Applying the Cyber Essentials scheme to CI/CD
The Cyber Essentials scheme provides simple and clear guidance, but how does it apply to CI/CD?
Cyber Essentials certification is a requirement for many UK central government contracts, particularly those that involve handling personal or sensitive information, and this has driven rapid adoption in the UK.
It is essential to regularly assess your business against the Cyber Essentials controls. Certification is valid for twelve months, so the scheme itself mandates an annual self-assessment (Cyber Essentials Plus adds an independent technical audit on top of it), but rarely do we see CI/CD systems being vetted as part of that exercise.
A continuous integration and continuous delivery (CI/CD) pipeline provides an automated workflow to build and ship both code and infrastructure. It holds deployment credentials and can push changes into production, so it is critical that this machinery is secure, and the UK government's Cyber Essentials scheme provides superb entry-level guidelines for it.
The Cyber Essentials scheme is a set of five technical controls (firewalls, secure configuration, user access control, malware protection, and security update management) designed to protect organisations from the most common, commodity cyber attacks. By achieving Cyber Essentials certification, businesses can demonstrate their commitment to cybersecurity and reassure customers that these baseline controls are in place around the systems that handle their data.
When assessing your CI/CD pipeline against Cyber Essentials, there are several key areas to consider:
Access control: Your CI/CD pipeline should have strict access controls in place to ensure only authorised individuals can access the system. This includes strong password policies, multi-factor authentication (which Cyber Essentials requires for cloud services where it is available), and regular review of access logs to detect unauthorised access. Automation typically authenticates with access keys and roles; each should be specific in purpose and carry the minimum permissions required to fulfil its role, and long-lived static keys should be replaced with short-lived credentials wherever the platform supports them.
Encryption: Encryption is not one of the five Cyber Essentials controls, but it is part of the secure configuration of any pipeline. All data passing through your CI/CD pipeline should be encrypted, in transit and at rest, to protect it from interception. Consider where artifacts and logs are stored, particularly when using SaaS orchestrators: build logs are a common place for secrets to leak, so they should be masked before they leave the runner.
Network security: Your CI/CD pipeline should be securely connected to your network, with appropriate firewalls and intrusion detection in place to prevent unauthorised access. Quite often, pipeline runners operate inside the network with broad reach to internal systems, and, as always, the principle of least privilege applies: a runner should only be able to reach the hosts and ports its jobs need. This includes ensuring that all network ports and protocols are properly configured and regularly monitored for signs of compromise.
Regular updates and patches: It is crucial to regularly update and patch your CI/CD system so it is protected against the latest security threats. This includes the operating system, the orchestrator itself, runner images, build tooling, and any plugins or other components of your CI/CD pipeline. We have seen some rather worrying GitLab CE vulnerabilities these last 12 months.
Vulnerability management: Your business should have a robust vulnerability management scheme in place to identify and address potential vulnerabilities in your CI/CD pipeline. This includes regular scanning and testing to identify and remediate vulnerabilities before they can be exploited, and scanning pipeline definitions and build output for credentials that should never have been committed. We've built FREE tools to help you achieve this, including DNS vulnerability scanning and secret detection.
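The access control and vulnerability management points above both come down to the same practical check: are long-lived credentials sitting in pipeline definitions or spilling into build logs? The following is an added example, not code from the original page or from the tools it mentions. It is a stdlib-only secret detector that combines known-format rules (the public prefixes for AWS access key IDs, GitHub and GitLab personal access tokens are assumed from their documented formats) with a generic credential-assignment rule graded by Shannon entropy, plus a redaction helper for logs that leave the runner. The sample input, the entropy threshold and the rule names are constructed for illustration; the AWS values are the example keys from AWS's own documentation, not live credentials.

```python
"""Lightweight secret detector for CI/CD definitions and build logs.

Added example for this page (not the page's own tooling). Two strategies are
combined: known-format rules for tokens with a documented public prefix, and a
generic "credential-looking name = literal" rule whose hits are graded by
Shannon entropy, so placeholders and weak values are reported at low
confidence rather than silently dropped.
"""
import math
import re
from dataclasses import dataclass

# Known-format credential rules. Assumption: these follow the publicly
# documented token formats (AWS access key IDs begin with AKIA, GitHub
# personal access tokens with ghp_, GitLab personal access tokens with glpat-).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
}

# Generic rule: a credential-like variable name assigned a literal of 8+
# non-space characters, e.g.  DB_PASSWORD: hunter22  or  api_key="..."
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z0-9_.-]*(?:secret|token|password|passwd|api[_-]?key|access[_-]?key))"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{8,})",
    re.IGNORECASE,
)

# Bits per character below which a generic hit is reported as low confidence.
# Hand-tuned for this example, not a standard value.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str
    confidence: str  # "high" or "low"


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str) -> list[Finding]:
    """Return findings in line order: known-format hits first, then generic ones."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0), "high"))
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            # A reference to the CI secret store or an environment variable
            # ($VAR, ${VAR}, ${{ secrets.X }}) is the correct pattern, not a leak.
            if value.startswith("$"):
                continue
            # Don't report a literal twice when a known-format rule already caught it.
            if any(f.line_no == line_no and f.value in value for f in findings):
                continue
            confidence = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(line_no, "credential_assignment", value, confidence))
    return findings


def redact(text: str) -> str:
    """Mask every detected literal (low confidence included; over-masking a log is safe)."""
    lines = text.splitlines()
    for f in scan(text):
        lines[f.line_no - 1] = lines[f.line_no - 1].replace(f.value, "***REDACTED***")
    return "\n".join(lines)


# Constructed sample input (not a real pipeline): a fragment of a pipeline
# definition followed by one build-log line. The AWS values are the example
# keys from AWS's documentation, not live credentials.
SAMPLE = """\
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: changeme
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
script:
  - export API_KEY=$CI_API_KEY
[build] 12:01:03 using token ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.rule} ({f.confidence}) value starts {f.value[:6]!r}")
```

Run against the sample, the scanner reports the AWS access key ID and the GitHub token from their formats, the AWS secret key as a high-entropy credential assignment, and `changeme` as a low-confidence hit, while the `${{ secrets.DEPLOY_TOKEN }}` and `$CI_API_KEY` references, which are how a pipeline should consume secrets, are left alone. The entropy grading is the weak link: a human-chosen password such as a dictionary word with a year appended scores low, so treat low-confidence findings as worth a look rather than as noise, and rely on the known-format rules and on denying static keys in the first place.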
By regularly assessing your CI/CD pipeline against the Cyber Essentials controls, you can help ensure that your business is protected against common cyber threats and vulnerabilities. This provides peace of mind to your customers and helps safeguard your business's reputation and financial security.