Researchers from Cider Security published a new research report, “Top 10 CI/CD Security Risks”, detailing the major security risks to the CI/CD (Continuous Integration/Continuous Delivery) ecosystem.
“CI/CD environments, processes, and systems are the beating heart of any modern software organization. They bring great opportunities and advantages to engineering, but introduce an equal amount of opportunities for adversaries, which are targeting CI/CD as an efficient way to access the crown jewels of every organization - their production environment,” said Daniel Krivelevich, Co-Founder and CTO of Cider Security. “We developed this to help defenders have a better understanding of their evolving attack surface, and spark the much-needed discussion around the relevant preventative measures required to optimize CI/CD security”.
This research report serves as a guide to defenders, helping them identify and minimize CI/CD security risks by providing a breakdown of today’s most prominent attack vector as well as tips for mitigation. It was compiled on the basis of extensive research based on analysis of hundreds of CI/CD environments, discussions with industry experts, and publications of security incidents and security flaws within the CI/CD security domain.
The risks outlined are:
CICD-SEC-1: Insufficient Flow Control Mechanisms
CICD-SEC-2: Inadequate Identity and Access Management
CICD-SEC-3: Dependency Chain Abuse
CICD-SEC-4: Poisoned Pipeline Execution (PPE)
CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
CICD-SEC-6: Insufficient Credential Hygiene
CICD-SEC-7: Insecure System Configuration
CICD-SEC-8: Ungoverned Usage of 3rd Party Services
CICD-SEC-9: Improper Artifact Integrity Validation
CICD-SEC-10: Insufficient Logging and Visibility
This research report was created in collaboration with global industry experts across multiple verticals and disciplines, including Michael Coates, former CISO at Twitter, Adrian Ludwig, Chief Trust Officer at Atlassian, Astha Singhal, Director of Information Security at Netflix, Jonathan Claudius, Director of Security Assurance at Mozilla, Jonathan Jaffe, CISO at Lemonade Insurance, Ron Peled, Founder & CEO at ProtectOps, Travis McPeak, Head of Product Security at Databricks, Ian Amit, Advisory CSO at Rapid7, and others.
You can access the full research report here.