ATT&CK-like Threat Matrix for CI/CD Pipeline on GitHub:
Place: CODE BLUE 2021 OpenTalks at Tokyo
Presenter: Hiroki SUEZAWA (https://www.suezawa.net)
With the popularization of Dev(Sec)Ops, the CI/CD (Continuous Integration and Delivery) environment is becoming more and more common in modern application development and infrastructure management. On the other hand, the security of the CI/CD pipelines itself has not been focused on as much as it should be from security perspective.
In 2021, Mercari have been affected by a supply chain attack caused by the use of CodeCov, which allowed an intrusion into the CI/CD pipelines.
The purpose of this presentation is to share a comprehensive summary of both the attack methods often used against CI/CD pipelines and our insights in securing the CI/CD infrastructure. While we acquired some of this knowledge the hard way -- through direct incident response, we hope that our experience will be useful to anyone trying to proactively improve the security posture of their CI/CD pipelines.