T0122 - Vulnerability in third-party CI/CD actions
The use of 3rd party Github actions is very common. Similar to using 3rd party libraries this can also introduce security risks - a malicious Github action has access to very sensitive information - i.e exfiltrating environment variables, including backdoors or malware in source code, infecting build artifcats.
Tactic: Initial Access
Summary: Vulnerability in third-party CI/CD actions
Store credentials in vault
Use only trusted third-party Github actions from reputable sources
Using only trusted third-party Github actions from reputable sources is an important security practice that reduces the risk of vulnerabilities in the CI/CD pipeline. Reputable sources include established Github action providers with a history of creating high-quality, secure actions. Organizations can verify the reputation of a third-party Github action by researching the provider, reviewing their Github action repositories, and checking for reported security issues.
Review the Github action source code
Reviewing the Github action code and checking if it has been audited or reviewed by security experts is an important security practice to reduce the risk of vulnerabilities in the CI/CD pipeline. By inspecting the code and checking if it has been audited, organizations can identify potential security issues and increase their confidence in the security of the Github action.
Limit the permissions granted to third-party Github actions
Limiting the permissions granted to third-party Github actions to only the necessary access required for the task is a security practice that can reduce the risk of vulnerabilities in the CI/CD pipeline. This involves evaluating the required permissions of each action and granting access on a least privilege basis, meaning that only the minimum level of access required for the intended task is granted. By limiting permissions, organizations can reduce the risk of unauthorized access or exposure of sensitive data, thereby improving the overall security of the CI/CD pipeline.
Implement regular security audit and review
Conduct regular security audits and vulnerability assessments of your systems and storages configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.
Implement penetration testing
Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.
Implement vulnerability assesment
Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
Implement continuous monitoring and logging of the CI/CD process
Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.