Securing your CICD pipeline: 5 security commandments to protect your organisation
by Caleb Eghan
Introduction: The importance of CICD pipeline security
CICD pipelines have primarily been used to enforce security policies, identify vulnerabilities, and run automated tests on functionalities before they are deployed to end users.
However, CICD pipelines, which are meant to be security checkpoints, are themselves subject to attack. Without proper investment, you could be creating vulnerabilities in your pipeline that allow certain stages of your build and deployment processes to be exploited.
Threats to CICD pipelines
Vulnerabilities have been discovered in GoCD, a CICD solution adopted by numerous organisations for their application release process. The vulnerabilities discovered could give attackers privileged access to sensitive API keys, private repositories, and sensitive data. This means an attacker can gain access to intellectual property and take control of the release pipeline.
Consider the SolarWinds attack, which impacted several government organisations and involved attackers creating backdoors in software delivery pipelines, affecting a large number of software supply chains.
Given the growing threat against CICD pipelines, it is paramount that organisations and stakeholders pay critical attention to the security score or state of their pipelines. This means having visibility of existing threats, so that the organisation is aware of them and can deploy the tools and expertise required.
5 security commandments to protect your organisation:
- Software and Infrastructure engineers need to be security conscious:
Build a security-first culture within your organisation. Security must be a shared responsibility irrespective of your role or department.
- Pipelines need to be designed and built with security in focus:
Consider security at each stage of the build and deployment process. There should be validation checks in place to police every component running through the pipelines before it is promoted to the next stage.
- A rigorous credential management system should be considered:
Compromised credentials mean an open door for attackers. API keys and credentials should not be exposed or set as plain text in pipelines. Relevant keys and secrets need to be saved in a secured key management system such as Azure Key Vault, Amazon Key Management Service and GCP Key Management Service.
- Tools adopted in your CICD pipelines need to be audited and reviewed regularly:
All tools and services should be rigorously analysed and reviewed on a regular basis to better understand the level of privileges exposed by these tools and services, as well as whether an update is required or if the tool must be retired.
- Incorporate observability and logging in your pipelines:
It is impossible to know what kind of assistance or support your infrastructure requires unless you are aware of the existing vulnerabilities and have visibility of them. Integrating observability and logging into your pipeline provides your team with first-hand knowledge of the pipeline’s health status and what might be compromised or broken.
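An added example, not from the original article: a minimal pre-promotion check for the credential-management commandment above, which flags credentials set as literal values in a pipeline definition instead of being referenced from a secret store. The sample pipeline, the variable names and the naming patterns are constructed assumptions, and the matching is a heuristic rather than a full YAML parse.

```python
import re
import sys

# Constructed sample pipeline definition (illustrative values, not real secrets).
SAMPLE_PIPELINE = """\
variables:
  API_KEY: "EXAMPLE-0123456789abcdef"
  DB_PASSWORD: $(db-password)
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
  REGION: eu-west-2
steps:
  - script: curl -H "Authorization: Bearer EXAMPLEtoken0123456789abcd" https://example.invalid/deploy
  - script: ./deploy.sh --password "$DB_PASSWORD"
"""

# Assumed naming convention for variables that hold credentials (heuristic).
SENSITIVE_NAME = re.compile(r"(?i)(api[_-]?key|secret|token|passw(or)?d|pwd|credential)")
# "key: value" or "KEY=value" assignments, optionally inside a list item.
ASSIGNMENT = re.compile(r"^\s*(?:-\s*)?([\w.-]+)\s*[:=]\s*(.+?)\s*$")
# Values resolved at run time: $(name), ${{ expr }}, ${NAME} or $NAME.
REFERENCE = re.compile(r"^[\"']?(\$\(.+\)|\$\{\{.+\}\}|\$\{\w+\}|\$\w+)[\"']?$")
# A literal bearer token pasted into a command (variable references are skipped).
INLINE_BEARER = re.compile(r"(?i)authorization:\s*bearer\s+(?!\$)[\w.~+/=-]{16,}")


def find_plaintext_secrets(text):
    """Return (line_number, reason) for each hard-coded credential found."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore comment lines
        if INLINE_BEARER.search(line):
            findings.append((number, "literal bearer token in command"))
            continue
        match = ASSIGNMENT.match(line)
        if match:
            name, value = match.groups()
            if SENSITIVE_NAME.search(name) and not REFERENCE.match(value):
                findings.append((number, f"{name} is set to a literal value"))
    return findings


if __name__ == "__main__":
    # With a file argument this acts as a gate (non-zero exit on findings);
    # without one it only reports on the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path).read() if path else SAMPLE_PIPELINE
    results = find_plaintext_secrets(source)
    for number, reason in results:
        print(f"line {number}: {reason}")
    sys.exit(1 if path and results else 0)
```

Run as an early pipeline stage against the pipeline definition file, a non-zero exit stops promotion to the next stage.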
How RiverSafe can help:
With years of experience and expertise within the security and DevOps space, RiverSafe can ensure your organisation is implementing a rigorous security infrastructure across your entire code and cloud infrastructure, with compliance in focus.
Contact us to learn more about our expertise and services in CICD pipeline security and how we can help you fortify your pipeline against internal and external threats.