The National Security Agency and the Cybersecurity and Infrastructure Security Agency jointly released an information sheet recommending security best practices for organizations that operate Continuous Integration/Continuous Delivery (CI/CD) development platforms.
The guidance was published amid potential threats from malicious cyber actors to compromise CI/CD pipelines, which are key to executing development, security and operations strategies, NSA said Wednesday.
Top risks in CI/CD pipelines include insecure code, poisoned pipeline execution, misconfigured systems, the use of third-party services, and exposure of security keys and secrets.
NSA and CISA urge organizations to implement a zero trust approach to detect threats and use NSA-recommended cryptographic algorithms to boost protection of data, secrets, keys and application programming interfaces.
Long-term credentials should be avoided in software authentication, but where they must be kept, administrators should protect and manage all keys associated with them. Ephemeral credentials should also be used in cloud environments, the agencies stated.
The full document is available on the NSA website.