CI / CD Software Build Pipeline Assessment

Our Vision

Software CI/CD build pipelines are the heart of software production and must meet the highest security standards to ensure the availability and foremost the integrity of your delivered service or software.  

About CI/CD Build Pipelines

Software build pipelines are  of utmost importance to delivering secure software. Organizationally those CI/CD pipelines are often operated by the development teams themselves and in some cases (devops) are part of the productive environment of the operated service. In any case, these landscapes sit between the development and operations/delivery organizations often with no clearly defined lines of responsibilities.  During our assessment we organize workshop sessions with the key stakeholders and ensure that roles and responsibilities are clearly defined and no gaps exist.

CI/CD Software Delivery Build Pipelines consist of three major components and the utilization, configuration and security of each of those three components is of utmost importance for the security of the delivered service/software. The three components are the Source Code Repository (such as GIT, SVN, GitLab, GitHub, GitHub Enterprise, Perforce, Bitbucket, etc.), the Build Scheduler (Jenkins, TeamCity, Concourse CI, Cruise Control, Bamboo, etc.) and the Binary Repository (JFrog Artifactory, Nexus, etc.). There is a wide range of products that provide the functionality and the complexity may vary widely depending on the scenarios. The following depicts a high level abstraction of a software build pipeline.

The heart of the CI/CD Build Pipeline is the Build Scheduler. Usually, in an automated fashion, the Build Scheduler collects the source code, compiles it on build nodes, packages binary artifacts, performs automated testing and scanning,  uploads binary artifacts to binary repositories, triggers automated deployments, reports back the status of a build to the source code management tool, etc. In order to meet these needs, the Build Scheduler requires privileged access (often related to WRITE permissions on the Source Code Management and Binary Repositiories) to all components of the build landscape. While compromising source code or binary repositories would allow malicious modification of the build outcome, unauthorized access to the Build Scheduler would often yield compromise of the security of all related components. Therefore, we put the Build Scheduler in the center of our assessments.

In all cases, common IT operations processes must be in place for all components in order to ensure security of the build pipeline. Highly relevant processes that should be rigorously executed are:

Thorough understanding of the architecture of the landscape, the system dependencies and data flows are the basis for performing a threat-modelling exercise to identify weaknesses. Complementing this with a Security Assessment/Pentest against the environment would provide you with an excellent overview of a CI/CD Build Pipeline's state.  

Our Service

We have deep understanding and expertise in the field of Build landscapes. We know the best practices and the operational difficulties of pipeline operations teams, which helps us provide you with viable improvement recommendations. 

We perform security assessments for CI/CD build pipelines by organizing workshop sessions with build pipeline operations teams and development process stakeholders in order to get an understanding about the common IT processes mentioned above. We discuss the development and release management processes and map those to the technology layer. Through the workshop sessions we gain valuable knowledge for the next phase where we perform a penetration test on the CI/CD Build pipeline. We document any identified issues and provide mitigation recommendations  to improve the security state of the pipeline.

We help clients achieve secure, reliable and reproducible builds by ensuring the security of the Continuous Integration/Continuous Delivery Build Pipelines.

Useful Links

Blog - Software Build Pipeline = The Finest Hacker Target