An official website of the United States government
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | June 28, 2023

NSA and CISA Best Practices to Secure Cloud Continuous Integration/Continuous Delivery Environments

Software development and delivery supply chains are attractive targets for malicious cyber actors. They can use these environments to compromise cloud deployments throughout the automated software development and delivery lifecycle.
 
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are publicly releasing a Cybersecurity Information Sheet (CSI) - “Defending Continuous Integration/Continuous Delivery (CI/CD) Environments” to provide recommendations for integrating security best practices into typical software development and operations (DevOps) CI/CD environments. The agencies encourage organizations to use the best practices to harden their CI/CD cloud deployments.

“The virtual cloud environment relies on software, making development and delivery a crucial component of providing services in the cloud,” said Dr. Ethan Givens, NSA’s Technical Director, Critical & Emerging Technologies. “Failure to effectively defend the CI/CD pipeline can provide an attack vector that circumvents security policies and products.”  

Typical DevOps CI/CD environments are attractive targets for malicious cyber actors. They can compromise information through the introduction of malicious code into CI/CD applications, gain access to intellectual property/trade secrets through code theft, or cause denial of service effects against applications. 

DevOps is a methodology that combines software development and information technology (IT) operations. It is used to shorten the software development lifecycle and provide continuous delivery of high quality products. When integrating security into DevOps, the methodology is called DevSecOps.

The CI/CD pipeline is a key part of the DevSecOps approach that integrates security and automation throughout the development lifecycle.  It focuses on automating the integration and delivery of applications securely, quickly, and efficiently. CI/CD pipelines are often implemented in commercial cloud environments. Organizations use DevSecOps CI/CD tools and services to securely streamline software development and manage applications and cloud programmable infrastructure.

Recommendations in the CSI for hardening CI/CD pipelines include best practices for authentication and access control, development environments and tools, and the development process as a whole. NSA and CISA recommend organizations and network defenders implement the mitigations in this CSI to reduce compromise of their CI/CD environments and create a challenging environment for malicious cyber actors.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721