T0147 - Scan public CI/CD configurations for secrets and vulnerable actions

M1120

Mitigation

Mitigation Store credentials in vault Sensitive data like credentials and API tokens should not be stored directly in code.

Modern applications talk to many third-party APIs, SaaS solutions and other dependecies. This integration usually requires an API token, username & password credential or other similar variable. Sometimes these sensitive credentials include database host strings or hostnames. All of these credentials should not be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for Javascript applications that run client side as these credentials are often visible by inspecting the Javascript files running in the local browser

M1201

Mitigation

Mitigation Restrict egresss traffic in CI/CD Restrict egress traffic from the build system to authorized destinations.

This is pretty straightforward and a very feasble mitigation since a build system usually requires access to a very limited destinations. Controlling the traffic has many benifits: 1. Prevent exfiltration of sensitive information 2. Block download of packages from unauthorized package repositories 3. Block download of malware

M1660

Mitigation

Mitigation Isolate pipeline for unreviewed code Ensure that pipelines running unreviewed code are executed on isolated nodes, not exposed to secrets and sensitive environments.

For sensitive pipelines, for example those that are exposed to secrets, ensure that each branch that is configured to trigger a pipeline in the CI system has a correlating branch protection rule in the SCM. Each pipeline should only have access to the credentials it needs to fulfill its purpose. The credentials should have the minimum required privileges.

M1662

Mitigation

Mitigation Evaluate pipeline execution permissions Evaluate the need for triggering pipelines on public repositories from external contributors.

Where possible, refrain from running pipelines originating from forks, and consider adding controls such as requiring manual approval for pipeline execution.

M1720

Mitigation

Mitigation Implement regular patches and updates Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems.

They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.

D1510

Detection

Detection Implement Intrusion Detection System and anti-malware An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network.

Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.

D1520

Detection

Detection Implement endpoint detection and response system An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices.

There are several reasons why an EDR system is essential for maintaining the security of endpoints: 1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other types of attacks that may not be detected by traditional antivirus software. 2. Rapid Incident Response: EDR can help security teams to rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems can provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively. 3. Behavioral Analysis: EDR can monitor endpoint behavior to detect and alert on suspicious or anomalous activity. This helps security teams to identify and respond to threats that may be missed by traditional signature-based detection. 4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity. This helps security teams to identify potential attack vectors and take proactive measures to prevent future incidents.

D1590

Detection

Detection Implement continuous monitoring and logging of the CI/CD process Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow.

This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.