How to Protect Your CI/CD Pipeline to Secure the Software Supply Chain
CI/CD and the Software Supply Chain
Cloud-native software supply chains combine third-party software components, such as open-source packages, with the underlying delivery pipelines required to store, manage and deliver software. Delivery pipelines, such as repositories (Git) and CI/CD pipelines, are therefore the lifeblood of agile methodologies.
Software supply chains are only as strong as their weakest link, and CI/CD pipelines are the latest attack vector left vulnerable by unsuspecting DevOps teams. A single Continuous Integration/Continuous Delivery (CI/CD) misconfiguration can expose sensitive data and can then be used as an entry point for injecting malicious code and leaking sensitive data. This can corrupt the whole CI/CD pipeline and, with it, the software supply chain.
CI/CD Weaknesses and Software Supply Chain Risks
Common CI/CD weaknesses to watch out for
- Allowing the use of deprecated commands or beta features.
- Secrets exfiltration through unprotected command executions.
- Not preventing network call commands that can be used for code injection.
- Allowing tests to run in privileged pods that can be hijacked for nefarious purposes.
- Using arbitrary and vulnerable images to execute builds and tests, which opens them up to poisoning and attacks.
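A pre-merge check for several of the weaknesses listed above, as an added example that is not part of the original article or of any CI product. The job schema, finding names and sample pipeline are hypothetical, and treating "image not pinned by digest" as the test for an arbitrary image is an assumption of this sketch.

```python
import re

# Hypothetical, simplified job schema (not any real CI system's format):
# {"name": str, "image": str, "privileged": bool, "steps": [shell command, ...]}
PIPELINE = [  # constructed sample input
    {"name": "build", "image": "builder:latest", "privileged": False,
     "steps": ["curl -s https://example.com/install.sh | sh", "make build"]},
    {"name": "test", "image": "registry.example.com/test@sha256:" + "a" * 64,
     "privileged": True, "steps": ["make test"]},
    {"name": "publish", "image": "registry.example.com/tools:1.4",
     "privileged": False, "steps": ["echo $DEPLOY_TOKEN", "make publish"]},
]

# An image reference that ends in an immutable content digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# A download whose output is piped straight into a shell.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")
# A print command that references a variable whose name looks like a secret.
SECRET_ECHO = re.compile(
    r"\b(echo|printf|printenv)\b.*\$?\{?\w*(TOKEN|SECRET|PASSWORD|KEY)\w*")


def audit_job(job):
    """Return a sorted list of finding codes for one job."""
    findings = set()
    if job.get("privileged"):
        findings.add("privileged-execution")
    if not DIGEST.search(job.get("image", "")):
        findings.add("image-not-pinned-by-digest")
    for step in job.get("steps", []):
        if FETCH_EXEC.search(step):
            findings.add("remote-script-piped-to-shell")
        if SECRET_ECHO.search(step):
            findings.add("secret-printed-to-log")
    return sorted(findings)


def audit_pipeline(jobs):
    """Map job name -> findings, keeping only jobs that have any."""
    report = {job["name"]: audit_job(job) for job in jobs}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit_pipeline(PIPELINE).items():
        print(f"{name}: {', '.join(found)}")
```

The patterns are heuristics: they catch the common spellings of each weakness and are meant to fail a review early, not to replace policy enforcement in the CI system itself.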
Examples of Software Supply Chain Attacks
On July 2, 2021, some ninety days later, a sophisticated ransomware group exploited a vulnerability in Kaseya Virtual System Administrator (VSA) servers, affecting an estimated 1,500 small businesses. Unlike the case mentioned above, Kaseya detected the breach the same day, perhaps because the attackers demanded ransoms from affected parties ranging from approximately $45,000 to $5 million. Kaseya advised customers to shut down their VSA servers while it fixed the problem. Fortunately, patches were available as early as two days later and were available until July 22, when Kaseya obtained a working decryption tool from a third party. Technical support continued, and an advisory was subsequently issued in the same month.
In December 2021, a few months after the Kaseya incident, what is arguably the simplest but most pervasive software supply chain attack occurred. Following the disclosure of a proof of concept (PoC) for remote code execution (RCE) in Apache Log4j, the popular Java logging framework, attackers began exploiting the vulnerability. Tracked as CVE-2021-44228, the vulnerability allowed attackers to push malware onto vulnerable Lightweight Directory Access Protocol (LDAP) servers. Although an update addressing the problem came relatively quickly, lingering Log4j vulnerabilities have continued to pop up, prompting the recent Cybersecurity and Infrastructure Security Agency (CISA) advisory in April 2022.
Why Securing your CI/CD Pipelines should be a top Priority
To start with, DevSecOps (Development, Security, and Operations) is a procedural approach to development, automation, and platform architecture that prioritizes security at every level of decision-making in the IT lifecycle.
Not only do security vulnerabilities put sensitive data at risk, they are also expensive to fix. In 2020 the average cost of a data breach was $3.86 million. By the end of 2021, the costs of dealing with cybercrime were expected to reach close to $6 trillion. 90% of web apps are assumed to be unsafe, especially to hacking, and 68% of them are presumed to be vulnerable to data breaches. On top of that, there were over 1000 data breaches in the US alone in 2020, impacting over 155 million people. Securing the CI/CD pipeline therefore needs to be a top priority.
How can we automate supply chain security with CI/CD pipelines?
- The simplest and best way to automate supply chain security is with a robust continuous integration and continuous delivery pipeline. With CircleCI, you can seamlessly integrate application security (AppSec) and development security operations (DevSecOps) tools to check for vulnerabilities from the version control system (VCS) through the build, test, and deployment stages of your pipeline.
- At the VCS stage, developers might make the mistake of committing secrets in plain text to a repository, which an attacker can uncover in Git history. CircleCI integrates with your preferred version control system (VCS) provider and enables you to scan commits for secrets using relevant orbs, such as the GitGuardian orb. You can securely store and manage your secrets within CircleCI with encrypted at-rest environment variables or with container-stored contexts for use across projects.
- Alternatively, you can fetch your stored secrets from third-party solutions dynamically, or commit the encrypted version and keep the decryption tool in a context so that you can execute a decryption job to retrieve the secrets at the build and test stages in your CI/CD pipeline.
- At the VCS stage, you can also use the LightSpin orb to scan for, and provide remediation advice on, IAM misconfigurations, exposed credentials, and insecure configurations in infrastructure as code (IaC) templates found in your codebase.
- At the build stage of your pipeline, you can run static application security testing (SAST) jobs on your code and open-source libraries using relevant orbs. For example, you can use the Snyk orb to scan your codebase for dependency vulnerabilities. If the scan reveals a potential threat in your software supply chain, your build will fail and Snyk will output recommendations for improving the security of your code.
- At the development stage, you can run dynamic application security testing (DAST) jobs to catch vulnerabilities at runtime in production. For example, the Deep Factor orb provides prioritized insights on application code, package dependencies, web APIs, and compliance CVEs based on app behavior.
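Why a secret committed in plain text stays recoverable from Git history even after a later commit deletes it, shown as an added example that is not from the original article and is not how the GitGuardian orb works. The commit ids, file names, rule names and secret values are constructed, and the two patterns are a minimal illustrative rule set.

```python
import re

# Constructed history, oldest first: (commit id, file path, diff body lines).
# Bodies hold only +/- lines; real diffs also carry +++/--- file headers.
HISTORY = [
    ("c1", "deploy.sh",
     "+export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n+./deploy\n"),
    ("c2", "deploy.sh",
     "-export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
     "+export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID\n"),
    ("c3", "app.py", '+db_password = "s3cr3t-Pa55w0rd!"\n+print("ready")\n'),
]

PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits.
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A quoted literal of 8+ characters assigned to a secret-looking name.
    "hardcoded-password": re.compile(
        r"(?i)\b\w*(password|passwd|secret|token)\w*\s*[:=]\s*"
        r"[\"']([^\"'$]{8,})[\"']"),
}


def scan_history(history):
    """Return one finding per secret ever added, noting if HEAD still has it."""
    seen = {}
    for commit, path, diff in history:
        for line in diff.splitlines():
            sign, text = line[:1], line[1:]
            if sign not in ("+", "-"):
                continue
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    key = (path, rule, m.group(0))
                    if sign == "+":
                        seen.setdefault(key, {"rule": rule, "path": path,
                                              "introduced": commit})["in_head"] = True
                    elif key in seen:
                        seen[key]["in_head"] = False
    return list(seen.values())


def removed_but_exposed(findings):
    """Secrets deleted from the tip of the branch but still present in history."""
    return [f for f in findings if not f["in_head"]]


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f)
```

The key added in `c1` is reported even though `c2` removed it, which is why such a credential has to be rotated and not just deleted from the working tree.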
Securing Your CI/CD pipeline
Best Practice for CI/CD Security
- Embed security gates
The purpose of this is to detect security issues early and prevent them before they reach production, such as documented vulnerabilities, common misconfigurations, permissions etc.
- Avoid hardcoding secrets
When secrets are not hardcoded in the code, they can be easily changed without any modification to the code itself.
- Isolate configurations for dev, production, and non-production
The recommended approach is to place config variables in different files using use-case-specific naming conventions to avoid conflicts and crashes in both non-prod and prod environments.
- Implement explicit and private/protected variables
As global and implicit values in the code complicate refactoring and debugging, a recommended practice is to use explicit, private, protected and immutable variables.
- Restrict pipeline access with dedicated policies
It is recommended to restrict security policies and resource access to limited groups for enhanced security and trust.
- Implement logging and tracking
It is crucial to keep tabs on what went wrong and which part of the workflow is susceptible to attack vectors.
Why we use DAST
- Anyone on the internet can scan your app with a DAST tool and find vulnerabilities. They can use those vulnerabilities against you! It's true that this is not legal, but that isn't going to stop a malicious actor.
- DAST tools do not require a lot of setup time and can integrate into several stages of the software development life cycle.
- It doesn't require advanced cybersecurity knowledge to operate. Any developer can use it, even if they do not know anything about cybersecurity.
Conclusion
Software supply chain attacks are increasingly rampant. With the interconnectedness of modern business, coupled with the increasing rate of change in the software ecosystem, bad actors have plenty of attack points to target. This underscores the need to prevent successful vulnerability exploitation as much as possible. Using CircleCI, you can create workflows with jobs that perform vulnerability scans and provide advisories on codebases, open-source libraries, dependencies and other third-party tools. You can also detect IaC misconfigurations in infrastructure, securely build and deploy artifacts, and validate compliance stipulations in your CI/CD pipeline using a variety of automatic pipeline triggers.