Software supply chains (SSC) continue to be a growing target for cyberattacks. Most recently, after the large CrowdStrike outage, malicious actors took the opportunity to try to infiltrate the SSC by sending out fixes that had malware inserted into them. Strategies, publications and executive orders have been released to help organizations secure their SSC, but the SSC has many facets, one being the Continuous Integration/Continuous Delivery (CI/CD) pipeline. These areas also need to be assessed for risk and have security measures in place so that bad actors cannot take advantage of them.
Earlier this year, the National Institute of Standards and Technology (NIST) released a special publication on this topic, NIST SP 800-204D: Software Supply Chain Security in DevSecOps CI/CD Pipelines. It was released to help organizations understand the dynamics of CI/CD pipelines and develop actionable measures to integrate SSC security into them. It outlines strategies for fitting SSC security measures into CI/CD pipelines, and it emphasizes the importance of starting with a strong attestation process backed by code signing and by securing cryptographic keys and digital certificates.
What are CI/CD pipelines?
CI/CD pipelines include the stages and tasks that take code from start to finish. This automated process, as named, is continuous, to help get code fixes done quickly and out the door faster. Looking at the two parts separately, CI, or continuous integration, is when source code changes are frequently merged into a main branch to detect issues early. CD stands for continuous deployment or continuous delivery, which automates the deployment process through a set of criteria set by DevOps teams. The overall goal of a CI/CD pipeline is to utilize automation to detect and fix issues early and get application updates out to users faster.
How do CI/CD pipelines fit into software supply chain security?
SP 800-204D notes that a common approach to SSC security is to generate as much provenance data as possible. Within the CI/CD pipeline, security practices must be applied during the various stages of the cycle to defend the process and ensure the integrity of the code from the repository it has been sourced from. DevOps teams should ensure that the code from a repository is safe, especially when utilizing open-source repositories, as this code can come from malicious attackers and potentially introduce malware into the application. With an automatic deployment process, systems need to be in place to ensure any security threats are caught and mitigated before the application reaches consumers.
Looking at SP 800-204D, the first layer of a secure SSC within the CI/CD pipeline comes from securing and providing evidence for the build process.
Securing the build process and attestation
The first phase of the CI pipeline is building, and this is where the first layers of security need to be placed, such as strict build policies and the automation of evidence collection. Code signing comes into play next: the attestation must be created by a specified user, using cryptographic signatures with secure keys to evaluate policy compliance and the authenticity of each build step. Code signing ensures that the build process adheres to the build policies put in place, and that there is no evidence of potential malicious activity.
NIST specifically outlines that the keys used for attestation must be stored in a secure “tamper-proof and protected” location that uses access control policies to ensure the keys are not at risk of being stolen and maliciously used. The best way to do this is to store the keys in a secure hardware security module (HSM).
But sometimes these HSMs are difficult to connect to common tools and platforms, making it difficult to utilize the secure keys for code signing activities. Also, with the goal of CI/CD being to maintain a quick, continuous process, it can be difficult to manage the workflow of code signing processes with the amount of code that needs to be signed daily. Code signing is usually a labor-intensive process that is often performed manually and lacks the level of security recommended by NIST. However, with automation, a balance between security and efficiency can be found.
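The attestation flow described in this section, as an added Go example that is not taken from NIST SP 800-204D or from any product: a build step signs a statement about its artifact, and a verifier checks the signature, the permitted builder and the artifact digest. The `Statement` and `Envelope` layouts, the builder name `ci-runner-1` and the in-memory Ed25519 key (standing in for an HSM-held key) are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed layouts (assumptions): a build-step statement and its signed envelope.
type Statement struct{ Step, Builder, Artifact string }
type Envelope struct{ Payload, Sig []byte }
func Digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// NewKey returns an in-memory Ed25519 key, a stand-in for an HSM-held key.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Attest takes a crypto.Signer, so the key can stay inside an HSM or vault.
func Attest(s crypto.Signer, st Statement) (Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig, err := s.Sign(rand.Reader, payload, crypto.Hash(0))
	return Envelope{payload, sig}, err
}

// Verify checks the signature before parsing, then policy, then the digest.
func Verify(pub ed25519.PublicKey, e Envelope, builder string, artifact []byte) error {
	var st Statement
	switch {
	case !ed25519.Verify(pub, e.Payload, e.Sig):
		return fmt.Errorf("bad signature")
	case json.Unmarshal(e.Payload, &st) != nil:
		return fmt.Errorf("malformed statement")
	case st.Builder != builder:
		return fmt.Errorf("builder %q not allowed by policy", st.Builder)
	case st.Artifact != Digest(artifact):
		return fmt.Errorf("artifact digest mismatch")
	}
	return nil
}

func main() {
	pub, key, _ := NewKey()
	env, _ := Attest(key, Statement{"build", "ci-runner-1", Digest([]byte("demo"))})
	fmt.Println(Verify(pub, env, "ci-runner-1", []byte("demo")), Verify(pub, env, "ci-runner-1", []byte("x")))
}
```

Because `Attest` depends only on the `crypto.Signer` interface, an HSM-backed signer can replace the in-memory key without changing the pipeline code that requests signatures.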
Tackling the roadblocks
Being able to automate the workflow of code signing and securing keys can ensure that standards for SSC security are being met, while also not slowing down the CI/CD process with manual code signing workflows. Venafi CodeSign Protect allows organizations to handle these needs in multiple ways:
- Set up and enforce policies within the platform such as who approves requests, who can access keys and certificates, and what code signing tools can be used. With role-based access, users are set up to access only what they need for their role, and automated workflows for code signing can be established.
- Secure private keys in the Venafi Trusted Vault or connected HSM to ensure code signing keys never leave secured, encrypted storage, even during a code signing operation.
- Monitor all code signing activities for compliance and audit reporting.
- Continue with CI/CD workflows used today with the ability to use the same tools used by DevOps. Plug directly into native code signing tools for an automated code signing service to eliminate the hassle of DevOps separately managing and requesting code signing certificates.
Integrating SSC security into CI/CD pipelines is critical to protecting the security of an enterprise. While this fast-moving process provides immense value in getting application updates out quickly, it also presents an attack vector for malicious actors. Understanding and implementing the recommendations from NIST SP 800-204D can help secure the CI/CD pipeline. That work starts with a focus on being able to specify build policies, enforce them, and attest that those policies have been adhered to with proper code signing. Ensuring that attestations are secure and do not slow down the CI/CD pipeline means utilizing automatic workflows for code signing and being able to store those keys in a trusted vault.
How secure is your code signing process?
With CodeSign Protect, organizations can balance both needs, providing secure access to signing identities with role-based access policies, and securing keys in a centralized location.