Securing the CI PipelineView the original Working Session content
This Working Session took an in-depth look at the security risks inherent to the CI Pipeline, and what could be done to mitigate these risks.
Synopsis and Takeaways
Why do we need to secure the CI Pipeline?
- The CI pipeline is huge,consisting of multiple hosts/machines with multiple points of access and processes.
- The pipeline contains high value targets for attackers, such as:
- Access to compilers
- Config files
- Secrets, keys, passwords. Developers often store keys and other secrets in spreadsheets, config files, Git repositories
- Assets accessible on the pipeline can be used to escalate privileges
- Several mechanisms for taking advantage of the above were demonstrated.
- Although risks are lower in a pipeline that fully implements security standards, pipelines practicing less than ideal security hygiene are not uncommon.
Categories of risks identified:
- Secret management
- Environment security
- Developer machines
- Access management
What can you do?
- Enable Authentication and Two Factor Authentication methods.
- Check for misconfigurations:
- secret variables (CI, prod, VCS, artefacts)
- VCS security
- Docker configuration/registry
- Artefact hardening
- Get your code review right
- Implement secure secrets management
- Auditing and monitoring CI/CD servers
- Harden CI boxes
- Protect the CI master machines
- Check registries/artefact storage
- Secure developer’s machines
- Consider using secret management and automated access provision tools (see below)
- Use Docker best practices for security
In general, the security of the CI/CD pipelines should be considered as important as your production security!
Tools for Securing the Pipeline, covered in session:
- Automated access management/provision:
- Secret management and automated access provision
- Hashicorp Vault - getting to know and use Vault is highly recommended
A tool like Hashicorp’s Vault can help by providing:
- Secret management
- Automated and on demand access provision. This provides you with processes that lets you control who has access, how long they have access for (limited time to live)
- Whitelist IPs
- Two Factor Authentication, with team based authentication available
Other Miscellaneous Threats mentioned:
- npm typosquatting
- Logs can be a risk (eg. recent GitHub log incident)
- Docker image integrity and registry mis-configurations