The company’s research was designed to improve attack surface comprehension and spark discussion on preventative measures
Researchers from Cider Security, which develops the first AppSec Operating System, published a new research report titled “Top 10 CI/CD Security Risks”, detailing the major security risks to the CI/CD (Continuous Integration/Continuous Delivery) ecosystem.
“CI/CD environments, processes, and systems are the beating heart of any modern software organization. They bring great opportunities and advantages to engineering, but introduce an equal amount of opportunities for adversaries, which are targeting CI/CD as an efficient way to access the crown jewels of every organization - their production environment,” said Daniel Krivelevich, Co-Founder and CTO of Cider Security.
“We developed this to help defenders have a better understanding of their evolving attack surface, and spark the much-needed discussion around the relevant preventative measures required to optimize CI/CD security.”
This report serves as a guide to defenders, helping them identify and minimize CI/CD security risks by providing a breakdown of today’s most prominent attack vector as well as tips for mitigation. It was compiled on the basis of extensive research based on analysis of hundreds of CI/CD environments, discussions with industry experts, and publications of security incidents and security flaws within the CI/CD security domain.
The risks outlined are:
CICD-SEC-1: Insufficient Flow Control Mechanisms
CICD-SEC-2: Inadequate Identity and Access Management
CICD-SEC-3: Dependency Chain Abuse
CICD-SEC-4: Poisoned Pipeline Execution (PPE)
CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
CICD-SEC-6: Insufficient Credential Hygiene
CICD-SEC-7: Insecure System Configuration
CICD-SEC-8: Ungoverned Usage of 3rd Party Services
CICD-SEC-9: Improper Artifact Integrity Validation
CICD-SEC-10: Insufficient Logging and Visibility