{"id":5713,"date":"2018-07-12T11:12:13","date_gmt":"2018-07-12T10:12:13","guid":{"rendered":"https:\/\/ee.yelkdev.site\/?p=5713"},"modified":"2024-12-12T12:20:37","modified_gmt":"2024-12-12T12:20:37","slug":"securing-the-production-line","status":"publish","type":"post","link":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/","title":{"rendered":"Securing the production line"},"content":{"rendered":"<p class=\"p3\"><span class=\"s1\">In <a href=\"https:\/\/www.equalexperts.com\/blog\/our-thinking\/rethinking-production-systems\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s2\">my previous post<\/span><\/a>, I explained how the security of your production line is intrinsic to the security of the product you\u2019re building. This post picks up on that theme by exploring some practical steps you can take to improve the security of your pipeline.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">While each production line has its idiosyncrasies, most modern CI\/CD pipelines are fairly similar at a high level. We tend to see a number of core commonalities, such as development environments, source control systems, CI servers, artefact repositories, deployment tooling, etc.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">Each of these tools introduces its own set of security challenges. For example, CI servers often store sensitive credentials to access source repositories, artefact repositories, and cloud infrastructure APIs. 
These tools wield great power; in the wrong hands, that can be quite disastrous.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">As <a href=\"https:\/\/code.fb.com\/security\/in-pursuit-of-secure-open-source-software\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">Facebook describes<\/span><\/a> of its\u00a0<a href=\"https:\/\/osquery.io\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">osquery<\/span><\/a> host visibility tool:<\/span><\/p>\n<blockquote>\n<p class=\"p5\"><span class=\"s1\"><i>Even when developers think about the security implications of the software they create, it&#8217;s important to bake security into the complete software development, build, and distribution pipeline. [..] If we were to assume the codebase itself is secure, the ability to arbitrarily modify the behavior of packaging hosts could still enable malicious behavior. That&#8217;s why we also invest in the security of our build and packaging infrastructure.<\/i><\/span><\/p>\n<\/blockquote>\n<h3 class=\"p6\"><span class=\"s1\">What can go wrong?<\/span><\/h3>\n<p class=\"p4\"><span class=\"s1\">With <a href=\"https:\/\/www.theverge.com\/2017\/6\/27\/15883110\/petya-notpetya-ransomware-software-update-wannacry-exploit\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">software updates being \u2018weaponized\u2019 to deliver ransomware<\/span><\/a> and <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/06\/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">backdoored Docker images being used for cryptocurrency mining<\/span><\/a>, there\u2019s clearly no limit to criminal ingenuity\u2026 or as Frank Abagnale puts it: \u201ctechnology breeds crime\u201d. 
While these stories made the headlines, there are many more that don\u2019t.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">The prevalence of <a href=\"https:\/\/emtunc.org\/blog\/01\/2018\/research-misconfigured-jenkins-servers\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">insecure build servers<\/span><\/a> publicly exposed to the internet is crying out for attention, much like last year\u2019s series of insecure internet-facing NoSQL databases <a href=\"https:\/\/blog.shodan.io\/its-the-data-stupid\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">warned about two years prior<\/span><\/a>. Although NoSQL database insecurity isn\u2019t directly related to pipeline security, it hints at a similar problem &#8211; a lot of software tends to be installed, but not correctly configured or operated. Keeping in mind that most software is not secure by default, this can expand your organisation\u2019s attack surface quite significantly.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">In business terms, the cost of these issues is often paid in damaged reputations, intellectual property loss, financial loss, and the risk of compromise deeper within the organisation, as CI systems are prime candidates as beachheads from which to launch further attacks.<\/span><\/p>\n<h3 class=\"p6\"><span class=\"s1\">What can you do about it?<\/span><\/h3>\n<p class=\"p4\"><span class=\"s1\">Firstly, <span class=\"s3\">don\u2019t run builds on Jenkins master<\/span>. It\u2019s trivial to circumvent security controls in Jenkins if you\u2019re able to control a build that runs on master, so ensure that all builds execute on slaves. This was <a href=\"https:\/\/www.youtube.com\/watch?v=nBR7Kru6JX0\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">demonstrated a few years ago at DEF CON 22<\/span><\/a>.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">If you\u2019re still running an old version of Jenkins, consider upgrading. 
Aside from the <a href=\"https:\/\/developers.redhat.com\/blog\/2017\/06\/19\/its-tuesday-jenkins-is-down\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">importance of keeping in line with the latest security fixes<\/span><\/a>, Jenkins 2.x ensures that <a href=\"https:\/\/jenkins.io\/doc\/book\/managing\/security\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">security options are enabled by default<\/span><\/a>, meaning that many obvious weaknesses (e.g. default admin credentials, lack of CSRF protection) are avoided in the design and development of the product. This does not mean there\u2019s nothing for you to do &#8211; it just means you\u2019re starting out in a much better position.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">It\u2019s also worth considering how you can ensure the provenance of the code that runs in production (or gets shipped to your users via app stores). Can you be sure that the packaged artifact you\u2019re deploying has not been modified in any way since it was created? Can you trace it back to a particular tag in your source repository? Can you track all the commits that make up that tag to individual contributors? Can you be sure that those contributors genuinely produced the code within those commits? <\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">One potential solution to address these concerns lies in cryptographic signatures and verifications. GitHub supports <a href=\"https:\/\/blog.github.com\/2016-04-05-gpg-signature-verification\/\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">GPG signed commits and tags<\/span><\/a>, and similar concepts can be used to sign binary packages that are produced as the result of a build. 
And don\u2019t forget to validate the signatures.<\/span><\/p>\n<p class=\"p4\"><span class=\"s1\">All the above are fairly specific pointers, but the starting point for many teams is to recognise the build system as a true production system that warrants the same degree of attention as any live environment. That includes monitoring, alerting, patching, secrets management, secure communications channels, access control, changing default credentials, and on the list goes. A threat model goes a long way to identifying many of these issues and ensuring they are handled appropriately in your context.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post, I explained how the security of your production line is intrinsic to the security of the product you\u2019re building. This post picks up on that theme by exploring some practical steps you can take to improve the security of your pipeline. While each production line has its idiosyncrasies, most modern CI\/CD [&hellip;]<\/p>\n","protected":false},"author":76,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[3],"tags":[],"location":[397],"class_list":["post-5713","post","type-post","status-publish","format-standard","hentry","category-tech-focus"],"acf":[],"yoast_head_json":{"title":"Securing the production line | Equal Experts","description":"The security of your production line is intrinsic to the security of your product. Follow these practical steps to improve the security of your pipeline.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/","og_locale":"en_GB","og_type":"article","og_title":"Securing the production line","og_description":"The security of your production line is intrinsic to the security of your product.
Follow these practical steps to improve the security of your pipeline.","og_url":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/","og_site_name":"Equal Experts","article_published_time":"2018-07-12T10:12:13+00:00","article_modified_time":"2024-12-12T12:20:37+00:00","og_image":[{"width":1170,"height":720,"url":"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2018\/07\/production_line_main.jpg","type":"image\/jpeg"}],"author":"Stuart Gunter","twitter_card":"summary_large_image","twitter_title":"Securing the production line","twitter_creator":"@EqualExperts","twitter_site":"@EqualExperts","twitter_misc":{"Written by":"Stuart Gunter","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/#article","isPartOf":{"@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/"},"author":{"name":"Stuart Gunter","@id":"https:\/\/www.equalexperts.com\/#\/schema\/person\/5a21b96defd660dd42e1692ce9f7ff88"},"headline":"Securing the production line","datePublished":"2018-07-12T10:12:13+00:00","dateModified":"2024-12-12T12:20:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/"},"wordCount":741,"publisher":{"@id":"https:\/\/www.equalexperts.com\/#organization"},"articleSection":["Tech Focus"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/","url":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/","name":"Securing the production line | Equal Experts","isPartOf":{"@id":"https:\/\/www.equalexperts.com\/#website"},"datePublished":"2018-07-12T10:12:13+00:00","dateModified":"2024-12-12T12:20:37+00:00","description":"The security of your production line is intrinsic to the security of your product. 
Follow these practical steps to improve the security of your pipeline.","breadcrumb":{"@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.equalexperts.com\/blog\/tech-focus\/securing-the-production-line\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.equalexperts.com\/"},{"@type":"ListItem","position":2,"name":"Securing the production line"}]},{"@type":"WebSite","@id":"https:\/\/www.equalexperts.com\/#website","url":"https:\/\/www.equalexperts.com\/","name":"Equal Experts","description":"Making Software. Better.","publisher":{"@id":"https:\/\/www.equalexperts.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.equalexperts.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.equalexperts.com\/#organization","name":"Equal Experts","url":"https:\/\/www.equalexperts.com\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.equalexperts.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2018\/08\/Equal_Experts_Logo_CMYK_Colour.jpg","contentUrl":"https:\/\/www.equalexperts.com\/wp-content\/uploads\/2018\/08\/Equal_Experts_Logo_CMYK_Colour.jpg","width":719,"height":340,"caption":"Equal 
Experts"},"image":{"@id":"https:\/\/www.equalexperts.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/EqualExperts","https:\/\/www.linkedin.com\/company\/equal-experts\/?viewAsMember=true"]},{"@type":"Person","@id":"https:\/\/www.equalexperts.com\/#\/schema\/person\/5a21b96defd660dd42e1692ce9f7ff88","name":"Stuart Gunter","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.equalexperts.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d595653748eebaf4ac1bf9e2abf7ddb48ce96f3bb5f6d30790d80149119dfe5e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d595653748eebaf4ac1bf9e2abf7ddb48ce96f3bb5f6d30790d80149119dfe5e?s=96&d=mm&r=g","caption":"Stuart Gunter"}}]}},"_links":{"self":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts\/5713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/users\/76"}],"replies":[{"embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/comments?post=5713"}],"version-history":[{"count":0,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/posts\/5713\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/media?parent=5713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/categories?post=5713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/tags?post=5713"},{"taxonomy":"location","embeddable":true,"href":"https:\/\/www.equalexperts.com\/wp-json\/wp\/v2\/location?post=5713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}