Know Your Code Infrastructure (CIx)

Ajit Hatti May 29, 2022 Uncategorized

You must be familiar with IaC (Infrastructure as a Code). If not, Stackify has a very good primer on this topic. Code Infrastructure (CIx) simply involves all the tools and systems involved in the Software Development Life Cycle (SDLC process) of an organisation.

Recent supply chain attacks makes it evident, that adversaries world over are targeting the CIx (in other words SDLC tools) of the global software manufacturers. This write up will briefly explain various attacks on Code Infrastructure (CIx) components with the references of some recent supply-chain incidents.

What Is Code Infrastructure (CIx)? 

Code Infrastructure (CIx) comprises of all the distributed applications / systems & artefacts that are involved with or result of each and every step involved in the Software Development Life Cycle (SDLC process). Here is how Code Infrastructure of a typical software engineering organisation looks like -

Components of Code Infrastructure (CIX)

  • Engineering Environment (developer machines and local repositories) 
  • Code Management tools (version control systems, git* or Bit Bucket) 
  • Code Auditing tools (code scanners etc) 
  • Build Systems (build platforms like Jenkins, CICD pipelines) 
  • Code Attestation (Key vaults used for code signing) 
  • Package Distribution Systems ( popular tools like Jfrog)
  • Deployment Platforms  (Cloud services, PaSS/SaaS)

  

Threats to your Code Infrastructure

CIx presents a vast attack surface which is not often properly secured. This is evident In all the recent supply chain attacks that we have witnessed. We have seen all the attacks targeted to one or more CIx components.

IncidentTarget & MethodReference
Target - Build Systems
Method - Insertion of untrusted code
Solarwinds - SunBurst
Target - Code Attestation System 
Method - Stolen Credentials
NVIDIA - Stolen Signing Keys
Target - Deployed Vulnerable Code
Method - Stolen Credential 
Kaseya CVE-2021-30116
Target - Code Management System
Method - Stolen Credentials
NPM Supply-Chain Attack
Target - Deployment Platforms
Method - Stolen Credentials
Mime Cast - Attacks in Cloud 
Quick overview of recent supply-chain attacks

It becomes very crucial for enterprises to pay attention to their CIx and secure the attack vercorts applicable for each of these components.

Attacks on Code Infrastructure, SDLC Tools

How to secure CIx?

The majority of attacks we have seen are due to exploitation of the Identity & Trust framework. In all the cases Identity was managed by conventional passwords and MFA/2FA. The trust breach happened due to leaked signing keys (private keys), access to which was not properly secured.

In the case of Solarwinds we can also see that the build systems built and distributed untrusted code. This happened due to the absence of a Trust framework which can automatically verify that the code being built is a work of a verified/trusted engineer and not a malicious actor.

The careful study of all supply chain attacks in recent times clearly shows the industry needs to move to a better Identity & Trust framework. We need better Identity management to control access to our CIx resources and robust Trust Framework to verify sanctity of the deliverables at each and every level in software engineering, both pre & post built.

PureAUTH Identity & Trust Platform

PureAUTH provides a breach resilient Identity & Trust Platform using its innovative Zero User Data Initiative (0UDI).

To learn more, how PureAUTH is used by various organisations to secure access to their CIx resources and Build Trust in all relevant user actions, schedule a demo with us.

Share the post    
Previous Post
The Incident Many Avenger fans would have felt frustrated when they were not able to view the latest Hawkeye series 4th episode when Disney+ was down due to an AWS outage. The outage also affected the competitor of Disney+ thats Netflix. Condesk, Tinder, Roku and many other services depended on AWS backbone were out last […]
Read More...
A critical vulnerability in Citrix’s Application Delivery Management (ADM) technology was reported & patched this week.  Tracked with CVE-2022-27511, Citrix reported that, if left unattended, exploitation of the vulnerability could enable remote attackers to reset admin passwords. (reference: Citrix ADM vulnerability) Overview Citrix ADM is a virtual appliance, that gives centralized management solution. It simplifies […]
Read More...