The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published a comprehensive set of guidelines aimed at defending Continuous Integration/Continuous Delivery (CI/CD) environments.
The guidelines address the rising threat of malicious cyber actors (MCAs) exploiting vulnerabilities in CI/CD pipelines, particularly through the exposure of secrets.
CI/CD pipelines are essential in modern software development, enabling seamless and efficient integration and deployment processes. However, relying on secrets such as private keys and passwords for authentication purposes has made them prime targets for cyberattacks.
“The virtual cloud environment relies on software, making development and delivery a crucial component of providing services in the cloud,” commented Dr. Ethan Givens, NSA’s technical director of critical & emerging technologies.
“Failure to effectively defend the CI/CD pipeline can provide an attack vector that circumvents security policies and products.”
The guidelines highlight three key threat scenarios: MCAs acquiring a developer's credentials for accessing a Git repository service; supply chain compromise of an application library or container image used in a CI/CD pipeline; and supply chain compromise of the CI/CD environment itself, in which configurations are modified or malicious dependencies are injected.
The document then recommends corresponding mitigations for each. These include minimizing the use of long-term credentials, implementing two-person rules (2PR) for code updates, securing user accounts and enforcing least-privilege policies for CI/CD access.
Additionally, the guidelines emphasize the importance of secure code signing, network segmentation, regular vulnerability scanning and integrating security measures throughout the CI/CD pipeline.
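To show what three of the mitigations named above look like as a concrete check, here is an added example (not code from the NSA/CISA document) that audits a GitHub Actions-style workflow definition for long-term credentials injected as static secrets, broad token permissions, and third-party actions not pinned to a commit SHA. The two workflow definitions, the list of credential variable names, the account ID, role name and the 40-character placeholder SHAs are all constructed for illustration; the workflows are given as the dictionaries a YAML loader would produce, so the example runs without extra dependencies.

```python
import re

# Matches "owner/action@<40 hex chars>", i.e. an action pinned to an immutable commit.
SHA_PINNED = re.compile(r"^[^@]+@[0-9a-f]{40}$")

# Environment variables that cloud SDKs read as static, long-lived credentials.
# Assumption: illustrative list, not exhaustive.
LONG_TERM_CRED_ENV = {
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AZURE_CLIENT_SECRET",
    "GOOGLE_APPLICATION_CREDENTIALS",
}

PLACEHOLDER_SHA = "a" * 40  # constructed placeholder, not a real commit


def audit_workflow(workflow):
    """Return a list of (category, location, message) findings for one workflow."""
    findings = []
    default_perms = workflow.get("permissions")
    for job_name, job in workflow.get("jobs", {}).items():
        # A job inherits the workflow-level permissions unless it sets its own.
        effective = job.get("permissions", default_perms)
        if effective is None or effective == "write-all":
            findings.append(("least-privilege", job_name,
                             "token permissions are broad or unspecified; "
                             "set an explicit minimal permissions block"))
        for i, step in enumerate(job.get("steps", [])):
            loc = f"{job_name}.steps[{i}]"
            uses = step.get("uses")
            if uses and not SHA_PINNED.match(uses):
                findings.append(("supply-chain", loc,
                                 f"action {uses!r} is pinned to a mutable ref, not a commit SHA"))
            for var in step.get("env", {}):
                if var in LONG_TERM_CRED_ENV:
                    findings.append(("long-term-credential", loc,
                                     f"{var} is injected as a static secret; "
                                     "prefer short-lived federated credentials"))
    return findings


# Constructed weak workflow: write-all token, mutable action refs, static cloud keys.
WEAK_WORKFLOW = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "permissions": "write-all",
    "jobs": {
        "deploy": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "example-org/deploy-tool@main"},
                {"run": "./deploy.sh",
                 "env": {"AWS_ACCESS_KEY_ID": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                         "AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_SECRET_ACCESS_KEY }}"}},
            ],
        }
    },
}

# Constructed hardened workflow: read-only default, OIDC token for federation,
# SHA-pinned actions, and no static cloud keys in the environment.
HARDENED_WORKFLOW = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {
        "deploy": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": f"actions/checkout@{PLACEHOLDER_SHA}"},
                {"uses": f"aws-actions/configure-aws-credentials@{PLACEHOLDER_SHA}",
                 "with": {"role-to-assume": "arn:aws:iam::123456789012:role/ci-deploy",
                          "aws-region": "us-east-1"}},
                {"run": "./deploy.sh"},
            ],
        }
    },
}


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(audit_workflow(wf))} finding(s)")
        for category, loc, msg in audit_workflow(wf):
            print(f"  [{category}] {loc}: {msg}")
```

The check is deliberately structural: it does not need the secret values, only the shape of the pipeline definition, so it can run in a pre-merge review step that itself needs only read access. Two-person review of the workflow file is still a repository setting (required approvals on the protected branch) and is not something the workflow file can enforce on itself.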
By implementing these recommendations, organizations can significantly enhance the security posture of their CI/CD environments, reducing the risk of unauthorized access, supply chain compromise and code injection attacks.
The new guidelines come weeks after a new report from cybersecurity firm Kaspersky suggested almost half of all industrial sector computers were affected by malware in 2022.