Service Overview
Continuous Integration/Continuous Deployment (CI/CD) is a core methodology in modern software development. However, it also introduces security risks that can broaden the attack surface and enable new potential exploitation paths. This assessment examines the configuration of the CI/CD chain, including its high-level architecture, permissions, dependencies, secret management, access control, and overall security posture. This allows CYE to provide recommendations and mitigation steps to enhance the security of the entire CI/CD environment.
Methodology
The evaluation includes both a white-box review of CI/CD components and gray-box testing, such as privilege escalation attempts or unauthorized access to data and infrastructure. CYE provides actionable recommendations and mitigation steps to strengthen the CI/CD environment's security posture and improve overall maturity.
Deliverables
All discovered findings are shown in Hyver, CYE’s Continuous Threat Exposure Management (CTEM) platform
Recommendations for continuous improvement and actionable guidance on continuous monitoring and security enhancement
Prerequisites
Before starting the assessment, the following are required:
A direct communication channel with relevant stakeholders in the organization (e.g., DevOps, IT, R&D team leaders). This communication channel should be established before the project begins
A kickoff meeting two weeks before the project begins
A high-level workflow diagram illustrating the process from development to deployment. If no diagram exists, one will be created in collaboration with the relevant technical entities (DevOps, IT, R&D team leaders or representatives) of the organization during the kickoff meeting
Two accounts are needed to perform the assessment: A standard user account and a privileged account, as described below:
Standard User Account:
A full copy of a non-privileged internal developer (and third-party developer, if applicable) for each main product
This user should have a non-elevated account, which will be used for gray-box testing.
Required Permissions:
Read and Write permissions for all relevant repositories of the product
Read and Execute permissions for all relevant pipelines in the CI solution
Privileged User Account:
Full read access and permissions to all CI/CD components
This account will be used for the white-box evaluation of the CI/CD process.
Table 1.1 represents the most common systems, tools, and permissions that are part of this engagement.
Additional Materials:
Access to CI/CD pipeline configurations and associated repositories
A guided walkthrough of the CI/CD pipeline architecture
Supporting documentation, if available
Customer Engagement
To support a successful assessment, the client is expected to:
A kickoff meeting two weeks before the project begins
Grant access to pipeline configurations and related repositories
Provide a guided walkthrough of the client’s CI/CD pipeline architecture
Collaborate with our assessment team to answer queries and address specific concerns
Allocate the necessary resources for implementing recommended security enhancements
Relevant Standards
The methodology is based on the following:
NIST Cybersecurity Framework
OWASP Top 10 CI/CD Security Risks
Center for Internet Security (CIS) Critical Security Controls
Security Domains Covered
Cross organization policies, procedures and governance
Security operations, monitoring and incident response
Identity management and remote access
Sensitive data and information management
Appendix
Table 1.1
Category | System | Settings/Permissions Needed | Permission Level |
CI |
|
|
|
CI Tools | Jenkins | Job configurations, security settings, plugins, credentials, system settings | Admin |
CI Tools | CircleCI | Project settings, environment variables, contexts, security policies | Admin |
CI Tools | Travis CI | Repository settings, environment variables, build configurations, security settings | Admin |
CI Tools | Drone IO | Repository settings, secrets, pipeline configurations, security settings | Admin |
CI\CD |
|
|
|
CI/CD Tools | AWS CodePipeline | Pipeline configurations, action settings, permissions, security policies | Admin |
CI/CD Tools | Azure DevOps | Project settings, pipeline configurations, variable groups, security policies | Admin |
SAST\DAST |
|
|
|
Code Quality | SonarCloud | Project settings, scan results, issues, quality gates, organization settings | Admin |
Configuration Management |
|
|
|
Configuration Management | Ansible | Projects, inventories, templates, playbooks, configuration files | Admin |
Container Registry |
|
|
|
Container Registry | AWS ECR | Repositories, images, repository policies, tags | Admin |
GitOps |
|
|
|
GitOps | Flux CD | Kubernetes cluster settings, namespaces, deployments, GitOps configurations | Admin |
Identity Management |
|
|
|
Identity Management | OKTA | Security policies, user roles, application configurations, organization settings | Super Admin/Org Admin
|
Identity Management | OneLogin | Security policies, user roles, application configurations, organization settings | Super Admin/Org Admin
|
Infrastructure as Code | Terraform | Workspaces, state files, configurations, workspace settings, variable sets, policy checks | Super Admin/Org Admin
|
CWPP\CSPM |
|
|
|
Security Tools | Wiz | Account configurations, security policies, security alerts, compliance reports | Admin |
SCM |
|
|
|
Source Control | GitHub | Repository settings, branch protection rules, secrets, organization settings | Admin |
Source Control | GitHub | Github script | GIthub RO API key |
Source Control | Bitbucket | Repository settings, branch permissions, security settings, access keys | Admin |
Source Control | GitLab | Project settings, CI/CD configurations, secrets, security settings | Admin |