StepSecurity's Alignment with CISA's CI/CD Security Guidance

StepSecurity's innovative solution for CI/CD pipeline security in the face of evolving cyber threats

Varun Sharma
July 5, 2023


Introduction

Last week, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) detailing recommendations for strengthening the security of Continuous Integration/Continuous Deployment (CI/CD) pipelines. This document reflects the growing importance of CI/CD security, which is at the core of our work here at StepSecurity.

As per the document, which you can find here, "CI/CD environments are attractive targets for malicious cyber actors (MCAs) whose goals are to compromise information by introducing malicious code into CI/CD applications, gaining access to intellectual property/trade secrets through code theft, or causing denial of service effects against applications."

The Rising Importance of CI/CD Security

As CI/CD pipelines have become integral to IT modernization efforts and DevSecOps approaches, they have concurrently grown as prime targets for malicious cyber actors (MCAs). The increasing number of supply chain attacks on CI/CD environments, such as the infamous SolarWinds, Codecov, and ua-parser-js attacks, paints a vivid picture of the growing threat.

StepSecurity has extensively researched past CI/CD attacks and created a public GitHub repository https://github.com/step-security/attack-simulator. This simulator allows users to mimic past CI/CD attacks. It showcases how StepSecurity's solutions can stop these attacks, demonstrating our solutions' effectiveness in real-world scenarios.

Unpacking the recommendations

In their comprehensive Cybersecurity Information Sheet (CSI), CISA and the NSA have provided several key recommendations to enhance the security of CI/CD pipelines.  

The table below lists the high-level recommendations from the document and how StepSecurity can help implement them.

CISA’s Recommendation for CI/CD Security

How StepSecurity can help

  • Implement network segmentation and traffic filtering
  • Remove unnecessary applications
  • Implement endpoint detection and response (EDR) tools
  • Keep audit logs

Our first-of-its-kind EDR solution for CI/CD pipelines, Harden-Runner, works for GitHub-hosted runners and Actions Runtime Controller (ARC) self-hosted runners to:

  • Implement network segmentation and traffic filtering, and serve as an EDR by continuously surveilling the CI/CD environment.
  • Prevent the exfiltration of credentials from the build server.
  • Detect tampering of source code during the build process, ensuring the integrity of your release builds.
  • Identify compromised dependencies and build tools.
  • Retain provenance and logs so artifacts can be traced back to the pipeline and code repository.

Harden-Runner is used by 1,200 public GitHub repositories in their GitHub Actions workflows, including those of industry giants like Microsoft, Google, and DataDog, and by numerous enterprises for their private repositories.

  • Keep CI/CD tools up-to-date
  • Implement least-privilege policies for CI/CD access.
  • Integrate security scanning as part of the CI/CD pipeline
  • Implement software bill of materials (SBOM) and software composition analysis (SCA)

Our platform features a unique orchestration capability that automates the integration of security tools and pipeline security best practices using automation and pull requests.

Over 500 public repositories have utilized our orchestration component to:

  • Limit GitHub token permissions, thereby reducing the potential impact of a token compromise.
  • Pin GitHub Actions and Docker images, ensuring that only approved and secure versions of tools and images are used, thereby reducing the risk of introducing vulnerabilities.
  • Update Dependabot configuration to keep CI/CD tools updated.
  • Integrate Static Application Security Testing (SAST), Software Composition Analysis (SCA), and secret scanning tools into the pipeline, creating a thorough and continuous security scanning process as advocated by CISA and the NSA.
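
The token-permission and pinning items above can be checked mechanically in a workflow file. The following is an added example, not StepSecurity's tooling or code from the original post; the function name `audit_workflow`, the rule names and the sample workflow are assumptions, and "pinned" is taken to mean a full 40-character commit SHA for an action or a sha256 digest for a Docker image.

```python
import re

# Constructed sample workflow (illustrative only, not from the original post).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")
ACTION_PIN_RE = re.compile(r"@[0-9a-f]{40}$")       # full commit SHA
IMAGE_PIN_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # image digest


def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    lines = text.splitlines()
    findings = []
    # Without any permissions key, the token keeps the repository default scope.
    if not any(PERMISSIONS_RE.match(line) for line in lines):
        findings.append((0, "no-permissions-block", "GITHUB_TOKEN uses default scope"))
    for number, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned together with the repository
        if ref.startswith("docker://"):
            if not IMAGE_PIN_RE.search(ref):
                findings.append((number, "unpinned-image", ref))
        elif not ACTION_PIN_RE.search(ref):
            findings.append((number, "unpinned-action", ref))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```
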
  • Minimize the use of long-term credentials
  • Secure user accounts
  • Secure secrets

StepSecurity shows the names and “Days since last rotated” metadata for all CI/CD secrets, to aid in secrets rotation. In addition, StepSecurity helps find instances where long-term credentials can be replaced with short-term, OIDC-based credentials.

In the future, we will offer more advanced detections for secrets found in the build log and for compromised developer credentials.

  • Restrict untrusted libraries and tools

With StepSecurity, you can view a list of the third-party components used in the CI/CD pipeline, along with the OpenSSF Scorecard scores for these components, to help decide which of them are trustworthy.

Conclusion

As the CISA and NSA emphasize the criticality of securing CI/CD pipelines, we at StepSecurity stand ready with solutions that address their recommendations and deliver security that goes above and beyond.  

With StepSecurity, you can rest assured that your software supply chains are safe. We encourage you to experience the benefits of our security solutions firsthand. Try our product at https://app.stepsecurity.io/securerepo or install our GitHub App to harden your CI/CD pipelines today.

Have any questions or need more information? Feel free to contact us via the contact form on our website.
