TL;DR: Our Build Pipeline Security Assessment prepares you against modern and sophisticated threats using the same Tactics, Techniques and Procedures (TTPs) an adversary would use against your CI/CD pipeline.
Continuous Integration and Continuous Delivery or Deployment (CI/CD) pipelines play a fundamental role in building code, running tests and guaranteeing that any changes pushed to a code repository can be swiftly integrated into the final product. However, like all integrated systems, CI/CD pipelines are prime targets for adversaries looking to compromise your company and your product. Successful attacks against a vulnerable build pipeline can be disastrous.
Vulnerabilities or misconfigurations in CI/CD pipelines can grant adversaries unauthorised access to sensitive information, the ability to move laterally across accounts, deliver malware, and even backdoor applications.
TantoSec has recently helped some customers understand the significant risk to their CI/CD pipelines, revealing serious and unexpected pathways into their organisation. The types of vulnerabilities reported by our team include compromise of build hosts via malicious commits, privilege escalation, lateral movement from the DEV to the PROD environment, backdooring of deployment artefacts without leaving traces in the pipeline, and other serious findings that posed real and immediate risks to our clients.
But don’t just take our word for it… Here is some feedback from one of our customers:
"Just wanted to reach out and thank you for the awesome, yet very scary, job you guys did." -- Head of Technology from the Gaming Industry
Following the success of these engagements and the good feedback received from our customers, we are officially launching our Build Pipeline Security Assessment service. This assessment can:
- Identify security gaps in the build process that might allow unexpected actions such as lateral movement and/or privilege escalation.
- Analyse build and deployment configurations to ensure they adhere to the best security practices.
- Inspect coding and packaging processes to avoid unintentional introduction of vulnerabilities or backdoors in the end product.
- Mitigate risks stemming from compromised build machines by showing how to secure resources and enforce least privilege access.
Each assessment is tailored to your specific objectives, ensuring you get the most out of it. Below are some objectives clients have chosen during previous CI/CD pipeline assessments:
Restricted Environment Breakout - How long would it take you to discover a new developer acting maliciously? Could they push malicious code to production? Could they use their Dev/UAT CI/CD build environment access to move laterally to the production environment?
Compromised Code Repository Account - An adversary gains access to your company’s code repository through an employee’s compromised API or SSH key. How far can they move into your build pipeline?
Detection of Malicious Code Implanted During Build - A build machine is compromised. Can adversaries implant malicious code in your application? What controls are in place to detect these changes?
Is my CI/CD Pipeline well configured against supply chain attacks? - An adversary attempts a series of attacks like dependency confusion, Docker Image poisoning, and library take-overs. Would these be detected? Do you understand the risk posed by third-party libraries, how often they are used, and whether you are using the latest versions?
The Build Pipeline Security Assessment blends our own expert in-house Tactics, Techniques and Procedures (TTPs) with those used by well-known threat actors to build realistic attack scenarios. It sheds light on the potential avenues for compromise before an incident can take place.
Examples of major CI/CD pipeline incidents include:
Capital One (2019) - A former employee exploited a misconfigured CI/CD pipeline in Capital One’s infrastructure, resulting in a breach that exposed personal information of around 100 million customers.
SolarWinds (2020) - In one of the most infamous software supply chain breaches, adversaries compromised SolarWinds’ Orion Platform IT management suite. They manipulated the system’s software supply chain to gain access to government and private networks, resulting in massive global data breaches that had far-reaching impacts on national security.
Codecov (2021) - Another major software supply chain attack, this one against Codecov, impacted thousands of organisations worldwide. Adversaries modified a script, allowing them to send the environment variables from the CI of Codecov customers to a remote server under their control. Credentials for private git repositories were present in the CI environment, and hardcoded secrets were present within these repositories.
Kaseya (2021) - Ransomware actors compromised Kaseya’s VSA remote monitoring and management software through its CI/CD pipeline. Adversaries pushed malicious updates to VSA servers impacting thousands of managed service providers and their clients.
Industry bodies have recognised that CI/CD pipelines are under threat. Peak cyber security agencies, including the National Security Agency in the United States, released a detailed security best practice guide for software development and CI/CD environments.
The respected Open Worldwide Application Security Project (OWASP) also took action against this rising threat and released its top 10 CI/CD security risks listed below:
- Insufficient Flow Control Mechanisms
- Inadequate Identity and Access Management
- Dependency Chain Abuse
- Poisoned Pipeline Execution (PPE)
- Insufficient PBAC (Pipeline-Based Access Controls)
- Insufficient Credential Hygiene
- Insecure System Configuration
- Ungoverned Usage of Third Party Services
- Improper Artefact Integrity Validation
- Insufficient Logging and Visibility
The TantoSec Build Pipeline Security Assessment enables you to evaluate and improve the security of your CI/CD process, implementing measures to keep adversaries at bay.
Reduce the threats to your build pipeline, protect your applications from hidden defects, increase trust in your deployment process, and give your stakeholders confidence in your commitment to security. Talk to us today about how you can leverage our Build Pipeline Security Assessment.