Securing the CI Pipeline

Outcomes

This Working Session took an in-depth look at the security risks inherent to the CI Pipeline, and what could be done to mitigate these risks.

The CI pipeline is huge,consisting of multiple hosts/machines with multiple points of access and processes.
The pipeline contains high value targets for attackers, such as:
- Access to compilers
- Config files
- Secrets, keys, passwords. Developers often store keys and other secrets in spreadsheets, config files, Git repositories
Assets accessible on the pipeline can be used to escalate privileges
Several mechanisms for taking advantage of the above were demonstrated.
Although risks are lower in a pipeline that fully implements security standards, pipelines practicing less than ideal security hygiene are not uncommon.

Enable Authentication and Two Factor Authentication methods.
Check for misconfigurations:
- hooks
- secret variables (CI, prod, VCS, artefacts)
- VCS security
- Docker configuration/registry
- Artefact hardening
Get your code review right
Implement secure secrets management
Auditing and monitoring CI/CD servers
Harden CI boxes
Protect the CI master machines
Check registries/artefact storage
Secure developer’s machines
Consider using secret management and automated access provision tools (see below)
Use Docker best practices for security

In general, the security of the CI/CD pipelines should be considered as important as your production security!

Automated access management/provision:
- repokid
- hubcommander
Secret management and automated access provision
- Hashicorp Vault - getting to know and use Vault is highly recommended

A tool like Hashicorp’s Vault can help by providing:

Secret management
Automated and on demand access provision. This provides you with processes that lets you control who has access, how long they have access for (limited time to live)
Whitelist IPs
Two Factor Authentication, with team based authentication available