Making Secure Software Insecure without Changing Its Code: The Possibilities and Impacts of Attacks on the DevOps Pipeline

01/30/2022
by   Nicholas Pecka, et al.
0

Companies are misled into thinking they solve their security issues by using a DevSecOps system. This paper aims to answer the question: Could a DevOps pipeline be misused to transform a securely developed application into an insecure one? To answer the question, we designed a typical DevOps pipeline utilizing Kubernetes (K8s as a case study environment and analyzed the applicable threats. Then, we developed four attack scenarios against the case study environment: maliciously abusing the user's privilege of deploying containers within the K8s cluster, abusing the Jenkins instance to modify files during the continuous integration, delivery, and deployment systems (CI/CD) build phase, modifying the K8s DNS layer to expose an internal IP to external traffic, and elevating privileges from an account with create, read, update, and delete (CRUD) privileges to root privileges. The attacks answer the research question positively: companies should design and use a secure DevOps pipeline and not expect that using a DevSecOps environment alone is sufficient to deliver secure software.

READ FULL TEXT
research
10/23/2022

A Secure Design Pattern Approach Toward Tackling Lateral-Injection Attacks

Software weaknesses that create attack surfaces for adversarial exploits...
research
06/12/2023

Are Software Updates Useless Against Advanced Persistent Threats?

A dilemma worth Shakespeare's Hamlet is increasingly haunting companies ...
research
11/11/2022

An Integrity-Focused Threat Model for Software Development Pipelines

In recent years, there has been a growing concern with software integrit...
research
10/16/2019

DevOps in Practice – A preliminary Analysis of two Multinational Companies

DevOps is a cultural movement that aims the collaboration of all the sta...
research
04/17/2022

Quantifiable Assurance: From IPs to Platforms

Hardware vulnerabilities are generally considered more difficult to fix ...
research
05/10/2022

Decisions in Continuous Integration and Delivery: An Exploratory Study

In recent years, Continuous Integration (CI) and Continuous Delivery (CD...
research
04/16/2021

SecDocker: Hardening the Continuous Integration Workflow

Current Continuous Integration processes face significant intrinsic cybe...

Please sign up or login with your details

Forgot password? Click here to reset