Sep 27, 2023

OWASP Top 10 CI/CD

Most developers are familiar with the OWASP Top 10, which describes the most critical risks to web applications. OWASP also produces a lesser-known artefact, the OWASP Top 10 CI/CD Security Risks, which describes the risks that modern build and deployment systems face. It is essential reading for all development teams.

Build systems are essential tools in modern software development, offering numerous benefits around productivity and maintaining code quality. However, they often run with high privileges, fall outside the scope of traditional penetration tests, and their logs are rarely reviewed. Combine these factors with the heavy use of third-party open source components and libraries in most solutions, and this presents some interesting opportunities for attackers and malicious insiders.

Let’s look at some recent incidents that exploited these issues and map some of the vulnerabilities exploited onto the OWASP Top 10 CI/CD:

| Breach | Overview | Vulnerability |
| --- | --- | --- |
| CodeCov | Attackers were able to view client repositories through a vulnerability in how CodeCov (Code Coverage Tool) had configured its Docker containers. This vulnerability was then used to obtain credentials contained in client repositories. | Credential Hygiene (CICD-SEC-6) |
| SolarWinds | Malicious code “Sunburst” added to SolarWinds code base and then distributed to SolarWinds customers. Malware provided a backdoor for attackers to access customer systems. | Dependency Chain Abuse (CICD-SEC-3) |
| ua-parser-js | Malicious code inserted into popular open source component ua-parser-js that mined cryptocurrency and harvested credentials. Customers referencing this third-party dependency would install and run the malicious version. | Ungoverned Usage of 3rd Party Services (CICD-SEC-8) |

Several controls can be put in place to mitigate or reduce the risks above. We wanted to call out the following approaches:

For those interested in learning more, our App Security training by Kodez explores CI/CD system issues in depth and looks at easy-to-implement controls and processes that can reduce risk to organizations.

In summary, we believe these types of attacks will become more common in future, and we recommend that all development teams review the OWASP Top 10 CI/CD Security Risks.
