
The Top 10 CI/CD Security Risks – Official Release

Today, we are proud to announce the release of the “Top 10 CI/CD Security Risks” project.

This extensive effort was led by Omer Gil, Director of Research at Cider Security, and myself, in collaboration with some of the industry’s top Application Security experts:

  • Iftach Ian Amit (Advisory CSO @ Rapid7)
  • Jonathan Claudius (Director of Security Assurance @ Mozilla)
  • Michael Coates (former CISO @ Twitter, former Chairman of the board @ OWASP)
  • Jonathan Jaffe (CISO @ Lemonade Insurance)
  • Adrian Ludwig (Chief Trust Officer @ Atlassian)
  • Travis McPeak (Head of Product Security @ Databricks)
  • Ron Peled (Founder & CEO @ ProtectOps, Former CISO @ LivePerson)
  • Ty Sbano (CISO @ Vercel)
  • Astha Singhal (Director of Application Security @ Netflix)
  • Hiroki Suezawa (Security Engineer @ Mercari, inc.)
  • Tyler Welton (Principal Security Engineer @ Built Technologies, Owner @ Untamed Theory)
  • Tyler Young (Head of Security at Relativity)
  • Noa Ginzbursky (DevOps Engineer @ Cider Security)
  • Asi Greenholts (Security Researcher @ Cider Security)

The CI/CD risk landscape has experienced immense growth and evolution over recent years. In 2021 alone, our infosec industry has experienced numerous high-magnitude events that proved again and again how significant CI/CD environments, systems, and processes are within any organization’s attack surface –

  • The SolarWinds build system compromise
  • The Codecov hack
  • The PHP breach
  • The “Dependency Confusion” vulnerability
  • The compromise of the RC, UA-Parser, and COA npm packages
  • Log4Shell

These incidents, together with many others, continue to shift defenders’ focus toward finding the most effective ways to strengthen the resilience of the engineering ecosystem. Building strong cyber resilience must always begin with a deep understanding of the attacker’s perspective.

Long before our journey at Cider Security began, it was very clear to us that enabling defenders to meet the challenges of today’s CI/CD risk landscape would not only require technological innovation, but an equally important effort of equipping defenders with both the knowledge and sphere of reference that would enable them to think like today’s adversaries.

We embarked on this project to empower defenders to reshape the way they think about CI/CD security, allowing them to stay the course and build optimal resilience against today’s major risks. We will use this project to spark the much-needed discussion within the infosec community around today’s CI/CD security risks, and we invite all defenders to contribute and collaborate in any way they see fit.