As engineering becomes increasingly fast-paced, dynamic and influential across organizations, AppSec must evolve. Agile development methodologies — such as continuous integration and continuous development (CI/CD) pipelines — are commonplace in this modern cloud-native development landscape. But these technologies are outside the purview of traditional AppSec programs, and attackers have taken note. CI/CD pipelines are now viewed as a relatively easy target by cloud threat actors.
CI/CD pipelines are responsible for a wide range of mission-critical workflows, have access to sensitive information (like secrets) and are mostly overlooked by security teams. For these reasons, cloud attacks targeting engineering environments have grown rapidly both in magnitude and severity.
Recent incidents make it clear that a single unsecure step in your CI/CD pipeline can have an outsized impact on your organization. For example, some major incidents involved compromised Git infrastructure, such as in the PHP incident — or leaked customer secrets, like the Codecov incident.
Other incidents — such as SolarWinds, in which a bad actor used the CI system to spread malware to 18,000 clients — point to the significant blast radii of CI/CD-based attacks. It’s no coincidence that the CircleCI incident is one of the largest cloud attacks to date in terms of potential impact and organizations involved.
Given the major consequences of cloud attacks, it’s time to think differently about how we approach application security for cloud-native apps.
With the shift-left movement, we’re seeing more security teams collaborating with engineers in an effort to reduce runtime misconfigurations and vulnerabilities. While this helps organizations move beyond reacting to runtime incidents, it isn’t enough to reduce the application attack surface.
We must give engineers the information they need to avoid mistakes and protect their environment from compromise. With this training, organizations can enable their engineers to ship apps that are secure by default.
At its core, effective AppSec in modern organizations is about maintaining engineering velocity without compromising on risk management.
An effective AppSec program can be divided into three simple steps:
Before we look at each step, it’s important to remember that engineering is a jungle of languages, artifacts, repos and pipelines. Preserving these relationships is critical when deciphering attack pathways throughout the application lifecycle. For this reason, we use a security graph to apply the SIP, SOP and SAP framework.
Addressing insecure code is the first step. This requires mapping everywhere we store code and all the languages and frameworks we use. Mapping needs to be done continuously, to account for the dynamic nature of the engineering ecosystem.
We must also evaluate all the deployed security tools — such as infrastructure as code (IaC) scanning, secrets scanning, SAST, etc. — and ensure that the right scanner is looking at the right code repo. The reality is that every scanner has its own output, so all these signals need to be normalized for an accurate risk score and actionable alerting.
Historically, cloud breaches happened in two ways. Bad actors could take advantage of exposure via open pathways, SQL injections, RCE vulnerabilities, resource abuse, etc. Or, they could find a way to run malware in production.
An alphabet soup of security solutions — such as web application firewalls (WAFs), cloud security posture management (CSPMs), endpoint detection and response (EDRs), etc. — now exist to protect against these risks. But these technologies neglect the complete engineering ecosystem and don’t provide the full protection cloud-native organizations need to be resilient in the cloud.
Implementing posture management of pipeline systems is the next crucial step. From source control to artifact and container repositories, attackers are finding misconfigurations in these systems to exploit. Source control management (SCM), CI platforms and developer workstations all need to be securely configured to achieve the goal of establishing and maintaining security of the pipeline.
Let’s say we have a production environment connected to a CI/CD pipeline. In this environment, the code and artifacts continuously flow from a DevOps workstation to runtime. The final step to secure this environment involves setting up flow control mechanisms.
The goal with these mechanisms is to ensure that no single human or machine user can directly connect to and modify cloud resources. For example, with the correct guardrails in place, a single user can’t connect directly to Kubernetes to ship a malicious container. They also won’t be able to directly modify any cloud resources, which would introduce cloud infrastructure drift.
This final step is to ensure that your new golden pipeline isn't bypassed. To pressure test this, answer these two questions:
This three-step model helps organizations build scalable AppSec workflows in the cloud. Once organizations achieve optimal visibility and governance over their engineering ecosystem, it’s important to test realistic attack scenarios to measure your program’s effectiveness.
Attackers know engineering workstations are an easy way to obtain access to an organization’s secrets and the crown jewels that those secrets unlock. Incidents like the CircleCI event highlight the significant role the engineering ecosystem now plays in an organization’s attack surface.
For 2023, security and risk leaders should prioritize hardening CI/CD systems and processes as they begin to rearchitect their AppSec programs to account for the changing threat landscape.
This will be my focus as I help Prisma Cloud users build effective cloud AppSec workflows. Achieving code-to-cloud observability over the engineering ecosystem will enable security teams to detect, investigate and respond to risks before they become significant incidents.
Once you’ve implemented the SIP, SOP, SAP framework in your organization, it’s important to test your CI/CD pipeline’s security with different attack scenarios. Read this technical guide on the Top 10 CI/CD Security Risks to learn which attack vectors to prioritize as you test your organization’s CI/CD security.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.