CI/CD Security
With the rise in attacks on continuous integration and continuous delivery (CI/CD) environments, it’s no surprise that the U.S. Government recently released guidance to help organizations understand their risks and defend their pipelines. Software Delivery and CI/CD pipelines are critical to cloud-native software development and host highly sensitive data and credentials. In fact, protecting the delivery pipeline is as important as securing the software that it’s built for (Gartner, “How to Select DevSecOps Tools for Secure Software Delivery” Jan ‘23).
However, they often exist outside the purview of traditional AppSec solutions and therefore are not handled by the AppSec teams. With graph-based CI/CD security in the industry’s most comprehensive code-to-cloud cloud-native application protection platform (CNAPP), Prisma Cloud helps AppSec practitioners secure their pipelines with:
- Unmatched visibility into the engineering ecosystem
- Protection from the OWASP top 10 CI/CD Risks
- Pipeline Posture Management
- Attack Path Analysis with the Cloud Application Graph™
1. Subscribe to CI/CD Security
- Log in to the Prisma Cloud Console.
- On the Application Security Configuration page, enable the CI/CD Security module.
2. Connect Prisma Cloud to your VCS and CI/CD Systems
Begin by onboarding your Version Control system(s) and CI/CD systems on Prisma Cloud.
- GitHub
- GitHub Enterprise
- GitLab
- GitLab Self-hosted
- Bitbucket
- Bitbucket Server
- Azure Repos
- CircleCI
- Jenkins Plugin
3. Explore High-Priority CI/CD Security Risks
Identify and understand the most critical CI/CD risks facing your organization, so you can prioritize and address these risks efficiently.
- Access the CI/CD Risks dashboard.
- Log in to the Prisma Cloud console, and make sure that you have selected Application Security on the Prisma Cloud switcher.
- Select CI/CD Risks. The Risk table should already be sorted by severity. If it’s not, click on the severity column header to sort the table based on severity.
- Review risks. You can explore the risks generated related to CI/CD risk policies across the different integrated systems in the delivery pipeline.
- From the list of risks, you can for example locate the risk called "Direct Poisoned Pipeline Execution" or choose any other relevant risk based on your needs.
- Click on the name of the selected risk to see its details.
- Explore the details on a risk. Within the risk details, you will find a detailed description of the risk, including in which phase this risk is located in the pipeline delivery chain, how many open instances (events) of this risk the system has found so far across the environment, and a detailed explanation on how to remediate the risk.
- Select Open Events to view all the open instances of the risk.
- You can now review each event and understand which assets are at risk. Events of risks that describe an attack vector resulting from multiple misconfigurations across systems also come with the Kill Chain graph. The graph illustrates the various steps an attacker takes to penetrate the pipeline and can help you better understand the event attack vector. If you selected such a risk, you can access each open event's kill chain graph by clicking on the graph icon on the right side of each event.
- Take action to remediate the risk. Use the suggested remediation steps to fix the issues, one at a time.
4. Investigate and Reduce the Attack Surface of the Engineering Ecosystem
Explore your engineering ecosystem thoroughly using no-code searches with Prisma Cloud's CI/CD Security data to help you address and remove issues related to GitOps and CI/CD security.
- Start your Investigation on the Prisma Cloud console.
- Log in to the Prisma Cloud console, and make sure that you have selected Application Security on the Prisma Cloud switcher.
- Select Investigate > Search.
This is where you can perform various investigations related to your engineering environment and assets.
- Use the Query Builder to build queries and find answers to your questions.
- From the Search Type dropdown, select the Application Asset scope and use the query builder to select the search conditions.
Examples:
- Find all code repositories that have a CODEOWNER file but whose Branch Protection Rule is not utilizing it.
Utilizing a CODEOWNER file in the branch protection rule increases security and code quality. It enables you to define individuals or teams who are responsible for code in a repository, and any pull request that affects that code must be approved by the code owner before it can be merged into the protected branch.
- Find all VCS deploy keys that have Write permissions.
To minimize the risk of a stolen deploy key being used by an attacker, it is recommended to reduce all deploy keys to read-only permissions when write permissions are not necessary for the proper flow of the pipeline.
- Find all private code repositories that can be forked.
Forks might allow an attacker to create PRs and trigger a pipeline. So, if this permission is not needed, consider disabling it for each repository and preferably at the organization level.
- Review the results of each query.
Ensure all findings are recognized and sanctioned by your team. Otherwise, take corrective actions.
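The three example searches above can also be expressed as plain checks over a repository inventory. The following script is an added example, not Prisma Cloud's query language or any Prisma Cloud API: it runs the CODEOWNER/branch-protection, writable-deploy-key and forkable-private-repository checks over constructed repository records. The records are shaped to resemble GitHub REST API responses (field names such as allow_forking, read_only and require_code_owner_reviews are assumed to match that API), so it runs offline without any platform access.

```python
# Added example: offline evaluation of the three repository posture checks
# described in the searches above. Repository records are constructed to
# resemble GitHub REST API responses (field names "allow_forking",
# "read_only" and "require_code_owner_reviews" are assumed to match that
# API). This is not Prisma Cloud's query language or API.

from typing import Dict, List, Optional

# Constructed sample inventory: one clean private repo, one private repo that
# trips all three checks, and one public repo that should yield no findings.
SAMPLE_REPOS: List[dict] = [
    {
        "name": "payments-service",
        "private": True,
        "allow_forking": False,
        "has_codeowners_file": True,
        "branch_protection": {"require_code_owner_reviews": True},
        "deploy_keys": [{"title": "ci-reader", "read_only": True}],
    },
    {
        "name": "web-frontend",
        "private": True,
        "allow_forking": True,
        "has_codeowners_file": True,
        "branch_protection": {"require_code_owner_reviews": False},
        "deploy_keys": [
            {"title": "deploy-bot", "read_only": False},
            {"title": "mirror", "read_only": True},
        ],
    },
    {
        "name": "docs-site",
        "private": False,
        "allow_forking": True,
        "has_codeowners_file": False,
        "branch_protection": None,  # no protected branch configured
        "deploy_keys": [],
    },
]


def codeowners_not_enforced(repo: dict) -> bool:
    """A CODEOWNER file exists, but the branch protection rule does not
    require code-owner review (or no protection rule exists at all)."""
    if not repo.get("has_codeowners_file"):
        return False
    protection: Optional[dict] = repo.get("branch_protection")
    if protection is None:
        return True
    return not protection.get("require_code_owner_reviews", False)


def writable_deploy_keys(repo: dict) -> List[str]:
    """Titles of deploy keys that are not read-only."""
    return [
        key["title"]
        for key in repo.get("deploy_keys", [])
        if not key.get("read_only", False)
    ]


def forkable_private(repo: dict) -> bool:
    """Private repository that still allows forking."""
    return bool(repo.get("private")) and bool(repo.get("allow_forking"))


def audit(repos: List[dict]) -> Dict[str, list]:
    """Run all three checks and group results by finding type."""
    findings: Dict[str, list] = {
        "codeowners_not_enforced": [],
        "writable_deploy_keys": [],
        "forkable_private": [],
    }
    for repo in repos:
        name = repo["name"]
        if codeowners_not_enforced(repo):
            findings["codeowners_not_enforced"].append(name)
        for key_title in writable_deploy_keys(repo):
            findings["writable_deploy_keys"].append((name, key_title))
        if forkable_private(repo):
            findings["forkable_private"].append(name)
    return findings


if __name__ == "__main__":
    for finding, affected in audit(SAMPLE_REPOS).items():
        print(f"{finding}: {affected or 'none'}")
```

Each check mirrors one of the searches: a repository is only flagged for the CODEOWNER condition when the file exists and the protection rule does not require code-owner review, deploy keys are reported individually so each can be downgraded to read-only, and the fork check applies only to private repositories. Review the output the same way as the query results: anything not recognized and sanctioned by your team is a corrective action.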