Cider Security identifies top 10 CI/CD security risks

The company’s research was designed to improve attack surface comprehension and spark discussion on preventative measures


BIGSTOCK/Copyright: Mohailo.K

Researchers from Cider Security, which develops the first AppSec Operating System, published a new research report titled “Top 10 CI/CD Security Risks”, detailing the major security risks to the CI/CD (Continuous Integration/Continuous Delivery) ecosystem.


“CI/CD environments, processes, and systems are the beating heart of any modern software organization. They bring great opportunities and advantages to engineering, but introduce an equal amount of opportunities for adversaries, which are targeting CI/CD as an efficient way to access the crown jewels of every organization - their production environment,” said Daniel Krivelevich, Co-Founder and CTO of Cider Security.


“We developed this to help defenders have a better understanding of their evolving attack surface, and spark the much-needed discussion around the relevant preventative measures required to optimize CI/CD security.”


This report serves as a guide for defenders, helping them identify and minimize CI/CD security risks by breaking down today’s most prominent attack vectors and offering tips for mitigation. It was compiled through extensive research drawing on the analysis of hundreds of CI/CD environments, discussions with industry experts, and published accounts of security incidents and security flaws within the CI/CD domain.


The risks outlined are:


CICD-SEC-1: Insufficient Flow Control Mechanisms

CICD-SEC-2: Inadequate Identity and Access Management

CICD-SEC-3: Dependency Chain Abuse

CICD-SEC-4: Poisoned Pipeline Execution (PPE)

CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)

CICD-SEC-6: Insufficient Credential Hygiene

CICD-SEC-7: Insecure System Configuration

CICD-SEC-8: Ungoverned Usage of 3rd Party Services

CICD-SEC-9: Improper Artifact Integrity Validation

CICD-SEC-10: Insufficient Logging and Visibility