The risk of CI/CD pipeline poisoning via CodeBuild
On the intricate challenges of setting up a secure CI/CD pipeline
Securing SDLC is complex and fast changing
Software is essential for most enterprises. Proper management of the software lifecycle - whether through acquisition or development - and ensuring that the software is fit-for-purpose and available are key success factors. The landscape of frameworks and tools used in software development is rapidly evolving. This makes securing the development environment challenging. Recent events have shown that attackers are targeting these environments as, more often than wanted, this environment becomes the weakest link in the IT infrastructure of a company. The SDLC environment might become the next target to attack organisations or their clients.
The requirements for fast and automated software development capabilities (introduced by agile and devops software development methodologies) have further proven the benefits of cloud computing. That’s why businesses often opt for managed cloud services that simplify and speed up the implementation, execution and maintenance of SDLC environments and their CI/CD pipelines. However, this cloud-based setup comes with inherent risk.
Pipeline poisoning
The article focuses on CI/CD pipelines implemented in the Amazon Web Services (AWS) cloud environment and sets out the risk of pipeline poisoning by developers when using CodeBuild. In particular, three vulnerabilities in the IT environment are identified:
- The risk of sensitive data leakage from the SDLC pipeline.
- The potential to abuse the CodeBuild functionality to introduce malicious elements, such as malware or backdoor features.
- The possibility that a developer could execute privileged commands in a deployment server and take full control over the system.
In the article, we show how each of these risks can manifest, and demonstrate this with a proof-of-concept.
Safeguarding through limited access
In the article we explain the risk of CI/CD pipeline poisoning that can negatively impact a company’s IT environment when using the CodeBuild service provided by AWS. Identifying this risk requires an in-depth understanding of the service, its functionalities and interactions with other services. We believe that AWS customers are not routinely anticipating this risk as part of their risk management process. Moreover, security controls commonly implemented in secure SDLC environments, such as peer code review and static application security testing (SAST) analysis, become less effective in this context. Therefore, specific security controls should be put in place in order to reduce risk.
Cloud security is complex. Identifying and understanding intricate functionalities is key for implementing a secure cloud-based infrastructure. We want to stress the need for AWS customers to perform an in-depth review of their AWS services and to evaluate how these services fit their security needs. In particular, we recommend limiting access to the StartBuild action of the CodeBuild service as much as possible, and to isolate sensitive tasks in different CodeBuild projects with limited access.
Contact us
