The rise in digital demands has led to an increase in the frequency of software releases, with some companies deploying code thousands of times per day.
However, the continuous integration and deployment (CI/CD) process has not historically been treated with the same security forethought. As a result, new CI/CD vulnerabilities have emerged, and companies need to take a DevSecOps approach to mitigate risks.
The OWASP Top 10 CI/CD Security Risks provide an overview of the most common vulnerabilities, including:
- Insufficient Flow Control Mechanisms
- Inadequate Identity and Access Management
- Dependency Chain Abuse
- Poisoned Pipeline Execution (PPE)
- Insufficient PBAC (Pipeline-Based Access Controls)
- Insufficient Credential Hygiene
- Insecure System Configuration
- Ungoverned Usage of 3rd-Party Services
- Improper Artifact Integrity Validation
- Insufficient Logging and Visibility
To reduce these risks, companies should map their surface area, review dependencies, implement access controls, and encourage secure coding practices. Additional strategies should include code signing, artifact verification, and configuration drift detection.
