Today CICD platforms are an integral and critical part of the overall software supply chain. To support business requirements, they process a lot of sensitive data, the compromise of which can affect the entire organization. Security IN CICD is a well-discussed topic; now security OF CICD deserves the same attention.
One of the challenges with security OF CICD, as in most areas of security, is the lack of visibility into what actually makes up a CICD ecosystem. Security starts with being aware of what needs to be secured.
In this talk I will present how an organization can approach visibility, and thus security, OF its CICD ecosystem, along with some common attack areas such as access controls, credential hygiene and misconfiguration, and their possible solutions.
Also, I will introduce two new open-source projects:
First, CICDGuard – a graph-based CICD ecosystem visualizer and security analyzer, which:
1. Represents the entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
2. Identifies common security flaws across supported technologies and provides industry best practices and guidelines for the identified flaws
3. Supports the following technologies as of now:
– GitHub
– GitHub Actions
– Jenkins
– Spinnaker
Second, ActionGOAT – a deliberately ("damn") vulnerable GitHub Action for learning purposes