Secure CI/CD Series - Assets and Risk map

In the previous article, I suggested you identify the components of your infrastructure involved in your CI/CD pipeline. Why? Because you can't protect something that you don't know. First, you need to know all the assets in your environment and document them.

A short example:

• Servers inventory: hostname, network information, location, responsible for the asset, purpose, and so on.

• Applications: name, purpose, integrations and interactions, version, vendor, responsible, where does it run, and so on. 

• Processes: if you have a process it needs to be documented.

• People: how are your people organized? Which departments? What are their tasks? What are the minimum permissions they need to comply with it?

It might be helpful to ask yourself:

• What is it? 

• What is it for?

• Who uses it

• Who is responsible for it?

• What does it need to function right? 

• Where is it located (off/on-premise)? 

• Has any quality and security standard?

All this may sound boring and unnecessary. Boring? It may be; unnecessary? Ever.

What difference does it make?

I will not dwell on this matter because this is not the main objective of the series, but here are some differentiating points:

• It gives you control over your assets and makes them more manageable.

• Easy and organized scaling.

• Everyone saves time because they don't have to research and request information for every project or activity they require. They simply refer to the inventory or documentation and that's it.

• Knowing your infrastructure and assets in detail allows you to focus solely on what interests you: how to protect your environment and create a threat map:

Threat Modeling and Map Threats

Keep this in mind: each step in the CI/CD pipeline is a door, and it's your responsibility to keep it closed. First, we drew the house to then look for doors (or windows) to enter the house. Once found, we will try to keep them closed.

Let's tie together what we learned in the first article with what we see in this one to get started with threat modeling. We already know the big picture of a CI/CD pipeline (source → CI → CD -delivery and/or deployment → step to production). Now put your inventory and documentation process assets into the CI/CD pipeline (think of it like a puzzle: drag and drop). With each piece in place, you know what you need to protect and can start to focus on how.

Your task: time to be - or think like - a bad boy. Find out how a vulnerability could go into production and how an attacker could compromise your environment through your CI/CD pipeline. This is how you can start thinking about a threat model. In the following article, we will pick up where we left off and compare your results with our third article on asset protection.

Secure CI/CD Series - Intro

The goal of this series is to inform you about all the elements involved in the process of securing a CI/CD pipeline and help you to take the right steps. We will explore the main topic throughout articles every two weeks. 

First things first

The golden rule is you can’t protect something that you don’t even know about (it will be the central axis of our next article). So, first of all, let’s recall what CI/CD is so that it is possible to start thinking about how to secure it. 

CI/CD stands for Continuous Integration, Continuous Delivery, and/or Continuous Deployment. It basically is a set of techniques or a method intended to improve the software development process so that it can be possible to deliver builds faster and in a more efficient way. CI must ensure that the code input is tested and bugless and then send it to the CD where it will be tested in the hardest way and, if it’s all good, the build will be ready to manually deployment (in a Continuous Delivery scheme) or it will be directly deployed (in a Continuous Deployment scheme)

It’s worth saying that this is a general explanation due we assume that if you are reading how to secure a CI/CD pipeline, you already know what it is.

What a Secure CI/CD includes?

The CI/CD pipelines themselves came about to improve the way the software development process was carried out. In the old days, the development process consisted of sporadic, gigantic commits without as much testing, while a new build was released infrequently. Today, the trend of using CI/CD is to make small changes through more commits per day, which is more manageable allowing bugs and vulnerabilities to be detected and remediated more easily.

While it is true that one of the CI/CD focuses is security in terms of code (preventing and detecting known vulnerabilities when coding), that is just the tip of the iceberg in terms of a secure CI/CD pipeline.

The process of securing a CI/CD pipeline involves many other things besides the code. It involves the whole picture in a transversal way: 

• Programmer habits and routines

• Coding best practices

• IDEs and plugins used to code in a secure way

• Infrastructure security (servers, workstations, PaaS and SaaS security)

• Automations tools used by Continuous Integration and Continuous Delivery/Deployment

• Identity Access Management and secure authentication

• Security management

• Step to production and actively monitoring

The first conclusion is the pipeline must be monitored and secured from end to end. And there is a difference between securing the code through the CI/CD pipeline and securing the CI/CD pipeline itself.

Why should a CI/CD pipeline be secured? When is it important?

This is important if you care about the CIA triad, your long-term business budget, your clients, your reputation, and most of all if you value your time. Now that we've established why it's important, in future articles we'll look at different recommendations to cover these topics, such as Identity Access Management, infrastructure security, repository policies, threat mapping, and even developer best practices.

Exercise for the next article

I would like to give you the first exercise heading to the next article.

You must identify the components of your infrastructure and every step into your CI/CD pipeline, from start to end. Try to break each activity into several smaller ones, down to the atom.

חיפוש עבודה בתחום אבטחת מידע למתחילים

איך מתחילים?

אני רוצה לעבוד בתחום אבטחת המידע בגלל המון סיבות, כמובן צריך לדעת אותם ולהישתמש בהם נכון בריאיון העבודה.
סיימתי קורס בתחום אבטחת מידע והסייבר, מצויין!
עדכנתי את הקורות חיים עם הקורס החדש ועכשיו צריך למצוא מקום עבודה, איפה מחפשים?

התשובה היא מאוד פשוטה! בכל האמצעים הקיימים שעומדים לרשותנו, הרשתות החברתיות נותנות לנו שפע של מקורות למציאת עבודה.

איך מתחילים 2?

דבר ראשון, חשוב להשתמש בסוכן החכם ולקבל התראות למייל!

דבר שני, קורות החיים חייבים להיות גם באנגלית.

רשימת אתרים מומלצים לחיפוש:

https://www.drushim.co.il/

https://www.jobnet.co.il/

https://www.drushim.co.il/

https://www.jobmaster.co.il/

https://www.glassdoor.com/index.htm

https://woo.io/candidates/candidate

https://il.indeed.com/

קבוצות מומלצות ב Facebook:

כל אנשי ההייטק הישראלי

משרות אבטחת מידע

הקבוצה ‏‎Israel Cyber Security‎

"דרושים" בענף הסייבר ואבטחת מידע בישראל

משרות הייטק בין חברים, לפני שמתפרסמות בחברות כ"א
משרות הייטק - ללא ניסיון

קבוצות מומלצות בטלגרם:

Israel Cyber Jobs

בסייבר עובדים בכייף

Log-On Software- משרות בהייטק

איך מתחילים הדבר הבא?

מומלץ מאוד לעדכן פרופיל בלינקדאין, מקבלים המון פניות וחשוב לייצר רשת קשרים עיסקית.

דוגמא לפרופיל הלינקדאין שלי - Linkedin Oren Ben Shalom.
בהצלחה!

. . . והכי חשוב, לא להתייאש!