

























Last week, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) detailing recommendations for strengthening the security of Continuous Integration/Continuous Deployment (CI/CD) pipelines. This document reflects the growing importance of CI/CD security, which is at the core of our work here at StepSecurity.
As per the document, which you can find here, "CI/CD environments are attractive targets for malicious cyber actors (MCAs) whose goals are to compromise information by introducing malicious code into CI/CD applications, gaining access to intellectual property/trade secrets through code theft, or causing denial of service effects against applications."
As CI/CD pipelines have become integral to IT modernization efforts and DevSecOps approaches, they have concurrently grown as prime targets for malicious cyber actors (MCAs). The increasing number of supply chain attacks on CI/CD environments, such as the infamous SolarWinds, Codecov, and ua-parser-js attacks, paints a vivid picture of the growing threat.
StepSecurity has extensively researched past CI/CD attacks and created a public GitHub repository https://github.com/step-security/attack-simulator. This simulator allows users to mimic past CI/CD attacks. It showcases how StepSecurity's solutions can stop these attacks, demonstrating our solutions' effectiveness in real-world scenarios.
In their comprehensive Cybersecurity Information Sheet (CSI), CISA and the NSA have provided several key recommendations to enhance the security of CI/CD pipelines.
The table below lists the high-level recommendations from the document and how StepSecurity can help implement them.
|
CISA’s Recommendation for CI/CD Security |
How StepSecurity can help |
|
Our first-of-its-kind EDR solution for CI/CD pipelines, Harden-Runner, works for GitHub-hosted runners and Actions Runtime Controller (ARC) self-hosted runners to:
Harden-runner is used by 1,200 public GitHub repositories in their GitHub Actions workflows, including those of industry giants like Microsoft, Google, and DataDog, and numerous enterprises for their private repositories. |
|
Our platform features a unique orchestration capability that automates the integration of security tools and pipeline security best practices using automation and pull requests. Over 500 public repositories have utilized our orchestration component to:
|
|
StepSecurity shows the names and “Days since last rotated” metadata for all CI/CD secrets, to aid in secrets rotation. In addition, StepSecurity helps find instances where long-terms credentials can be replaced with short term OIDC based credentials. In the future, we will offer more advanced detections to detect if secrets are found in the build log or if developer credentials have been compromised. |
|
With StepSecurity you can view a list of different 3 rd party components being used in the CI/CD pipeline and view the OpenSSF Scorecard scores for these components to help decide which of them are trustworthy. |
As the CISA and NSA emphasize the criticality of securing CI/CD pipelines, we at StepSecurity stand ready with solutions that address their recommendations and deliver security that goes above and beyond.
With StepSecurity, you can rest assured that your software supply chains are safe. We encourage you to experience the benefits of our security solutions firsthand. Try our product at https://app.stepsecurity.io/securerepo or try StepSecurity for free to harden your CI/CD pipelines today.
Have any questions or need more information? Feel free to contact us via the contact form on our website.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。