In a recent update, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) collaborated on an advisory memorandum with the aim of strengthening security measures within application development software supply chains.
The memo, titled “Defending Continuous Integration/Continuous Delivery (CI/CD) Pipelines,” delves into the vulnerabilities associated with deployment processes and sheds light on potential methods that attackers can employ to exploit these pipelines.
These tactics range from the theft of login credentials and encryption keys to injecting malware into or assuming control over source code projects. To address these concerns, the advisory memo draws heavily upon the MITRE ATT&CK threat framework, utilizing its threat classification system to offer recommended strategies and countermeasures. The publication underscores the substantial scope for improvement in this area and serves as a valuable resource for enhancing defense mechanisms.
According to the recent State of Software Security report by Veracode Inc., 76% of the 130,000 applications tested exhibited at least one security flaw. Furthermore, the report highlighted that approximately 24% of all applications assessed contained high-severity flaws. These findings indicate a substantial scope for improvement and ample opportunity to develop more secure applications.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents