Securing Continuous Integration/Continuous Delivery Environments (CI/CD)

July 11, 2023

The widespread move to the cloud has increased the number of new attack vectors for cybercriminals to exploit, with many gaining access through gaps in permissions security. Unknown code-based vulnerabilities in applications developed in the cloud have dramatically increased the risk of compromise. Microsoft Threat Intelligence reported cloud app development (CI/CD environments) as the top cloud attack vector across organizations.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidelines for securing Continuous Integration/Continuous Delivery (CI/CD) environments. The document describes the attack surface, offers three potential threat scenarios, and makes recommendations for threat mitigation and hardening CI/CD cloud deployments.

The guidance published by CISA and NSA is important in securing the software developer’s environment, however, organizations should adopt and implement an established cyber security framework for the entire enterprise.