NSA, CISA provide guidelines focused on safeguarding cloud CI/CD environments from malicious cyber hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released Wednesday a joint guidance on defending Continuous Integration/Continuous Delivery (CI/CD) environments. The Cybersecurity Information Sheet (CSI) provides recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors.

The cybersecurity agencies explain how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, regardless of the specific tools adopted, and draw on several forms of government guidance to collect and present appropriate security and privacy controls for hardening CI/CD cloud deployments. As evidenced by increasing compromises over time, software supply chains and CI/CD environments are attractive targets for malicious cyber actors.

Safeguarding and hardening the CI/CD infrastructure is essential for ensuring a strong cybersecurity posture for National Security Systems (NSSs); the Department of Defense (DoD); the Defense Industrial Base (DIB); federal, state, local, tribal, and territorial (SLTT) governments; and private sector information system owners.

“The virtual cloud environment relies on software, making development and delivery a crucial component of providing services in the cloud,” Dr. Ethan Givens, NSA’s Technical Director, Critical & Emerging Technologies, said in a media statement. “Failure to effectively defend the CI/CD pipeline can provide an attack vector that circumvents security policies and products.”

Software supply chains and CI/CD environments are attractive targets for malicious hackers, and because pipeline compromises are increasing, recognizing these threats matters. The agencies note that software development and delivery supply chains draw malicious cyber actors who can use these environments to compromise cloud deployments at any point in the automated software development and delivery lifecycle.

Common examples listed by the agencies include insecure first-party code that authorized developers check in but that contains security-related bugs not detected by either the developers or by security tooling. They also identify insecure third-party code that is compiled into a CI/CD pipeline from an external source, such as an open-source project. A further example is poisoned pipeline execution, where exploitation of a development, test, or production environment could allow the attacker to insert code of their choosing.

The agencies also list insufficient pipeline access controls, such as unauthorized access to source code repositories or build tools, and insecure system configurations, where infrastructure, network, and application settings are vulnerable to known exploitation techniques. They further cite the use of insecure third-party services created by an external individual or organization that intentionally or negligently has security vulnerabilities.

Lastly, the agencies list exposed secrets, resulting from security key compromise and insecure secrets management within the pipeline. Examples include hardcoding access keys or passwords into infrastructure as code (IaC) templates.
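As an added illustration of that last category, and not code from the CSI or from either agency: a small pre-commit style check in Python that flags literal credentials in a Terraform-style template and passes the same template once the values are moved to variables. Both templates and all credential values are constructed samples (the access key ID is AWS's own documented placeholder), and the regexes are assumptions about what a literal credential looks like, not a complete secrets scanner.

```python
import re
from typing import List, Tuple

# Patterns for credentials that should never appear literally in IaC.
# The first is the documented AWS access key ID format (AKIA + 16 upper-case
# alphanumerics); the second catches quoted literal assignments to
# password/secret/token-style attribute names. Both are assumptions for this demo.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("literal_credential",
     re.compile(r'(?i)\b(password|passwd|secret\w*|\w*token|api_key)\s*=\s*"[^"]+"')),
]

# A value pulled from a variable, data source, or interpolation is the hardened form.
REFERENCE = re.compile(r'=\s*"?\s*(var\.|data\.|local\.|\$\{)')


def find_hardcoded_secrets(iac_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, line) for each line with a literal credential."""
    findings = []
    for lineno, line in enumerate(iac_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank lines and comments are not config
        if REFERENCE.search(line):
            continue                      # value is a reference, not a literal
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, stripped))
                break                     # one finding per line is enough
    return findings


def template_is_clean(iac_text: str) -> bool:
    """True when the template carries no hardcoded credentials (a gate for CI)."""
    return not find_hardcoded_secrets(iac_text)


# Constructed sample: provider and database blocks with hardcoded credentials.
WEAK_TEMPLATE = """\
# constructed sample, values are placeholders
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  username = "admin"
  password = "Sup3rS3cret!"
}
"""

# Constructed sample: same deployment, credentials supplied via a role and a variable.
HARDENED_TEMPLATE = """\
provider "aws" {
  region = "us-east-1"
  # no access_key/secret_key here: the runner's IAM role supplies credentials
}

variable "db_password" {
  sensitive = true
}

resource "aws_db_instance" "app" {
  username = "admin"
  password = var.db_password
}
"""

if __name__ == "__main__":
    for lineno, kind, text in find_hardcoded_secrets(WEAK_TEMPLATE):
        print(f"line {lineno}: {kind}: {text}")
    print("hardened template clean:", template_is_clean(HARDENED_TEMPLATE))
```

Wired into a pre-commit hook or a pipeline stage, a non-empty result from find_hardcoded_secrets is what would fail the build before the template reaches the repository.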

Recommendations in the CSI for hardening CI/CD pipelines include best practices for authentication and access control, development environments and tools, and the development process as a whole. NSA and CISA recommend organizations and network defenders implement the mitigations in this CSI to reduce compromise of their CI/CD environments and create a challenging environment for malicious cyber actors.

The agencies also recommend organizations implement a zero trust approach, where no user, endpoint device, or process is fully trusted, which will help detect and prevent successful compromise of the environment. Organizational transition to zero trust can be aided by referencing CISA’s Zero Trust Security Maturity Model and NSA’s Advancing Zero Trust Maturity Throughout the User Pillar.

The latest guidance comes amid a host of CISA initiatives, including a call for public comment on a self-attestation form to be used by software producers. The agency also hosted the 2023 CISA SBOM-a-Rama public event to build on existing community-led work around the Software Bill of Materials (SBOM) on specific topics, and rolled out a binding operational directive to secure internet-facing networked devices and mitigate risk.
