Virtualization Technology News and Information
VMblog Expert Interview: Securing the pipelines with the pipelines - Checkov introduces developer-first CI/CD security


Bridgecrew has introduced some big updates to their open source project Checkov, related to CI/CD and supply chain security more broadly. To find out more, VMblog spoke with Guy Eisenkot, Sr. Director of Product at Bridgecrew by Prisma Cloud.

VMblog:  Can you start by explaining the importance of CI/CD security and why Checkov is introducing these new policies now?


Guy Eisenkot: CI/CD adoption has grown significantly - almost half of all developers use CI/CD delivery platforms. In order to operate, these tools necessarily have to act in risky ways, such as having privileged access to run tests and deployments. Some recent high-profile attacks (e.g., Codecov) and threat research show the impact one compromise can have on an organization and its end customers. Good posture for your CI/CD pipelines is the starting point for ensuring that simple entry points for exfiltration or code injection aren't left open to attackers.

VMblog:  How does CI/CD security tie into the broader picture of the entire supply chain?

Eisenkot: CI/CD security is an essential part of software supply chain security. The standard layout of a supply chain is:
  • All of the inputs that make up the software code (e.g., open-source packages, infrastructure as code, custom code)
  • The place where code is versioned and stored (i.e., version control systems)
  • The CI/CD pipelines to build, test, merge, and deploy code
  • The runtime environment that runs the software

Each of these components is critical to secure. You can have the most secure software inputs with thorough automated and manual security reviews, but a compromised CI/CD pipeline could negate all of that. One stolen API token could mean bad actors could own your supply chain and inject malicious code wherever they want.

That's also why we're starting to see new supply chain benchmarks like SLSA and the CIS Software Supply Chain Security Guide released that include policies for both version control systems like GitHub and CI/CD systems like GitHub Actions.

VMblog:  What is the role of developers in making sure the pipelines are secure?

Eisenkot: In a DevOps world, developers are often tightly involved in or create their own CI/CD pipelines. Developers know what compromises they had to make for their testing suite to work and how to resolve security issues without breaking their builds. As critical as it is to secure CI/CD pipelines, you don't want to make security lockdowns in a vacuum that can cause unexpected blockers. For example, if a developer goes to merge a hotfix only to find they are blocked by a policy or change they didn't know about.

On the flip side, working with developers and DevOps teams to secure their pipelines using their existing tools is a huge advantage. Rather than taking a purely security-centric or top-down approach to securing the pipelines that make up supply chains, embedding policies into the very builds you're protecting is a great way to get continuous, automated coverage much like IaC or open source security scanning.

VMblog:  The new CI/CD security policies work across a number of partners including GitHub and CircleCI. Did custom policies need to be written for each partner separately?

Eisenkot: When we developed these policies, we found a number of differences between providers. Oftentimes it came back to the flexibility versus security debate we see in the software world. Some vendors lock down their CI/CD pipeline options such that secrets exfiltration is not possible through code injection. They do this at the cost of usability, making it harder for pipelines to leverage secrets or for testing on changes to the pipeline before merging a pipeline configuration update. Others are on the opposite end of the spectrum where they run in fully self-managed, completely configurable Kubernetes environments. This is great for flexibility, but opens a lot more doors for compromise and thus policies.

VMblog:  Can you let the readers know some of the policies that will be coming out of the box for Checkov users?

Eisenkot: Here are a few policies that were included in most of the provider checks: 
  • Preventing the use of deprecated commands/beta features
  • Preventing run commands that are vulnerable to shell injection
  • Preventing the use of curl with secrets (secrets exfiltration)
  • Blocking privileged workflow pods
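
Two of the policies listed above, shell injection in run commands and curl used with secrets, sketched as a check over a GitHub Actions workflow file. This is an added example, not part of the interview and not Checkov's own code; the rule names, the `run_lines` and `scan_workflow` helpers, the regex heuristics and the sample workflow are assumptions made for illustration.

```python
import re

# Constructed sample workflow (not from the interview or from Checkov).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title is ${{ github.event.pull_request.title }}"
      - name: Upload report
        run: |
          make report
          curl -H "Authorization: ${{ secrets.API_TOKEN }}" https://example.invalid/upload
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title is $TITLE"
"""

# Heuristics (assumptions): attacker-influenced contexts and secrets expressions.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")
SECRET = re.compile(r"\$\{\{\s*secrets\.")
CURL = re.compile(r"\bcurl\b")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def run_lines(text):
    """Yield (line_number, shell_text) for each line that belongs to a run: step."""
    block_indent = None  # column of the run: key while inside a | or > block
    for no, line in enumerate(text.splitlines(), 1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedent closes the block scalar
            else:
                yield no, line.strip()
                continue
        m = RUN_KEY.match(line)
        if m and m.group(2)[:1] in ("|", ">"):
            block_indent = len(m.group(1))
        elif m and m.group(2):
            yield no, m.group(2)

def scan_workflow(text):
    """Return (line_number, rule) findings; rule names are hypothetical."""
    findings = []
    for no, cmd in run_lines(text):
        if UNTRUSTED.search(cmd):  # expression is expanded before the shell runs
            findings.append((no, "shell-injection"))
        if CURL.search(cmd) and SECRET.search(cmd):
            findings.append((no, "curl-with-secret"))
    return findings
```

The third step in the sample is not flagged because the pull request title reaches the shell through an environment variable instead of being expanded into the command text.
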
Published Wednesday, August 03, 2022 9:00 AM by David Marshall