- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: Worried about supply chain attacks? The software supply chain is a common entry point for data breaches, and many businesses haven’t protected their DevOps resources with sufficient CI/CD security. Thankfully, strong CI/CD pipeline security can reduce the risk of exposing your applications to cyber attackers. Here’s everything you need to know to protect your CI/CD pipeline.
What Is a CI/CD Pipeline?
A continuous integration, continuous delivery pipeline—or CI/CD pipeline—is a process workflow companies use to streamline and automate software development. A CI/CD pipeline automatically builds and tests code changes to detect bugs before the new code is merged and deployed.
Developers are frequently introducing new features and improvements to their software applications. The CI/CD pipeline ensures that code additions are safe to merge with the central code repository.
CI/CD pipeline automation also confirms that the new code won’t break the application in any known or predictable ways.
Automatically building and testing code offer developers a critical feedback loop that reduces errors during code changes so they can release new software versions faster.
What is CI/CD Security?
CI/CD security is the process and security controls organizations use to secure applications and reduce risk throughout the software development pipeline.
DevOps processes introduce a series of new endpoints into a company’s IT environment. DevSecOps initiatives like CI/CD pipeline security prevent malicious actors from breaching the security perimeter through development tools or processes.
If a bad actor gains access to a DevOps environment, CI/CD security can also detect and prevent them from introducing dangerous code.
The CI/CD pipeline security is designed to catch insecure code before it is integrated into the central code repository or application. CI/CD pipeline security can go a step further and detect irregular code patterns or find loopholes in new code that could expose the application to a breach risk.
A secure CI/CD pipeline relies on a combination of continuous monitoring and code analysis to keep DevOps processes and resources safe.
Importance of CI/CD Security
The CI/CD pipeline plays a vital role in speeding up the development process. CI/CD security ensures that the faster and more streamlined development process doesn’t come at the cost of application security.
Yet, fewer than 10% of companies have monitoring in place throughout the software development lifecycle.
Without sufficient security in the CI/CD pipeline, the software supply chain is rife with breach risks. A CI/CD pipeline breach not only poses a threat to company secrets and data, it can also prompt a larger supply chain attack and expose application users to security risks, too.
The CI/CD pipeline primarily protects the application from insecure code when new code changes are introduced. Continuous integration allows multiple developers to work together on improving an application while maintaining a clean code base. Meanwhile, continuous delivery helps companies quickly and reliably deliver new, secure software versions.
Despite the controls within the CI/CD pipeline, companies need more support to mitigate threats across all DevOps processes and fully protect their applications.
CI/CD Security Risks
Continuous integration security is important to have in place to reduce the risk of supply chain attacks. In 2022, supply chain attacks increased 633% year over year, accounting for more than 88,000 breaches.
Many of these attacks—like the infamous SolarWinds breach—were the result of software tampering and insecure code.
Most developers use open source code libraries to develop new features more quickly, but this can introduce insecure code if those code snippets aren’t properly managed. For example, the Log4Shell vulnerability put more than 19,000 applications using the popular open source logging tool Log4j at risk.
Breaches like these show that the CI/CD pipeline alone is not enough to keep applications secure.
While automated testing in the CI/CD pipeline may expose broken or insecure code before it’s integrated, the pipeline is only designed to test new code additions. Existing code must be monitored and tested regularly to avoid and mitigate these types of breaches.
Companies should also introduce additional security controls throughout the development process. Strong access management policies, accurate system configuration, and consistent monitoring are crucial to avoid common risks found in CI/CD pipelines.
Top 10 CI/CD Security Risks
Despite these risks, there’s no indication that developers plan to stop using open source software in their projects. That’s why the community needs to work together to mitigate CI/CD pipeline security risks and safeguard open source code used in multiple applications.
The Open Web Application Security Project (OWASP)—a coalition of open-source developers committed to better software security—has identified 10 risks commonly found in DevOps environments.
- Not Enough Security Controls to Manage Process Flow: a lack of approval or review processes enables attackers to introduce malicious code
- Weak Identity and Access Management: poorly managed accounts and access controls give attackers more ways to break into systems
- Fetching and Executing Dangerous Dependencies: misconfigurations cause systems to pull and execute malicious code packages, allowing attackers to steal credentials
- Poisoned Pipeline Execution (PPE): attackers inject commands into the build process
- Missing Access Controls within the Pipeline: poorly scoped access gives attackers free rein within pipeline systems
- Poor Credentialing Practices: maintaining static credentials, unnecessary access, or unchanged admin credentials gives attackers ongoing access
- System Misconfigurations: overlooked security settings leaves CI/CD systems exposed to breaches
- Excessive Access Granted to Third Parties: connecting external resources to the CI/CD pipeline without managing access expands the DevOps attack surface
- Poor Artifact Validation: without validation controls, attackers can push infected artifacts or code through the pipeline
- Lack of Observability: inability to detect threats due to poor logging or visibility
CI/CD Security Best Practices
Many DevOps teams prioritize speed over security, which leaves many companies wondering about how to secure the CI/CD pipeline.
One of the most useful CI/CD pipeline security best practices is creating a dedicated DevSecOps team to design security controls that support developer workflows. This team can work with developers to design processes that maintain efficiency while limiting access and enforcing the principle of least privilege.
IT teams should also use CI/CD security tools to automate security testing, provide better observability, analyze open source code, or scan your application’s code repository.
Consistency is at the core of all CI/CD security best practices. Organizations committed to pipeline security count on automation to find and address vulnerabilities within their code base. They also regularly audit their third-party providers to stay ahead of supply chain attacks that may infiltrate their CI/CD pipeline.
Alongside specific CI/CD security measures, organizations must also maintain observability across their pipeline to detect and mitigate threats quickly. Comprehensive monitoring allows companies to find threats early, while logging, metrics, and traces help security teams discover the root cause of a breach or vulnerability.
Access CI/CD Automation
Excessive permissions are common in DevOps environments, but unfettered access to CI/CD resources presents a significant risk. When a malicious actor gains access to one account, that often allows them to move freely within the environment.
Access automation can help secure the CI/CD pipeline by:
- Limiting access for admins and super users
- Eliminating static credentials or secrets
- Streamlining automatic provisioning based on role-based or attribute-based access control
- Providing just-in-time access to developers
- Maintaining comprehensive logs of all access activity
With access automation, DevSecOps and DevOps teams can work together to address four of the top 10 OWASP security risks above without bogging down developer workflows.
Here’s how these automation capabilities make securing the CI/CD pipeline easy.
Automated Provisioning Workflows
Many companies prefer to limit developer access to production environments, but others leave it open so they can perform debugging or data validation tasks. If all developers have the same access, however, they may have ongoing access beyond what they need and open the CI/CD pipeline to unnecessary risk.
Automated access workflows allow companies to define how they provision access, using either role-based or attribute-based access control, and apply those controls automatically based on predefined criteria. More nuanced access controls help companies maintain the separation of duties often required by regulatory agencies, regardless of how teams are structured.
These access workflows can automatically deprovision access, too. Automatically revoking access when an employee leaves the company or switches roles ensures that internal and external threats can’t gain unauthorized access to the development pipeline.
By automatically deprovisioning access, companies can mitigate insider attacks by disgruntled employees or external attacks that leverage inactive accounts.
Just-in-time access uses automation to temporarily give users access to CI/CD resources without interrupting their workflows.
With a just-in-time access solution, developers no longer have to maintain static credentials, standing permissions, or shared account access to access the resources they need to work. Temporary passwords reduce the chance of a cyber attacker stealing a valid user’s credentials and using them to access other systems within or beyond the CI/CD pipeline.
When developers request elevated access, security teams can quickly review their requests and provision on-demand temporary access for as long as they need it. Access automatically expires when the user is done.
Logging and Reporting
Resolving security threats depends on having full visibility into who uses which resources within your DevOps environment.
Alongside continuous monitoring, comprehensive logging and reporting capabilities can help security teams expose vulnerabilities within the CI/CD pipeline. Real-time, centralized visibility allows teams to see every account and every action taken within every system, simplifying auditing, reporting, and threat resolution.
How StrongDM Simplifies CI/CD Pipeline Security
There’s a constant battle between developers and the security teams who support them.
Often, security teams are asked to overlook best practices so developers can meet aggressive deployment deadlines. Yet, security teams are to blame when a supply chain attack occurs. They just can’t win.
That’s where StrongDM comes in. StrongDM’s People-First Access Platform makes managing and automating infrastructure access a breeze, without slowing down developer workflows.
Our customers love that StrongDM helps them meet rapid rollout deadlines without compromising security. They tell us that StrongDM makes it fast and easy to allow and revoke access to developers, even as they build, test, roll out, and roll back multiple products and services.
“Being able to match simplicity with security is a very hard thing to do, and StrongDM nailed it. It’s easy to deploy, simple to use as an engineer, and simple to use...If innovation is your thing, StrongDM is a must-have.”
- Steeve Bisson, Director of Data Engineering, App Direct (source)
See how StrongDM can make your CI/CD pipeline more secure in just a few clicks. Sign up today to try StrongDM free for 14 days.
About the Author
Schuyler Brown, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.