CI/CD Security

avatar
Created by
RetailTortoise38285

Cards (7)

  • CI/CD:
    • People, processes, and technology are all required for CI/CD and all can be avenues of attack; code repositories, automation servers such as Jenkins, deployment procedures, and the nodes responsible for running CI/CD pipelines are just a few examples of CI/CD components which can be exploited by malicious entities.
    • CI/CD steps are frequently executed using high-privileged identities, successful attacks against CI/CD often have high damage potential. 
  • Insufficient Control Flows:
    • Insufficient flow control mechanisms refer to the ability of an attacker that has obtained permissions to a system within the CI/CD process (SCM, CI, Artifact repository, etc.) to single handedly push malicious code or artifacts down the pipeline, due to a lack in mechanisms that enforce additional approval or review.
  • CICD-SEC-1: Insufficient Flow Control Mechanisms
    • An attacker with access to the SCM, CI, or systems further down the pipeline, can abuse insufficient flow control mechanisms to deploy malicious artifacts. Once created, the artifacts are shipped through the pipeline - potentially all the way to production - without any approval or review
  • 1: Insufficient Flow Control Mechanisms
    For example, an adversary may:
    • Push code to a repository branch, which is automatically deployed through the pipeline to production.
    • Push code to a repository branch, and then manually trigger a pipeline that ships the code to production.
    • Directly push code to a utility library, which is used by code running in a production system.
    • Abuse an auto-merge rule in the CI that automatically merges pull requests that meet a predefined set of requirements, thus pushing malicious unreviewed code.
  • 1: Insufficient Flow Control Mechanisms
    For example, an adversary may:
    • Abuse insufficient branch protection rules—for example, excluding specific users or branches to bypass branch protection and push malicious unreviewed code.
    • Upload an artifact to an artifact repository, such as a package or container, in the guise of a legitimate artifact created by the build environment. In such a scenario, a lack of controls or verifications could result in the artifact being picked up by a deploy pipeline and deployed to production.
  • 1: Insufficient Flow Control Mechanisms
    For example, an adversary may:
    • Access production and directly change application code or infrastructure (e.g AWS Lambda function), without any additional approval/verification.
  • 1: Insufficient Flow Control Mechanisms: Prevention:
    • Establish pipeline flow control mechanisms to ensure that no single entity (human / programmatic) is able to ship sensitive code and artifacts through the pipeline without external verification or validation.