[CDP-development] CISA and NSA Help Organizations Defend Their CI/CD Environments
Masse, Theresa
theresa.masse at cisa.dhs.gov
Wed Jun 28 10:50:17 PDT 2023
FYSA
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) published a joint Cybersecurity Information Sheet <https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF> (CSI) titled, “Defending Continuous Integration/Continuous Delivery Environment,” which can help organizations improve their defenses in cloud implementations of development, security, and operations (DevSecOps). Specifically, this joint guide explains how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, without regard for the specific tools being adapted.
The CI/CD environment is a development process for quickly building and testing code changes that helps organizations maintain a consistent code base for their applications while dynamically integrating code changes. Also, it is a key part of the development, security, and operations (DevSecOps) approach that integrates security and automation throughout the development lifecycle.
Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one are both critical to securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.
The recommended actions for securing a CI/CD pipeline include applying mitigations into the development process, development environment, and authentication and access phases, which are outlined in detail in this guide. Organizations should be aware that applying a zero trust approach, where no user, endpoint device, or process is fully trusted, will help detect and prevent successful compromise by a malicious cyber actor.
Read the joint CSI <https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF> for a complete overview of the security risks, attack surface, as well as recommended mitigations to protect against this threat.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov