866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Penetration Testing a CI/CD Pipeline: How to Use a Holistic Approach Blog Feature
Loic Duros

By: Loic Duros

Print/Save as PDF

Penetration Testing a CI/CD Pipeline: How to Use a Holistic Approach

Penetration Testing

When a software production company requests a security assessment of its Continuous Integration (CI) and Continuous Delivery (CD) pipeline, they usually want an evaluation of the strength of its existing security measures and identification of potential security risks associated with the different components involved in storing, updating, building, and deploying their application.

As very experienced penetration testers, we get requests for this sort of thing a lot, and as such, we’ve built up a methodology that examines the entire range of elements within a CI/CD pipeline that enables a variety of broad attack paths that can be employed to compromise its integrity.

Our holistic methodology takes into account this heterogeneous landscape, and in this article, we’re going to detail how you too can take different perspectives during a penetration test of a CI/CD pipeline to ensure a more comprehensive security assessment.

What are the Components of a CI/CD Pipeline?

But before we get into the process, let’s ensure we understand the aforementioned “range of elements” that make up a CI/CD pipeline, as this understanding is a first step in devising an offensive plan.

Continuous Integration and Continuous Delivery are broad terms used to describe systems that automate the process of software development, build, and delivery to customers. While implementations vary, a CI/CD pipeline usually features the following:

Source Code Repository

Details: Because this is a crucial target and a significant attack surface available to the penetration tester, the repository's hosting environment—whether on-premise, cloud-based, or Software-as-a-Service (SaaS)—can significantly influence the attack techniques employed during the test.
(You can also assess the version control tool itself for known or unknown vulnerabilities.)
Examples: GitHub, Gitlab, Bitbucket, etc.

CI Platforms

Details: As another critical component of the pipeline, the CI platform, build server, and its underlying build software, are together responsible for managing and executing the build stage of the final product, but the dependencies used to do so introduce another layer that could be compromised through supply-chain attacks.
(The attack vectors for this category will vary depending on the type of hosting and technology stack in use.)
Examples: Travis CI, CircleCI, Jenkins, and other cloud-based CI solutions.

Container Repositories and Registries

Details: While these play a more static role in the delivery phase of the pipeline, they’re nonetheless a major component as they’re responsible for storing and managing the container images that make up the final product.
(This stage of the pipeline may be vulnerable to tampering if safeguards are not in place.)
Examples: Docker Hub, AWS Elastic Container Registry (ECR).

Infrastructure as a Service (IaaS) Provider

Details: Responsible for the underlying infrastructure on which the pipeline runs, these are leveraged by the pipeline's various other components and include the following within the IaaS provider:

  • Virtual machines
  • Storage
  • Networking

Examples: Amazon Web Services, Google Cloud Platform, or a self-hosted solution like OpenStack.

Questions to Answer During a Penetration Test of a CI/CD Pipeline

 

As we said, this diverse range of components used in the CI/CD pipeline, as well as their interactions with one another, creates a heterogeneous landscape enabling many possible attacks.

That’s why, when you’re engaged to assess these elements within an organization’s CI/CD pipeline implementation, you may be tasked with concretely answering the following security-related questions involving the aforementioned components and regarding the following elements:

  • Intellectual Property: Are measures in place to safeguard source code from unauthorized access or unintentional code leaks?
  • Sensitive Environment Variables and Secrets (e.g., API Keys, Private Keys, Account Credentials): Are they securely stored in source code repository configurations, Jenkins instances, cloud storage, and vaults?
  • Unit Test Suites: Can the development credentials, or any other developmental or QA stage processes they’re using be leveraged to execute unexpected attacks?
  • Version-Controlled Code and Repository Branches: Can these be tampered with, leading to the propagated compromise of the corresponding application builds?
  • Upstream Packages, Dependencies, and Other Trusted Sources: Can the pipeline be affected by a software supply chain attack initiated from these angles?
  • Roles and Permissions for Users with Varying Levels of Access to Code Infrastructure: Have the CI platform, container repository, and cloud infrastructure, been designed with adequate controls to avoid any gaps or authorization vulnerabilities?

CI/CD Pipeline Penetration Test Methodology

To successfully answer and address these, the methodology we use at Schellman in conducting a CI/CD pipeline penetration test involves elements and areas of expertise inherited from other attack vectors, such as our assessments of:

To best conduct a comprehensive penetration test of a CI/CD pipeline, multiple levels of access should ideally be granted within the environment. Such levels could be designed with the following scenarios:

Perspective

Goals

As an attacker outside the company

Apply external network penetration testing techniques with goals such as:

  • Determining if any of the CI/CD pipeline components are public-facing and bypassing authentication required for any of them
  • Gaining unauthorized access to the internal environment hosting the CI/CD pipeline
  • Identifying vulnerable elements within either the CI/CD pipeline components or the supply chain and software ecosystem to gain a foothold into the infrastructure

As a malicious internal employee or contractor without access to the pipeline

Apply internal network penetration testing techniques apply with goals such as:

  • Gaining unauthorized access to any of the components of the CI/CD pipeline using only general in-house credentials
  • Stealing sensitive information or source code from the pipeline by abusing internal company access privileges
  • Disrupting the pipeline's availability by intentionally causing errors or delays in the build and delivery process

As an attacker from within the development team

Apply web application penetration testing techniques with goals such as:

  • Escalating privileges from those of a developer with read-only permissions on the main production branch to those of a repository owner
  • Tricking the system or other employees into approving and merging pull requests to the main production branches and injecting malicious code into the application
  • Tampering with critical repository settings and configurations through authorization bypass or logic flaws
  • Identifying known vulnerabilities or zero-day bugs within the user interfaces and systems available to the developer and attempting to compromise the pipeline through privilege escalation or propagated attacks

As an attacker from within the DevOps team

Apply cloud security penetration testing and security review techniques with goals such as:

  • Bypassing elevated security controls (e.g., multi-factor authentication (MFA))
  • Forging, disabling, or reducing the effectiveness of security configurations, controls, and monitoring processes, including audit logs and alerting systems designed to detect such attacks
  • Tampering with formal change management processes in place, or with business continuity and disaster recovery processes

Interested in Learning More?

CI/CD pipelines are often critical to the success of software developers, and keeping every element secure is of paramount importance. A penetration test of a pipeline is a good start, but to ensure every gap is found, the tester(s) must take a holistic approach to the evaluation—like the one we’ve just laid out.

By examining the elements from multiple levels of privileges, a penetration test can identify weaknesses in a company's ability to protect the CI/CD pipeline from both outsider and insider threats, as well as provide remediation suggestions to better protect this critical business asset.

For more insight into helpful penetration testing techniques, check out our other articles detailing several different methods to different concepts that our team has developed and put to use:

 

About Loic Duros

Loic Duros is a Manager with Schellman. Prior to joining Schellman in 2020, Loic worked as a Senior Security Engineer specialized in application security. As a Senior Associate with Schellman, Loic Duros is focused on Penetration Testing.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.