Continuous Integration and Continuous Deployment (CI/CD) are the core of modern development lifecycles. But while these practices can significantly improve developer productivity, they can also be exploited by attackers, and are often overlooked in traditional IT health checks or penetration tests.
The exact steps will vary depending on the specifics of the environment, but will typically include:
- Working with the team to understand the existing CI/CD and secure development practices.
- Configuration review of the source code repositories, including key areas like repository and branch permissions, pull request approvals and deployment gateways.
- Reviews of the configured CI/CD pipelines.
- Build and configuration reviews of the CI/CD servers and agents.
- Attempts to subvert any existing security controls and approval processes.
- Attempts to run malicious pipelines under the context of a normal user.
- Attempts to escalate privileges or move laterally within the environment using the pipelines.