On the intricate challenges of setting up a secure CI/CD pipeline
Software is essential for most enterprises. Proper management of the software lifecycle, whether through acquisition or development, and ensuring that the software is fit for purpose and available are key success factors. The landscape of frameworks and tools used in software development is rapidly evolving, which makes securing the development environment challenging. Recent events have shown that attackers are targeting these environments because, more often than desired, the development environment is the weakest link in a company's IT infrastructure. The SDLC environment may become the next vector for attacking organisations or their clients.
The demand for fast and automated software development capabilities (introduced by agile and DevOps methodologies) has further demonstrated the benefits of cloud computing. That is why businesses often opt for managed cloud services that simplify and speed up the implementation, execution and maintenance of SDLC environments and their CI/CD pipelines. However, this cloud-based setup comes with inherent risk.
The article focuses on CI/CD pipelines implemented in the Amazon Web Services (AWS) cloud environment and sets out the risk of pipeline poisoning by developers when using CodeBuild. In particular, three vulnerabilities in the IT environment are identified:
In the article, we show how each of these risks can manifest and demonstrate each with a proof of concept.
In the article we explain the risk of CI/CD pipeline poisoning, which can negatively impact a company's IT environment when using the CodeBuild service provided by AWS. Identifying this risk requires an in-depth understanding of the service, its functionalities and its interactions with other services. We believe that AWS customers are not routinely anticipating this risk as part of their risk management process. Moreover, security controls commonly implemented in secure SDLC environments, such as peer code review and static application security testing (SAST), become less effective in this context. Therefore, specific security controls should be put in place to reduce this risk.
Cloud security is complex. Identifying and understanding intricate functionalities is key to implementing a secure cloud-based infrastructure. We want to stress the need for AWS customers to perform an in-depth review of their AWS services and to evaluate how these services fit their security needs. In particular, we recommend limiting access to the StartBuild action of the CodeBuild service as much as possible, and isolating sensitive tasks in separate CodeBuild projects with restricted access.
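As an added illustration of the last recommendation (not code from the article), the following Python flags IAM policy statements that grant codebuild:StartBuild on a sensitive CodeBuild project; the ARNs, account id and policy documents are constructed samples.

```python
"""Audit IAM policy documents for broad codebuild:StartBuild grants.

Added example, not code from the article: flags Allow statements that let a
principal start builds of a sensitive CodeBuild project, the access the article
recommends limiting. Deny, NotAction and NotResource are not modelled.
"""
import fnmatch
import json

# Constructed ARN (hypothetical account and name) of a project that performs a
# sensitive task, which the article says belongs in its own restricted project.
SENSITIVE_PROJECT_ARN = "arn:aws:codebuild:eu-west-1:123456789012:project/prod-deploy"

# Constructed sample: a blanket grant that lets the holder trigger any build.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "codebuild:*", "Resource": "*"}],
})

# Constructed sample: StartBuild limited to one low-privilege test project.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
        "Resource": "arn:aws:codebuild:eu-west-1:123456789012:project/app-unit-tests",
    }],
})


def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def start_build_grants(policy_json, project_arn):
    """Return Allow statements permitting codebuild:StartBuild on project_arn.

    Actions match case-insensitively with IAM '*' wildcards; ARNs case-sensitively.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase("codebuild:startbuild", a) for a in actions) and \
                any(fnmatch.fnmatchcase(project_arn, r) for r in resources):
            findings.append(stmt)
    return findings
```

Run over the policies attached to developer roles, the check surfaces every statement that would let a developer trigger the sensitive project's build, which is the access to remove before isolating that project.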