Government Agencies Share Best Practices for CI/CD Cloud Security
The National Security Agency and the Cybersecurity and Infrastructure Security Agency have issued guidelines on implementing best practices to protect DevOps continuous integration/continuous delivery environments in the cloud.
In a cybersecurity information sheet, the two agencies recommend development tools and authentication and access-control practices for hardening CI/CD pipelines, the automated processes that build, test and deliver software, so that security and automation are applied throughout development.
Ethan Givens, technical director of critical and emerging technologies at NSA, explained that insufficient protection for CI/CD pipelines provides an opening for attackers to evade security policies and products.
Such malicious actors can obtain access to information, intellectual property or trade secrets, NSA said.
The agency defines DevOps as an approach that enables faster, continuous production and delivery of high-quality software. CI/CD pipelines are an element of DevSecOps, an evolution of DevOps focused on applying security and automation principles at every stage of software development.
NSA and CISA have collaborated in the past on DevSecOps guidance. The two agencies and the Office of the Director of National Intelligence published a paper in 2022 detailing how developers can secure the software supply chain.