
What is CI/CD Security and What Tools Do You Need to Do it?

Written by Chris Hughes, Chief Security Advisor at Endor Labs
Published on September 5, 2024

When we look at the software supply chain, much of the focus is on the output, the software artifacts we develop and deploy – and rightfully so. That said, a key part of the modern software supply chain attack surface is the underlying Continuous Integration/Continuous Delivery and Deployment (CI/CD) tooling and pipelines we utilize to facilitate software development and delivery. 

In this article, we will: 

  • Define CI/CD security
  • Discuss why it matters
  • Walk you through the tools that can help with CI/CD security

So let's dive in!

What is CI/CD security?

CI/CD represents a streamlined, automated pipeline designed to deliver new versions of software. This pipeline is key in integrating automation and continuous monitoring into the app development lifecycle. The primary objectives are to reduce human error, accelerate the development process, and ensure the consistent delivery of high-quality code.

However, it's important to understand that CI/CD pipelines often have few security controls out of the box. This gap can lead to the introduction of vulnerabilities and malware in software by malicious actors, which in turn can compromise the integrity, confidentiality, and availability of the application and its data.

CI/CD Security, also called Software Pipeline Security, is the series of security and compliance safeguards integrated into the building, testing, and deployment steps of your software factory. If code scanning tools help you secure the code itself, CI/CD Security helps you secure the pipelines that build and deploy that code. Ideally, these security measures don’t come at the expense of development speed or agility.

A great way to visualize the modern software supply chain comes from the Security Levels for Software Artifacts (SLSA):

[Figure: SLSA's framework addresses sources, builds, dependencies, and packages.]

Why does CI/CD security matter?

CI/CD security is crucial for making DevSecOps and modern software development work smoothly. If there’s a malicious attack or incident in your CI/CD environment or toolchain, it can cause a ripple effect, impacting the software you deliver and the environments it’s deployed to—whether that’s within your organization or out to your customers. Keeping CI/CD secure is essential to protect the entire process, from development to deployment.

We’re even seeing industry leaders such as NIST beginning to publish resources on securing CI/CD pipelines, such as their “Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines”.

NIST breaks down some main risk factors in Software Supply Chain Security (SSC) into three phases:

  1. Artifact, step, or actor compromise
  2. Propagation
  3. Exploitation 

CI/CD risks show up right in the first phase, where parts of the software development process, along with the toolchains and environments used to develop and distribute software, can be maliciously compromised. 

Malicious actors know the vulnerabilities associated with CI/CD pipelines, and they are increasingly targeting CI/CD environments in attempts to undermine the software development process and impact those downstream from it. 

Given this reality, hardening your pipelines is crucial for reducing risks to your CI/CD security. In large, complex software development environments, it’s not unusual to run into challenges such as shadow engineering and rogue repositories, gaps in security coverage of CI/CD toolchains/infrastructure, and compliance challenges. These problems often arise because of limited visibility and coverage in these areas.

As discussed above, challenges around shadow engineering and rogue repositories can make it difficult to understand the attack surface you’re looking to protect. It’s a bit like traditional shadow IT: engineering teams are often moving fast, setting up new infrastructure and tools without looping in the security team. This can make it difficult to keep track of everything and ensure it’s all secure.

The same goes for security coverage of the actual tools being put in your pipelines. Modern software security oriented around “shifting security left” can feel like an acronym soup, with tools such as SAST, SCA, IaC, and Secret Scanning. Each of these tools comes with its unique considerations, configurations, and the need to understand what tools are deployed and where.

While malicious activities are definitely a concern, another big risk is misconfigurations. Just like in cloud security, misconfigurations in CI/CD environments can lead to organizational risk and downstream impacts for those using your software. They also give attackers an easy way in. That’s where Repository Security Posture Management (RSPM) comes into play. It’s all about keeping an eye on and improving the security of your source code repositories by following industry best practices. This includes checking for common issues like unprotected branches, lack of MFA, and not following principles like least-privileged access—things that can all lead to serious risks if not handled properly. 

And let’s not forget about compliance—it’s becoming more important than ever. Policies and compliance frameworks are starting to put the spotlight on the software development process, as well as the infrastructure and tools that support it. For example, we’ve got frameworks like SLSA and NIST’s Secure Software Development Framework (SSDF), which is now being integrated into requirements like CISA’s Secure Software Development Attestation Form. This is a big deal, especially for software suppliers selling to the U.S. Federal Government, where these requirements are becoming mandatory.

Tools that can help 

So now that we understand what CI/CD security is and why it matters, what are some of the key tools that can help? 

At Endor Labs, we believe five core areas are key for CI/CD security, including:

  • Pipeline Discovery
  • Repository Security Posture Management
  • Secrets Detection
  • Code-to-Cloud Traceability
  • Artifact Signing

Pipeline discovery

When organizations look to add rigor and governance to their software development processes, one of the most crucial steps is simply knowing what you have. Just like how hardware and software inventory has always been a key control in frameworks like the CIS Critical Controls, the same idea applies here.

That’s where something like Pipeline Discovery becomes essential. It helps you see what tools developers are using in their pipelines across the organization and understand what gaps exist in your security coverage. 

The old saying, “you can’t protect what you don’t know exists” applies to your software development process as well. Having pipeline discovery lets you understand the pipelines within your enterprise environment and the associated tools running in those pipelines. 

Repository security posture management  

Another important factor to consider is the posture and configuration of your repositories. That’s where Repository Security Posture Management (RSPM) comes into play. Just like we have Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM), the posture of your repositories really matters (and yes, cybersecurity does love its acronyms).

There have been various efforts across the industry to address securing software repositories. Examples include OpenSSF’s “Scorecard” project and the collaboration between CISA and OpenSSF’s “Securing Software Repositories” Working Group, which released the “Principles for Package Repository Security”.
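The posture checks this article names (unprotected branches, lack of MFA, least-privileged access) can be expressed as rules over an inventory of repository settings. The following is an added example, not Endor Labs code; the record fields, the 90-day threshold and the sample repositories are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Collaborator:
    user: str
    role: str             # "read", "write" or "admin"
    days_since_push: int  # -1 means the account has never pushed

@dataclass
class Repo:  # hypothetical normalized export of repository settings
    name: str
    default_branch_protected: bool
    required_reviews: int
    mfa_enforced: bool
    collaborators: list = field(default_factory=list)

STALE_DAYS = 90  # assumed policy: write access unused for longer than this is excess

def audit(repo):
    findings = []
    if not repo.default_branch_protected:
        findings.append("unprotected-default-branch")
    elif repo.required_reviews < 1:
        findings.append("protected-but-no-required-review")
    if not repo.mfa_enforced:
        findings.append("mfa-not-enforced")
    for c in repo.collaborators:
        unused = c.days_since_push < 0 or c.days_since_push > STALE_DAYS
        if c.role in ("write", "admin") and unused:
            # Least privilege: the grant exceeds what the account actually uses.
            findings.append(f"excess-privilege:{c.user}:{c.role}")
    return findings

def audit_all(repos):
    """Map repo name -> findings, omitting repos that pass every check."""
    return {r.name: f for r in repos if (f := audit(r))}

# Constructed sample inventory.
SAMPLE = [
    Repo("payments-api", True, 2, True,
         [Collaborator("alice", "admin", 3), Collaborator("ci-bot", "write", 1)]),
    Repo("legacy-tools", False, 0, True, [Collaborator("bob", "admin", 400)]),
    Repo("infra-scripts", True, 0, False,
         [Collaborator("carol", "write", -1), Collaborator("dave", "read", -1)]),
]
```
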

Secrets detection

With the rise of cloud-native development, secret exposure and leaks have become a bigger risk. These may be things such as API keys, access tokens, service accounts, and other forms of credentials. According to reports like the Verizon DBIR, compromised credentials are still one of the top causes of security incidents. Attackers are getting crafty with these secrets, using them to break into environments, move around, and access sensitive data and systems. Endor Labs supports detecting secret leaks and can conduct activities such as scanning a specific code reference, scanning the complete history, and conducting scans during pre-commits.
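A pre-commit scan of the kind mentioned above looks only at the lines a change adds. The following is an added sketch, not Endor Labs code: it walks a unified diff, tracks new-file line numbers, and combines one known-format rule with an entropy filter; the rule set, the entropy threshold and the sample diff are assumptions.

```python
import math
import re
from collections import Counter

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(  # name = "value" where the name suggests a credential
    r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_MIN = 3.5  # bits per character; assumed cut-off that drops placeholders

# Constructed staged diff. The key ID is the example value from AWS documentation.
SAMPLE_DIFF = '''\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -10,3 +10,5 @@ REGION = "us-east-1"
 TIMEOUT = 30
-AWS_KEY = None
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "q7Zp2LxV9cRt4WmB8sKd3HfY"
+PASSWORD = "xxxxxxxxxxxxxxxxxxxx"
 RETRIES = 3
'''

def entropy(s):
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def redact(value):
    return value[:4] + "*" * (len(value) - 4)  # never echo the full secret into CI logs

def scan_diff(diff_text):
    """Return (file, new_line_no, rule, redacted_value) for secrets on added lines."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m := HUNK.match(line):
            lineno = int(m.group(1))
        elif line.startswith("+"):
            for m in AWS_KEY_ID.finditer(line):
                findings.append((path, lineno, "aws-access-key-id", redact(m.group())))
            for m in ASSIGNMENT.finditer(line):
                if entropy(m.group(1)) >= ENTROPY_MIN:
                    findings.append((path, lineno, "high-entropy-assignment", redact(m.group(1))))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1  # context lines advance the new-file line counter too
    return findings
```

Removed lines are skipped on purpose: a secret deleted in this change is still present in earlier commits, which is why a scan of the complete history is a separate activity.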

Code-to-Cloud traceability 

Code-to-Cloud traceability is key in ensuring the integrity and security of software supply chains. By tracing the origin, movement, and ownership of software components throughout the development lifecycle, organizations can build trust with customers and stakeholders. With Code-to-Cloud traceability, developers can quickly identify and address vulnerabilities before they're exploited, ensuring compliance with regulations and mitigating supply chain risks. 

At Endor Labs, we know how crucial it is to automate vulnerability remediation. When a cloud or container security tool like Wiz flags an issue, our expertise helps us to trace the affected container back to its source. This lets us quickly assign tickets for the identified vulnerabilities, helping to cut down the Mean Time To Resolve (MTTR) for security problems.

Cloud-to-Code traceability with Endor Labs

Artifact signing

Last but not least is artifact signing, or in other words, how do you know the integrity of the build process hasn’t been compromised? This involves signing software artifacts to confirm they’re authentic and haven’t been tampered with.

This is a best practice for software and supply chain security from sources such as CNCF, NIST, OWASP, and several others, to make sure your build processes are secure. 

At Endor Labs, we make this easy by signing packages and containers with detailed provenance information. This covers not just the artifact itself but also the source code repository, branch, code commit, and even the repository owner. This kind of information is crucial for knowing who was involved in the development and delivery process and what systems were used, and it’s incredibly helpful for incident response, triage, and staying compliant with regulations.

Artifact signing with Endor Labs
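How a consumer checks a signed provenance record that binds an artifact to its repository, branch, commit and owner, as an added example that is not Endor Labs code. HMAC-SHA256 from the standard library stands in for the asymmetric signature a real signer would use, and the envelope layout, key, policy and sample values are assumptions.

```python
import hashlib
import hmac
import json

def canonical(obj):
    # Stable byte encoding so signer and verifier authenticate identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_provenance(artifact, source, key):
    """Bind the artifact digest to its source fields, then authenticate the statement."""
    statement = {"subject_sha256": hashlib.sha256(artifact).hexdigest(), "source": source}
    tag = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": tag}

def verify(artifact, envelope, key, policy):
    """Return a list of failures; an empty list means the artifact is accepted."""
    stmt = envelope["statement"]
    expected = hmac.new(key, canonical(stmt), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return ["bad-signature"]  # trust nothing in an unauthenticated statement
    failures = []
    if hashlib.sha256(artifact).hexdigest() != stmt["subject_sha256"]:
        failures.append("digest-mismatch")  # valid record, but for different bytes
    for name, allowed in policy.items():
        if stmt["source"].get(name) not in allowed:
            failures.append("policy:" + name)  # built from a source we do not accept
    return failures

# Constructed sample values (hypothetical repository, placeholder commit id).
KEY = b"constructed-demo-key"
ARTIFACT = b"constructed build output"
SOURCE = {
    "repository": "example-org/payments",
    "branch": "main",
    "commit": "0123456789abcdef0123456789abcdef01234567",
    "owner": "example-org",
}
POLICY = {"repository": {"example-org/payments"}, "branch": {"main"}, "owner": {"example-org"}}
```

The order matters: the signature is checked before any field is read, so a record whose branch was edited after signing fails as `bad-signature` rather than passing the branch policy.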

Book a demo to discuss your use cases or start a free trial where you can explore the Endor Labs Software Supply Chain Security platform in a pre-populated demo environment and with your own projects.
