CI/CD systems must not automatically assume an activity is legitimate simply because it was signed with a valid developer token. Instead, they must prioritize identity protection. Attackers have already been observed specifically stealing credentials such as NPM tokens and GitHub secrets to automatically publish infected packages. Measures to protect these identities must therefore be given top priority.
Security silos should be broken down. Many security aspects still aren’t consolidated under a single, overarching management structure. Tools and departments dedicated to application security, infrastructure security, cloud security, network security, and many others create numerous islands within the vast sea of security strategy. They all need to collaborate more closely and be coordinated by the CISO.
A key risk is the previously described polyglot supply chain attack, which seamlessly transcends these silos. Therefore, CISOs must implement cross-departmental and cross-functional monitoring. To further illustrate the danger: An attack could begin with a JavaScript file, propagate through build scripts, and ultimately result in a backdoor in the cloud. Often, there’s no integrated visibility to track this entire process. The JavaScript team might lose sight of the attack once it leaves its sphere, while the cloud team relies on the CI pipeline.
