The CI/CD space has seen some major attacks in 2023, emerging trends, and interesting industry news. In this blog, we’ll talk about all that’s happened and everything that’s coming in 2024: imminent shifts, security challenges, and everything in between that you need to look out for in the CI/CD space. If you’re looking to secure your organization from the large-scale supply chain attacks that result from compromised CI/CD pipelines in 2024, this blog post is a must-read for you!
What Is CI/CD and Why Do You Need to Secure It?
The CI/CD pipeline takes software from source code creation to deployment and forms the foundation of DevOps. It automates the repetitive tasks in the development process, saves time, removes the scope for manual error, and enables high-quality software.
Since CI/CD pipelines have access to source code and automate the process of building, testing, and deploying it to production, it is important to ensure their security. The key risks when a CI/CD pipeline is compromised are exfiltration of CI/CD credentials, which can grant access to cloud infrastructure, and build tampering, which can lead to supply chain attacks.
2024 Predictions for CI/CD Security
1. Transition from Legacy CI/CD Providers to GitHub Actions
As per our conversations in the last 12 months, we’ve noticed a market trend emerging in the industry: many organizations are transitioning from legacy CI/CD providers such as Jenkins, TeamCity, or Travis CI to modern platforms like GitHub Actions, GitLab CI, and Harness. These three consolidate source code and CI/CD within a single view, are available in a hosted environment, and require no setup. This relieves organizations of the tedious task of managing CI/CD infrastructure, allowing teams to focus on development without the logistical overhead. GitHub Actions, however, stands out among the three: it is free for open-source projects and boasts a marketplace offering 20,000 Actions.
Moreover, a 2023 survey by JetBrains lists the 17 most-used CI tools based on responses from 29,000 developers from all over the world. The result: GitHub Actions leads the chart, with 53% of developers using it regularly. Market trends and Internet discussions on forums like Reddit and Stack Overflow also reveal a preference for GitHub Actions over Jenkins. One of the top reasons cited for the large-scale move away from Jenkins is its plugin ecosystem, which is hard to maintain and secure. The large number of plugins left unmaintained, known as “abandonware”, pose a serious security risk that may lead to serious damage to organizations.
2. Increase in Use of Third-party Components in CI/CD
In 2023, we saw a rising adoption of CI/CD that is cultivating a vibrant ecosystem of reusable components, reminiscent of npm for JavaScript or the package managers for Go. Thanks to platforms like the GitHub Actions Marketplace, over 20,000 third-party Actions are now available, covering diverse tasks from code testing to security checks. Developers readily use these Actions, saving hundreds of hours and avoiding redundant effort. Further, third-party Actions also contribute to consistent CI/CD processes across the industry when they are shared, well-maintained, and continuously improved by open-source Action developers. This thriving ecosystem can immensely help organizations develop software efficiently in the coming year.
However, managing dependencies and vulnerabilities in third-party Actions is quite challenging, and requires proper vetting practices and constant vigilance to ensure that they remain secure. As more and more organizations adopt third-party Actions and use CI/CD marketplaces, the need to address these security concerns becomes increasingly important. In 2024, there will be greater awareness of the potential security risks posed by “abandonware”, i.e. unmaintained third-party Actions, and organizations will realize the importance of ongoing maintenance and support within this evolving landscape.
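As an added illustration of the vetting this section calls for (example code written for this post, not from the original article or any project it mentions): a small Python audit that scans a GitHub Actions workflow for third-party steps referenced by mutable tags or branches rather than full commit SHAs, and for Action owners outside a trusted allowlist. The sample workflow, the placeholder SHA and the trusted-owner list are all constructed assumptions for the demonstration.

```python
import re

# Only a full 40-hex commit SHA is an immutable reference; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")

# Constructed sample workflow for demonstration; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-vendor/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

def parse_uses(ref):
    """Split a `uses:` value into (kind, owner, git_ref); kind is 'local', 'docker' or 'repo'."""
    if ref.startswith("./"):
        return "local", None, None
    if ref.startswith("docker://"):
        return "docker", None, None
    path, _, git_ref = ref.partition("@")
    return "repo", path.split("/")[0], git_ref

def audit_workflow(text, trusted_owners=("actions", "github")):
    """Return (line_no, ref, finding) tuples for every step that needs supply-chain review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind, owner, git_ref = parse_uses(ref)
        if kind == "local":
            continue  # versioned together with the repository itself
        if kind == "docker":
            findings.append((n, ref, "container image; pin by digest and scan it"))
            continue
        if not git_ref:
            findings.append((n, ref, "missing '@ref'; reference is not pinned"))
        elif not SHA_RE.match(git_ref):
            findings.append((n, ref, f"mutable ref '{git_ref}'; pin to a full commit SHA"))
        if owner not in trusted_owners:
            findings.append((n, ref, f"third-party owner '{owner}'; check maintenance status"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the tag-pinned checkout, both the mutable ref and the untrusted owner of the vendor Action, and the container image, while the SHA-pinned step and the local Action pass.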
3. Rise in CI/CD Security Incidents and a Consequent Need for CI/CD Security
The increase in CI/CD adoption in 2023 also brought a concerning surge in security threats. This year, CI/CD-based attacks targeted not only popular software packages but also the providers themselves. According to a Forrester study, 57% of organizations confirmed that they experienced a security incident related to exposed secrets from insecure DevOps processes in the past two years. Here are some of the major CI/CD security incidents of 2023:
CircleCI security breach in January 2023 impacting all CircleCI customers
North Korean and Russian state actors exploiting unpatched JetBrains TeamCity servers
Azure CLI bug discovered by Microsoft in November 2023 that was found leaking secrets in CI/CD build logs
The Google Cloud Build bug that let hackers launch supply chain attacks
This year, ethical security researchers and red teams actively engaged with CI/CD systems to raise awareness about security threats. Here are some examples of such blogs and articles published:
In 2024, similar attacks will continue, with even higher frequency and severity. Market trends like these will thus give rise to an increased need for CI/CD security in the coming year.
4. More Macro Industry Trends like Benchmarks and Guidance
In 2023, the industry rallied against escalating CI/CD security threats, fostering promising macro trends to fortify CI/CD pipelines. Here are some of these market trends from 2023:
The Center for Internet Security (CIS) introduced a GitHub benchmark, outlining vital recommendations for CI/CD security enhancement.
The collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) that resulted in joint guidance on defending CI/CD pipelines. Read more about the guidance in this blog.
The National Institute of Standards and Technology (NIST) contributed with an initial public draft emphasizing strategies for integrating software supply chain security into DevSecOps CI/CD pipelines.
Gartner’s formal recognition of Application Security Posture Management (ASPM) as a category, underscoring the substantial role of CI/CD security within it.
The National Cyber Security Centre in the UK releasing guidance on secure deployment practices.
Overall, these industry-wide initiatives reflect heightened awareness and proactive measures to address CI/CD security challenges. In 2024, this momentum points toward a more secure software development landscape with more organizations realizing the importance of vigilance and adaptation to increase CI/CD security.
5. CI/CD Security for AI and ML
In the dynamic world of AI and ML, the year 2023 witnessed a significant rise in the use of Generative AI and Large Language Models (LLMs). A study by Salesforce highlighted that 45% of the US population is now actively engaged with generative AI, even though ChatGPT only celebrated its first anniversary this year.
With a rich ecosystem of open-source large language models that allow enterprises to build their own LLM systems, the pressure to deploy new models is now higher than ever. In 2024, as more and more enterprises utilize CI/CD pipelines for AI/ML models, there is bound to be a storm of security challenges that will require innovative solutions and a shift in the mindset of the industry.
Some of the factors contributing to this challenge are:
Increased deployment of models in production: This expands the attack surface, making malicious actors more likely to target the pipelines that build and deploy them.
Data security concerns: AI/ML models are often trained on sensitive data, making data breaches a major threat.
Evolving regulatory landscape: As the adoption of artificial intelligence and machine learning grows, regulations and compliance requirements will become more stringent, and CI/CD pipelines will need to adapt to meet these evolving standards.
So, what can we expect to see in the CI/CD security landscape for AI/ML in 2024? Expect new tools to emerge designed explicitly for securing CI/CD pipelines for AI/ML: tools that will automate tasks, provide real-time insights, and help teams stay ahead of evolving threats.
Conclusion
The CI/CD space is rapidly evolving and is being adopted by more and more enterprises each year. This increasing adoption is also increasing the need for CI/CD security. 2024 will see the introduction of innovative security solutions that will empower enterprises to stay ahead of evolving CI/CD threats and ensure secure software development.
Here’s to a safer 2024!