Revising CI/CD Pipelines: NIST Unveils Draft Framework To Bolster Software Supply Chain Security
In response to recent software attacks, the National Institute of Standards and Technology (NIST) has released a draft outlining strategies to integrate security measures into CI/CD software pipelines.

The National Institute of Standards and Technology (NIST) has taken a critical step towards enhancing cybersecurity practices by unveiling a groundbreaking draft document. This trailblazing guide is centred on the integration of software supply chain security safeguards into Continuous Integration / Continuous Deployment (CI/CD) pipelines, which are becoming increasingly crucial in the current digital landscape.
Central to the operation of cloud-native applications is a microservices architecture, often paired with a centralised service infrastructure, such as a service mesh. The new draft document by NIST underscores the importance of DevSecOps in the development of these applications, with CI/CD pipelines being pivotal in steering software through stages like build, test, package, and deployment, a process mirroring a software supply chain.
Speaking on the value of the draft document in the tech ecosystem, Security Researcher at Endor Labs, Henrik Plate, highlighted how it offers a guiding hand to development organisations. What stood out for Plate was the document's emphasis on access control measures determining the roles and authorizations for user and service accounts within CI/CD pipelines, sticking to least-privilege and need-to-know principles. While the process of managing these numerous authorizations across the systems and services during pipeline execution might be challenging, the framework provided by NIST is expected to be of great help.
NIST’s new draft responds to several recent evaluations of software vulnerabilities and attacks, which have prompted both public and private sector organisations active in software development, deployment and integration to prioritise security across the entire Software Development Lifecycle (SDLC).
The document lays out that the security of the Software Supply Chain (SSC) is reliant on the integrity of stages such as build, test, package, and deploy. As a result, vulnerabilities can arise not only from malicious threat actors but also from lapses and oversight during the SDLC.
The draft document also acknowledges the challenges that may arise while implementing the extensive steps needed for SSC security in the SDLC. As Plate points out, the document notes that these steps may significantly disrupt underlying business processes and add operational costs.
NIST's draft underscores the importance of the Secure Software Development Framework (SSDF), which is essentially a set of sound, secure software development practices drawn from secure software development documents published by reputable organisations such as BSA, OWASP, and SAFECode.
Interestingly, the draft addresses the forthcoming self-attestation requirement, under which software providers will have to attest to their adherence to the SSDF's secure development practices. This is particularly relevant in the context of DevSecOps and CI/CD pipelines, and it also helps define what is deemed necessary from a security standpoint.
One significant concern raised by Plate is that adoption has been relatively sluggish for tools, like Sigstore and in-toto, that are designed to enhance software supply chains.
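The least-privilege point Plate highlights, together with the signing tools mentioned above, can be made concrete with an added example (not code from the NIST draft or from any project named here): a small audit that compares the token scopes each pipeline job actually holds with the scopes it is documented to need. It assumes a GitHub Actions-style permissions model, which the draft does not prescribe; the workflow and the per-job needs are constructed sample data.

```python
"""Least-privilege audit of CI pipeline job permissions (added example, not from
the NIST draft). Assumes a GitHub Actions-style model: a job-level `permissions`
block replaces the workflow-level one, and a missing declaration falls back to the
permissive repository default. Workflow and per-job needs are constructed data."""
from typing import Dict, List, Union

Perms = Union[str, Dict[str, str]]

# Token scopes that the shorthand "write-all" / "read-all" expand to.
ALL_SCOPES = ("actions", "checks", "contents", "deployments", "id-token",
              "issues", "packages", "pull-requests", "security-events", "statuses")

def expand(perms: Perms) -> Dict[str, str]:
    """Turn a permissions declaration into an explicit {scope: level} map."""
    if perms == "write-all":
        return {s: "write" for s in ALL_SCOPES}
    if perms == "read-all":
        return {s: "read" for s in ALL_SCOPES}
    return dict(perms)

def effective(workflow: dict, job: dict) -> Dict[str, str]:
    """Job block wins; else workflow block; else the permissive default (assumed)."""
    return expand(job.get("permissions", workflow.get("permissions", "write-all")))

def audit(workflow: dict, needs: Dict[str, Dict[str, str]]) -> List[str]:
    """List every scope a job holds beyond what it is documented to need."""
    findings = []
    for name, job in workflow["jobs"].items():
        for scope, level in sorted(effective(workflow, job).items()):
            wanted = needs.get(name, {}).get(scope)
            if wanted is None or (wanted == "read" and level == "write"):
                findings.append(f"{name}: {scope}:{level} exceeds need {wanted or 'none'}")
    return findings

# Constructed sample: 'build' never declares permissions and so inherits the
# permissive default; 'release' pins contents:read plus id-token:write, the
# minimum a job needs for Sigstore-style keyless signing of its artifact.
SAMPLE_WORKFLOW = {"jobs": {
    "build": {"steps": ["checkout", "compile"]},
    "release": {"permissions": {"contents": "read", "id-token": "write"},
                "steps": ["checkout", "sign"]},
}}
SAMPLE_NEEDS = {"build": {"contents": "read"},
                "release": {"contents": "read", "id-token": "write"}}

def sample_findings() -> List[str]:
    """Run the audit over the constructed sample; only 'build' should be flagged."""
    return audit(SAMPLE_WORKFLOW, SAMPLE_NEEDS)
```

The undeclared `build` job is reported on every scope it silently inherits, while the explicitly scoped `release` job passes clean; the same check can be run over real workflow definitions once a needs map has been written for each job.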
The draft encourages organisations to approach open-source risk management holistically rather than focusing solely on defect detection. They should also take into account risk indicators such as code quality and other project activity, which help to reduce both security and operational risks.
Focused towards a wide-ranging audience, the draft by NIST is aimed at practitioners in the software industry; this includes software engineers, site reliability engineers and product or project managers, along with security architects and engineers. Members of the public have until October 13, 2023, to provide their comments on the draft.
By leveraging no-code platforms like AppMaster, businesses can amplify their data security within CI/CD pipelines, deliver secure software, and contribute to strengthening the entire software supply chain. With over 60,000 users as of April 2023, the AppMaster platform can efficiently serve as a security enabler for businesses of varying sizes, something particularly relevant in the context of the publication of NIST's draft document.