In the previous article, I suggested you identify the components of your infrastructure involved in your CI/CD pipeline. Why? Because you can't protect something that you don't know. First, you need to know all the assets in your environment and document them.
A short example:
Servers inventory: hostname, network information, location, responsible for the asset, purpose, and so on.
Applications: name, purpose, integrations and interactions, version, vendor, responsible, where does it run, and so on.
Processes: if you have a process it needs to be documented.
People: how are your people organized? Which departments? What are their tasks? What are the minimum permissions they need to comply with it?
It might be helpful to ask yourself:
What is it?
What is it for?
Who uses it
Who is responsible for it?
What does it need to function right?
Where is it located (off/on-premise)?
Has any quality and security standard?
All this may sound boring and unnecessary. Boring? It may be; unnecessary? Ever.
What difference does it make?
I will not dwell on this matter because this is not the main objective of the series, but here are some differentiating points:
It gives you control over your assets and makes them more manageable.
Easy and organized scaling.
Everyone saves time because they don't have to research and request information for every project or activity they require. They simply refer to the inventory or documentation and that's it.
Knowing your infrastructure and assets in detail allows you to focus solely on what interests you: how to protect your environment and create a threat map:
Threat Modeling and Map Threats
Keep this in mind: each step in the CI/CD pipeline is a door, and it's your responsibility to keep it closed. First, we drew the house to then look for doors (or windows) to enter the house. Once found, we will try to keep them closed.
Let's tie together what we learned in the first article with what we see in this one to get started with threat modeling. We already know the big picture of a CI/CD pipeline (source → CI → CD -delivery and/or deployment → step to production). Now put your inventory and documentation process assets into the CI/CD pipeline (think of it like a puzzle: drag and drop). With each piece in place, you know what you need to protect and can start to focus on how.
Your task: time to be - or think like - a bad boy. Find out how a vulnerability could go into production and how an attacker could compromise your environment through your CI/CD pipeline. This is how you can start thinking about a threat model. In the following article, we will pick up where we left off and compare your results with our third article on asset protection.