search

OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International
27.75k stars 3.89k forks source link

New CS proposal: CI/CD Security #1262

Closed EbonyAdder closed 9 months ago

EbonyAdder commented 9 months ago

What is the proposed Cheat Sheet about?

This cheatsheet would cover topics related to CI/CD security, including common vulnerabilities, potential impact, and mitigations.

What security issues are commonly encountered related to this area?

Secrets (mis)management, access control, misconfiguration, lack of monitoring and visibility, lack of integrity validation,etc.

What is the objective of the Cheat Sheet?

The objective of this cheatsheet is to highlight common security risks in CI/CD processes and technologies and provide recommended responses to reduce risks.

What other resources exist in this area?

Please let me know if you need more details. I haven't put together an outline of example content yet, but can do so if there is sufficient interest.

jmanico commented 9 months ago

I think this is a fantastic idea!

szh commented 9 months ago

Agreed, love the idea. Do you want to work on an outline?

EbonyAdder commented 9 months ago

Thanks for the feedback and sorry for the delay. Here is a rough outline:

Introduction

Explain purpose of cheatsheet, scope, etc.

Background and Definition

Although I assume the audience will be at least somewhat familar with CI/CD concepts, I think it would be beneficial to explcitly (but briefly) define what is meant by CI/CD in the context of this CS since different individuals may include different components within the umbrella "CI/CD" concept.

Understanding CI/CD Risk

Will provide a high-level overview of how hackers can exploit CI/CD tools and processes, why CI/CD pipelines can be such an appealing target to attackers, and attack surface.

Secure Configuration

Will focus on secure configuration of repositroies and tools such Jenkins. Addresses issues raised in CICD-SEC-1, CICD-SEC-4, and CICD-SEC-7.

Branch and Repository Management

Trigger and Step Configuration

Execution Node and Environment Management

IAM

Will map primarily to CICD-SEC-2, CICD-SEC-5, and CICD-SEC-6.

Secrets Management

Least Privilege

Identity Lifecycle Management

Managing Third-Party Code

Will map primarily to CICD-SEC3 and CICD-SEC-8.

Dependency Management

Plug-In and Integration Management

Integrity Assusrance

Will map primarily to CICD-SEC-9.

Visibility and Monitoring

Will map primarily to CICD-SEC-10

Logging

Anomaly Detection

jmanico commented 9 months ago

I like this direction 👍🏼

szh commented 9 months ago

Nice. The next step is to create a draft PR and start working on it! That way others can review and add suggestions as you go.