Joint Cybersecurity Information Sheet – Defending Continuous Integration/Continuous Delivery Environments

Created: Thursday, June 29, 2023 - 14:42
Categories: Cybersecurity

Yesterday, CISA and the National Security Agency (NSA) published a joint Cybersecurity Information Sheet (CSI), Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, to help organizations improve their defenses in cloud implementations of development, security, and operations. Specifically, the guide explains how to integrate security best practices into typical software development and operations CI/CD environments, without regard for the specific tools being adapted.

The CI/CD environment is a development process for quickly building and testing code changes that helps organizations maintain a consistent code base for their applications while dynamically integrating code changes. It is also a key part of the development, security, and operations (DevSecOps) approach, which integrates security and automation throughout the development lifecycle. Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical to securing a CI/CD environment. Network defenders can reference a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.

The recommended actions for securing a CI/CD pipeline include applying mitigations to the development process, development environment, and authentication and access phases, which are outlined in detail in this guide. The reporting agencies encourage organizations to read the joint CSI for a complete overview of the security risks, attack surface, and recommended mitigations to protect against this threat. Access the full guide at the NSA here.