There is growing concern amongst security teams about securing cloud-native applications. With cloud applications innovating at warp speed and cloud-based IT infrastructure always in a state of flux, security teams are struggling to keep pace to secure these environments. According to Unit 42 research, 80% of security exposures are found in cloud environments, which have become a prime target for hackers who look to exploit misconfigurations and vulnerabilities throughout the application lifecycle.
Within this space is a rising issue, and one that is not so well understood. This is how to secure. Continuous Integration/Continuous Delivery (CI/CD) pipelines that organizations are dependent on for quickly building and testing code changes. These environments must also maintain a consistent code base for the relevant applications and dynamically integrate code changes. Having become so central to how organizations streamline software development and manage applications, naturally, they have become of interest to criminal hackers and nation-state-backed groups.
Despite the risks, these environments often fall out of the purview of security teams. As such, there is a lack of awareness of the possibility that hackers are using CI/CD pipelines to steal intellectual property and corporate secrets, deploy a denial of service attack, or even introduce malicious code into the application.
With events such as SolarWinds, the PHP breach, and MOVEit, it is clear that securing the delivery pipeline is now as important as securing the application that is delivered. Let’s look at where to start.
Director of Systems Engineering for the Western Europe Region at Palo Alto Networks.
Chaos in the CI/CD
While attackers have quickly adapted their techniques to target CI/CD pipelines, defenders have been slower to respond. Striking the right balance between security and engineering speed is difficult, but a range of issues need to be taken into account.
CI/CD flows are there to streamline development processes, meaning that new code can be created on a developer’s machine and reach production within minutes: a process that is often largely automated and thus lacks much oversight. Without proper flow control mechanisms in place, this can easily lead to security issues and allow an attacker who gains permission to push malicious code or artefacts down the pipeline. This is what happened in the PHP breach, with malicious unreviewed code creating a backdoor in a formal version of PHP. Organizations must make sure that controls are in place that prevent any single entity, whether human or machine, from shipping sensitive code without validation by someone or something else.
Identity and access management is a problem. Given the lack of understanding or focus on the potential threats, user profiles for CI/CD environments are often highly permissive and do not align with the principles of least privilege. With multiple systems connected to the software delivery process, there is complexity created by the various provisioning methods, security policies and methods of access relevant to each one.
With, at best, hundreds of identities connected to a CI/CD pipeline this permissibility and complexity quickly become a real issue. Organizations need to make sure that there is continuous mapping of accounts, with inactive accounts and unnecessary permissions removed. Measures should also be in place to prevent or limit as much as possible the creation of shared, self-registered or local accounts, with the creation and management of identities being done via a centralized organization component instead.
Getting to grips with the problem
With the number of languages, frameworks, and tools within a delivery pipeline all having increased, there is a clear need to get a handle on improving visibility into the application delivery environment, understand the attack surface, and move to secure it.
The average organization relies on six to ten tools for securing cloud infrastructure, but to improve the visibility that they have, security teams should deploy a tool which creates a unified inventory of the application development environment. This single view of all of the technologies in use should include all the languages, frameworks, and executables. From here organizations can scan for security risks across different code types, visualize the software supply chain and understand all of the code risks across their engineering environment, identify and prioritize the critical risks exposed in their codebase, and ultimately track and understand the attack surface of the CI/CD pipeline.
With greater visibility in place, organizations can start the process of shoring up their CI/CD security. As well as making sure that the code in the pipeline is secure, the code that makes up the pipeline itself also needs to be scanned, any misconfigurations fixed, and native controls implemented to stop poisoned pipelines and other attacks. Secrets scanning should also be implemented across the environment in order to find and remove any exposed credentials so that bad actors cannot leverage them to gain unauthorized access.
Given the extent of the cloud attack surface, and thus that of the CI/CD pipeline, this can change on a sometimes daily basis and gaining visibility is one thing but it also needs to be maintained. Responding to an attack requires that you have readily accessible, up-to-date information and as much of an early warning as possible. Implementing a robust approach to visibility and logging requires having visibility into both human and programmatic access, generating audit logs of human behavior and application logs that document events such as artefact uploads or pushes to a repository. It should be noted that many systems do not create logs by default, so this is something that teams have enabled themselves. From here, security teams can much more quickly and easily analyze logs across systems to investigate security incidents and can enable automated alerts for unusual behavior that needs closer inspection.
CI/CD pipelines are by their nature highly dynamic, ever-changing environments and they are part of a cloud attack surface that is constantly on the move. As attackers have quickly adapted their attentions and methods to exploiting CI/CD weaknesses, security teams now need to quickly catch up and ensure that application delivery pipelines are not so easily exploited. The fact is that the security of the environment in which code is developed and deployed has always been as important as the security of the code itself, but the increase in pressure from hackers on the software supply chain now means that any weaknesses cannot be ignored.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Simon Crocker is Senior Director of Systems Engineering at Palo Alto Networks. Palo Alto Networks, the global cybersecurity leader, continually delivers innovation to enable secure digital transformation—even as the pace of change is accelerating.