Vulnerabilities in Continuous Delivery Pipelines? A Case Study
C. Paule, Thomas F. Düllmann, A. Hoorn
2019 IEEE International Conference on Software Architecture Companion (ICSA-C), March 2019. DOI: 10.1109/ICSA-C.2019.00026 (https://doi.org/10.1109/ICSA-C.2019.00026)
More and more companies are adopting modern continuous software development practices such as continuous integration (CI), continuous delivery (CD), and DevOps. These approaches help companies increase development speed and the frequency of product increments, and shorten time to market. Realizing these advantages requires that the tooling and infrastructure in particular are reliable and secure: if the CI/CD pipeline is compromised or even unavailable, all of these advantages are at stake, and software development itself may be held up. Our goal was therefore to identify which vulnerabilities are present in industrial CD pipelines and how they can be detected. In this paper, we present the results of an industry case study comprising a qualitative survey of agile project teams on their awareness of security in CI/CD, the analysis and abstraction of two CD pipelines, and a threat analysis of the resulting abstract CD pipeline to identify vulnerabilities. We found that the team members who work with the CD pipeline in different roles do not have a strong security background but are aware of security attributes in general. The two CD pipelines from industry projects were analyzed using the STRIDE threat analysis approach. In total, we identified 22 vulnerabilities, all of which were confirmed by the project teams.
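The abstract says the abstracted CD pipeline was threat-modeled with STRIDE. The block below is an added example, not code from the paper or its authors, of how a STRIDE-per-element enumeration can be run over such an abstraction: each pipeline element is classified as an external entity, process, data store or data flow, the standard STRIDE-per-element table decides which threat categories apply, and any category without a declared control is reported as an open threat for the team to confirm or reject. The pipeline elements, their kinds and the controls assigned to them are constructed for this illustration; the 22 vulnerabilities the paper reports are not on this page and are not reproduced here.

```python
"""STRIDE-per-element over a simplified continuous delivery pipeline.

Added illustration. The pipeline model and the controls attached to it are
constructed for this example and are NOT the two industry pipelines that the
paper analysed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# STRIDE-per-element mapping as used in the Microsoft SDL threat modelling
# method: which threat categories apply to which kind of data-flow-diagram
# element. Repudiation on a data store is usually only relevant when the
# store holds audit logs; it is kept here so that log stores are not missed.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str                                   # key of STRIDE_PER_ELEMENT
    # STRIDE letters that a control on this element is claimed to address,
    # e.g. {"S"} for "developers authenticate with SSO and MFA".
    controls: Set[str] = field(default_factory=set)


def threats_for(element: Element) -> List[Tuple[str, str]]:
    """Every STRIDE category that applies to this element's kind."""
    return [(element.name, CATEGORY_NAMES[c]) for c in STRIDE_PER_ELEMENT[element.kind]]


def open_threats(elements: List[Element]) -> List[Tuple[str, str]]:
    """Applicable threats with no declared control: the candidate list that a
    project team would confirm or reject, as the paper's teams did."""
    result: List[Tuple[str, str]] = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            if letter not in e.controls:
                result.append((e.name, CATEGORY_NAMES[letter]))
    return result


def summarize(elements: List[Element]) -> Dict[str, int]:
    """Number of open threats per STRIDE category across the whole pipeline."""
    return dict(Counter(category for _, category in open_threats(elements)))


def build_pipeline() -> List[Element]:
    """Constructed abstraction of a CD pipeline (hypothetical, not the paper's).

    The comments name the control each set of letters stands for."""
    return [
        Element("developer", "external_entity", controls={"S"}),          # SSO with MFA
        Element("push: developer -> repository", "data_flow", controls={"I"}),  # SSH/TLS
        Element("source repository", "data_store", controls={"T", "I"}),  # branch protection, ACLs
        Element("webhook: repository -> CI", "data_flow", controls={"I"}),  # TLS, but no HMAC check
        Element("CI server", "process", controls={"S", "I"}),             # agent auth, secret masking
        Element("artifact repository", "data_store"),                     # unsigned artifacts, anonymous read
        Element("deploy: CI -> production", "data_flow", controls={"I", "T"}),  # TLS plus signed manifest
        Element("production host", "process", controls={"S", "E"}),       # host auth, non-root service user
    ]


if __name__ == "__main__":
    pipeline = build_pipeline()
    for name, category in open_threats(pipeline):
        print(f"{name:36s} {category}")
    print(summarize(pipeline))
```

The table lookup is deliberately the whole of the "analysis" step: STRIDE-per-element only tells you where to look, and the value of the paper's case study lies in the confirmation step that this script leaves to the team. Elements declared without any control (the artifact repository above) surface all of their applicable categories, which is the cheapest way to spot a component the threat model has never discussed.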