Software development and delivery supply chains have emerged as highly desirable targets for malicious cyber actors due to the potential for significant impact and widespread damage. These adversaries recognise the inherent vulnerabilities within these environments. It can also exploit them to compromise cloud deployments across the entire automated software development and delivery lifecycle.
The allure of targeting software supply chains lies in their critical role in the modern digital landscape. As organisations increasingly rely on software to power their operations, software development and delivery efficiency and speed have become significant. However, this drive for agility and rapid deployment has created opportunities for cyber attackers to infiltrate the software supply chain and introduce malicious components or code.
In light of this, recently, a Cyber Security Information Sheet (CSI) titled “Defending Continuous Integration/Continuous Delivery (CI/CD) Environments” was released by the National Security Agency (NSA) and the Cyber Security and Infrastructure Security Agency (CISA).
This publication recommends incorporating security best practices into conventional software development and operations (DevOps) CI/CD environments. By sharing these insights, the agencies intend to assist organisations, fortifying their CI/CD cloud deployments and encouraging the adoption of these recommended measures.
Dr Ethan Givens, NSA’s Technical Director, Critical & Emerging Technologies, emphasised that the development and delivery is a crucial component of providing service in the cloud as the virtual cloud environment relies on software. He also mentioned that if the defence of the CI/CD pipeline is not adequately implemented, it can create a vulnerable entry point that bypass established security policies and tools.
“Failure to effectively defend the CI/CD pipeline can provide an attack vector that circumvents security policies and products,” he explained.
Malicious cyber actors find typical DevOps CI/CD environments highly appealing targets due to various reasons. They can exploit these environments by introducing malicious code into CI/CD applications, resulting in compromised information.
Additionally, these actors may seek to gain unauthorised access to valuable intellectual property or trade secrets through code theft. Furthermore, they can cause disruptive denial of service effects against applications, leading to service interruptions and potential financial or reputational damage.
DevOps is an approach that integrates software development and IT operations, aimed at streamlining the software development lifecycle and ensuring the continuous delivery of top-quality products. The process of incorporating security practices into DevOps is commonly referred to as DevSecOps.
In the DevSecOps approach, the CI/CD pipeline plays a pivotal role by seamlessly integrating security and automation across the entire development lifecycle. Its primary objective is to automate applications’ secure, rapid, and efficient integration and delivery.
Typically, CI/CD pipelines are implemented within commercial cloud environments. Organisations leverage DevSecOps CI/CD tools and services to effectively streamline software development processes and efficiently manage applications and programmable infrastructure within the cloud while maintaining a strong focus on security.
Furthermore, the Cyber Security Information Sheet (CSI) recommends strengthening CI/CD pipelines, covering areas such as authentication and access control, development environments and tools, and the overall development process. The NSA and CISA encourage organisations and network defenders to adopt these mitigations outlined in the CSI. By doing so, they can effectively decrease the risk of compromise to their CI/CD environments and create a more formidable deterrent for malicious cyber actors.
