Addressing large enterprise and government agencies, the UK’s National Cyber Security Center (NCSC) has issued a warning that attacks on a software build pipeline “can have wide-reaching impact”.
The compromise of SolarWinds’s updates, which the US says was “likely” carried out by Russian hackers as part of a broader campaign, has put the software supply chain and software development processes in the spotlight. It wasn’t the first software supply chain attack, but Microsoft has called it the “largest and most sophisticated attack the world has ever seen”.
NCSC doesn’t mention SolarWinds, but notes that the software build process is often “overlooked” despite broad awareness of security for software developers.
SEE: Security Awareness and Training policy (TechRepublic Premium)
It says that the automation of software development through continuous integration and continuous delivery (CI/CD), a popular development approach with regular updates that has built-in security checks, can be a good way of securing the software pipeline.
“It’s crucial that the pipeline is well-defended, and that it protects each build from other builds in the pipeline,” says NCSC.
The key message here is to ensure that different builds are sufficiently isolated from one another to ensure that if other systems are compromised, at least each build is shielded from the other.
Organizations taking advantage of software development automation also need to ensure the processes can demonstrably enforce the security checks have taken place – or those checks won’t be worth much, it says.
Attackers that compromise the software development pipeline can: add malicious code to the software that was built and deployed by that pipeline; access any secrets used by the pipeline; and potentially gain access to other source code repositories and environments.
“The pipeline needs to be defended against attack at least as effectively as the environments it deploys to,” NCSC notes.
Its recommendations are broadly in line with Microsoft, Google, and the NSA. These include using multi-factor authentication, designing system access with the principle of least privilege, and using network security and monitoring for attacks.
But NCSC also has advice on how organizations should select virtual machines for development work.
“Performing each build in a single-use virtual machine will make it very hard for one build to attack another using shared hardware (like the CPU), whereas two builds sharing an OS kernel will have many more ways to interfere with each other,” NCSC notes.
“If a build can access stored information on other builds (such as their source code or build artefacts), then it may be able to steal secrets or modify those builds.”
As far as being able to prove the integrity of a software build, NCSC warns companies to ensure the use of in-transit encryption for code fetched from a code repository and when build artifacts are sent to the artifact repository, as well as when being deployed to the final environment.
Finally, organizations should use cryptographic checksums to record the data processed by the pipeline.