Secure Continuous Integration (CI) Pipelines


This series of articles aims to identify the best practices to implement in order to secure your delivery process and your CI/CD pipelines:

0. DevSecOps & CI/CD Pipelines: understand the fundamentals.
1. Version Control System Security
2. Secure Continuous Integration (CI) Pipelines
3. Secure Continuous Delivery (CD) Pipelines

By Gologic with the collaboration of Alexandre Couëdelo.

The continuous integration (CI) pipeline is central to the software delivery system, yet it is also a security hotspot with multiple attack vectors. On one side, we need to secure the CI system itself; on the other, we need to ensure that the artefacts it produces do not turn into vulnerable applications. Our DevOps services provide specialized solutions to strengthen security at every stage of the integration process.

In this article, to address these security concerns, Gologic introduces a set of best practices and tools that can be integrated into your CI pipeline. Following these practices raises your pipeline's security baseline and reduces the chance that your artefacts ship with known vulnerabilities.


Producing secure artefacts

The CI pipeline's primary role is compiling or assembling the source code of your software/application into an executable or deployable form called an artefact. But in a modern application, the code you write is only a small fraction of what ships (a commonly quoted split is 10% your own code, 90% code taken from open-source projects, mainly libraries and frameworks).

This raises the question: How do you ensure those dependencies are secure?

In short, you need to validate all the pieces that compose your system, and this validation is twofold: on one side, the code you write; on the other, the code you import into your application.

To address this concern, you need to adopt two techniques:

  1. Static application security testing (SAST): Scans your source code, without running it, for patterns that commonly lead to vulnerabilities (injection, hard-coded secrets, unsafe deserialization, and so on).
  2. Software Bill of Materials (SBOM): Generate an inventory of every component and its exact version that composes your application, then check each entry against vulnerability databases (e.g. the NVD, OSV, or the GitHub Advisory Database) for known vulnerabilities. This matching step is usually called Software Composition Analysis (SCA); OWASP publishes the CycloneDX SBOM standard and the Dependency-Check tool, but is not itself a vulnerability database.
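The second technique in practice, as an added example that is not part of the original article: a small CI gate that reads a CycloneDX SBOM, matches each component's package URL (purl) and version against an advisory feed, and fails the build when a finding reaches a severity threshold. Both the SBOM and the advisories are constructed inline with fictional package names and hypothetical advisory IDs; in a real pipeline the SBOM comes from a generator job and the advisories from OSV, the NVD or the GitHub Advisory Database.

```python
"""Added example (not from the Gologic article): check a CycloneDX SBOM against a
vulnerability feed and decide whether the CI build should fail."""
import json

# Constructed SBOM in a minimal CycloneDX JSON shape. In a pipeline this file is
# written by an SBOM generator in an earlier job; package names here are fictional.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-json-parser@1.4.2"},
    {"type": "library", "name": "example-http-client", "version": "3.0.1",
     "purl": "pkg:npm/example-http-client@3.0.1"},
    {"type": "library", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/com.example/example-logging@2.14.1"},
    {"type": "library", "name": "example-yaml", "version": "5.4.1",
     "purl": "pkg:pypi/example-yaml@5.4.1"}
  ]
}
"""

# Constructed advisories with hypothetical IDs, shaped like a simplified OSV
# introduced/fixed range. A real pipeline pulls these from OSV, the NVD or the
# GitHub Advisory Database instead of embedding them.
ADVISORIES = [
    {"id": "HYPO-2023-0001", "package": "pkg:npm/example-json-parser",
     "introduced": "0", "fixed": "1.5.0", "severity": "CRITICAL"},
    {"id": "HYPO-2023-0002", "package": "pkg:npm/example-http-client",
     "introduced": "2.0.0", "fixed": "3.0.0", "severity": "HIGH"},
    {"id": "HYPO-2023-0003", "package": "pkg:maven/com.example/example-logging",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "HIGH"},
    {"id": "HYPO-2023-0004", "package": "pkg:pypi/example-yaml",
     "introduced": "0", "fixed": "6.0", "severity": "LOW"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Non-numeric suffixes such as '1.0rc1' are truncated,
    so pre-release ordering is not modelled here."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:type/namespace/name@version' -> ('pkg:type/namespace/name', 'version')."""
    package, _, version = purl.partition("@")
    return package, version


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix released yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose package and version match."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        package, version = split_purl(component["purl"])
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": component["name"],
                    "version": version,
                    "advisory_id": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def build_should_fail(findings, threshold="HIGH"):
    """Policy gate: fail the build on any finding at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    results = find_vulnerable_components(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f'{f["severity"]:8} {f["component"]}@{f["version"]} '
              f'{f["advisory_id"]} (fixed in {f["fixed_in"]})')
    # Non-zero exit is what makes the pipeline job fail.
    raise SystemExit(1 if build_should_fail(results) else 0)
```

Run against the constructed input, the gate reports three findings (the CRITICAL parser, the HIGH logging library, and the LOW YAML library) and exits non-zero because two of them meet the HIGH threshold; the http client is not flagged because 3.0.1 is past the fixed version. The threshold is deliberately a parameter: teams usually break the build on HIGH and CRITICAL only and track the rest in a backlog rather than ignoring them.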

💡 SAST & SBOM with Azure DevOps

Many tools exist and can be integrated as a job in your pipeline, for instance SonarQube/SonarCloud (SAST), and CycloneDX or Mend (SBOM and dependency scanning).

Microsoft also recently announced and released (May 2023) its own set of services:

Using a Secure CI System

The CI system, over time, needs access to various resources to perform its tasks: code repositories, artefact stores, secrets, APIs, etc. The worst thing you could do is give your CI system one set of global credentials that any build can use to perform any action it wants on those systems.

This would make life much easier for an attacker who breaches your CI system: a single compromised build would immediately grant access to absolutely everything.

In access control, adhering to the principle of least privilege is of utmost importance. The CI pipeline is an attack surface for external threats, so each pipeline (each link in the security chain) must be granted exactly the permissions it requires and must have its own dedicated set of credentials.

This approach not only strengthens security but also mitigates the risks that come with shared credentials: when a secret leaks, it is immediately clear which pipeline it belongs to, and it can be revoked without breaking every other pipeline.

💡 Managed Identity in Azure DevOps Pipelines

Instead of storing a long-lived secret in the pipeline, a Managed Identity (used through workload identity federation) lets your Azure Pipelines authenticate to resources within Azure, or to any application that supports the OpenID Connect (OIDC) protocol: the pipeline presents a short-lived OIDC token that is exchanged for an access token scoped to that identity's role assignments. This ensures that only the least privilege each pipeline needs is granted to it.
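To make the per-pipeline identity concrete, here is an added example (not code from the article or from Azure) of the check a resource's token exchange performs: one trust policy per pipeline, pinning issuer, subject and audience, and a signature and expiry check before any role is released. The issuer, subject and audience formats are assumptions modelled on Azure DevOps workload identity federation, the role names and organisation are hypothetical, and the signature uses HS256 with a shared key purely so the example is stdlib-only; real OIDC issuers sign with RS256 and publish their public keys through JWKS, but the claim checks are the same.

```python
"""Added example (not from the Gologic article): validate a pipeline's federated
OIDC token against a per-pipeline trust policy before handing out scoped roles."""
import base64
import hashlib
import hmac
import json
import time

# Assumed claim formats, modelled on Azure DevOps workload identity federation.
ISSUER = "https://vstoken.dev.azure.com/example-org"
AUDIENCE = "api://AzureADTokenExchange"

# One trust policy per pipeline: the "federated credential" attached to that
# pipeline's own identity. Role names are hypothetical; each policy grants only
# what that pipeline needs, and nothing else.
TRUST_POLICIES = {
    "build-api": {
        "issuer": ISSUER,
        "subject": "sc://example-org/shop/build-api-connection",
        "audience": AUDIENCE,
        "roles": ["AcrPush on registry-shop"],
    },
    "deploy-web": {
        "issuer": ISSUER,
        "subject": "sc://example-org/shop/deploy-web-connection",
        "audience": AUDIENCE,
        "roles": ["Website Contributor on rg-web"],
    },
}

# Simplification: the issuer signs with HS256 and a shared key so the example is
# stdlib-only. Real OIDC issuers sign with RS256 and publish the public key via
# JWKS; the signature check differs, the claim checks below do not.
ISSUER_KEY = b"constructed-demo-signing-key"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=ISSUER_KEY):
    """What the CI system's token service does: sign the pipeline's identity claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenRejected(Exception):
    pass


def verify_token(token, policy, key=ISSUER_KEY, now=None):
    """Signature first, then expiry, then issuer/subject/audience against the policy."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":  # the verifier pins the algorithm, never the token
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    for claim, field in (("iss", "issuer"), ("sub", "subject"), ("aud", "audience")):
        if claims.get(claim) != policy[field]:
            raise TokenRejected(f"{claim} mismatch")
    return claims


def exchange_for_roles(token, identity, now=None):
    """Token exchange: a valid token for `identity` yields only that identity's roles."""
    policy = TRUST_POLICIES[identity]
    try:
        verify_token(token, policy, now=now)
    except TokenRejected as err:
        return {"granted": False, "roles": [], "reason": str(err)}
    return {"granted": True, "roles": list(policy["roles"]), "reason": None}


if __name__ == "__main__":
    now = int(time.time())
    build_token = mint_token({"iss": ISSUER, "sub": TRUST_POLICIES["build-api"]["subject"],
                              "aud": AUDIENCE, "exp": now + 600})
    print(exchange_for_roles(build_token, "build-api", now))   # granted, AcrPush only
    print(exchange_for_roles(build_token, "deploy-web", now))  # rejected: sub mismatch
```

The point of the two policies is the failure case: the build pipeline's perfectly valid token cannot be replayed to obtain the deployment pipeline's roles, because the subject claim names one specific pipeline and nothing else. Tokens are also short-lived (here ten minutes), so there is no long-lived secret for an attacker to harvest from the agent.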

Conclusion

Two key practices are Static Application Security Testing (SAST) and a Software Bill of Materials (SBOM): it is crucial to validate both your own code and the components you import (libraries and open-source software).

Additionally, you should embrace the principle of least privilege in your pipelines, which improves detection of a security breach and limits the damage it can cause. Too often, CI systems are granted administrator credentials for all systems and/or environments, making them prime targets for cyberattacks.

This article is the third in the series. We previously tackled the security risks of Version Control Systems, which sit upstream of your continuous integration system. In the next issue, we will look at the next system in the process, namely the continuous delivery (CD) pipeline.

Are you ready to enhance the security of your CI/CD pipelines? Contact our DevOps teams today for a personalized consultation and discover how our solutions can help you secure your development and deployment process. Don’t let potential vulnerabilities compromise your workflow—take action now for optimal security.
