Why the CI/CD pipeline is vulnerable to attack [Q&A]
Recent high-profile supply chain attacks such as SolarWinds have highlighted how vulnerable the software development pipeline can be.
To find out more about why the CI/CD pipeline is particularly vulnerable to attacks and what can be done to prevent them, we spoke to Vickie Li, developer evangelist at ShiftLeft, which has just launched a new product, ShiftLeft CORE, aimed at reducing risk to the software code base.
BN: What is CI/CD? How does it differ from the CI/CD pipeline?
VL: Continuous Integration (CI) and continuous delivery/deployment (CD) enables developers to deliver software changes more frequently, seamlessly, and safely. The CI/CD process is visualized as a pipeline consisting of three connected practices.
CI stands for continuous integration. Continuous Integration refers to an automated process in which developers can consistently build, test, and merge new code changes into repositories. With code frequently written across disparate platforms with different tools, the system must routinely check that changes are validated by creating builds and running automated tests against them.
CD can refer to either continuous delivery and/or continuous deployment. Often the two are used interchangeably. However, slight discrepancies between the two are worth calling out:
- Continuous delivery refers to developers' code changes being automatically tested for bugs and uploaded to code repositories like GitHub. Operations teams are then able to deploy applications to a live production environment, streamlining the deployment process, as well as communications between developers and business teams.
- After delivery, continuous deployment automatically deploys code changes from a code repository to a production environment, where it is then accessible to customers. This takes the burden off operations teams who historically manually pushed changes into production.
BN: How have recent breaches demonstrated the risk posed to this phase of the development pipeline?
VL: Due to the pandemic, organizations rushed to accelerate digital transformation initiatives; a shift that placed a heavy burden on software developers tasked with delivering applications at higher-than-ever velocity to enable remote work. In tandem with this pressure, major recent data breaches like SolarWinds have highlighted a significant risk to the CI/CD pipeline, demonstrating to organizations why they must place a high priority on software supply chain security.
Historically, security was overlooked, as it didn't fit into existing development workflows. However, that position is no longer acceptable in today's digital era. High-profile cyberattacks over the past year and a 430 percent surge in such attacks overall have underscored just how vulnerable software supply chains can be. When successful, supply chain attacks can allow attackers to gain access to a third-party's software, enabling them to manipulate code and insert malicious components to compromise downstream and upstream applications.
The past year in particular has brought light to this looming threat, which is now garnering the attention of governments internationally, with President Biden recently issuing an executive order on supply chain security and the UK's National Cyber Security Center (NCSC) releasing a similar warning.
BN: What are the most significant threats to the CI/CD pipeline?
VL: Two of the most significant threats to the CI/CD pipeline are inside threats and open-source vulnerabilities:
- Insider Threats -- One of the easiest ways to infiltrate an organization's software is through privileged insiders. Verizon's 2020 Data Breach Investigations Report found that one-third of data breaches originate from insider actors. Insider threats can include privileged IT administrators, disgruntled former employees, managerial employees, or attackers who have gained access to employee credentials.
- Open-source Vulnerabilities -- Most modern applications include some open-source components. While using ready-made code simplifies the application development process, it also carries serious security risks. In fact, 99 percent of the codebases contained at least one open-source component, and 91 percent of those codebases contained components that either were more than four years out of date or had seen no development activity in the last two years. Attackers often deliberately compromise open-source software to attack applications that rely on them.
BN: If a supply chain is compromised, what kind of damage can attackers carry out?
VL: Supply chain attacks are not always easily detected. As was the case with the SolarWinds breach -- which infected 18,000 customers across government, consulting, telecom, and technology sectors -- hackers did not immediately initiate attack. Rather, they remained dormant for weeks before initiating contact. By infecting one update, attackers can potentially infiltrate countless organizations on whatever timeline they choose.
Today, every business is reliant on some type of third-party vendor, exponentially expanding the threat landscape. One study found 31 percent of third-party vendors could cause significant damage to organizations if breached. If threat actors can find their way into targets’ systems and infrastructure, they can maneuver across networks and gain access to proprietary and sensitive information.
BN: How can developers and organizations better secure their software development pipelines?
VL: Organizations must ensure that builds are independent of one another so that in the event of a breach, uncompromised builds remain unaffected. Organizations must routinely conduct security checks, as well as insert insider threat detection directly into the software supply chain to establish non-repudiation of software shipped at every stage. Developers should be responsible for the security of the code they write. Builds should be scanned while the code is fresh in their minds, helping them to quickly find and fix vulnerabilities before code is shipped to the next phase. Organizations using open-source software can use automated tools to monitor known open-source vulnerabilities to make sure they don’t get introduced to the code base.
As software supply chain attacks continue to grow in reach and frequency, developers and organizations alike must place increased scrutiny on securing applications at their genesis by increasing security measures around CI/CD pipelines and development practices. Delivering secure code, maintaining visibility, and consistently monitoring architecture are crucial steps to upholding the overall security and integrity of your software supply chain.