
CI/CD: Necessary for modern software development, yet it carries a lot of risk
2023-03-02 23:10

CI/CD has, over the past decade, become the cornerstone of modern software development.

"Today, CI/CD is where application code, build tools, third-party components, secrets, identities and even cloud resources come together," Adrian Diglio, principal program manager of secure software supply chain at Microsoft, told The Register.

"CI/CD adoption grows at feature velocity speed and these interconnected pipelines outpace organizational maturity and their ability to keep them secure. This makes CI/CD a prime target for attackers."

CI/CD expands the attack surface, and intruders have become adept at compromising build and release systems to attack the software supply chain, as the high-profile SolarWinds incident of 2020 demonstrated: there the attackers tampered with the vendor's build process so that malicious code was compiled into, and shipped with, the signed product.

"CI/CD infrastructure compromises enable attackers to manipulate the software being built, making CI/CD infrastructure an attack surface for exploiting end users' trust," Diglio said.

The Microsoft executive outlined a number of steps enterprises can take to harden CI/CD pipelines, including performing an assessment against the Secure Supply Chain Consumption Framework (S2C2F), a framework the software behemoth has developed and used since 2019 to secure its own development processes.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/02/cicd_supply_chain_security/