Posted by Anne-Marie Avalon
July 13, 2023
Securing the Backbone of Software Development with Secrets Management
CI/CD pipelines, the lifeblood of today’s software development, are becoming increasingly crucial for organizations of all sizes. However, the strength of this backbone hinges on the security we wrap around it. That is the focus of this post, “Aligning CI/CD Pipeline Security with the NSA & CISA Guidance.”
In this post, we’ll dissect the recent NSA and CISA guidelines and reveal how to align your CI/CD pipeline security with their advice. Additionally, we’ll spotlight the critical role of managing secrets within your pipelines. You’ll learn how SaaS Secrets Management is a significant game-changer in this endeavor.
Before we dive into the deep end, it is useful to acquaint ourselves with a few key terms in CI/CD pipeline security.
CI/CD & DevSecOps: A Shared Lexicon
To ensure clarity and comprehension, let’s kick off by defining a few key terms:
- CI/CD Pipeline: This is a component of a broader toolchain that includes continuous integration, version control, automated testing, delivery, and deployment. It automates the integration and delivery of applications and allows organizations to deploy applications swiftly and efficiently.
- Development Operations (DevOps): This is a set of practices that merges software development and information technology (IT) operations. The primary goal of DevOps is to shorten the systems development lifecycle, thereby facilitating continuous delivery with high software quality.
- DevSecOps: An evolution of DevOps, DevSecOps incorporates elements of development (Dev), security (Sec), and operations (Ops) in the software systems process. This integrated approach considerably reduces the time from identifying a need to the availability of the capability. As a result, it supports continuous integration and continuous delivery (CI/CD) while maintaining a high standard of software quality.
- Malicious Cyber Actors (MCAs): These are the proverbial wolves in the digital landscape. They engage in unauthorized access, data breaches, or system disruptions, often targeting CI/CD pipelines.
Now that we have some common ground, let’s delve into the threats that organizations must guard against.
Threat Landscape: Knowing Your Digital Adversaries
The NSA and CISA have pointed out several common threats that organizations should be alert to:
- Insecure Code: MCAs can exploit code vulnerabilities to gain unauthorized access or execute malicious activities.
- Poisoned Pipeline Execution: The insertion of malicious code or unauthorized changes into the CI/CD pipeline, resulting in compromised software builds or deployments.
- Insufficient Pipeline Access Controls: Weak or improperly configured access controls may allow unauthorized individuals to manipulate the pipeline.
- Insecure System Configuration: Poorly secured or misconfigured CI/CD infrastructure components might be exploited by MCAs.
- Usage of Third-Party Services: Insecure or compromised third-party services integrated into the CI/CD pipeline could lead to data breaches or unauthorized access.
- Exposure of Secrets: The accidental exposure or insecure management of sensitive information, such as API keys, credentials, or encryption keys.
Understanding these threats and counteracting them with appropriate security measures is crucial for any organization. Having looked at the threats, it’s time we turn our attention to some of the scenarios where they play out.
To comprehend the real-world implications of the above threats, CISA and the NSA listed possible scenarios within the CI/CD pipeline to consider:
Scenario 1: MCAs acquire a developer’s credentials to access a Git repository service. These credentials could be in the form of stolen personal tokens, SSH keys, browser cookies, or login passwords. An MCA typically targets one of three things: valid accounts for a source code repository, valid accounts for a CI/CD service, or valid admin accounts for a server hosting a source code repository.
Scenario 2: Supply chain compromise of an application library, tool, or container image in a CI/CD pipeline leads to a poisoned DevSecOps environment.
Scenario 3: Supply chain compromise of a CI/CD environment that modifies the CI/CD configuration, injects code into the Infrastructure as Code (IaC) configuration, injects code into the source code, or injects a malicious or vulnerable dependency.
By planning for these scenarios, organizations can devise appropriate safeguards to minimize the impact of potential attacks.
Now, armed with the knowledge of possible scenarios, let’s examine how we can shield ourselves against these threats.
Strengthening the Defenses: Active Hardening
Active hardening refers to the proactive implementation and constant reinforcement of security protocols aimed at minimizing vulnerabilities and mitigating potential threats in the CI/CD pipeline. Following NSA and CISA’s guidance, let’s explore active hardening measures:
Authentication and Access Mitigations
- Use NSA-Recommended Cryptography: Employ cryptographic algorithms and protocols endorsed by the NSA to safeguard sensitive pipeline information.
- Minimize Long-Term Credential Usage: Favor short-lived credentials or tokens that are automatically rotated and revoked to limit exposure.
- Digitally Sign and Verify CI/CD Configuration: Digitally signing and verifying guarantees the pipeline configuration’s integrity and authenticity, preventing unauthorized modifications.
- Two-Person Rule for Code Updates: Ensure changes are reviewed and approved by multiple individuals, reducing the risk of unauthorized or malicious code modifications.
- Least-Privilege Policies for CI/CD Access: Regularly review and update access permissions to prevent unauthorized access, and ensure that employees only have access to what they need to do their jobs.
- Secure User Accounts: Implement strong password policies, enforce regular password rotations, and monitor user account activities.
- Secure Secrets: Implement robust secrets management practices, including secure storage, encryption, and access controls for API keys, credentials, or encryption keys.
- Implement Network Segmentation and Traffic Filtering: Prevent lateral movement and restrict the impact of potential breaches.
By adopting these active hardening measures, organizations can create a resilient defense for their CI/CD pipelines. To further broaden these measures, the NSA and CISA also suggest several specific steps to harden the development environment and process and protect it against cyber threats.
Development Environment Mitigations
NSA and CISA proposed specific measures for the development environment:
- Maintain up-to-date software and operating systems
- Keep CI/CD tools up-to-date
- Remove unnecessary applications
- Implement Endpoint Detection and Response (EDR) tools
Development Process Mitigations
- Integrate security scanning as part of the CI/CD pipeline
- Restrict untrusted libraries and tools
- Analyze committed code
- Remove any temporary resources
- Keep audit logs
- Implement Software Bill of Materials (SBOM) and Software Composition Analysis (SCA)
- Plan, build and test for resiliency
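The “Integrate security scanning as part of the CI/CD pipeline” and “Analyze committed code” items above, together with the “Exposure of Secrets” threat from the earlier list, are most concrete when seen as a gate that runs over job output and committed files before a build is allowed to proceed. The following is an added example written for this post, not code from Akeyless or from the NSA/CISA guidance. It scans a handful of constructed lines (a CI log excerpt and a config fragment; the AWS key ID is the one AWS publishes as a documentation example, the hex token is made up) with a small rule set, skips references to a secret store such as `${{ secrets.X }}` so they are not mistaken for literal values, applies a coarse entropy filter to the generic rule, and reports findings in redacted form so the scanner itself never re-exposes what it finds. The rule names and the 3.5-bit threshold are this example’s own choices.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample input: a few lines as they might appear in a CI job log
# and in a committed configuration file. Not taken from any real system.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",          # AWS's documented example key ID
    "db_password: ${{ secrets.DB_PASSWORD }}",         # reference to a secret store, not a value
    'api_token = "4f9c2e8b7a1d4c6e9b0a3f5d7c8e1a2b"',  # constructed 32-char hex token
    "echo deploying to region us-east-1",
    "-----BEGIN RSA PRIVATE KEY-----",
    "token = $CI_JOB_TOKEN_PLACEHOLDER",                # shell variable reference, not a value
]

# Detection rules. The generic rule captures the assigned value in group 1;
# the other two match the secret material directly.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic-credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\s\"']{16,})"
    ),
}

# Coarse filter for the generic rule: random tokens score high (hex tops out at
# 4.0 bits/char), so this mainly suppresses placeholder-looking values. It is
# not a defence against weak human-chosen passwords.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # never the full value; the report must not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character over the value's own symbol distribution."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    if len(value) <= 4:
        return "****"
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines):
    """Run every rule over every line; return findings with redacted values."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule_name, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if rule_name == "generic-credential-assignment":
                if value.startswith("$"):
                    continue  # ${{ secrets.X }} / $VAR: a reference, not a literal
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append(Finding(line_no, rule_name, redact(value)))
    return findings


def gate(lines) -> bool:
    """CI gate: True means the job may proceed, False means fail the job."""
    return not scan_lines(lines)


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
    print("gate:", "pass" if gate(SAMPLE_LINES) else "FAIL")
```

In a real pipeline the `gate` result is what fails the job, and the redacted findings are what goes to the audit log; the full matched value should never be written anywhere, which is why `Finding` only carries the redacted form.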
These mitigations can substantially boost the security of CI/CD pipelines, ensuring the integrity of software builds and deployments.
Summing up, NSA and CISA guidelines stress the urgent need for active hardening and development environment and process mitigations to fortify CI/CD pipelines. These measures are crucial in today’s high-risk cyber environment. However, fully implementing these complex guidelines can prove to be a significant challenge.
This is where Akeyless fits in. Its Secrets Management solution streamlines compliance with these guidelines’ recommendations. In our next section, we’ll examine how Akeyless’s Secrets Management solution simplifies adherence to these protocols, without compromising on security, providing an effective tool for safeguarding your CI/CD pipelines.
Akeyless Secrets Management: Aligning CI/CD Pipeline Security with NSA & CISA Guidance
Akeyless Secrets Management aligns with NSA and CISA’s guidance, providing a centralized platform for managing secrets throughout the CI/CD pipeline lifecycle. These are just some of the ways Akeyless Secrets Management can enhance your CI/CD pipeline security:
Enhancing Security in Insecure Code and System Configuration
By centralizing the storage and access of secret keys, Akeyless mitigates the risk of unauthorized access due to code vulnerabilities. The use of dynamic secrets further reduces the risk by minimizing the lifespan of secrets. Additionally, Akeyless provides a unified platform to manage the configuration of secrets across different environments, thus ensuring a secure and consistent configuration steeped in Zero Trust.
Preventing Poisoned Pipeline Execution and Unauthorized Access
By enforcing strict access control policies and integrating with identity providers, Akeyless ensures that only authorized individuals have access to secrets. It also enables role-based access control, which limits the permissions granted to each user, reducing the potential damage in case of a security breach. In the case of a poisoned pipeline, the integration of Akeyless with CI/CD tools ensures that only verified and authorized code changes are made, thus preventing the insertion of malicious code.
Securing Third-Party Services and Protecting Secrets Exposure
As organizations increasingly rely on third-party services, the secure management of secrets associated with these services is paramount. Akeyless’ ability to seamlessly integrate with these services provides an additional layer of security. With Akeyless, secrets are never exposed in logs or config files and are encrypted at rest and in transit, reducing the risk of secrets exposure. Furthermore, Akeyless uses just-in-time access and offers Secure Remote Access, ensuring that secrets are only accessible when needed, thereby reducing the risk of exposure.
Automating Secret Rotation
Akeyless’s automated secrets rotation feature bolsters the security of CI/CD pipelines, aligning with NSA’s guidelines. It automates the rotation of keys and credentials across a diverse range of environments, from databases and cloud service providers to on-premise systems, without IT overhead. Furthermore, this rotation seamlessly integrates into existing development pipelines, ensuring only up-to-date credentials are in use.
Enabling Temporary Dynamic Secrets
Embracing the principles of Zero Trust, Akeyless can manage secrets by assigning unique credentials for each session or task, thereby nullifying risks associated with long-term credentials. Following task completion, these secrets are automatically revoked, limiting potential damage from unauthorized access. This strategy of ephemeral, short-lived secrets significantly bolsters your security posture in the face of potential cyber threats.
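The pattern described here, and in the earlier “Minimize Long-Term Credential Usage” and “Least-Privilege Policies for CI/CD Access” items, comes down to three checks on every use of a credential: is it still within its lifetime, has it been revoked, and was the requested operation actually granted. The following is an added example written for this post, not Akeyless code and not a description of how Akeyless implements dynamic secrets. It is a small in-process lease broker: a job asks for a credential scoped to exactly the operations it needs, with a TTL; every use is checked against scope and expiry; the lease is revoked when the task finishes (or fails); and each issue, use and revocation is appended to an audit trail. The clock is injectable so that expiry can be exercised deterministically. All names (`LeaseBroker`, `Lease`, `FakeClock`, the scope strings) are this example’s own.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    token: str
    principal: str          # who the credential was issued to, e.g. a job ID
    scopes: frozenset       # least privilege: the only operations this lease permits
    expires_at: float       # absolute time; the lease is useless after this
    revoked: bool = False


class FakeClock:
    """Test clock (example-only) so expiry can be driven without sleeping."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LeaseBroker:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._leases = {}
        self.audit = []  # append-only record of issue / use / deny / revoke events

    def issue(self, principal: str, scopes, ttl_seconds: float) -> str:
        """Mint a fresh, random, short-lived token bound to an explicit scope set."""
        token = secrets.token_urlsafe(32)
        lease = Lease(token, principal, frozenset(scopes), self._clock() + ttl_seconds)
        self._leases[token] = lease
        self.audit.append(("issue", principal, tuple(sorted(lease.scopes)), ttl_seconds))
        return token

    def authorize(self, token: str, scope: str):
        """Check a single use. Returns (allowed, reason); reasons are stable strings."""
        lease = self._leases.get(token)
        if lease is None:
            return False, "unknown token"
        if lease.revoked:
            self.audit.append(("deny", lease.principal, scope, "revoked"))
            return False, "revoked"
        if self._clock() >= lease.expires_at:
            self.audit.append(("deny", lease.principal, scope, "expired"))
            return False, "expired"
        if scope not in lease.scopes:
            self.audit.append(("deny", lease.principal, scope, "scope not granted"))
            return False, "scope not granted"
        self.audit.append(("use", lease.principal, scope))
        return True, "ok"

    def revoke(self, token: str) -> bool:
        lease = self._leases.get(token)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        self.audit.append(("revoke", lease.principal))
        return True

    def run_task(self, principal: str, scopes, ttl_seconds: float, task):
        """Issue a lease for the task's duration and revoke it on completion or failure.

        `task` receives a callable `use(scope)` that performs the authorization check
        and raises PermissionError on denial, so an over-reaching task fails closed.
        """
        token = self.issue(principal, scopes, ttl_seconds)

        def use(scope: str):
            allowed, reason = self.authorize(token, scope)
            if not allowed:
                raise PermissionError(f"{principal}: {scope} denied ({reason})")
            return True

        try:
            return task(use)
        finally:
            self.revoke(token)  # nothing outlives the task, even on error


def demo():
    """Walk through issue / use / scope denial / expiry / auto-revoke on a fake clock."""
    clock = FakeClock(1_000.0)
    broker = LeaseBroker(clock=clock)
    token = broker.issue("build-job-42", {"read:artifacts"}, ttl_seconds=300)
    ok_read = broker.authorize(token, "read:artifacts")
    denied_write = broker.authorize(token, "write:deploy")
    clock.advance(301)
    expired = broker.authorize(token, "read:artifacts")
    result = broker.run_task("deploy-job-7", {"write:deploy"}, 60,
                             lambda use: use("write:deploy") and "deployed")
    return ok_read, denied_write, expired, result, broker


if __name__ == "__main__":
    for item in demo()[:4]:
        print(item)
```

The point worth noticing is `run_task`: the revocation sits in a `finally` block, so a lease never survives the task that requested it, and any use outside the granted scope raises instead of silently succeeding. A real secrets manager does the same job out of process; the checks are the same.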
Securing Cryptography through DFC™ Technology
At the heart of Akeyless’s cryptographic system is the Distributed Fragments Cryptography (DFC™) approach, which divides and randomizes encryption keys in separate environments, ensuring that no entity besides the organization possesses the full key. Compliant with the NSA’s guidance on cryptographic protocols, DFC adds an extra layer of protection to your secrets storage, effectively mitigating full-key exposure risk. This innovative cryptographic strategy, underpinned by Zero Trust principles, fortifies your CI/CD pipeline’s security, ensuring the trustworthiness of your software delivery process.
We’ve sifted through NSA and CISA’s guidelines and have seen firsthand the looming threats to our CI/CD pipelines. And we’ve reviewed active hardening and mitigation strategies in the development environment to fortify cyber defenses. Through this exploration, we discovered Akeyless Secrets Management is a standout centralized platform for managing secrets during the CI/CD pipeline lifecycle.
Akeyless boosts security in code and system configurations. It blocks poisoned pipeline execution and unauthorized access. It even strengthens third-party services, guarding against secrets exposure.
We get it.
You are the gatekeeper of your organization’s digital assets. You want to be proactive with threats, not reactive. Akeyless offers that peace of mind. It combines solid security and ease of use. You can focus on managing your pipelines securely and aligning with NSA and CISA guidance; leaving you free to do what you do best, adding value to your organization.
Don’t wait for a security incident to take action. Securing your CI/CD pipelines is crucial. Take control of your digital assets now. Let Akeyless guide you in building a sturdy, future-ready CI/CD pipeline. One that aligns with the best industry advice.