Improper artifact integrity validation may result in a supply chain attack in which an attacker gets access to one of the process flows in the CI/CD pipeline. This enables attackers to then insert malicious code directly into the development environment.
To better explain how companies can improve their CI/CD security, let’s start by identifying the CI/CD pipeline along with its main steps. The CI/CD pipeline is the combined practice of continuous integration and continuous deployment, cumulatively providing a fully operational system that is ready for use. A general CI/CD pipeline contains the following steps: planning the system, implementing it, testing, and finally deploying.
The main area of focus where hackers can insert malicious code is in the continuous integration cycle. This process is a continuous loop in which new code is continuously committed and merged into the original code. The chances of inserting suspicious code snippets in between will most likely occur here. Attackers can then compromise the code, leading to disastrous consequences.
With new tools and resources in the hands of attackers, the risk of supply chain attacks has never been higher. In the rest of this article, we will discuss some ways of protecting and hopefully completely eliminating the risk of improper artifact integrity validation leading to a secure supply chain through understanding CI/CD security.
Ways to Protect the Development Supply Chain
1. Validating the Integrity of the Code at Every Step
By tracking down each commit and pull request made by developers, companies can validate code integrity at every step of the supply chain. This allows companies to keep track of which developer added or removed code parts into or from the original code source. Moreover, by running a verification and validation check on each code snippet added to the source code, companies can make sure that the code meets the design requirements.
Additional precautions such as adding a unique committing signature can help improve your system’s safety by making sure that only personnel with real access can add to the original source code.
2. Keeping an Eye Open for Suspicious Behavior
By always monitoring their system’s performance at all times, organizations can keep up to date regarding any malicious behavior. In cases where such suspicious behavior is detected early on, fast and precise actions can be taken to reverse the effects immediately returning the system back to its original state.
So how can companies track their systems for suspicious behavior?
First, if a suspicious account starts violating code integrity, access must be withdrawn immediately until a clearer understanding of the issue at hand is available or the issue is completely solved. As stated earlier, the earlier the error is caught the easier it is to undo the damage with the least amount of issues. This can be achieved by reverting back to previous code versions that were deployed before the malicious code was introduced.
Another approach is adopting a vulnerability management program. Such a program will allow developers to catch system bugs early on, giving them time to patch and fix bugs as soon as they are discovered.
3. Utilizing a Software Bill of Materials (SBOM)
A bill of materials is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts, and the quantities of each needed to manufacture an end product.
While BOMs are more commonly used for real-life physical objects, a similar concept known as SBOMs is implemented in the software world in which the origin of every code snippet added can be traced back to its provider.
Using SBOMs, companies can keep track of all the code used in the system’s infrastructure. Moreover, SBOMs are used to track open-source or third-party code that is integrated into the original code. SBOMs can also help developers keep track of which code versions they are using, making sure that older compromised versions are not being used.
Conclusion
While different companies may follow slightly different development pipelines, the concepts and ideas presented here can be replicated in most situations. It is worth noting that as it becomes more and more common for companies to release their code as open-source code, so does the risk of improper artifact integrity validation. Outside contributors can deploy unethical code into the main code source. Nowadays, companies should focus more on outside code contributions, keeping the main source code clean and safe.
In this short article, we have identified what improper artifact integrity validation is along with three measures that you can start integrating into your workflow today in order to protect against supply chain attacks.
I hope that after reading this article, you have grasped a better understanding of what improper artifact integrity validation is and the ways to stop it from affecting your supply chain system.