A Unicorn Crypto Blockchain Platform Company Transforms GitHub Actions Security with StepSecurity

Discover how a trailblazing company in the blockchain and cryptocurrency sector, employing 120 developers, revolutionized their GitHub Actions security with StepSecurity. This case study discusses their journey towards robust CI/CD security in a highly dynamic and sensitive industry.

Security

Industry: Cryptocurrency & Blockchain
Runners: Self-Hosted
Developers: 120

Company Description

This company is a market leader in blockchain platforms. As a vanguard in the space, it not only hosts cutting-edge blockchain cloud services but also develops client SDKs. Its platform is a cornerstone for crypto and blockchain entities to build and host services such as smart contracts, which underscores the criticality of its security measures. In the rapidly evolving and security-sensitive world of cryptocurrency and blockchain, maintaining robust and impenetrable CI/CD processes isn't just a preference; it's a vital necessity to stay ahead in the industry.

The Challenge

CI/CD Setup

Since its inception, this company has been using GitHub Actions as its CI/CD provider. Because of the sensitive nature of their CI/CD workload, they self-host GitHub Actions runners on Kubernetes using Actions Runner Controller (ARC). Their ARC cluster runs on GCP GKE. This gave them control over their runner infrastructure. They segmented their GitHub Actions pipelines based on security sensitivity across four distinct ARC Kubernetes clusters.

Urgent Need to Secure GitHub Actions

The company's prominence and growing customer base intensified the urgency to fortify their CI/CD pipelines, a critical component in safeguarding their operations and maintaining their industry-leading reputation. The company uses numerous third-party GitHub Actions in their CI/CD pipelines. Given the crypto industry’s history of being targeted by CI/CD software supply chain attacks, securing their pipelines was a paramount concern.

Evaluating Alternative Security Solutions

To secure their ARC-based Actions runners, they first evaluated the security controls available within their cloud environment. They found that the security services offered by the cloud vendor hosting the Actions Runner Controller Kubernetes cluster were ineffective at defending against CI/CD attacks. After ruling out the controls offered by their cloud platform provider, they evaluated a few application security vendors, but none catered to their requirements: none of them offered any security controls for Actions runners.

The Solution: StepSecurity GitHub Actions Security Platform

The decision to choose StepSecurity was driven by:
1. Its unique ability to cater to the specific challenges of the cryptocurrency sector, offering a level of security and flexibility for GitHub Actions unmatched by other vendors.
2. Platform features such as its Kubernetes-aware Harden-Runner for ARC, which directly addressed the company's need for a robust defense against the vulnerabilities specific to their GitHub Actions workflows.
3. StepSecurity's effective approach of applying both proactive and reactive security controls to manage third-party risk in CI/CD.

Customer Journey

Securing open-source projects with StepSecurity

As StepSecurity is an open-core startup rooted in open source, it offers some services to open-source communities for free. The solution came from within: one of the company's lead security engineers had already been using the StepSecurity platform to secure their personal open-source projects on GitHub-hosted runners.

StepSecurity Enterprise License

After StepSecurity announced support for Actions Runner Controller (ARC) based self-hosted runners, the lead engineer reached out to StepSecurity to evaluate whether the platform would satisfy their requirements. In the very first meeting with StepSecurity, the security team decided to acquire an enterprise license and drew up an onboarding plan.

Rollout

Initially, StepSecurity's Kubernetes-aware Harden-Runner was deployed in one of their ARC clusters. Because the customer used several namespaces for running ARC runner pods, it was straightforward to roll out StepSecurity incrementally, namespace by namespace, on their first Actions Runner Controller Kubernetes cluster without impacting their CI/CD pipelines. After letting Harden-Runner monitor workflow runs on the first cluster for a few days and confirming that the StepSecurity platform met their requirements, ARC Harden-Runner was rolled out to all ARC clusters.

The security team was concerned about the risk posed by the many third-party GitHub Actions in use across their CI/CD pipelines. Using StepSecurity Actions Advisor, the team conducted a thorough analysis and prioritized replacing risky third-party GitHub Actions with safer alternatives. The StepSecurity team is currently working with them to replace these risky third-party GitHub Actions with StepSecurity Maintained Actions.

Outcome

With StepSecurity, the company implemented:
1. Network egress filtering and runtime security for their Actions Runner Controller (ARC) clusters.
2. A paved path for developers to use safe and reliable StepSecurity Maintained Actions, which reduces risk and improves developer productivity.
3. Continuous monitoring of compliance with GitHub Actions best practices, with automated remediation.

Conclusion

StepSecurity proved to be the missing piece in their security puzzle, providing robust controls for their ARC-based self-hosted runner environment. The customer secures more than 500 GitHub Actions workflows across 100 code repositories. The implementation not only enhanced their runtime security but also offered a comprehensive view of third-party risks, enabling proactive measures to mitigate these vulnerabilities.

This strategic enhancement not only fortified their CI/CD infrastructure but also significantly bolstered client confidence and reinforced their position as a secure and reliable leader in the blockchain market. Looking ahead, the company is well-positioned to continue its trajectory of innovation and growth, secure in the knowledge that their CI/CD pipelines are protected against emerging threats.
