The risk of CI/CD pipeline poisoning via CodeBuild

On the intricate challenges of setting up a secure CI/CD pipeline

Securing SDLC is complex and fast changing

Software is essential for most enterprises. Proper management of the software lifecycle - whether through acquisition or development - and ensuring that the software is fit-for-purpose and available are key success factors. The landscape of frameworks and tools used in software development is rapidly evolving. This makes securing the development environment challenging. Recent events have shown that attackers are targeting these environments as, more often than wanted, this environment becomes the weakest link in the IT infrastructure of a company. The SDLC environment might become the next target to attack organisations or their clients.

The requirements for fast and automated software development capabilities (introduced by agile and devops software development methodologies) have further proven the benefits of cloud computing. That’s why businesses often opt for managed cloud services that simplify and speed up the implementation, execution and maintenance of SDLC environments and their CI/CD pipelines. However, this cloud-based setup comes with inherent risk.

Pipeline poisoning

The article focuses on CI/CD pipelines implemented in the Amazon Web Services (AWS) cloud environment and sets out the risk of pipeline poisoning by developers when using CodeBuild. In particular, three vulnerabilities in the IT environment are identified:

The risk of sensitive data leakage from the SDLC pipeline.
The potential to abuse the CodeBuild functionality to introduce malicious elements, such as malware or backdoor features.
The possibility that a developer could execute privileged commands in a deployment server and take full control over the system.

In the article, we show how each of these risks can manifest, and demonstrate this with a proof-of-concept.

Download The risk of CI/CD pipeline poisoning via CodeBuild: On the intricate challenges of setting up a secure CI/CD pipeline

Considerations for securing your cloud environment

Understand the services you use. These services are implemented for general use cases, not for your particular needs
Services are not silos: investigate how services integrate and interact

Become comfortable with the shared responsibility model
Adapt your security policies to the new cloud challenges

Be critical with security, don’t assume de facto security
Apply the basics: least privilege, segregation of duties, defense in depth, etc.
Tighten the cloud to your needs, adapt general use cases and setups

Be proactive: implement customised controls, leverage serverless to your benefit
Monitor, validate, and verify tasks and assets

Safeguarding through limited access

In the article we explain the risk of CI/CD pipeline poisoning that can negatively impact a company’s IT environment when using the CodeBuild service provided by AWS. Identifying this risk requires an in-depth understanding of the service, its functionalities and interactions with other services. We believe that AWS customers are not routinely anticipating this risk as part of their risk management process. Moreover, security controls commonly implemented in secure SDLC environments, such as peer code review and static application security testing (SAST) analysis, become less effective in this context. Therefore, specific security controls should be put in place in order to reduce risk.

Cloud security is complex. Identifying and understanding intricate functionalities is key for implementing a secure cloud-based infrastructure. We want to stress the need for AWS customers to perform an in-depth review of their AWS services and to evaluate how these services fit their security needs. In particular, we recommend limiting access to the StartBuild action of the CodeBuild service as much as possible, and to isolate sensitive tasks in different CodeBuild projects with limited access.