This case study shows how InovIntell is using StepSecurity’s Harden Runner to defend against software supply chain attacks in their GitHub Actions based Continuous Integration/Continuous Delivery (CI/CD) pipelines.
Founded in 2022, and based out of Krakow, Poland, InovIntell helps life sciences organizations reach their goals in a smarter and faster way, for the ultimate benefit of patients, with solutions using AI as an ubiquitous and invisible tool. InovIntell delivers AI-based services to pharma and biotech companies along the full drug value chain.
As a custodian of patient data, InovIntell is always innovating to deploy new security controls to secure their data assets, including patients’ medical data.
Software supply chain attacks are at the top of mind for every modern organization. A software supply chain attack occurs when an adversary compromises a software vendor's source code or build process to attack users of the software. Given all modern enterprises use many third-party software and open-source projects, they are exposed substantially to these risks.
Many of these attacks have targeted the CI/ CD pipelines and went undetected for months, allowing bad actors to exfiltrate a trove of confidential data. As an example, in the Codecov breach, credentials were exfiltrated from build servers for over 2 months, before getting detected.
InovIntell needed an easy-to-use solution to harden their CI/ CD pipelines against third-party supply chain threats.
InovIntell discovered StepSecurity open-source solutions and quickly realized the value of Harden Runner, which is a low friction security platform to increase the security of CI/CD build pipelines.
InovIntell created and open-sourced layered template repositories which allow them to quickly bootstrap new projects with necessary CI/CD pipelines, code quality control (read more about the projects vision here).
In order to set the least privileged GitHub token they used step-security/secure-workflows tool and growing permissions database.
Furthermore, they used Harden Runner in order to set whitelisted endpoints during pipeline runs, so each new project is automatically protected after a simple click of “Use this template” button on GitHub.
"StepSecurity’s products are filling an ever-growing security gap by targeting one of the most widely used CI/CD pipeline products - GitHub Actions. We were able to easily use it In our projects without any flexibility sacrifices, while substantially improving the security of our products"
Chief Technical Officer, InovIntell
Through the easy-to-use solution, StepSecurity enabled InovIntell to gain more visibility and confidence in their CI/CD workflows and set policies to immediately detect malicious build tools and packages thereby reducing risk from supply chain attacks.
Mixing this with easy to reproduce GitHub Repository Templates approach makes new projects more secure “out of the box”.
If an attack like Codecov breach was to happen, not only will it get detected immediately, StepSecurity Harden Runner will also prevent exfiltration of sensitive data and service credentials from the workflows.