Guidelines for Securing Continuous Integration/Continuous Delivery Environments
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidelines for securing Continuous Integration/Continuous Delivery (CI/CD) environments. The document describes the attack surface, offers three potential threat scenarios, and makes recommendations for threat mitigation and hardening CI/CD cloud deployments.
The threat scenarios in this document are good starting points for tabletop exercises. CI/CD pipelines and DevOps processes are often tightly coupled with business processes and very different between organizations. A really good playbook to protect CI/CD for Business/Agency A might not work at all for Business/Agency B.
The report explains the conditions, threats, and issues in language that is easy to understand, and can help you build understanding of the issues without leaning on Log4j or SolarWinds as the examples. The recommendations, including validation of code signatures, using accounts with limited lifespans, MFA, and keeping systems and services patched and updated, are a conversation you can have with your teams to see where you can raise the bar as well as better understand your developers’ needs.
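Of the recommendations listed above, validation of code signatures is the one most readily expressed as a pipeline gate. The following is an added example, not code from the CISA/NSA document or from this post: a Go program in which a build step signs an artifact's SHA-256 digest with an Ed25519 key, and the deploy step refuses to promote anything whose signature does not verify against a key on its allowlist. The signer names, the artifact bytes and the keys are constructed for the example; a real pipeline would load the allowlist from configuration under change control rather than generating keys at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustedSigners is the deploy stage's allowlist of release-signing public
// keys, keyed by a human-readable signer name. (Constructed for this example;
// in practice it is loaded from version-controlled pipeline configuration.)
type TrustedSigners map[string]ed25519.PublicKey

var (
	ErrUnknownSigner = errors.New("artifact signed by a key not in the trusted set")
	ErrBadSignature  = errors.New("signature does not match artifact contents")
)

// NewSigner generates a fresh Ed25519 key pair and returns an allowlist that
// trusts only that key under the given name, plus the private half for the
// build stage. Hypothetical helper so the example is self-contained.
func NewSigner(name string) (TrustedSigners, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // key generation failing is unrecoverable for a demo
	}
	return TrustedSigners{name: pub}, priv
}

// SignArtifact is the build-stage step: it produces a detached signature over
// the SHA-256 digest of the artifact, mirroring how release tooling typically
// signs a checksum rather than the raw binary.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact is the deploy-stage gate. It rejects artifacts from signers
// that are not on the allowlist and artifacts whose contents no longer match
// the signature (tampering in transit, or a swapped build).
func VerifyArtifact(trusted TrustedSigners, signer string, artifact, sig []byte) error {
	pub, ok := trusted[signer]
	if !ok {
		return ErrUnknownSigner
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: one trusted release signer and one artifact.
	trusted, releasePriv := NewSigner("release-bot")
	artifact := []byte("constructed build artifact v1.2.3")
	sig := SignArtifact(releasePriv, artifact)

	fmt.Println("genuine artifact:", VerifyArtifact(trusted, "release-bot", artifact, sig))

	// A single flipped byte must fail the gate.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", VerifyArtifact(trusted, "release-bot", tampered, sig))

	// A valid signature from a key that is not on the allowlist must also fail.
	_, roguePriv := NewSigner("rogue")
	fmt.Println("unknown signer:", VerifyArtifact(trusted, "rogue", artifact, SignArtifact(roguePriv, artifact)))
}
```

The gate checks two things that are easy to conflate: that the signature is mathematically valid, and that the key behind it is one the pipeline has chosen to trust. A pipeline that only does the first will happily deploy a build signed by any key an attacker controls.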
If adversaries gain access to a software developer’s environment, then undoubtedly bad things can happen. The same is true if they gain access to any organization’s enterprise. The guidance published by CISA and NSA is useful, but first, adopt and implement an established cybersecurity framework (e.g., NIST CSF, NIST SP 800-53, CIS Controls) for the entire enterprise.