The research was compiled by Cider Security along with experts from Netflix, Atlassian, Mozilla, Lemonade Insurance, Rapid7, Databricks, and the former CISOs of Twitter and LivePerson
[Tel Aviv, Israel – March 16, 2022] – Researchers from Cider Security, the world’s first AppSec Operating System, today published a new research report, “Top 10 CI/CD Security Risks”, detailing the major security risks to the CI/CD (Continuous Integration/Continuous Delivery) ecosystem.
“CI/CD environments, processes, and systems are the beating heart of any modern software organization. They bring great opportunities and advantages to engineering, but introduce an equal amount of opportunities for adversaries, which are targeting CI/CD as an efficient way to access the crown jewels of every organization – their production environment,” said Daniel Krivelevich, Co-Founder and CTO of Cider Security. “We developed this to help defenders have a better understanding of their evolving attack surface, and spark the much-needed discussion around the relevant preventative measures required to optimize CI/CD security”.
This research report serves as a guide to defenders, helping them identify and minimize CI/CD security risks by providing a breakdown of today’s most prominent attack vector as well as tips for mitigation. It was compiled on the basis of extensive research based on analysis of hundreds of CI/CD environments, discussions with industry experts, and publications of security incidents and security flaws within the CI/CD security domain.
The risks outlined are:
CICD-SEC-1: Insufficient Flow Control Mechanisms
CICD-SEC-2: Inadequate Identity and Access Management
CICD-SEC-3: Dependency Chain Abuse
CICD-SEC-4: Poisoned Pipeline Execution (PPE)
CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
CICD-SEC-6: Insufficient Credential Hygiene
CICD-SEC-7: Insecure System Configuration
CICD-SEC-8: Ungoverned Usage of 3rd Party Services
CICD-SEC-9: Improper Artifact Integrity Validation
CICD-SEC-10: Insufficient Logging and Visibility
This research report was created in collaboration with global industry experts across multiple verticals and disciplines, including Michael Coates, former CISO at Twitter, Adrian Ludwig, Chief Trust Officer at Atlassian, Astha Singhal, Director of Information Security at Netflix, Jonathan Claudius, Director of Security Assurance at Mozilla, Jonathan Jaffe, CISO at Lemonade Insurance, Ron Peled, Founder & CEO at ProtectOps, Travis McPeak, Head of Product Security at Databricks, Ian Amit, Advisory CSO at Rapid7, and others.
You can access the full research report here.
About Cider Security
Cider Security is a first-of-its-kind AppSec Operating System that provides Security and Engineering teams a single, consistent method to orchestrate and implement end-to-end CI/CD security through a single, unified platform. The company takes a holistic approach to the security of the engineering processes and systems, from code to deployment. It establishes a comprehensive Technical DNA of the engineering environment, giving Security teams the transparency and visibility needed to optimize AppSec and achieve full resilience. Founded in late 2020 by cybersecurity industry veterans, Guy Flechter and Daniel Krivelevich, Cider Security’s mission is to solve the most commonly encountered challenges CISOs and security engineers face today. For more information, visit www.cidersecurity.io/.
Press Contact
Raanan Loew
IL:+972 54 467 6317
US:+1 347 897 9276
UK:+44 203 769 2689