3 CI/CD Pipeline Security Best Practices

Beyond Identity Blog | Thursday, November 18, 2021

Companies are increasingly switching to agile development practices that enable them to more quickly and efficiently develop and release software. Often this switch to agile involves leveraging automation and continuous integration and continuous deployment (CI/CD) solutions to reduce friction and bottlenecks in development pipelines.

While agile development strategies help to streamline and expedite the development process, they often overlook security. As a result, software vulnerabilities in production code are constantly on the rise, and development pipelines are a growing target of cyberattacks.

What is CI/CD security?

For many companies, the software that they create is their product, and software vulnerabilities and hacks hurt their brand reputation and bottom line. However, many of these companies also leave this software vulnerable to exploitation.

CI/CD security is the practice of implementing security controls throughout an organization’s development process. The speed and automation that are central to agile development processes create an environment where vulnerable or malicious code can slip through the cracks. By deliberately integrating security into the DevOps pipeline, companies better protect their code and reputation against attack.

Many companies are failing to secure their DevOps pipelines, leading to high profile cyberattacks like the SolarWinds hack. Here are three best practices for securing your CI/CD pipeline.

1. Shift security left

For many DevOps teams, minimizing time to release is their primary goal. Often, compensation is based on how quickly a team can release new software or versions, and anything that slows down development is a hindrance. As a result, security testing for software is often performed as an afterthought at the end of the development lifecycle, if it’s done at all.

The objective of DevSecOps and “shift left” security is to integrate security into every stage of the development lifecycle. However, for software developers to adopt these practices, they must be painless and not create roadblocks on the road to development. Effective CI/CD pipeline security should be easy to use, automated, and fully integrated into existing software development workflows.

2. Establish device-based access controls

With the rise of work from anywhere and bring your own device (BYOD) policies, employees are increasingly working from personal and dual-use devices. However, this creates significant security risks for organizations as these devices may not be compliant with corporate security policies and are more vulnerable to cyber threats.

The code that an organization’s developers write is the company’s intellectual property and needs to be protected against potential leaks or breaches. If developers make copies of code repositories on untrusted machines, that code is potentially exposed to data breaches and leaks.

Controlling access to an organization’s intellectual property requires device-based access controls. When managing access to code repositories, companies should not only manage access based on who is requesting access but also what is being requested. This allows the company to ensure that its intellectual property is only being accessed and stored on devices that are secured against cyber threats.

3. Be able to identify if someone or something has tampered with source code and components at any time

Recent supply chain cyberattacks have demonstrated the risk of inadequate integrity protection and version control for software. The SolarWinds hack is a classic example of this. The attackers gained access to SolarWinds’ production environment and were able to add malicious code to an update to the company’s Orion network monitoring solution. 

Since this malicious functionality was added within SolarWinds’ development pipeline, the final, malicious update was digitally signed using the company’s private key and distributed to customers. As a network monitoring solution, Orion had deep visibility into customer environments, enabling it to potentially steal sensitive data from tens of thousands of SolarWinds customers.

The SolarWinds breach was possible because integrity protection was only applied to the final release of the Orion update. The implicit assumption that all valid changes to the codebase were legitimate allowed the SolarWinds attackers to insert malicious functionality into the code without detection.

As cybercriminals become more sophisticated and supply chain attacks grow more common, companies need the ability to protect the integrity of their source code at every stage of the development process, not just the end. Development teams need to be able to identify if an application’s source code or the third-party components and libraries that it relies upon have been tampered with during the development process, whether it’s by an outside attacker or insider threat.

Tie every commit to a verified identity with Beyond Identity

As long as security is only considered at the very end of the development process, SolarWinds and similar hacks will keep occurring. Companies need to integrate security testing and code integrity protection into every stage of their CI/CD pipelines.

An important first step towards securing development is integrating identity into DevOps pipelines. By tying each commit to a verified identity, an organization can help to protect itself against attacks like the SolarWinds hack which target DevOps pipelines.
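As an added illustration (not code from this post or from Beyond Identity's product), here is one way a repository gate could enforce the "every commit tied to a verified identity" rule using Git's own signature-status output. The allowlist, fingerprints, commit ids and e-mail addresses are constructed for the example.

```python
from collections import namedtuple

# Input: one commit per line, as printed by
#   git log --format='%h|%G?|%GF|%ce' <old>..<new>
# (%G? signature status, %GF signing-key fingerprint, %ce committer email)

# Constructed allowlist: key fingerprint -> corporate identity bound to it.
TRUSTED_KEYS = {"1" * 40: "alice@example.com", "2" * 40: "bob@example.com"}

# Every %G? status other than "G" (good) is rejected, with the reason recorded.
STATUS_REASON = {
    "N": "unsigned commit", "B": "bad signature",
    "U": "good signature, key validity unknown", "X": "signature expired",
    "Y": "signed with expired key", "R": "signed with revoked key",
    "E": "signature cannot be checked (missing key)",
}

Verdict = namedtuple("Verdict", "commit accepted reason")

def check_commit(line, trusted=TRUSTED_KEYS):
    parts = line.strip().split("|")
    if len(parts) != 4:
        return Verdict(line.strip()[:12], False, "unparseable log line")
    sha, status, fpr, email = parts
    if status != "G":
        return Verdict(sha, False, STATUS_REASON.get(status, "unknown status"))
    owner = trusted.get(fpr.upper())
    if owner is None:
        return Verdict(sha, False, "valid signature, but not a corporate key")
    if owner.lower() != email.lower():  # key holder must match claimed identity
        return Verdict(sha, False, f"key of {owner} used as {email}")
    return Verdict(sha, True, f"signed by {owner}")

def gate_push(log_output):
    """Fail closed: an empty range or any rejected commit blocks the push."""
    verdicts = [check_commit(ln) for ln in log_output.splitlines() if ln.strip()]
    return bool(verdicts) and all(v.accepted for v in verdicts), verdicts

# Constructed sample of the git log output described above.
SAMPLE_LOG = "\n".join([
    "9f2c1e7|G|" + "1" * 40 + "|alice@example.com",  # accepted
    "4b8d0a3|N||bob@example.com",                    # unsigned
    "c07e5f1|G|" + "3" * 40 + "|alice@example.com",  # key not on allowlist
    "e1a96d2|G|" + "2" * 40 + "|alice@example.com",  # identity mismatch
])

if __name__ == "__main__":
    ok, verdicts = gate_push(SAMPLE_LOG)
    print(*verdicts, "push allowed" if ok else "push blocked", sep="\n")
```

Run per commit at push time rather than once on the release artifact, a check like this records which commit failed and why, so a change from an unexpected key surfaces before it reaches a build.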

Beyond Identity’s Secure DevOps ensures that only code commits signed by verified corporate identities are accepted into code repositories. See how your organization can integrate security into your DevOps processes with Secure DevOps. Request a demo today.