Build-Time Security: Securing Your CI/CD Pipeline

Issue link: https://resources.threatstack.com/i/1102021

Securing Your CI/CD Pipeline Involves More Than Quality Gates

Build-time security has become a standard part of any security program. In its most popular form, it is a series of checks that take place as code makes its way from a developer's laptop into production, to ensure that the code is free from known vulnerabilities, that it does not include malicious third-party code, and does not introduce other known risks into production. With the rise in the popularity of DevOps, security often automates their checklists as part of the build pipeline.

This form of security control is a great way to proactively reduce application risk without requiring large amounts of manual review for basic hygiene issues. Properly designed and implemented build-time security checks will operate as a quality gate, ensuring that known risks don't enter a production environment.

However, these quality checks focus on the code moving through the CI/CD processes — not the tools and processes that make up the pipeline itself. The reality is, the CI/CD pipeline can be exploited in a number of ways (and ultimately compromise the integrity of what is moving through CI/CD). So it's important that companies regularly review their processes to ensure that they can continue to trust them.

Build Server Risk

Build servers are typically not top-of-the-list for environments that security teams choose to monitor and secure. The perception is that they do not actually hold sensitive data like a production environment would. However, in reality, they have unique access and functionality that makes them a common target for attackers:

Build servers are a critical transit hub. Source code, valuable data, and other critical information flows through a build server from corporate endpoints into other parts of the business, such as the production environment or an engineer's laptop. By exploiting a build server, a bad actor can gain access to many other parts of the business.

Build servers link environments with unequal security. Build systems are natural bridges between corporate environments, pre-production cloud, and production cloud environments. Oftentimes, each of these environments will have a separate owner, spread across IT, engineering, and operations organizations. By breaching the least secure of those environments, attackers can gain an inside track to the other environments. This is especially likely since the overwhelming majority of pre-production environments are not as secure as production, no matter what your policy says. So compromising a development environment that's linked to your build system is a natural path of least resistance.

At Threat Stack, our team of cloud security experts uses the full stack cloud security observability provided by the Threat Stack Cloud Security Platform® to continuously monitor our customers' clouds as part of the Threat Stack Cloud SecOps Program℠ — so we have a unique perspective and deep insight into the latest attack techniques. One trend we've observed is attackers leveraging build pipelines as an entry point or stepping stone to infiltrate and amplify the impact of an attack.

When we have conversations with other cloud companies, we often find that they view "build-time" security as just securing the code passing through their CI/CD pipeline — and they are not analyzing the risk to the processes and tools they are using. Coupled with the fact that auditors and compliance frameworks are less focused on this aspect of infrastructure security, many companies are leaving themselves exposed to considerable risk.

Given our vantage point, we thought it would be useful to share our observations with the Security and DevOps communities to help other companies understand the risks associated with build-servers and CI/CD processes across ephemeral infrastructures. Our goal in this paper is to provide new insights that will help you reduce your risk in a calculated and measurable way.

-Sam Bisbee, CSO, Threat Stack

Copyright © 2019, Threat Stack, Inc. All rights reserved.
