Securing Dev Environments is Security Leaders’ Top Concern

Today, CI/CD pipelines form the backbone of modern DevOps operations.

Over the past few years, the software development industry has pivoted to a continuous integration and continuous delivery (CI/CD) process that offers application developers a faster and more automated way to develop, build, test and deploy new software.

But these improvements come at a cost — CI/CD pipelines create a new attack surface for organizations, introducing new security risks and challenges. The new process runs the company’s source code through a series of cloud-based services and open-source tools, all of which are now a part of its network.

In the past two years, we’ve seen dozens of security breaches and cyberattacks that exploit misconfigurations and vulnerabilities within development environments. Companies like SolarWinds, Microsoft, Mercedes and many others fell victim to such attacks on their software supply chain.

Following the SolarWinds breach, Argon Security partnered with Hyperwise Ventures, a leading cybersecurity VC, to assess the state of security in development environments. In this global survey, we asked more than 200 security leaders about the security of their software development environments and the risks and challenges they are facing.

The survey revealed that although 90% of organizations rely on CI/CD pipelines for software delivery, and are using two or more tools, the level of confidence in the security of these development environments is very low. Additionally, 80% of leaders surveyed said they lack confidence in their ability to withstand an attack targeting their development environments.

The main risks of software supply chain breaches, as highlighted in the survey, were:

  • Lack of security over the CI/CD pipelines, which might create a backdoor into the organization’s network and infrastructure.
  • Attackers gaining access to CI/CD tools, enabling them to tamper with code or inject vulnerabilities into the application as part of the CI/CD pipeline.
  • User misconfigurations that might result in code and secret leaks.

Although the risks are top of mind, only 30% of respondents deploy dedicated protection on their CI/CD pipeline; even then, it’s mainly siloed point solutions.

When asked about the reason behind this gap, security leaders raised three main recurring challenges:

  • High complexity — There are more than 100 different pipeline tools connected by DevOps scripts; there is no industry standard and no two pipelines look alike.
  • Limited cooperation between the R&D teams building and running the pipelines and the security teams who are responsible for securing the organization. Without visibility into the pipeline and collaboration with the DevOps teams, it’s difficult to enforce proper security measures.
  • The development team’s motivation is around release speed, so it’s hard to enforce security practices with the developers, as it’s not a key focus for them.

Overall, there’s substantial agreement among security leaders that securing the CI/CD pipeline would improve their overall organizational security posture. Most security leaders surveyed state that CI/CD security is a priority in their plans for the next 24 months.

Eran Orzel

Eran Orzel is chief revenue officer and founding member of Argon.io. He is an experienced and innovative business leader with over 20 years of experience in sales leadership and go-to-market operational roles in cybersecurity and enterprise software.
