Securing the CI/CD Pipeline for CompTIA CASP+ Exam - Best Practices

Best Practices for Securing the CI/CD Pipeline

Question

A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.

Which of the following would BEST secure the company's CI/CD pipeline?

Answers

A. Utilize a trusted secrets manager.
B. Perform Dynamic Application Security Testing (DAST) on a weekly basis.
C. Introduce the use of container orchestration.
D. Deploy instance tagging.

Correct answer: A

Explanations

https://about.gitlab.com/blog/2021/04/09/demystifying-ci-cd-variables/

When creating a CI/CD variable in the settings, GitLab gives the user more configuration options for the variable. Use these extra configuration options for stricter control over more sensitive variables:

1. Environment scope: If a variable only ever needs to be used in one specific environment, set it to only ever be available in that environment. For example, you can set a deploy token to only be available in the production environment.

2. Protected variables: Similar to the environment scope, you can set a variable to be available only when the pipeline runs on a protected branch, like your default branch.

3. Masked: Variables that contain secrets should always be masked. This lets you use the variable in job scripts without the risk of exposing the value of the variable. If someone tries to output it in a job log with a command like echo $VARIABLE, the job log will only show echo [masked]. There are limits to the types of values that can be masked.

The BEST approach to securing the company's CI/CD pipeline when the development team is suspected of hard-coding sensitive environment variables in its code is to utilize a trusted secrets manager. Therefore, answer choice A is the correct answer.

Explanation:

Hard-coding sensitive environment variables in code can result in security vulnerabilities, as it makes sensitive information like passwords, access keys, and other credentials readily accessible to anyone who can access the code. It's therefore essential to secure the company's CI/CD pipeline to prevent unauthorized access and ensure the confidentiality, integrity, and availability of the company's information and assets.

Utilizing a trusted secrets manager is the best approach to addressing the issue of hard-coded environment variables. A secrets manager is a tool that lets developers store and manage secrets such as passwords, API keys, and other sensitive data securely. By using a secrets manager, developers keep secrets out of the codebase, so a copy of the source no longer yields the credentials and the pipeline can fetch them at run time instead.
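A security engineer who suspects hard-coded environment variables can check the suspicion before escalating. The scanner below is an added example, not code from the exam page or from GitLab: it flags assignments of string literals to credential-looking names while ignoring lines that pull the value from the environment or a secrets-manager client. The keyword list, the reference patterns and the sample input are constructed for this example and contain no real credentials.

```python
"""Flag hard-coded credentials assigned to sensitive-looking variable names."""
import re
from typing import List, Tuple

# Name fragments that usually indicate a credential (constructed list; extend for your pipeline).
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

# Matches NAME = "value", NAME: 'value', NAME=value and os.environ["NAME"] = "value".
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_]\w*)["']?\]?\s*[=:]\s*(?P<value>"[^"]*"|'[^']*'|[^\s#]+)""")

# Right-hand sides that reference a secrets source rather than embedding a literal:
# $VAR / ${VAR}, os.environ / os.getenv, or a secrets-manager client call (assumed names).
REFERENCE = re.compile(r"\$\{?\w+|os\.(environ|getenv)|secrets?\.|vault|\w+\.get\(")


def is_literal_secret(value: str) -> bool:
    """True when the assigned value is an embedded literal rather than a lookup."""
    literal = value.strip("\"'")
    if not literal or REFERENCE.match(literal):
        return False
    # Very short values are almost always placeholders, not real credentials.
    return len(literal) >= 8


def find_hardcoded_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for each suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            if SENSITIVE.search(m.group("name")) and is_literal_secret(m.group("value")):
                findings.append((lineno, m.group("name")))
    return findings


# Constructed sample mixing Python, shell and YAML-style lines; nothing here is a real credential.
SAMPLE = """\
DB_PASSWORD = "hunter2hunter2"
api_token: 'tok_0123456789abcdef'
export AWS_SECRET_ACCESS_KEY=EXAMPLEKEY0123456789
DB_PASSWORD = os.getenv("DB_PASSWORD")
token = vault.read("secret/ci/token")
APP_NAME = "billing-service"
SECRET_KEY = "${CI_SECRET_KEY}"
"""

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: {name} is assigned a literal; move it to the secrets manager")
```

Lines 1 to 3 of the sample are reported; lines 4 to 7 pass because the value is read from the environment, from a secrets-manager client, from a CI/CD variable, or is not a credential at all.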

Performing Dynamic Application Security Testing (DAST) on a weekly basis (Answer choice B) is a testing methodology used to identify vulnerabilities by analyzing an application while it's running. Although it's a useful tool for detecting vulnerabilities, it's not an effective solution for securing the company's CI/CD pipeline, as it doesn't address the root cause of the issue of hard-coded environment variables.

Introducing the use of container orchestration (Answer choice C) is a useful approach to managing and deploying containerized applications at scale. However, it's not directly related to securing the company's CI/CD pipeline against hard-coded environment variables.

Deploying instance tagging (Answer choice D) is a useful approach to organizing resources in cloud environments, enabling IT teams to manage and monitor resources more effectively. However, instance tagging doesn't directly address the issue of hard-coded environment variables.

In conclusion, utilizing a trusted secrets manager is the BEST approach to securing the company's CI/CD pipeline when the development team is suspected of hard-coding sensitive environment variables in its code.