Developers shouldn’t expose build environments: CSOs should ensure developers don’t expose build environments, Meghu said. “Using public hosted services like GitHub is not appropriate for enterprise code management and deployment,” he added. “Having a private GitLab/GitHub, service, or even your own git repository server, should be the default for business, making this attack impossible if [the threat actors] can’t see the repository to begin with. The business should be the one that owns the repository; [it should] not be something you just let your developers set up as needed.” In fact, he said, IT or infosec leaders should set up the code repositories. Developers “should be users of the system, not the ultimate owners.”

Wiz strongly recommends that all AWS CodeBuild users implement the following safeguards to protect their own projects against possible compromise.
Prevent untrusted pull requests from triggering privileged builds by:

- enabling the new Pull Request Comment Approval build gate;
- alternatively, using CodeBuild-hosted runners to manage build triggers via GitHub workflows;
- if you must rely on webhook filters, ensuring their regex patterns are anchored.
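The last point is the one most easily checked mechanically. The following is an added example, not code from the article or from Wiz: a small lint over a constructed CodeBuild-style webhook filter group that flags regex filters without `^`...`$` anchors, and a matcher showing why an unanchored pattern is weaker. It assumes regex filters are evaluated with search (substring) semantics, which is the reason anchoring matters.

```python
import re

# Constructed filter group (not taken from the article). The intent is:
# build pull requests only from actor 123456 targeting release/* branches.
FILTER_GROUP = [
    {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
    {"type": "HEAD_REF", "pattern": "refs/heads/release/.*"},  # unanchored
    {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456"},         # unanchored
]

# Filter types whose pattern is a regular expression; EVENT is a fixed list.
REGEX_TYPES = {"HEAD_REF", "BASE_REF", "ACTOR_ACCOUNT_ID", "FILE_PATH", "COMMIT_MESSAGE"}


def is_anchored(pattern: str) -> bool:
    """True if the regex is pinned to both ends of the value it is matched against."""
    return pattern.startswith("^") and pattern.endswith("$") and not pattern.endswith(r"\$")


def unanchored_filters(group):
    """Return (type, pattern) for every regex filter that is not fully anchored."""
    return [(f["type"], f["pattern"])
            for f in group
            if f["type"] in REGEX_TYPES and not is_anchored(f["pattern"])]


def filter_matches(pattern: str, value: str) -> bool:
    # Assumption: search semantics, so an unanchored pattern matches anywhere
    # inside the value rather than the whole value.
    return re.search(pattern, value) is not None


def anchor(pattern: str) -> str:
    """Rewrite a pattern so it must match the entire value."""
    return pattern if is_anchored(pattern) else f"^{pattern}$"


if __name__ == "__main__":
    for ftype, pat in unanchored_filters(FILTER_GROUP):
        print(f"{ftype}: '{pat}' is unanchored; use '{anchor(pat)}'")
```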
Secure the CodeBuild-GitHub connection by:

- generating a unique, fine-grained Personal Access Token (PAT) for each CodeBuild project;
- strictly limiting the PAT’s permissions to the minimum required;
- considering using a dedicated unprivileged GitHub account for the CodeBuild integration.

This article originally appeared on InfoWorld.
First seen on csoonline.com
Original article: www.csoonline.com/article/4117692/possible-software-supply-chain-attack-through-aws-codebuild-service-blunted-2.html