Securing the CI Pipeline
A key element of DevOps is securing the CI pipeline.
Automated CI builds, tests and deployments bring many advantages when set up correctly. But pulling third-party libraries into your build, which may be served from compromised servers, or even automatically signing your packages or artifacts, could end with you delivering compromised software to others.
- A set of practices for DevOps and Developers?
- CheatSheet for developers who use third party services?
- Recommendations for 3rd party service providers? (e.g. providing warning messages about possible insecurities?)
- DevSecOps (or SecDevOps) practitioners, depending on the outcome of "DevSecOps vs SecDevOps".
- 3rd party service providers: Travis, SNYK, Codiscope, Gitlab, Node Security, …
- Security professionals
- DEF CON 22 - Kyle Kelley and Greg Anderson - Is This Your Pipe? Hijacking the Build Pipeline
Related Working Session(s)
- Integrating Security Tools in the SDL
- Best practices in using SAST
- IAST and RASP Tools
- Scaling Static Analysis Reviews and Deployments