PHP Supply Chain Attack: Why Companies are Moving to CI/CD

Eran Orzel
Jul 27 · 4 min read

CI/CD and software supply chain security is becoming the biggest concern for software and IT teams globally. The scale of supply chain attacks is becoming larger than ever. 

The recent PHP Supply Chain Attack

On March 28, 2021, there was an attempted attack on the central PHP supply chain. Malicious actors attempted to insert bad code into a PHP repository under the guise of a genuine user trying to fix a typo. Fortunately, this attempt was spotted before the change made it to production and was prevented. However, the attackers may have had access to the PHP user database. 

In response the PHP team has decided that it is a big security risk to host their own Git infrastructure, and have now moved all their repositories to GitHub. They are in the process of adding all users to their GitHub organization. 

If successful, this attack could have exposed numerous PHP web servers worldwide as PHP is one of the most popular programming languages in the world. 

Why companies are moving to CI/CD

CI/CD pipelines are being adopted by organizations large and small. While they bring many benefits such as agility, speed of innovation, and better collaboration, they also come with inherent security risks.

Businesses need to deliver software at lightning quick speed in order to be competitive. With the pandemic collaboration between developers is more important than ever as software development has become completely remote. CI/CD pipelines enable collaboration, and allow organizations to deploy software faster despite the challenges of the modern software stack.

However, as the number of developers in an organization increases, as the number of tools increase, the surface attack also increases and security risks are reaching an all-time high. Although most software companies have measures in place to secure their code in development, more than half are only patching vulnerabilities when they become known. This can allow malicious actors to modify a code commit to trigger a security incident.

How software supply chain attacks happen

A software supply chain attack starts with a vulnerable piece of code that’s triggered by a vulnerability in a shared component. Without appropriate application security and authentication, the whole system is vulnerable. 

Once an attacker gains access, they have numerous options such as giving their accounts privileged access, compromising dependencies, attacking development or staging environments, or stealing sensitive data. Because of how well a malicious user masks themselves and their activity, it can take months or even years before they are discovered. 

What can you do to protect your Software Supply Chain and CI/CD?

Code is confidential and is one of the crown jewels each company needs to protect. It is also required to be protected by regulators and industry specific security requirements. Due to the high stakes, the source code of any component of the software supply chain should be audited and verified at every step. By doing this, the integrity of the source code is ensured. Security leaders must identify the needs of the software development, and security requirements of the CI/CD processes within the organization. They must then develop, integrate, and maintain the necessary security measures within their tools. But this is easier said than done. 

Types of tools used in CI/CD

A typical CI/CD pipeline includes many tools such as a Git repository like GitHub, a CI server like Jenkins, a test automation tool like Sauce Labs, build tools like a container registry, collaboration tools like Slack and Jira, deployment tools like Spinnaker, and numerous other open source tools such as Kubernetes and Prometheus. This is a long toolchain and is hard to secure end-to-end. According to OWASP Software Component Verification Standard The protection of CI/CD includes security requirements for the following domains:

Due to the complexities involved in deploying an agile CI/CD pipeline, traditional tools can not deliver all the security they promise. To make sure that your organization’s software supply chain remains safe, it takes a new security governance model that will cover all the components required to make your software secure. 

How Argon can help 

It is possible to create secure development pipelines to mitigate the risk of this situation happening.  Before your pipeline is implemented, you need to define the security controls you want to put in place.

Argon’s holistic software supply chain security solution helps security teams identify what needs to be addressed and enforces security best practices for development and deployment of software across the CI/CD pipelines. Argon connects via API to every part of the CI/CD pipeline and validates the security posture of every component in a way that makes sense to the security professional viewing this data. Argon generates real-time alerts and notifications to alert admins of any unusual activity detected. It is able to verify the migration and maintenance of security patches and configuration changes.

Argon has easy integration with the numerous tools across the length and breadth of the CI/CD pipeline. As your pipeline changes, Argon is able to adapt and keep pace with it. This way, your software supply chain is secured and protected. Leveraging a policy-based approach to security, Argon lets you set policies that can be as broad or as specific as you like. These policies can control what actions are allowed for a user, or which resources they have access to. Any violation to these policies is immediately reported. 

As the world moves to CI/CD for their software supply chain management, security should not be left behind. Leverage a modern software supply chain security solution like Argon and have peace of mind knowing your software supply chain is secured from end to end.

Eran Orzel
Jul 27 · 4 min read

Related Articles

Dependency Confusion: An open door to your on-prem

Modern software development and delivery is not done in a silo, on a single-developer machine. It is written in collaboration…

Eilon Elhadad
Sep 09 · 4 min read

The Essential Guide to Dependency Graphs

When building legacy or cloud-native applications, codebases can quickly become entangled. This complexity becomes an issue when your teams add…

Eylam Milner
Aug 29 · 7 min read

The importance of least privilege access in your CI/CD pipeline

There are many aspects to securing a software supply chain, and these keep changing and growing as technology advances. One…

Eylam Milner
Aug 23 · 5 min read

End-to-End CI/CD Security Platform

open source vulnerability scanner
Join our CTO in a thought-provoking discussion on software supply chain attacks with Cyberint
Join our CTO in a thought-provoking discussion on supply chain attacks