An eBPF-based tool for code monitoring provides new visibility into the software pipeline, aiming to forestall further SolarWinds- or Codecov-style attacks.

Cycode’s new Cimon monitoring tool for continuous integration and continuous delivery is designed to offer a new level of visibility into the CI/CD process, securing code against data exfiltration and other malicious activity.

According to the company’s announcement, Cimon — short for CI Monitor — is a runtime security agent that uses the enhanced Berkeley Packet Filter (eBPF) system to look directly into the CI pipeline, develop a baseline understanding of what normal behavior looks like, and monitor for abnormalities.

The use of eBPF, according to Cycode head of security research Alex Ilgayev, provides for flexibility and visibility into the operating system.

“Whether it’s a hosted runner on GitHub or a hosted runner on CircleCI or some self-hosted runner based on containers, once you install the agent, it sees everything,” he said.

The idea is to prevent cyberattacks against software code bases, Ilgayev said. Attacks on build systems, dependency attacks and typosquatting — where a bad actor publishes malicious software under a similar name to a widely used open source component — are on the rise. Cimon is meant to prevent those by monitoring the CI/CD run at the kernel level, checking that execution matches the expected outcome and watching network and file system events.

Most attacks, according to Ilgayev, take one of two forms. The first is data or credential theft, with bad actors targeting tokens or environment variables or some other sensitive information within the CI build. The second is altering packages via malicious changes to dependencies in the supply chain.
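The baseline-then-detect model the article describes, as an added illustration that is not Cimon's code or output: it learns which processes, network destinations and files a known-good run of each pipeline step touches, then flags a later run that reads a credential file or connects to a host the build never used. The event tuples, file paths and the 203.0.113.7 address are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events modelled on what a kernel-level agent would observe in a
# CI job: (pipeline step, event kind, target). Not real Cimon output.
KNOWN_GOOD_RUN = [
    ("checkout", "exec", "/usr/bin/git"),
    ("checkout", "connect", "github.com:443"),
    ("install", "exec", "/usr/bin/npm"),
    ("install", "connect", "registry.npmjs.org:443"),
    ("install", "open", "/home/runner/work/app/package-lock.json"),
    ("test", "exec", "/usr/bin/node"),
    ("test", "open", "/home/runner/work/app/test/app.test.js"),
]

# Same job, with two events typical of a credential-theft / exfiltration attempt:
# a registry token file is read, then a connection goes to a host the build never used.
SUSPECT_RUN = KNOWN_GOOD_RUN + [
    ("install", "open", "/home/runner/.npmrc"),
    ("install", "connect", "203.0.113.7:443"),  # constructed TEST-NET-3 address
]

# Files that hold credentials; reading them is flagged regardless of the baseline.
SENSITIVE_FILES = {"/home/runner/.npmrc", "/home/runner/.docker/config.json"}


def build_baseline(runs):
    """Learn, per (step, kind), the set of targets seen across known-good runs."""
    allowed = defaultdict(set)
    for run in runs:
        for step, kind, target in run:
            allowed[(step, kind)].add(target)
    return allowed


def detect(run, baseline):
    """Return findings for events that deviate from the baseline or touch credentials."""
    findings = []
    for step, kind, target in run:
        if kind == "open" and target in SENSITIVE_FILES:
            findings.append(("credential-file-read", step, target))
        elif kind in ("exec", "connect") and target not in baseline.get((step, kind), set()):
            findings.append((f"unexpected-{kind}", step, target))
    return findings


if __name__ == "__main__":
    baseline = build_baseline([KNOWN_GOOD_RUN])
    for finding in detect(SUSPECT_RUN, baseline):
        print(finding)
```

A real agent would also allow-list by process, not just by step name, so that a dependency's install script cannot borrow the permissions of the step that ran it.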

Addressing those is an important new capability, according to IDC research vice president Jim Mercer, in part because it offers visibility into all parts of the software supply chain — not just open source.

“That’s totally legitimate, they should be concerned about [open source],” he said. “But Cycode is saying ‘We’re gonna look at your pipelines and if something’s unusual, we’re going to stop it.’”

The use of eBPF is another substantial upside, Mercer added, calling it a clever way to identify problems in a software build without the use of a more resource-intensive agent.

“They can just be looking at those packets and say ‘hey, this is unusual,’” he noted.

Cimon is available in a stand-alone format for free as of today, as well as part of the paid Cycode AppSec platform.

Jon Gold covers IoT and wireless networking for Network World.

Copyright © 2023 IDG Communications, Inc.