From darkreading.com
Continuous integration/continuous development (CI/CD) pipelines may be the most dangerous potential attack surface of the software supply chain, researchers say, as cyberattackers step up their interest in probing for weaknesses.
The attack surface is growing too: CI/CD pipelines are increasingly a fixture within enterprise software development teams, who use them to a build, test, and deploy code using automated processes. But over-permissioning, a lack of network segmentation, and poor secrets and patch management plague their implementation, offering criminals the opportunity to compromise them to freely range between on-premises and cloud environments.