Monday, March 7, 2022

Secure CI/CD Series - Assets and Risk map

In the previous article, I suggested you identify the components of your infrastructure involved in your CI/CD pipeline. Why? Because you can't protect something that you don't know. First, you need to know all the assets in your environment and document them.


A short example:

  • Servers inventory: hostname, network information, location, responsible for the asset, purpose, and so on.

  • Applications: name, purpose, integrations and interactions, version, vendor, responsible, where does it run, and so on. 

  • Processes: if you have a process it needs to be documented.

  • People: how are your people organized? Which departments? What are their tasks? What are the minimum permissions they need to comply with it?


It might be helpful to ask yourself:

  • What is it? 

  • What is it for?

  • Who uses it

  • Who is responsible for it?

  • What does it need to function right? 

  • Where is it located (off/on-premise)? 

  • Has any quality and security standard?


All this may sound boring and unnecessary. Boring? It may be; unnecessary? Ever.


What difference does it make?

I will not dwell on this matter because this is not the main objective of the series, but here are some differentiating points:

  • It gives you control over your assets and makes them more manageable.

  • Easy and organized scaling.

  • Everyone saves time because they don't have to research and request information for every project or activity they require. They simply refer to the inventory or documentation and that's it.

  • Knowing your infrastructure and assets in detail allows you to focus solely on what interests you: how to protect your environment and create a threat map:


Threat Modeling and Map Threats

Keep this in mind: each step in the CI/CD pipeline is a door, and it's your responsibility to keep it closed. First, we drew the house to then look for doors (or windows) to enter the house. Once found, we will try to keep them closed.


Let's tie together what we learned in the first article with what we see in this one to get started with threat modeling. We already know the big picture of a CI/CD pipeline (source → CI → CD -delivery and/or deployment → step to production). Now put your inventory and documentation process assets into the CI/CD pipeline (think of it like a puzzle: drag and drop). With each piece in place, you know what you need to protect and can start to focus on how.


Your task: time to be - or think like - a bad boy. Find out how a vulnerability could go into production and how an attacker could compromise your environment through your CI/CD pipeline. This is how you can start thinking about a threat model. In the following article, we will pick up where we left off and compare your results with our third article on asset protection.


Sunday, February 20, 2022

Secure CI/CD Series - Intro

The goal of this series is to inform you about all the elements involved in the process of securing a CI/CD pipeline and help you to take the right steps. We will explore the main topic throughout articles every two weeks. 


First things first

The golden rule is you can’t protect something that you don’t even know about (it will be the central axis of our next article). So, first of all, let’s recall what CI/CD is so that it is possible to start thinking about how to secure it. 

CI/CD stands for Continuous Integration, Continuous Delivery, and/or Continuous Deployment. It basically is a set of techniques or a method intended to improve the software development process so that it can be possible to deliver builds faster and in a more efficient way. CI must ensure that the code input is tested and bugless and then send it to the CD where it will be tested in the hardest way and, if it’s all good, the build will be ready to manually deployment (in a Continuous Delivery scheme) or it will be directly deployed (in a Continuous Deployment scheme)

It’s worth saying that this is a general explanation due we assume that if you are reading how to secure a CI/CD pipeline, you already know what it is.



What a Secure CI/CD includes?

The CI/CD pipelines themselves came about to improve the way the software development process was carried out. In the old days, the development process consisted of sporadic, gigantic commits without as much testing, while a new build was released infrequently. Today, the trend of using CI/CD is to make small changes through more commits per day, which is more manageable allowing bugs and vulnerabilities to be detected and remediated more easily.

While it is true that one of the CI/CD focuses is security in terms of code (preventing and detecting known vulnerabilities when coding), that is just the tip of the iceberg in terms of a secure CI/CD pipeline.


The process of securing a CI/CD pipeline involves many other things besides the code. It involves the whole picture in a transversal way: 

  • Programmer habits and routines

  • Coding best practices

  • IDEs and plugins used to code in a secure way

  • Infrastructure security (servers, workstations, PaaS and SaaS security)

  • Automations tools used by Continuous Integration and Continuous Delivery/Deployment

  • Identity Access Management and secure authentication

  • Security management

  • Step to production and actively monitoring


The first conclusion is the pipeline must be monitored and secured from end to end. And there is a difference between securing the code through the CI/CD pipeline and securing the CI/CD pipeline itself.


Why should a CI/CD pipeline be secured? When is it important?

This is important if you care about the CIA triad, your long-term business budget, your clients, your reputation, and most of all if you value your time. Now that we've established why it's important, in future articles we'll look at different recommendations to cover these topics, such as Identity Access Management, infrastructure security, repository policies, threat mapping, and even developer best practices.


Exercise for the next article

I would like to give you the first exercise heading to the next article.


You must identify the components of your infrastructure and every step into your CI/CD pipeline, from start to end. Try to break each activity into several smaller ones, down to the atom.