Sep 27, 2023


Most developers are familiar with the OWASP Top 10 that describes the most critical risks to web applications. OWASP also produce a lesser known artefact called the OWASP Top 10 CI/CD Security Risks that describes risks that modern build and deployment systems face that is essential reading for all development teams.

Build systems are essential tools in modern software development offering numerous benefits around productivity and maintaining code quality. However they often run with high privileges, fall outside the scope of traditional penetration tests and their logs are rarely reviewed. Combine these factors with heavy use of third-party open source components and libraries in most solutions and this presents some interesting opportunities for attackers and malicious insiders.

Let’s look at some recent incidents that exploited these issues and map some of the vulnerabilities exploited onto the OWASP Top 10 CI/CD:

CodeCovAttackers were able to view client repositories through a vulnerability in how CodeCov (Code Coverage Tool) had configured its Docker containers. This vulnerability was then used to obtain credentials contained in client repositories.Credential Hygiene (CICD-SEC-6)
SolarWindsMalicious code “Sunburst” added to SolarWinds code base and then distributed to SolarWinds customers. Malware provided a backdoor for attackers to access customer systems.Dependency Chain Abuse (CICD-SEC-3)
ua-parser-jsMalicious code inserted into popular open source component ua-parser-js that mined crypto currency and harvested credentials. Customers referencing this third-party dependency would install and run malicious version.Ungoverned Usage of 3rd Party Services (CICD-SEC-8)

There are several controls that can be put in place to mitigate or reduce the risk of the above we wanted to call out the following approaches:

For those interested in learning more we explore issues contained in CI/CD systems in our App Security training by Kodez at a deep level and look at easy to implement controls and processes that can reduce risk to organizations.

In summary we believe these types of attacks will become more common in future and recommend all development teams review the OWASP Top 10 CI/CD Security Risks.

Interested in hearing more?
Lets connect.