Skip to content

DevSecOps

Self-learned Hacking Techniques

Concepts

Learning Resources

CI/CD Hardening

CICD-SEC-1: Insufficient Flow Control Mechanisms

Map your attack premieter. I recommend threat modelling your CI/CD pipleine - just like you would any other highlevel system. - Can internal malicious actors push code and trigger the build pipeline? - Automerging code to production if it meets certain rules? - Can artifacts, libraries or build dependencies be used to execute code? - Can pipeline code be modified and executed?

Recommendations: - Ensure no single person can push code and deploy it simultaneously. Ensure at least one or more reviewer is needed before code is pushed and build.

CICD-SEC-2: Inadequate Identity and Access Management

Identities should not be:

  • Overly permission: principle of least privilege
  • Stale (not used)
  • Local: these are hard to manage and secure
  • External: the security premieter is shared with other organizations, as the current organization rules are not enforced on them.
  • Self-registered: hard to keep track and enforce rules
  • Shared between programmatic context and human users

Recommendations: - For all identities in the system map the identity provider, level of permissions granted and level of permissions actually used - Disable/Remove any identity which has surpassed the predetermined period of inactivity. - Create dedicated accounts for each specific context - Prevent employees from using any address not owned by the organization

CICD-SEC-3: Dependency Chain Abuse

The main attack vectors:

  • Dependency confusion
  • Dependency hijacking
  • Typosquatting
  • Brandjacking

Recommendations: - Whenever 3rd party packages are pulled from an external repository, ensure all packages are pulled through an internal proxy - Disallow pulling of packages directly from external repositories. Configure all clients to pull packages from internal repositories - Enable checksum verification and signature verification for pulled packages. - Prefer configuring a pre-vetted version or version ranges *TBC

Tools

SAST

Secret Scanning

Tutorials

Tools

Resources