OWASP Top 10 CI/CD Security Risks: How to Mitigate
Software development today runs on speed and efficiency, which makes CI/CD pipelines essential. While CI/CD streamlines software delivery, its rapid adoption has opened the door to new security threats.
In this blog, we’ll cover:
- What exactly CI/CD is,
- Its significance,
- OWASP’s top 10 CI/CD security threats, and
- Ways to mitigate them.
What is CI/CD?
Continuous Integration (CI) is the technique of early and frequent integration of all the code changes in the primary branch of a common source code repository.
Continuous Deployment (CD), on the other hand, is a two-step procedure that involves the integration, testing, and distribution of code changes without human interaction.
Why are Continuous Integration (CI) and Continuous Deployment (CD) needed?
When we imagine the failure of CI/CD pipelines, it seems terrifying.
It is! The failure of these pipelines can cause major turmoil, impede teamwork, and delay the provision of new code to the end users, which overall results in financial loss, reputational damage, and even legal ramifications.
And that’s not all!
What happens if attackers compromise these pipelines? And even worse, what if the security incident goes undetected for a long time?
One instance is the SolarWinds CI/CD security incident, where the attackers targeted the pipeline and gained undetected access to over 18,000 organizations’ networks, systems, and data for over 14 months.
Another is the Stack Overflow incident, where build system vulnerabilities led to stolen source code and leaked secrets. Others include the Codecov exploit and the PHP backdoor attack.
These incidents underline the importance of protecting the CI/CD process.
CI/CD enables organizations to:
- avoid defects and code failures while maintaining an ongoing cycle of software development and upgrades,
- boost productivity, reduce complexity, and streamline operations,
- reduce downtime and release code more quickly through automation, with no manual intervention.
Top 10 Security Threats to CI/CD Pipelines
Security Risk 1 – Insufficient Flow Control Mechanisms
Insufficient flow control mechanisms refer to an attacker’s ability to push malicious code or artifacts down the pipeline after gaining access to a system within the CI/CD process (SCM, CI, Artefact repository, etc.) due to a lack of mechanisms that require additional approval or review.
Security Risk 2 – Inadequate Identity and Access Management
This refers to a lack of adequate identity & access management in CI/CD ecosystems due to the large number of identities to manage and the complexity of interconnected systems, such as SCM and CI, which frequently use multiple authentication and authorization mechanisms.
The existence of many identities, along with weak identification and access management, allows hackers to gain control of the systems involved in the CI/CD process.
Security Risk 3 – Insufficient PBAC (Pipeline-Based Access Controls)
PBAC denotes access controls that are applied at the pipeline level. These controls specify which resources the pipeline can access and what actions it can take. Insufficient PBAC indicates that the access controls are not granular enough, allowing a pipeline step to have more permissions than necessary.
With this, an attacker can:
- use an overly permissive stage to access secrets and/or connect to any resources accessible through the pipeline,
- move within and beyond the execution environment, accessing sensitive systems and exfiltrating secrets.
Security Risk 4 – Insufficient Credential Hygiene
Credentials are the most important thing attackers seek. Where credential hygiene is insufficient (a failure to maintain and secure secrets), attackers can access high-value resources, allowing them to change the build process or send malicious code to production.
Security Risk 5 – Dependency Chain Abuse
Dependency chain abuse occurs when attackers abuse the way dependencies are retrieved, so that malicious packages are fetched and executed.
Once downloaded, the software can execute a range of malicious operations, including:
- stealing sensitive data,
- compromising passwords, and
- even creeping into the production environment.
Dependency confusion, dependency hijacking, typosquatting, and brandjacking are examples.
Security Risk 6 – Ungoverned Usage of 3rd-Party Services
The uncontrolled use of third-party services is a common threat. CI/CD systems frequently rely on various third-party services and plugins to complete functions such as code scanning and linting.
While these connections can be quite valuable, they also pose a considerable risk because they frequently allow extensive access to CI/CD system resources for third-party services. This can considerably increase the organization’s attack surface.
If a third-party service or plugin is compromised, overly permissive access can allow attackers to push malicious code and compromise the CI/CD or even the production environment.
Security Risk 7 – Improper Artifact Integrity Validation
Proper artifact integrity validation is critical for ensuring that only trusted code is deployed within the CI/CD pipeline. However, attackers can readily exploit the lack of tools to validate artifacts or code, resulting in a slew of security flaws.
A deployable artifact is composed of several sources, such as third-party dependencies and internal artifacts.
These create several access points for artifacts to be tampered with, and without sufficient validation, an artifact containing malicious code can simply pass through.
Security Risk 8 – Poisoned Pipeline Execution (PPE)
Poisoned Pipeline Execution (PPE) risks refer to an attacker’s ability to manipulate the build process by injecting malicious code/commands into the build pipeline configuration, effectively ‘poisoning’ the pipeline and running malicious code as part of the build process.
A PPE attack can lead to:
- Access to any secret available to the CI task, granting direct access to the cloud provider and source control system.
- Execution of malicious code, if attackers gain access to another project's pipeline via an exposed system.
Security Risk 9 – Insecure System Configuration
Security settings and hardening are how systems are configured to reduce vulnerabilities and make them more resistant to attack.
This includes applying suitable access restrictions, limiting network exposure, and patching and updating systems regularly.
- Without these measures, attackers can gain unauthorized access to the pipeline and, through it, the entire system.
- This can lead to the attacker collecting sensitive secrets, compromising the build process, or gaining access to sensitive resources within and outside the engineering ecosystem.
Security Risk 10 – Insufficient Logging and Visibility
The most troubling threat is a lack of visibility into what is happening. Attackers can take advantage of this by committing malicious acts undetected.
Insufficient logging and visibility can make it difficult to identify the attacker’s tactics, techniques, and procedures during a post-incident investigation. This makes remediation more difficult, as there may be insufficient information to direct the approach.
How to Secure a CI/CD Pipeline?
Integrating Software Composition Analysis (SCA)
SCA is an AppSec approach that examines a project’s open-source components and dependencies for potential vulnerabilities, flaws, or risks.
It can help reduce dependency chain abuse (CICD-SEC-3), such as dependency hijacking and dependency confusion.
Implementing Static Application Security Testing (SAST)
SAST (static application security testing) is an AppSec approach that examines a project's source code, bytecode, and binaries for flaws or vulnerabilities such as SQL injection, broken access control, and insecure design.
It works hand in hand with SCA to detect and mitigate the vulnerabilities in source code. Integrating SAST allows you to uncover risks early in the development cycle, saving time and costs.
Securing Containers and Registry
With the growing use of containers in software development and delivery, their security becomes increasingly important. To reduce container risks, scan images and registries regularly to detect and rectify potential security concerns or vulnerabilities.
Access Control
Pipelines are important to software development, testing, and distribution, and many identities require access to them. Attackers can compromise that access and use it to move laterally through the engineering ecosystem and cause severe harm.
So, managing these identities effectively is important: they should not be shared, and they should be audited regularly to mitigate risk. No two pipelines should share permissions, or the nodes they run on, unless their functions are similar.
Threat Modeling
Threat modeling is a proactive strategy for identifying potential hazards and threats to the CI/CD pipeline. This technique entails analyzing the system to find potential flaws and weaknesses that attackers could exploit.
Organizations can maintain the security and resilience of their CI/CD pipelines by carrying out threat modeling exercises regularly.
Auditing
Auditing is an essential component of running a secure CI/CD workflow. Regular auditing ensures that the systems and processes within the pipeline comply with the organization’s security standards and policies.
Audits help identify system weaknesses or vulnerabilities that an attacker could exploit and determine whether the security measures effectively protect the system.
Protect CI/CD Configurations
CI/CD configurations are typically stored with the code. Branch protection rules are therefore necessary for branches configured to trigger a pipeline in the CI/CD system, and any configuration modification must be checked before execution.
Alternatively, these configurations can be managed in a branch other than the one used to push code. The branch containing the configuration should be protected.
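One way to enforce that review requirement, as an added example that is not part of the original article: a merge gate that blocks changes to pipeline definition files on pipeline-triggering branches unless someone other than the author, from a designated owner group, has approved. The `Change` record, the owner group and the path list are assumptions for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Common pipeline-definition paths; extend for the CI system in use.
PIPELINE_CONFIG_GLOBS = (
    ".github/workflows/*",
    ".gitlab-ci.yml",
    "Jenkinsfile",
    ".circleci/config.yml",
)

@dataclass
class Change:
    """Hypothetical merge request record, as a CI webhook might deliver it."""
    author: str
    target_branch: str
    changed_paths: list
    approvers: set = field(default_factory=set)

def touched_pipeline_config(paths):
    """Return the changed paths that define pipeline behaviour."""
    return sorted(p for p in paths
                  if any(fnmatch(p, g) for g in PIPELINE_CONFIG_GLOBS))

def evaluate(change, pipeline_branches, config_owners):
    """Return (allowed, reason) for merging `change`."""
    if change.target_branch not in pipeline_branches:
        return True, "branch does not trigger a pipeline"
    # Self-approval never counts: drop the author from the approver set.
    independent = change.approvers - {change.author}
    if not independent:
        return False, "no approval from someone other than the author"
    config_files = touched_pipeline_config(change.changed_paths)
    if config_files and not (independent & config_owners):
        return False, ("pipeline config changed without owner approval: "
                       + ", ".join(config_files))
    return True, "approved"
```
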
Dependency Management
Dependency management can help to prevent dependency chain abuse. Checksum and signature verification should be enabled to ensure that clients obtain the intended dependencies. Also, lock package versions and avoid pulling the most recent versions without first checking that they are free of vulnerabilities.
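The version locking and checksum verification described here, and the artifact validation discussed under Security Risk 7, can be checked mechanically. The following is an added example, not code from the original article: it parses a pip-style requirements file, reports entries that are not pinned or carry no `--hash=sha256:` value, and verifies a downloaded file against the recorded hashes. The package names and file contents are constructed.

```python
import hashlib
import re

PIN = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;\\]+)")
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_requirements(text):
    """Map package name -> {"version": str or None, "hashes": set of hex digests}."""
    joined = re.sub(r"\\\n\s*", " ", text)  # fold backslash line continuations
    reqs = {}
    for raw in joined.splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and global options such as --index-url
        m = PIN.match(line)
        name = m.group(1) if m else re.split(r"[<>=!~\s;\[]", line, maxsplit=1)[0]
        reqs[name.lower()] = {"version": m.group(2) if m else None,
                              "hashes": set(HASH.findall(line))}
    return reqs

def policy_violations(reqs):
    """List every entry that is not locked to one version and one or more hashes."""
    out = []
    for name, req in sorted(reqs.items()):
        if req["version"] is None:
            out.append(f"{name}: version not pinned with ==")
        if not req["hashes"]:
            out.append(f"{name}: no sha256 hash recorded")
    return out

def artifact_matches(reqs, name, data):
    """True only if the file's SHA-256 is one of the hashes recorded for `name`."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in reqs.get(name.lower(), {}).get("hashes", set())

# Constructed sample: bytes standing in for a downloaded package file.
SAMPLE_FILE = b"constructed bytes standing in for a downloaded package file"
SAMPLE_REQS = f"""\
# constructed sample requirements
examplepkg==1.4.2 \\
    --hash=sha256:{hashlib.sha256(SAMPLE_FILE).hexdigest()}
otherpkg>=2.0
thirdpkg==0.9.1
"""

if __name__ == "__main__":
    parsed = parse_requirements(SAMPLE_REQS)
    print(policy_violations(parsed))
    print(artifact_matches(parsed, "examplepkg", SAMPLE_FILE + b" tampered"))
```
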
Logging, Monitoring, Observability, and Alerts
A lack of visibility can let an attack go undetected, making it difficult to investigate an incident and determine the scope of the breach.
To address this:
- Effective logging of events such as configuration changes and code execution context helps with issue investigation.
- Proper monitoring allows the system to be observed and anomalies to be discovered that may indicate a security event or vulnerability.
Alerts complement logging and monitoring by surfacing observed anomalies in real time.
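A sketch of how logged configuration changes and execution context turn into alerts, as an added example that is not from the original article. The JSON field names, the runner inventory and the release refs are assumptions, and the log lines are constructed.

```python
import json

KNOWN_RUNNERS = {"runner-prod-1"}  # assumed inventory of approved build nodes
RELEASE_REFS = {"main"}            # refs expected to read deployment secrets

# Constructed audit log, one JSON record per line.
SAMPLE_LOG = '''\
{"ts":"2024-05-01T10:00:00Z","actor":"alice","event":"config_change","path":".gitlab-ci.yml","reviewed":true}
{"ts":"2024-05-01T10:05:00Z","actor":"ci-bot","event":"job_run","job":"deploy","runner":"runner-prod-1","ref":"main"}
{"ts":"2024-05-01T11:12:00Z","actor":"mallory","event":"config_change","path":"Jenkinsfile","reviewed":false}
{"ts":"2024-05-01T11:13:00Z","actor":"ci-bot","event":"job_run","job":"deploy","runner":"runner-tmp-7","ref":"feature/x"}
{"ts":"2024-05-01T11:14:00Z","actor":"ci-bot","event":"secret_read","secret":"PROD_DEPLOY_KEY","ref":"feature/x"}
not-json garbage line
'''

def detect(log_text):
    """Return (line_number, message) for every record that should raise an alert."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            e = json.loads(line)
            kind = e["event"]
        except (json.JSONDecodeError, TypeError, KeyError):
            # A gap in the audit trail is itself worth surfacing.
            alerts.append((n, "unparseable audit record"))
            continue
        if kind == "config_change" and not e.get("reviewed", False):
            alerts.append((n, f"unreviewed pipeline config change by "
                              f"{e.get('actor')}: {e.get('path')}"))
        elif kind == "job_run" and e.get("runner") not in KNOWN_RUNNERS:
            alerts.append((n, f"job {e.get('job')} ran on unknown runner "
                              f"{e.get('runner')}"))
        elif kind == "secret_read" and e.get("ref") not in RELEASE_REFS:
            alerts.append((n, f"secret {e.get('secret')} read from "
                              f"non-release ref {e.get('ref')}"))
    return alerts

if __name__ == "__main__":
    for line_no, message in detect(SAMPLE_LOG):
        print(line_no, message)
```
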
Secure Secrets Management
Secret and credential management is important to safeguarding a CI/CD pipeline since it can prevent poor credential hygiene.
Avoid hardcoding secrets and ensure they are not checked into the source code. Secrets should be encrypted, and permissions should be based on the principle of least privilege. Rotate all static secrets regularly and eliminate any that are no longer valid.
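A check of this kind can run before code is committed or merged. The following is an added example, not part of the original article: it flags literal values assigned to credential-like names and private key headers, skips values that only reference an environment variable or template, and uses character entropy to separate random-looking tokens from placeholder words. The patterns, thresholds and sample text are assumptions, and the sample contains no real credentials.

```python
import math
import re

# Key names that suggest a credential, followed by a quoted literal value.
ASSIGNMENT = re.compile(
    r"""(?i)\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)\s*[:=]\s*["']([^"']+)["']"""
)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# A value that only references an environment variable or template is not a literal secret.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\})$")

def shannon_entropy(value):
    """Bits per character; random tokens score higher than dictionary words."""
    return -sum(
        (value.count(c) / len(value)) * math.log2(value.count(c) / len(value))
        for c in set(value)
    )

def scan(text):
    """Return (line_number, confidence, message) for each suspected hardcoded secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((n, "high", "private key material"))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.groups()
            if REFERENCE.match(value):
                continue
            random_looking = len(value) >= 16 and shannon_entropy(value) >= 3.5
            findings.append((n, "high" if random_looking else "review",
                             f"literal assigned to {name}"))
    return findings

# Constructed sample configuration; none of these values are real credentials.
SAMPLE = '''\
db_password = "${DB_PASSWORD}"
api_key = "q8Zr2LmX0vT9bYc4Wd7s"
token: "changeme"
-----BEGIN RSA PRIVATE KEY-----
timeout = "30"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
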