
NIST offers solid guidance on software supply chain security in DevSecOps

A compromise of any of these steps, as well as of the underlying CI/CD environments and platforms, can have a downstream impact on the integrity of the software artifacts that are produced and distributed.
Organizations must take security measures for both internally developed (first-party) code and third-party components, such as open source software, which increasingly make up the majority of modern software, at least from a source code perspective.

Organizations are ultimately looking to ensure that attackers can't tamper with the software production process, introduce malicious software updates, or compromise the integrity of CI/CD pipeline artifacts and actions. NIST provides the table below showing the artifacts that need to be trusted in typical CI/CD environments, as well as the repository each artifact generally resides in or depends on:

| Artifact | Repository |
| --- | --- |
| First-party code (source code or binary) | SCM |
| Third-party code (open source or commercial) | Artifact managers for language, container, etc. |
| Builds | Build repository |
| Packages | Package repository |

Software supply chain security in CI/CD pipelines

Now that we've discussed some of the background, security goals and entities involved in trusted CI/CD pipelines, let's take a look at some of the specific SSC security activities that NIST emphasizes in its guidance.


It should come as no surprise that NIST evangelizes zero-trust principles here as well, given its publication of SP 800-207, "Zero Trust Architecture". The recommendations cited include defining roles for system operators, mapped to specific permissions, and implementing least-privileged access aligned with the concept of role-based access control (RBAC). Activities like these limit the damage should a particular actor's account or assets be compromised.

NIST also recommends automating the use of SAST and DAST, as well as declaratively defining the development and deployment of application code and CI/CD activities through techniques such as infrastructure-as-code (IaC) and policy/configuration-as-code, which can specify runtime settings for security and compliance purposes. The workflows of CI/CD pipelines must also be secure, including builds, the push/pull of artifacts from repositories, and software updates or code commits.

NIST recommendations for builds

On the build front, recommendations include key activities such as specifying build policies, using isolated build platforms, and defining permissions for those performing build activities. Organizations should also make use of policy enforcement engines and ensure that evidence and attestations of a secure build process are produced during the software build.


These may include attestations for the environment, process, materials, and artifacts involved. NIST recommends the use of hashing to cover the final build artifact, the files and libraries that went into it, and the events that produced it.

There's then a recommendation to sign the attestation and securely store it where it can be used to demonstrate policy compliance. Doing so helps show that the software was built by authorized entities and tools, in alignment with defined policies and compliance requirements.

In addition to the need for secure build activities, NIST also recommends securing pull/push operations on SCM repositories. This covers the pull of code from repositories by developers, its modification, and the push of code back to the repository, each of which presents an opportunity for tampering. Recommendations include automated security checks on artifacts, ensuring confidence in the origin of the source code, and requiring explicit approval for all external collaborators looking to push to and pull from a repository.


Bad actors slip malicious code into repositories

The image below from Francois Proulx shows the various actions a malicious actor can take to gain unauthorized access to a GitHub repository and submit malicious code to it.

[Image: NIST demonstrates how a malicious actor can take various actions to gain unauthorized access to a GitHub repository. Credit: Francois Proulx]

Among its other key recommendations, NIST advises maintaining the integrity of evidence generation during software updates, securing code commits, and securing workflows in CD pipelines. Attackers may look to erase or tamper with software update trails to hinder investigation and detective controls.

In addition, to ensure that code commits don't introduce malicious or vulnerable code, NIST recommends the use of SAST/DAST tooling in CI/CD pipelines with broad language coverage, and the use of SCA tooling to verify the security of OSS components and dependencies.

Since CD pipelines revolve around workflows, and many modern environments make use of technologies such as containerization, NIST recommends verifying that the containers being deployed were actually generated by the defined build process and have been scanned for vulnerabilities in line with the organization's vulnerability management requirements.

Finally, given the many high-profile secret exposures the industry has seen lately, NIST recommends that organizations scan for the presence of secrets in code, such as keys or access tokens, which could otherwise be abused by malicious actors.
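The secrets scan just mentioned is typically a mix of known-format rules (key block headers, vendor token prefixes) and an entropy heuristic for generic `secret = "..."` assignments. The Go scanner below is an added example for this article, not a real tool's code; the rule set and the constructed `sample` input are assumptions, and the 3.5 bits/char threshold is an illustrative cut-off.

```go
package main

import (
	"math"
	"regexp"
	"strings"
)
// Finding is one suspected secret: the 1-based line number and the rule that fired.
type Finding struct{ Line int; Rule string }
// sample is constructed input for this example; the AKIA value is AWS's own documentation example, not a live key.
const sample = `const dbHost = "db.internal.example"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "s3cr3tK3yXyZ9AbCdEfGhIjKlMnOpQr"
-----BEGIN RSA PRIVATE KEY-----
password = "password_password"`
// Format rules, constructed for this example; real scanners ship far larger sets.
var rules = map[string]*regexp.Regexp{
	"private-key-block": regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
	"aws-access-key-id": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
}
// assignment catches secret/token/password/api_key = "..." literals of 16+ characters.
var assignment = regexp.MustCompile(`(?i)\b(secret|token|password|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})`)
// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]float64{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len(s))
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}
// Scan runs the format rules on every line and reports assignments whose value looks random
// (entropy above 3.5 bits/char), so a placeholder like "password_password" is not reported.
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for name, re := range rules {
			if re.MatchString(line) {
				out = append(out, Finding{i + 1, name})
			}
		}
		if m := assignment.FindStringSubmatch(line); m != nil && entropy(m[2]) > 3.5 {
			out = append(out, Finding{i + 1, "high-entropy-assignment"})
		}
	}
	return out
}
```

Running `Scan(sample)` reports lines 2, 3 and 4 (access key ID, high-entropy API key, private key block); the low-entropy placeholder on line 5 is deliberately left alone, which is the trade-off every entropy-based rule makes.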
