Philippa Örnell
Security Assessment of Continuous Deployment Pipelines
Abstract
Continuous deployment pipelines assist in achieving the goal of rapid, repeatable,
and reliable software releases. A deployment pipeline automatically
builds, deploys, tests and releases software. Since the pipeline is a significant
part of an organisation's end-to-end software delivery process, the security of
the pipeline is essential. This study investigates potential threats and vulnerabilities in a continuous
deployment pipeline and evaluates their severity quantitatively.
Threats and vulnerabilities were identified by assessing previous literature on
the subject and by having risk identification sessions with experts. 25 different
threats and vulnerabilities were identified. The severity estimation was based
on the Common Vulnerability Scoring System (CVSS). We show that several threats and vulnerabilities exist in essential components
or interactions of the continuous deployment pipeline. Most of the vulnerabilities
are related to either improper access control or having unencrypted transfer
of information. The severity ratings indicate that most of the identified
threats can have a substantial impact on the security properties of the pipeline.
However, there is room for improvement in the risk analysis methodology, and
several suggestions for this are given.