

CI/CD pipelines aren't going anywhere. They are integral to the larger DevOps push and adoption of agile development. However, all that makes them attractive and, for now, vulnerable areas for attacks. Miscreants understand this and are putting a focus on the software supply chain. Organizations now have to take the steps to harden the process. ®