Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New CS proposal: CI/CD Security #1262

Closed
EbonyAdder opened this issue Dec 15, 2023 · 5 comments · Fixed by #1268
Closed

New CS proposal: CI/CD Security #1262

EbonyAdder opened this issue Dec 15, 2023 · 5 comments · Fixed by #1268
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.

Comments

@EbonyAdder
Copy link
Contributor

What is the proposed Cheat Sheet about?

This cheatsheet would cover topics related to CI/CD security, including common vulnerabilities, potential impact, and mitigations.

What security issues are commonly encountered related to this area?

Secrets (mis)management, access control, misconfiguration, lack of monitoring and visibility, lack of integrity validation,etc.

What is the objective of the Cheat Sheet?

The objective of this cheatsheet is to highlight common security risks in CI/CD processes and technologies and provide recommended responses to reduce risks.

What other resources exist in this area?

Please let me know if you need more details. I haven't put together an outline of example content yet, but can do so if there is sufficient interest.
@EbonyAdder EbonyAdder added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet. labels Dec 15, 2023
@jmanico
Copy link
Member

jmanico commented Dec 15, 2023

I think this is a fantastic idea!

@szh szh added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Dec 15, 2023
@szh
Copy link
Collaborator

szh commented Dec 15, 2023

Agreed, love the idea. Do you want to work on an outline?

@EbonyAdder
Copy link
Contributor Author

Thanks for the feedback and sorry for the delay. Here is a rough outline:

Introduction

Explain purpose of cheatsheet, scope, etc.

Background and Definition

Although I assume the audience will be at least somewhat familar with CI/CD concepts, I think it would be beneficial to explcitly (but briefly) define what is meant by CI/CD in the context of this CS since different individuals may include different components within the umbrella "CI/CD" concept.

Understanding CI/CD Risk

Will provide a high-level overview of how hackers can exploit CI/CD tools and processes, why CI/CD pipelines can be such an appealing target to attackers, and attack surface.

Secure Configuration

Will focus on secure configuration of repositroies and tools such Jenkins. Addresses issues raised in CICD-SEC-1, CICD-SEC-4, and CICD-SEC-7.

Branch and Repository Management

Trigger and Step Configuration

Execution Node and Environment Management

IAM

Will map primarily to CICD-SEC-2, CICD-SEC-5, and CICD-SEC-6.

Secrets Management

Least Privilege

Identity Lifecycle Management

Managing Third-Party Code

Will map primarily to CICD-SEC3 and CICD-SEC-8.

Dependency Management

Plug-In and Integration Management

Integrity Assusrance

Will map primarily to CICD-SEC-9.

Visibility and Monitoring

Will map primarily to CICD-SEC-10

Logging

Anomaly Detection

@jmanico
Copy link
Member

jmanico commented Dec 20, 2023 via email

@szh
Copy link
Collaborator

szh commented Dec 20, 2023

Nice. The next step is to create a draft PR and start working on it! That way others can review and add suggestions as you go.

@szh szh removed the HELP_WANTED Issue for which help is wanted to do the job. label Dec 20, 2023
@EbonyAdder EbonyAdder mentioned this issue Dec 30, 2023
Merged
8 tasks
@szh szh linked a pull request Jan 2, 2024 that will close this issue
Create CI/CD cheatsheet #1268
Merged
8 tasks
@szh szh closed this as completed in #1268 Jan 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Create CI/CD cheatsheet EbonyAdder/CheatSheetSeries
3 participants
@jmanico @szh @EbonyAdder