CISA and NSA Guidelines for CI/CD
Share this:
The US NSA and the CISA have published a comprehensive set of guidelines aimed at defending Continuous Integration/Continuous Delivery (CI/CD) environments.
The guidelines address the rising threat of malicious cyber actors exploiting vulnerabilities in CI/CD pipelines, particularly through the exposure of secrets.
CI/CD pipelines are essential in modern software development, enabling seamless and efficient integration and deployment processes. However, relying on secrets such as private keys and passwords for authentication purposes has made them prime targets for cyberattacks.
The guidelines highlight three key threat scenarios:
- MCAs acquiring developer’s credentials for accessing a Git repository service,
- Supply chain compromise of an application library or container image in a CI/CD pipeline.
- Supply chain compromise of a CI/CD environment that modifies configurations or injects malicious dependencies.
The document recommends mitigations. These include minimizing the use of long-term credentials, implementing two-person rules (2PR) for code updates, securing user accounts, and enforcing least-privilege policies for CI/CD access.
The guidelines emphasize the importance of secure code signing, network segmentation, regular vulnerability scanning, and integrating security measures throughout the CI/CD pipeline.
Organizations can significantly enhance the security posture of their CI/CD environments, reducing the risk of unauthorized access, supply chain compromise, and code injection attacks.
